@@ -41,21 +41,24 @@ jobs:
4141 GH_TOKEN : ${{ github.token }}
4242 EVENT_NAME : ${{ github.event_name }}
4343 ACTOR : ${{ github.actor }}
44+ REPO : ${{ github.repository }}
4445 PR_NUMBER : ${{ env.PR_NUMBER }}
4546 COMMENT_BODY : ${{ github.event.comment.body }}
4647 PR_TITLE : ${{ github.event.pull_request && github.event.pull_request.title || '' }}
4748 PR_AUTHOR : ${{ github.event.pull_request && github.event.pull_request.user && github.event.pull_request.user.login || '' }}
4849 PR_HEAD_REPO : ${{ github.event.pull_request && github.event.pull_request.head && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name || '' }}
50+ PR_HEAD_REF : ${{ github.event.pull_request && github.event.pull_request.head && github.event.pull_request.head.ref || '' }}
51+ PR_BASE_REF : ${{ github.event.pull_request && github.event.pull_request.base && github.event.pull_request.base.ref || '' }}
4952 run : |
50- set -e
53+ set -euo pipefail
5154
5255 # Default: proceed for pull_request events; gate comment-driven runs.
5356 PROCEED="true"
5457
5558 if [ "$EVENT_NAME" = "issue_comment" ] || [ "$EVENT_NAME" = "pull_request_review_comment" ]; then
56- PERM=$(gh api "repos/${{ github.repository }} /collaborators/$ACTOR/permission" --jq .permission 2>/dev/null || echo "none")
59+ PERM=$(gh api "repos/$REPO /collaborators/$ACTOR/permission" --jq .permission 2>/dev/null || echo "none")
5760 case "$PERM" in
58- admin|maintain|write) ;;
61+ admin|maintain|write) ;;
5962 *)
6063 echo "Non-collaborator trigger ($PERM); skipping."
6164 PROCEED="false"
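Review bot: The env block (new lines 41-51) carries no comment explaining why REPO, PR_HEAD_REF, PR_BASE_REF and the other event fields are passed through `env` instead of being written as `${{ }}` inside `run:`. That indirection is what keeps a branch name or PR title from being expanded into the script text before the shell parses it, and it is easy to undo in a later edit. I would add a comment above the env entries such as `# Event data is untrusted: pass it via env and reference it as "$VAR"; never use ${{ }} inside run.` The step begins above this hunk, so the comment may fit better next to the step name.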
@@ -64,22 +67,21 @@ jobs:
6467 fi
6568
6669 # Fetch PR metadata for fork/release/dependabot gating.
67-
70+ TITLE=""
6871 AUTHOR=""
6972 HEAD_REPO=""
7073 HEAD_REF=""
7174 BASE_REF=""
7275
73-
7476 if [ "$EVENT_NAME" = "pull_request" ]; then
75-
77+ TITLE="$PR_TITLE"
7678 AUTHOR="$PR_AUTHOR"
7779 HEAD_REPO="$PR_HEAD_REPO"
78- HEAD_REF="${{ github.event.pull_request.head.ref }} "
79- BASE_REF="${{ github.event.pull_request.base.ref }} "
80+ HEAD_REF="$PR_HEAD_REF "
81+ BASE_REF="$PR_BASE_REF "
8082 else
81- PR_JSON=$(gh pr view "$PR_NUMBER" --repo "${{ github.repository }} " --json title,author,headRepository,headRepositoryOwner,headRefName,baseRefName)
82- '%s' "$PR_JSON" | jq -r '.title // ""')
83+ PR_JSON=$(gh pr view "$PR_NUMBER" --repo "$REPO " --json title,author,headRepository,headRepositoryOwner,headRefName,baseRefName)
84+ TITLE=$(printf '%s' "$PR_JSON" | jq -r '.title // ""')
8385 AUTHOR=$(printf '%s' "$PR_JSON" | jq -r '.author.login // ""')
8486 HEAD_REF=$(printf '%s' "$PR_JSON" | jq -r '.headRefName // ""')
8587 BASE_REF=$(printf '%s' "$PR_JSON" | jq -r '.baseRefName // ""')
8890 HEAD_REPO=$(printf '%s' "$PR_JSON" | jq -r 'if .headRepository and .headRepository.full_name then .headRepository.full_name elif .headRepositoryOwner and .headRepository and .headRepository.name then (.headRepositoryOwner.login + "/" + .headRepository.name) else "" end')
8991 fi
9092
91-
9293 if [ -z "$HEAD_REPO" ]; then
9394 echo "Could not determine head repo; skipping to protect secrets."
9495 PROCEED="false"
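Review bot: The `PR_JSON=$(gh pr view ...)` assignment at new line 83 has no fallback, so under `set -euo pipefail` a failed lookup (empty PR_NUMBER, API error, rate limit) aborts the step before `proceed=` is ever written to `$GITHUB_OUTPUT`. The permission check earlier in the script fails closed with `|| echo "none"`, and this call should state its deny decision just as explicitly, for example `PR_JSON=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json …) || { echo "Could not load PR metadata; skipping."; echo "proceed=false" >> "$GITHUB_OUTPUT"; exit 0; }`. The downstream `if:` conditions are not visible here. If any of them test `!= 'false'` or run with `always()`, a missing output would be treated as permission to continue, so they should compare against `== 'true'`.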
@@ -104,18 +105,16 @@ jobs:
104105 fi
105106
106107 # Heuristic: release-please branches commonly include "release-please".
107- if [ -n "$HEAD_REF" ] && echo "$HEAD_REF" | grep -qi "release-please"; then
108+ if [ -n "$HEAD_REF" ] && printf '%s' "$HEAD_REF" | grep -qi "release-please"; then
108109 PROCEED="false"
109110 fi
110111
111- if [ "$HEAD_REPO" != "${{ github.repository }} " ]; then
112+ if [ "$HEAD_REPO" != "$REPO " ]; then
112113 echo "Fork PR detected ($HEAD_REPO); skipping to protect secrets."
113114 PROCEED="false"
114115 fi
115116
116- # Debug: print gating context
117117 echo "Gate context: author=$AUTHOR head_ref=$HEAD_REF base_ref=$BASE_REF head_repo=$HEAD_REPO"
118-
119118 echo "proceed=$PROCEED" >> "$GITHUB_OUTPUT"
120119
121120 - name : Cleanup previous Claude workflow comments
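Review bot: The release-please check at new line 108 sets `PROCEED="false"` without printing a reason, unlike the fork and missing-head-repo branches, which each log why they deny. Adding `echo "Release-please branch ($HEAD_REF); skipping."` before the assignment would make every deny path explain itself in the job log, which helps when auditing why a run was or was not gated. The "Gate context" echo that follows still prints the raw values, but it does not say which rule fired.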