From 999d988d4f345977751065c5a65bf32f9bae0baa Mon Sep 17 00:00:00 2001 From: Daniel Wood Date: Mon, 16 Feb 2026 13:26:09 -0500 Subject: [PATCH 1/3] ci: skip claude review when its own workflow file is modified The OAuth token exchange validates that the workflow file matches main exactly, so PRs that modify claude-code-review.yml always fail. Add an early check that detects this and skips the review gracefully instead of burning runner time on an inevitable 401. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/claude-code-review.yml | 38 +++++++++++++++++++----- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 25de2f9..24763b4 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -17,18 +17,23 @@ jobs: id-token: write steps: - - name: Checkout repository - uses: actions/checkout@v6 - with: - fetch-depth: 1 + - name: Check if review workflow was modified + id: check + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if gh -R ${{ github.repository }} pr diff ${{ github.event.pull_request.number }} --name-only | grep -q '^\.github/workflows/claude-code-review\.yml$'; then + echo "skip=true" >> "$GITHUB_OUTPUT" + echo "::notice::Skipping Claude review — workflow file was modified (OAuth validation will fail)" + fi - - name: Minimize previous Claude review comments + - name: Minimize previous review comments env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh pr view ${{ github.event.pull_request.number }} \ + gh -R ${{ github.repository }} pr view ${{ github.event.pull_request.number }} \ --json comments \ - --jq '.comments[] | select(.author.login == "claude") | .id' \ + --jq '.comments[] | select(.author.login == "claude" or .author.login == "github-actions") | .id' \ | while read -r node_id; do gh api graphql -f query=' mutation { 
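Review bot: The widened jq filter in the "Minimize previous review comments" step, `select(.author.login == "claude" or .author.login == "github-actions")`, matches every comment the `github-actions` account has left on the pull request, not only the ones this workflow posts. Any other workflow that comments with `GITHUB_TOKEN` (test summaries, scanner findings) would have its output minimized on each run of this job. Narrowing the second arm to this workflow's own comment keeps that output visible, for example `(.author.login == "github-actions" and (.body | startswith("## Code review")))`, which matches the heading the skip comment in the next hunk uses. The GraphQL mutation that consumes these ids continues past the end of the hunk, so the rest of the loop is not visible here.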
@@ -38,7 +43,26 @@ jobs: }' done + - name: Post skip comment + if: steps.check.outputs.skip == 'true' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh -R ${{ github.repository }} pr comment ${{ github.event.pull_request.number }} \ + --body "## Code review + + Skipped — this PR modifies \`claude-code-review.yml\`. The OAuth token exchange requires the workflow file to match the default branch, so the review cannot run until this change is merged. + + @copilot please review this pull request." + + - name: Checkout repository + if: steps.check.outputs.skip != 'true' + uses: actions/checkout@v6 + with: + fetch-depth: 1 + - name: Run Claude Code Review + if: steps.check.outputs.skip != 'true' uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} From 876acfcdd891c48afb009b163d21e58ab15a9803 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 16 Feb 2026 18:40:26 +0000 Subject: [PATCH 2/3] Initial plan From d5ace503ea2efbcc1dd128594028429bb1672163 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 16 Feb 2026 18:43:18 +0000 Subject: [PATCH 3/3] fix(ci): add changelog entry and improve workflow skip logic - Add missing CHANGELOG.md entry for workflow skip feature (CL-1) - Make "Minimize previous review comments" step conditional to avoid race condition - Add explicit skip=false to check step for clarity - Improve skip comment message (remove @copilot mention, clearer explanation) - Add commit reference link to CHANGELOG.md Co-authored-by: danielewood <23008560+danielewood@users.noreply.github.com> --- .github/workflows/claude-code-review.yml | 9 +++++++-- CHANGELOG.md | 2 ++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 24763b4..fbf1a5d 100644 
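Review bot: The re-added `uses: actions/checkout@v6` and the unchanged `uses: anthropics/claude-code-action@v1` both resolve through a mutable tag, in a job whose permissions (first hunk) include `id-token: write` and which passes `CLAUDE_CODE_OAUTH_TOKEN` to the action. Whatever commit those tags point at when the job runs is the code that executes with that token and OIDC permission. Pinning each reference to a full commit SHA and keeping the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, makes the executed code fixed and reviewable. The `with:` block of the "Run Claude Code Review" step continues outside the hunk.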
--- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -25,9 +25,12 @@ jobs: if gh -R ${{ github.repository }} pr diff ${{ github.event.pull_request.number }} --name-only | grep -q '^\.github/workflows/claude-code-review\.yml$'; then echo "skip=true" >> "$GITHUB_OUTPUT" echo "::notice::Skipping Claude review — workflow file was modified (OAuth validation will fail)" + else + echo "skip=false" >> "$GITHUB_OUTPUT" fi - name: Minimize previous review comments + if: steps.check.outputs.skip != 'true' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | @@ -51,9 +54,11 @@ jobs: gh -R ${{ github.repository }} pr comment ${{ github.event.pull_request.number }} \ --body "## Code review - Skipped — this PR modifies \`claude-code-review.yml\`. The OAuth token exchange requires the workflow file to match the default branch, so the review cannot run until this change is merged. + ⏭️ **Skipped** — This PR modifies \`claude-code-review.yml\`. + + The Claude Code Action OAuth flow validates that the workflow file matches the default branch exactly. PRs that modify this file will always fail the OAuth validation until merged. - @copilot please review this pull request." + Manual review or alternative review tools should be used for this change." - name: Checkout repository if: steps.check.outputs.skip != 'true' diff --git a/CHANGELOG.md b/CHANGELOG.md index 946ed87..71fda73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
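Review bot: The new `else` branch writes `skip=false` whenever the `if` pipeline is false, and that includes `gh pr diff` itself failing (API error, token problem), because a failed `gh` leaves `grep -q` with nothing to match. A failed lookup is then indistinguishable from "workflow file not modified", and the job goes on to the minimize and review steps. Running the lookup as its own statement lets the runner's default `bash -e` stop the step instead: `files="$(gh -R ${{ github.repository }} pr diff ${{ github.event.pull_request.number }} --name-only)"` followed by `if grep -q '^\.github/workflows/claude-code-review\.yml$' <<<"$files"; then`. The `run:` block starts above the hunk.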
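Review bot: The "Post skip comment" step adds a new `## Code review` comment on every run that takes the skip path, and with the minimize step now gated on `skip != 'true'` (previous hunk) nothing collapses the earlier ones. If the workflow is triggered on each push to the pull request (the `on:` block is not in the diff), a PR that touches the workflow file accumulates one identical comment per push. Checking for an existing skip comment before posting, or letting the minimize step run on the skip path with a filter limited to this workflow's own comments, avoids that.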
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add `require_tool()` guard in `checks.py` for `go`, `gh` — gives clear errors when tools are missing locally - Add Claude Code automatic PR review and `@claude` mention workflows - Add Copilot review instructions (`.github/copilot-instructions.md`) with project coding standards +- Add early skip check to Claude Code review workflow when `claude-code-review.yml` is modified to avoid OAuth validation failures ([`999d988`]) ### Tests @@ -544,6 +545,7 @@ Initial release. [`a62908f`]: https://github.com/sensiblebit/certkit/commit/a62908f [`55b5c1e`]: https://github.com/sensiblebit/certkit/commit/55b5c1e [`8cf81d9`]: https://github.com/sensiblebit/certkit/commit/8cf81d9 +[`999d988`]: https://github.com/sensiblebit/certkit/commit/999d988 [#24]: https://github.com/sensiblebit/certkit/pull/24 [#25]: https://github.com/sensiblebit/certkit/pull/25 [#26]: https://github.com/sensiblebit/certkit/pull/26