humanlayer · dexhorthy · Jun 14, 2025 · Jun 10, 2025 · Jun 10, 2025 · Jun 13, 2025
@@ -0,0 +1 @@
+CLAUDE.md
@@ -0,0 +1,11 @@
+# CODEOWNERS file for authorized Claude CI users
+# This file defines who can trigger Claude workflows via comments and PRs
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Global owners - these users can trigger Claude workflows
+* @dexhorthy @balanceiskey @AdjectiveAllison
+
+# !!claudecode @dexhorthy @balanceiskey @AdjectiveAllison
+
+.github/workflows/ @dexhorthy 
+.github/CODEOWNERS @dexhorthy 
@@ -12,9 +12,25 @@ jobs:
       pull-requests: write
       issues: write
       id-token: write
-    env:
-      OVERRIDE_GITHUB_TOKEN: ${{ secrets.CLAUDE_PAT_TOKEN }}
     steps:
+      - name: Check authorization
+        id: auth-check
+        run: |
+          # Get the PR author
+          PR_AUTHOR="${{ github.event.pull_request.user.login }}"
+          echo "PR author: $PR_AUTHOR"
+
+          # List of authorized users from CODEOWNERS
+          AUTHORIZED_USERS=$(cat .github/CODEOWNERS | grep !!claudecode | cut -d' ' -f3-)
+
+          # Check if user is authorized
+          if echo "$AUTHORIZED_USERS" | grep -w "$PR_AUTHOR" > /dev/null; then
+            echo "User $PR_AUTHOR is authorized"
+            echo "authorized=true" >> $GITHUB_OUTPUT
+          else
+            echo "User $PR_AUTHOR is not authorized to trigger Claude workflows"
+            echo "authorized=false" >> $GITHUB_OUTPUT
+          fi
       # Simply checking out the repository is sufficient - the action handles the PR code
       - name: Checkout code
         uses: actions/checkout@v4
@@ -23,13 +39,15 @@ jobs:
 
 
       - name: Run Code Review with Claude
+        if: steps.auth-check.outputs.authorized == 'true'
         uses: anthropics/claude-code-action@beta
-        env:
-          OVERRIDE_GITHUB_TOKEN: ${{ secrets.CLAUDE_PAT_TOKEN }}
         with:
           # Your Anthropic API key
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
+          # GitHub token for API access
+          github_token: ${{ secrets.CLAUDE_PAT_TOKEN }}
+
           # Direct prompt for Claude to execute
           direct_prompt: "Review the PR changes. Focus on code quality, potential bugs, and performance issues. Suggest improvements where appropriate. Pay special attention to Kubernetes operator patterns and Go best practices according to the CLAUDE.md file."
 

@@ -14,11 +14,24 @@ jobs:
       issues: write
       id-token: write
     steps:
-      # Set environment variables for Claude Code Action
-      - name: Set up environment
+      - name: Check authorization
+        id: auth-check
         run: |
-          echo "OVERRIDE_GITHUB_TOKEN=${{ secrets.CLAUDE_PAT_TOKEN }}" >> $GITHUB_ENV
-          echo "Setting up PAT token for Claude Code Action"
+          # Get the comment author
+          COMMENT_AUTHOR="${{ github.event.comment.user.login }}"
+          echo "Comment author: $COMMENT_AUTHOR"
+
+          # List of authorized users from CODEOWNERS
+          AUTHORIZED_USERS=$(cat .github/CODEOWNERS | grep !!claudecode | cut -d' ' -f3-)
+
+          # Check if user is authorized
+          if echo "$AUTHORIZED_USERS" | grep -w "$COMMENT_AUTHOR" > /dev/null; then
+            echo "User $COMMENT_AUTHOR is authorized"
+            echo "authorized=true" >> $GITHUB_OUTPUT
+          else
+            echo "User $COMMENT_AUTHOR is not authorized to trigger Claude workflows"
+            echo "authorized=false" >> $GITHUB_OUTPUT
+          fi
 
       # Simply checking out the repository is sufficient
       - name: Checkout code
@@ -27,14 +40,17 @@ jobs:
           fetch-depth: 0  # Get full history for accurate diffs
 
       - name: Claude Response
+        if: steps.auth-check.outputs.authorized == 'true'
         uses: anthropics/claude-code-action@beta
         with:
           # Your Anthropic API key
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
+          # GitHub token for API access
+          github_token: ${{ secrets.CLAUDE_PAT_TOKEN }}
+
           # Explicitly set the trigger phrase
           trigger_phrase: "@claude"
-          # Note: Token is provided via OVERRIDE_GITHUB_TOKEN environment variable
 
           # Timeout for execution
           timeout_minutes: 20
@@ -19,11 +19,24 @@ jobs:
       issues: write
       id-token: write
     steps:
-      # Set environment variables for Claude Code Action
-      - name: Set up environment
+      - name: Check authorization
+        id: auth-check
         run: |
-          echo "OVERRIDE_GITHUB_TOKEN=${{ secrets.CLAUDE_PAT_TOKEN }}" >> $GITHUB_ENV
-          echo "Setting up PAT token for Claude Code Action"
+          # Get the comment author
+          COMMENT_AUTHOR="${{ github.event.comment.user.login }}"
+          echo "Comment author: $COMMENT_AUTHOR"
+
+          # List of authorized users from CODEOWNERS
+          AUTHORIZED_USERS=$(cat .github/CODEOWNERS | grep !!claudecode | cut -d' ' -f3-)
+
+          # Check if user is authorized
+          if echo "$AUTHORIZED_USERS" | grep -w "$COMMENT_AUTHOR" > /dev/null; then
+            echo "User $COMMENT_AUTHOR is authorized"
+            echo "authorized=true" >> $GITHUB_OUTPUT
+          else
+            echo "User $COMMENT_AUTHOR is not authorized to trigger Claude workflows"
+            echo "authorized=false" >> $GITHUB_OUTPUT
+          fi
 
       # Simply checking out the repository is sufficient
       - name: Checkout code
@@ -33,7 +46,7 @@ jobs:
 
       # If running on a PR comment, we need to explicitly check out the PR branch
       - name: Checkout PR branch if needed
-        if: github.event.issue.pull_request
+        if: github.event.issue.pull_request && steps.auth-check.outputs.authorized == 'true'
         run: |
           # Get the PR number from the issue object
           PR_NUMBER="${{ github.event.issue.number }}"
@@ -53,14 +66,17 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.CLAUDE_PAT_TOKEN }}
 
       - name: Claude PR Creation
+        if: steps.auth-check.outputs.authorized == 'true'
         uses: anthropics/claude-code-action@beta
         with:
           # Your Anthropic API key
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
+          # GitHub token for API access
+          github_token: ${{ secrets.CLAUDE_PAT_TOKEN }}
+
           # Explicitly set the trigger phrase
           trigger_phrase: "@claude"
-          # Note: Token is provided via OVERRIDE_GITHUB_TOKEN environment variable
 
           # Timeout for execution (longer for PR creation)
           timeout_minutes: 30
@@ -33,6 +33,10 @@ jobs:
           path: acp/bin
           key: ${{ runner.os }}-acp-bin-${{ hashFiles('acp/Makefile') }}
 
+      - name: Generate mocks
+        working-directory: acp
+        run: make mocks
+
       - name: Install golangci-lint
         working-directory: acp
         run: make golangci-lint
@@ -71,6 +75,10 @@ jobs:
           path: acp/bin
           key: ${{ runner.os }}-acp-bin-${{ hashFiles('acp/Makefile') }}
 
+      - name: Generate mocks
+        working-directory: acp
+        run: make mocks
+
       - name: Run tests
         working-directory: acp
         run: make test
@@ -102,6 +110,10 @@ jobs:
           path: acp/bin
           key: ${{ runner.os }}-acp-bin-${{ hashFiles('acp/Makefile') }}
 
+      - name: Generate mocks
+        working-directory: acp
+        run: make mocks
+
       - name: Build
         working-directory: acp
         run: make build

@@ -9,3 +9,7 @@
 # Generated files
 acp_commands.sh
 
+# Generated kustomization files
+acp/config/localdev/kustomization.yaml
+
+acp/config/tmp/