Problem
Every other Tier 1 centralized workflow in this repo now points at the v1 reusable in petry-projects/.github (landed in #78). The lone exception is .github/workflows/claude.yml — it's still the inline pre-centralization version.
The next compliance-audit run will flag this as non-stub-claude.yml via the new check from petry-projects/.github#89.
Why it wasn't done in #78
The claude-code-action GitHub App refuses to mint an OAuth token for any PR whose diff includes .github/workflows/*.yml. With claude-code / claude previously a required status check on this repo, that turned every workflow-touching PR into a deadlock. #78 worked around this by reverting just claude.yml and merging the rest, then we updated the ruleset to drop the required check (this morning).
Resolution path
Now that the ruleset no longer requires claude-code / claude, the file can be migrated. Two options:
A. PAT workaround (recommended for ongoing work): Add a GH_PAT_WORKFLOWS repo secret containing a classic PAT with workflow scope. The reusable's caller picks it up via secrets: inherit, the action uses it instead of OAuth, and the App-token validation is bypassed for future PRs that touch workflows.
gh secret set GH_PAT_WORKFLOWS --repo petry-projects/markets --body "$(cat ~/.config/petry-pat-workflow)"
Then a regular PR replacing claude.yml with the canonical stub from petry-projects/.github/standards/workflows/claude.yml will merge cleanly.
B. One-shot direct push: Add yourself as a temporary bypass actor on the ruleset, push the stub directly to main, remove the bypass.
Either way, after the migration the file should match:
jobs:
claude-code:
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1
secrets: inherit
permissions: { contents: write, id-token: write, pull-requests: write, issues: write, actions: read, checks: read }
Problem
Every other Tier 1 centralized workflow in this repo now points at the v1 reusable in petry-projects/.github (landed in #78). The lone exception is
.github/workflows/claude.yml— it's still the inline pre-centralization version.The next compliance-audit run will flag this as
non-stub-claude.ymlvia the new check from petry-projects/.github#89.Why it wasn't done in #78
The
claude-code-actionGitHub App refuses to mint an OAuth token for any PR whose diff includes.github/workflows/*.yml. Withclaude-code / claudepreviously a required status check on this repo, that turned every workflow-touching PR into a deadlock. #78 worked around this by reverting justclaude.ymland merging the rest, then we updated the ruleset to drop the required check (this morning).Resolution path
Now that the ruleset no longer requires
claude-code / claude, the file can be migrated. Two options:A. PAT workaround (recommended for ongoing work): Add a
GH_PAT_WORKFLOWSrepo secret containing a classic PAT withworkflowscope. The reusable's caller picks it up viasecrets: inherit, the action uses it instead of OAuth, and the App-token validation is bypassed for future PRs that touch workflows.Then a regular PR replacing claude.yml with the canonical stub from
petry-projects/.github/standards/workflows/claude.ymlwill merge cleanly.B. One-shot direct push: Add yourself as a temporary bypass actor on the ruleset, push the stub directly to main, remove the bypass.
Either way, after the migration the file should match: