From eaab577fd23129007f9ca733294e118afe72c082 Mon Sep 17 00:00:00 2001
From: Adam Storm
Date: Mon, 6 Oct 2025 09:15:00 -0400
Subject: [PATCH 1/2] dev-inf: Use GITHUB_TOKEN for Claude Code review action
The action's OIDC token exchange is failing, likely because the GitHub app isn't configured to accept OIDC tokens from this workflow. By explicitly providing the built-in GITHUB_TOKEN, we bypass the OIDC exchange entirely. The built-in token has sufficient permissions for PR analysis and commenting, which is all this workflow needs.
Release note: None
Epic: None
---
 .github/workflows/pr-analyzer-threestage.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/pr-analyzer-threestage.yml b/.github/workflows/pr-analyzer-threestage.yml
index 005ac17d3fde..91f248fd30f4 100644
--- a/.github/workflows/pr-analyzer-threestage.yml
+++ b/.github/workflows/pr-analyzer-threestage.yml
@@ -29,6 +29,7 @@ jobs:
 id: stage1
 uses: cockroachdb/claude-code-action@v1
 with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
 use_vertex: "true"
 claude_args: |
 --model claude-sonnet-4-5-20250929
@@ -63,6 +64,7 @@ jobs:
 if: contains(steps.stage1.outputs.result, 'STAGE1_RESULT - POTENTIAL_BUG_DETECTED')
 uses: cockroachdb/claude-code-action@v1
 with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
 use_vertex: "true"
 claude_args: |
 --model claude-4-5-sonnet-20250929
@@ -98,6 +100,7 @@ jobs:
 if: contains(steps.stage2.outputs.result, 'STAGE2_RESULT - POTENTIAL_BUG_DETECTED')
 uses: cockroachdb/claude-code-action@v1
 with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
 use_vertex: "true"
 claude_args: |
 --model claude-4-5-sonnet-20250929
@@ -147,6 +150,7 @@ jobs:
 if: always()
 uses: cockroachdb/claude-code-action@v1
 with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
 use_vertex: "true"
 claude_args: |
 --model claude-4-5-sonnet-20250929
From a39066a5379e80498df3dddfb57c3f98916a60f2 Mon Sep 17 00:00:00 2001
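Review bot: With `secrets.GITHUB_TOKEN` now passed explicitly to `cockroachdb/claude-code-action@v1` in this hunk and in the three matching hunks at `@@ -63`, `@@ -98` and `@@ -147`, the job-level `permissions:` block becomes the only thing bounding what the review action can do with that token, and that block is outside these hunks. I'd confirm it is set explicitly (for example `contents: read` and `pull-requests: write`, which the commit message says is all this workflow needs) rather than inheriting the repository default, since a read/write default token handed to an action that acts on model output against PRs is a wider grant than the stated purpose. A short comment above each new input would also save the next reader from re-deriving the OIDC story, e.g. `# Built-in token: skips the action's OIDC exchange, which fails for this workflow; Vertex auth is handled separately (use_vertex)`. Minor, and in context lines rather than the change: the first hunk's `--model claude-sonnet-4-5-20250929` differs from `claude-4-5-sonnet-20250929` in the other three; if one of them is a typo it would be worth aligning.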
From: Adam Storm
Date: Mon, 6 Oct 2025 10:10:18 -0400
Subject: [PATCH 2/2] dev-inf: Checkout PR head SHA for Claude Code review action
When using pull_request_target, the workflow runs in the context of the base branch. By default, checkout merges with the target branch, which could result in the LLM reporting on things that don't appear to actually exist in the PR. Explicitly set ref to the PR head SHA to analyze the actual PR code.
Release note: None
Epic: None
---
 .github/workflows/pr-analyzer-threestage.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pr-analyzer-threestage.yml b/.github/workflows/pr-analyzer-threestage.yml
index 91f248fd30f4..ea72f8d10a16 100644
--- a/.github/workflows/pr-analyzer-threestage.yml
+++ b/.github/workflows/pr-analyzer-threestage.yml
@@ -16,6 +16,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v5
 with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
 fetch-depth: 1
 - name: Authenticate to Google Cloud
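Review bot: Checking out the PR head (`ref: ${{ github.event.pull_request.head.sha || github.ref }}`) in a workflow that, per the commit message, runs on `pull_request_target` puts the contributor's untrusted tree on disk in a job that holds base-branch credentials — the same hunk shows an `Authenticate to Google Cloud` step following the checkout. The checkout itself is fine for reading files; the risk is any later step that executes or loads content from that tree (scripts, tool configuration, hooks the review action may pick up) while those credentials are present, and the rest of the job is outside this hunk so I can't tell whether that happens. I'd document the boundary on the line, e.g. `# pull_request_target: analyze the PR head, but never run code from it`, and pair it with an explicit job `permissions:` block and a gate such as a maintainer-applied label or author-association check before the analysis stages run. The `|| github.ref` fallback also means a non-PR trigger silently analyzes the base ref; if only PR events are expected, a comment saying so would help.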