Skip to content

ci: fix Claude auto-review auth (use github_token, skip OIDC exchange)#5

Merged
jnasbyupgrade merged 2 commits into
Postgres-Extensions:masterfrom
jnasbyupgrade:fix-claude-review-auth
Jul 14, 2026
Merged

ci: fix Claude auto-review auth (use github_token, skip OIDC exchange)#5
jnasbyupgrade merged 2 commits into
Postgres-Extensions:masterfrom
jnasbyupgrade:fix-claude-review-auth

Conversation

@jnasbyupgrade

@jnasbyupgrade jnasbyupgrade commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes the Claude auto-review and makes it cost-aware.

Auth fix. The pull_request_target review was failing with 401 - Invalid OIDC token (the action's OIDC→GitHub-App-token exchange, which is tied to the triggering actor's permissions). Passing github_token: ${{ secrets.GITHUB_TOKEN }} makes the action skip that exchange and use the workflow token directly — repo/workflow-scoped, independent of any user's role. Also drops the now-unneeded id-token: write.

Cost gate. The paid review now runs last: a pre-step waits for the PR's other check-runs to finish and only runs Claude if they all pass. If any sibling check failed (or CI times out), the review is skipped — no spend reviewing a PR that's already broken.

Note: pull_request_target runs the workflow from the base branch, so this PR's own review check still runs the old master workflow (will fail auth) — the fix only takes effect once merged.

The pull_request_target review failed with 401 Unauthorized (Invalid OIDC
token) because the action tried to exchange the workflow OIDC token for a
GitHub App token. Supplying github_token makes it skip that exchange and use
the token directly. Also drops the now-unneeded id-token: write permission.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4037fb67-563e-42c3-a4a1-e99667d0f492

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

…red)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jnasbyupgrade jnasbyupgrade merged commit 2005416 into Postgres-Extensions:master Jul 14, 2026
13 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant