From dd3fa0597ce80a014b57ad1be51f28af0b282d70 Mon Sep 17 00:00:00 2001
From: liobrasil
Date: Mon, 9 Feb 2026 11:07:06 -0400
Subject: [PATCH] fix: use Claude app auth and sticky comment for code review workflow

- Remove github_token override so Claude uses its own app auth (claude[bot])
- Enable use_sticky_comment for single updatable PR comment
- Add id-token: write and pull-requests: write permissions
- Remove manual gh pr comment instructions and cleanup step
- Simplify allowed tools to only what's needed for review
---
.github/workflows/claude-code-review.yml | 47 ++----------------------
1 file changed, 4 insertions(+), 43 deletions(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index ea2c11d..31e3db9 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -23,14 +23,11 @@ jobs: # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' runs-on: ubuntu-latest - env: - GH_TOKEN: ${{ github.token }} permissions: contents: read - pull-requests: read + pull-requests: write issues: write - # Use the workflow token (GITHUB_TOKEN) instead of the Claude GitHub App token exchange. - # This avoids "workflow validation" failures when this workflow file is modified in a PR. + id-token: write steps: - name: Checkout repository
@@ -43,7 +40,6 @@ jobs: uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - github_token: ${{ github.token }} prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }}
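Review bot: The deleted comment carried the only rationale for this job's auth choice (it said the workflow token was used to avoid workflow-validation failures when this file is changed in a PR), and the new `id-token: write` line has no replacement explaining the switch to the Claude GitHub App token exchange described in the commit message. Add a comment above it, e.g. `# id-token: write is needed for the action's OIDC exchange for the Claude GitHub App token (claude[bot]); per the earlier note, PRs that edit this workflow file may fail workflow validation.` `issues: write` is also kept even though the allowed tools in the last hunk shrink to `gh pr diff`/`gh pr view` and the PR comment is now meant to be posted by the action; if the action's documented permission requirements do not need it, drop it so the job stays at least privilege. The job block begins before this hunk.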
@@ -59,42 +55,7 @@ jobs: Post your review as a single updatable PR comment (do NOT create a new comment for every push). - Requirements: - - Always include the marker `` at the very top of the comment. - - IMPORTANT: You MUST use `gh pr comment` to post your review. Do NOT use `gh api` as it is not in your allowed tools and will fail silently. - - Use `gh pr comment` with `--edit-last --create-if-none` so subsequent runs update the prior comment. - - Replace the entire comment body each run (overwrite, don't append). - - Command (use exactly this pattern): - ``` - gh pr comment ${{ github.event.pull_request.number }} --edit-last --create-if-none --body-file - <<'EOF' - - - EOF - ``` - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options - claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"' - - - name: Cleanup older Claude review comments - if: always() - run: | - set -euo pipefail - repo='${{ github.repository }}' - pr='${{ github.event.pull_request.number }}' - - mapfile -t ids < <( - gh api "repos/${repo}/issues/${pr}/comments" --paginate --jq \ - 'map(select(.body | contains(""))) | sort_by(.created_at) | .[].id' - ) - - if [ "${#ids[@]}" -le 1 ]; then - echo "No duplicate Claude review comments found." - exit 0 - fi - - for ((i=0; i<${#ids[@]}-1; i++)); do - echo "Deleting old Claude review comment ${ids[$i]}" - gh api "repos/${repo}/issues/comments/${ids[$i]}" -X DELETE --silent - done + use_sticky_comment: true + claude_args: '--allowed-tools "Bash(gh pr diff:*),Bash(gh pr view:*)"'
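Review bot: The prompt still tells the model to post its review as a single updatable PR comment, but the new `claude_args` drops `Bash(gh pr comment:*)`, so the model has no tool left that can post a comment and the instruction is only satisfiable if `use_sticky_comment: true` makes the action publish the final response itself. Confirm that behaviour against the action's documentation; if it holds, reword the prompt line to `Write your review as your final response; the action publishes it as one updatable PR comment.` so the instruction matches what the model can do, and if it does not hold, the review would be generated but never posted. The `prompt: |` block and the enclosing `with:` mapping begin before this hunk.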