@david-fraley david-fraley commented Dec 11, 2025

Summary

  • Adds actions/checkout@v4 step before the claude-code-action
  • Sets persist-credentials: false for security (addresses artipacked warning)
  • Adds execution file extraction to get Claude's analysis output
  • Fixes shellcheck linting issues
  • Addresses template injection warning with appropriate safeguards

Problem

The workflow was failing with multiple issues:

  1. Git directory error: claude-code-action requires a git repository for setup but no checkout step existed
  2. Empty output: The action doesn't provide a direct result output - it uses an execution_file instead
  3. Security warnings:
    • artipacked warning about credential persistence
    • zizmor template-injection warning

Solution

  1. Added actions/checkout@v4 to clone the repository with persist-credentials: false
  2. Added execution file extraction step that:
    • Reads the execution_file output from claude-code-action
    • Extracts the result using jq
    • Passes it to the post-comment job
  3. Fixed linting issues:
    • Used jq < file instead of cat file | jq (SC2002)
    • Used command grouping for multiple redirects (SC2129)
    • Passed template variables through environment variables instead of direct interpolation
  4. Added zizmor ignore comment for the template-injection false positive (execution_file is from trusted source)

Fixes

  • Resolves "fatal: not in a git directory" error
  • Resolves "Executable not found in $PATH: claude" error
  • Resolves empty result output issue
  • Addresses all linter warnings (shellcheck, actionlint, zizmor)

Test plan

  • Branch synced with main
  • All linters passing
  • Merge PR
  • Apply triage-check label to a test issue
  • Verify workflow runs successfully and posts classification comment

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
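
A minimal workflow combining the fixes listed in the description above, as an added example that is not the repository's actual workflow file. The action ref and its inputs, the trigger, the job and step ids, and the jq filter (which assumes the execution file is a JSON array whose last element carries `result`) are assumptions.

```yaml
# Added example, not the project's workflow. Names and ids are assumed.
name: triage-check
on:
  issues:
    types: [labeled]

permissions:
  contents: read

jobs:
  classify:
    runs-on: ubuntu-latest
    outputs:
      result: ${{ steps.extract.outputs.result }}
    steps:
      # Gives the action a git directory to configure. persist-credentials:
      # false keeps the token out of .git/config (the artipacked finding).
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - id: claude
        uses: anthropics/claude-code-action@v1   # assumed ref
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed secret name
          prompt: "Classify this issue."                        # placeholder prompt

      # Form flagged as template-injection: the expression is pasted into the
      # script text before the shell parses it.
      #   run: jq -r '.[-1].result' < ${{ steps.claude.outputs.execution_file }}

      - id: extract
        env:
          # The runner sets this as a variable; the script only sees "$EXECUTION_FILE".
          EXECUTION_FILE: ${{ steps.claude.outputs.execution_file }}
        run: |
          # SC2002: redirect into jq instead of 'cat file | jq'
          result="$(jq -r '.[-1].result // empty' < "$EXECUTION_FILE")"
          # Random delimiter so the result text cannot end the block early
          delim="RESULT_$(openssl rand -hex 8)"
          # SC2129: one grouped redirect instead of three appends
          {
            echo "result<<${delim}"
            printf '%s\n' "$result"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"
```

With the path passed through `env`, the `run` script contains no `${{ }}` expression, so the template-injection audit has nothing to flag in that step.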

david-fraley and others added 3 commits December 11, 2025 20:33
The claude-code-action requires a git repository to be present for
git configuration during setup. Without checking out the repository,
the action fails with:

  fatal: not in a git directory
  error: Executable not found in $PATH: "claude"

This adds the required actions/checkout@v4 step before running the
claude-code-action to ensure the git directory exists.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Addresses artipacked security warning about credential persistence
through GitHub Actions artifacts. This prevents git credentials from
being persisted in the workspace.

The claude-code-action doesn't output a 'result' field directly.
Instead, it provides an 'execution_file' output that contains
the execution details. Added a step to read this file and extract
the result for downstream jobs.

- Replace 'cat file | cmd' with 'cmd < file' (SC2002)
- Use command grouping for multiple redirects (SC2129)

Addresses zizmor template-injection warning by passing the execution
file path through an environment variable instead of directly
interpolating it in the shell script.

The execution_file output is from the claude-code-action (trusted source),
not user-controlled input, so this is a false positive. Adding explicit
ignore comment to suppress the warning.

@david-fraley david-fraley enabled auto-merge (squash) December 11, 2025 21:35
@david-fraley david-fraley merged commit c44a2c3 into main Dec 11, 2025
30 checks passed
@david-fraley david-fraley deleted the fix/add-checkout-step branch December 11, 2025 21:48
@github-actions github-actions bot locked and limited conversation to collaborators Dec 11, 2025