Skip to content

Fix broken @claude handler (claude.yml finishes in 0s) + add workflow-edit guardrails #169

Description

@izzywdev

@claude — the repo's @claude handler (.github/workflows/claude.yml, using anthropics/claude-code-action) is BROKEN: it replies to every mention with "Claude finished … in 0s" and does no real work. This blocks cross-repo infra requests (e.g. #166 — provision the mendys DB role). Please investigate, fix, and add guardrails.

Evidence (from the failing run logs)

  • Handler fetches the issue comment OK, then its change-detection phase runs GET /compare/main...claude/issue-166-<ts>404 "Branch does not exist remotely"Error checking for changes in branch: HttpError: Not Found (compare two commits). The working branch was never created (Claude produced no commits) and the diff step assumes it exists, so it bails.
  • The run also executes stray, irrelevant setup inside the Claude step: cd e2e && npm install && npx playwright install chromium --with-deps && npx playwright test — leftover e2e content in the handler's prompt / base command / loaded CLAUDE.md.
  • NOT an Anthropic credit/key problem (step reports success in ~0s).

Phase 1 — Investigate which push broke it

  • git log --oneline -30 -- .github/workflows/claude.yml (+ claude-auto-pr.yml, claude-ci-autofix.yml, ci-failure-triage.yml).
  • git log -p -- .github/workflows/claude.yml: find when the anthropics/claude-code-action version/ref changed, when the prompt/direct_prompt/override_prompt/claude_args/settings changed, when an e2e/playwright command was introduced, or when trigger/base-branch/use_commit_signing/branch handling changed.
  • git blame the lines producing the e2e commands and the branch/diff behavior; correlate commit dates with when the 0s behavior began (issue Provision dedicated mendys Postgres role + Mongo user (MendysRobotics prod blocked) #166 created 2026-07-07, first bad reply minutes later).
  • Also check root CLAUDE.md / .github prompt files — the e2e commands may come from a loaded instruction file, not the YAML.
  • Report the exact breaking commit + why.

Phase 2 — Fix

Restore a known-good config: correct/pinned action SHA that doesn't 404 on a no-op run, remove e2e/playwright leftovers from the prompt, fix branch handling so a no-change run doesn't crash on compare. Keep secrets as secrets. Minimal, reviewable diff.

Phase 3 — Guardrails (so an edit can't silently break the handler again)

  1. actionlint (+ a claude-handler sanity check) as a REQUIRED status check on any PR touching .github/workflows/**.
  2. CODEOWNERS requiring review for .github/workflows/** (esp. claude*.yml).
  3. Pin third-party actions to full commit SHAs (comment the human-readable version) for the claude handlers.
  4. A lightweight smoke check (scheduled/manual) that mentions @claude on a sandbox/labeled test issue and asserts a real, non-"0s" response — catches regressions fast.
  5. Short "editing the @claude handlers" runbook (prompt do/don'ts, SHA-pin policy, how to test), consistent with the FuzeSDLC governance baseline.

Phase 4 — Verify & close the loop

Ship the handler fix and the guardrails as separate small PRs. Report the breaking commit.

Refs: izzywdev/MendysRobotics#134, FuzeInfra #166.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions