examples: address external review finding fixes#4
Merged
Conversation
Same finding-fix pass applied to the public example workflows so consumers pin against a version that carries the calibrated shape.

- #5 (label match too permissive): Tighten the example's issue-to-PR `if:` from `startsWith('claude-fix:')` to an explicit whitelist, with a comment calling out why prefix matching is a trap.
- #6 (heredoc collision): Random `EOF_$(openssl rand -hex 16)` delimiter in the compose step.
- #7a (eager `npm ci` on mention): Drop the `Install dependencies` step. Comment on Setup Node explains why; prompt can tell the agent to install before scripts that need deps.
- #8a (Opus cost): Sonnet default with Opus opt-in via case-insensitive word-boundary `deep` anywhere in the comment body.
- #9 (scope-to-diff): Already addressed in previous PR (#2) — no change needed here.

Plus the mention-parsing step enforcing `@claude` as first non-whitespace token (word-boundary after), with `steps.mention.outputs.proceed` gating subsequent steps.

Comment sharpening:

- #1 (postinstall RCE via package.json edit): Example's allowlist comment now names this path explicitly and directs consumers to `.npmrc` `ignore-scripts=true` as the npm-config-level mitigation.
- #2 (`Bash(git:*)` rationale): review.yml comment now says "read-only by design" instead of implying it's universal guidance.

Consumer-facing note: everything marked TODO: pin still needs the consumer to substitute their own pinned SHAs. Nothing security-critical here changes that expectation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Mirror of HarperFast/harper#402's fae521c commit. Applying the finding-fix pass from the deep external review to the public example workflows so consumers pin against a version that carries the calibrated shape.

Fixed

- `claude-fix:typo|docs|deps|bug)` instead of `startsWith('claude-fix:')`, with a comment explaining why prefix matching admits typoed variants.
- `EOF_$(openssl rand -hex 16)` delimiter in `examples/claude-review.yml`'s compose step.
- `npm ci` on mention: removed. Comment on `Setup Node.js` explains why: most mentions don't need deps.
- `deep` in the comment body. Cost gets spent deliberately.

Mention-parsing step (new in this PR for the example)

New shell step that enforces `@claude` as the first non-whitespace token. Subsequent steps guard on `steps.mention.outputs.proceed == 'true'` so non-matching comments exit cleanly without running the agent. Also outputs the model name per the `deep` word-boundary match.

Comment sharpening

- `Write(package.json)` + `postinstall` + bare `npm install` chain explicitly, and directs consumers to `.npmrc` `ignore-scripts=true` as the mitigation.
- `Bash(git:*)` rationale: `claude-review.yml`'s comment now says "read-only by design" and notes the authoring workflows grant broader git access bounded by branch protection.

🤖 Generated with Claude Code
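The three comment-handling rules the description lists (the mention must be the first non-whitespace token with a word boundary after it, Opus opt-in only on a word-bounded `deep`, and a random heredoc delimiter for multi-line step outputs) are shown below as plain shell functions. This is an added example, not code from this PR or from the example workflows; the function names, the `sonnet`/`opus` labels, and the use of `/dev/urandom` via `od` instead of `openssl rand` are assumptions so it runs outside GitHub Actions.

```shell
#!/bin/sh
# Added example, not the PR's own workflow code. Function names and the
# "sonnet"/"opus" labels are assumptions (not API model ids); the output file
# format is the GITHUB_OUTPUT multi-line "name<<DELIM" form.

# Prints "true" when the first non-whitespace token of the body is @claude
# followed by a word boundary (a non-word character or end of line), else
# "false". "@claudex" and "hey @claude" are rejected. Only the first
# non-blank line is inspected because the token must open the comment.
mention_proceed() {
  first_line=$(printf '%s\n' "$1" | sed -e '/[^[:space:]]/,$!d' | head -n 1)
  if printf '%s\n' "$first_line" | grep -Eq '^[[:space:]]*@claude([^[:alnum:]_]|$)'; then
    echo true
  else
    echo false
  fi
}

# Prints "opus" when the body contains the word "deep" (case-insensitive,
# word boundaries on both sides, anywhere in the body), otherwise the default
# "sonnet". "deeper" and "undeep" do not match, so an incidental mention does
# not silently select the expensive model.
select_model() {
  if printf '%s\n' "$1" | grep -Eiq '(^|[^[:alnum:]_])deep([^[:alnum:]_]|$)'; then
    echo opus
  else
    echo sonnet
  fi
}

# Appends NAME=VALUE to an output file in multi-line form with a random
# delimiter, so a value that itself contains a line "EOF" (or any fixed
# delimiter) cannot close the block early. Prints the delimiter it used.
emit_output() {
  name=$1; value=$2; outfile=$3
  delim="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$outfile"
  echo "$delim"
}

# Consumer side of emit_output: reads NAME back using the delimiter recorded
# in the header line rather than assuming a fixed one.
read_output() {
  name=$1; outfile=$2
  delim=$(grep "^$name<<" "$outfile" | head -n 1 | sed "s/^$name<<//")
  sed -n "/^$name<<$delim\$/,/^$delim\$/p" "$outfile" | sed '1d;$d'
}

# Constructed sample comment body; the gate, model choice and output handoff
# are wired the way the description's mention step and its consumers are.
main() {
  body='  @claude deep review of the parser, please'
  if [ "$(mention_proceed "$body")" = true ]; then
    f=$(mktemp)
    emit_output model "$(select_model "$body")" "$f" > /dev/null
    printf 'proceed: model=%s\n' "$(read_output model "$f")"
    rm -f "$f"
  else
    echo 'no mention; skipping'
  fi
}

main
```

The word-boundary class `[^[:alnum:]_]` is spelled out because `\b` is a GNU extension rather than POSIX ERE; it behaves the same way for the cases that matter here (`@claude-bot` passes the gate, `@claudex` does not), which is the trade-off the description's "word-boundary after" wording implies.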