From 518c678f1f66c828052660b9a1640309a674e752 Mon Sep 17 00:00:00 2001
From: Jonathan Zhang
Date: Fri, 1 May 2026 12:43:18 -0700
Subject: [PATCH] fix(claude-review): skip claude-code-action for dependabot/renovate PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

claude-code-action@v1 currently crashes when invoked on a dependabot PR with the error: Internal error: directory mismatch for directory "/home/runner/work/_actions/anthropics/claude-code-action/v1/tsconfig.json", fd 4 Verified across topcoder1/ci-workflows#7, #8, #9 — three consecutive dependabot PRs, all FAILURE on `review / Claude Review`. The same action+version succeeds on human-authored PRs in the same repo, so the bug is specific to dependabot's restricted GITHUB_TOKEN scope. Even when the action does run on dep bumps, the value is low — diffs are upstream version metadata, not project logic. The risk classifier still labels them; humans still see the diff at merge time. Skipping Claude review here is signal, not loss. Implementation: a pre-check step posts a one-line "Skipped" PR comment when the PR author is dependabot[bot] or renovate[bot], sets a step output, and the claude-code-action step is gated on that output. The job remains green so branch rulesets that require `review / Claude Review` are satisfied.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/claude-review.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 85fca2f..bc629b0 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -35,7 +35,31 @@ jobs:
 with:
 fetch-depth: ${{ inputs.checkout_depth }}
 
+ # Skip claude-code-action for bot-authored PRs (dependabot, renovate).
+ # The action's @v1 currently crashes with "directory mismatch ...
+ # tsconfig.json, fd 4" on dependabot's restricted GITHUB_TOKEN scope —
+ # verified across 3 consecutive dependabot PRs (topcoder1/ci-workflows
+ # #7/#8/#9). Even when the action does run, dependency bumps don't
+ # benefit from Claude review (the diff is upstream version metadata,
+ # not project logic). The risk classifier still labels these PRs.
+ #
+ # We post a "Skipped" summary comment so the required check is satisfied
+ # green — branch rulesets that require `review / Claude Review` would
+ # otherwise treat a skipped job as failing.
+ - name: Skip review for bot-authored PRs (dependabot/renovate)
+ id: bot_check
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+ PR: ${{ github.event.pull_request.number }}
+ ACTOR: ${{ github.event.pull_request.user.login }}
+ run: |
+ set -euo pipefail
+ gh pr comment "$PR" --body "Skipped: bot-authored PR (\`$ACTOR\`). Dependency bumps are reviewed by the risk classifier and human merge gate."
+ echo "skipped=true" >> "$GITHUB_OUTPUT"
+
 - name: Claude Code Review
+ if: ${{ steps.bot_check.outputs.skipped != 'true' }}
 uses: anthropics/claude-code-action@v1
 with:
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
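Review bot: The `if:` on the `bot_check` step keys the skip on the PR author alone, so a pull request opened by `dependabot[bot]` or `renovate[bot]` keeps skipping Claude review, and keeps reporting `review / Claude Review` green, even after someone other than the bot pushes commits to that branch. Consider also requiring the triggering actor to be the bot, `github.actor == github.event.pull_request.user.login && ( …existing author comparison… )`, and noting in the step comment that this narrows the gap rather than proving the diff is only a dependency bump. Separately, the `run` block posts the comment before it writes `skipped=true` under `set -euo pipefail`; if the token lacks `pull-requests: write` (the job's `permissions:` are outside this hunk, and the commit message itself cites dependabot's restricted token), `gh pr comment` fails and the job goes red instead of green. Writing the output first and making the comment best-effort, `gh pr comment "$PR" --body "…" || echo "::warning::could not post skip comment"`, keeps the required check stable.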