
Replace gh-aw workflow with claude-code-action for vault secrets #2544

Merged
skl merged 2 commits into main from skl/fix-ci-workflow on Feb 23, 2026

Conversation

@skl (Member) commented Feb 23, 2026

Summary

Replaces the gh-aw (GitHub Agentic Workflow) with a plain GitHub Actions workflow using anthropics/claude-code-action@v1. This solves a fundamental incompatibility with HashiCorp Vault-sourced secrets (example failure).

Problem: gh-aw's compiler hardcodes ${{ secrets.ANTHROPIC_API_KEY }} in validate and execution steps. When secrets come from Vault (exported to $GITHUB_ENV), GitHub Actions step-level env: takes precedence, overriding the Vault value with an empty one. This broke both the agent job and the auto-generated detection job.

Solution: Pass vault-exported secrets directly to claude-code-action via ${{ env.ANTHROPIC_API_KEY }}. The new workflow:

  • ✅ Vault integration works natively
  • ✅ Enables use_commit_signing for secure API-based commits to PR branches
  • ✅ Restricts git tools to read-only operations (log, diff, show, status, submodule)
  • ✅ Single job replacing 6-job pipeline with native PR commenting
  • ✅ Passes zizmor security audit (pedantic mode)
  • ✅ Maintains all OBI analysis capabilities with explicit safety constraints

Files changed: Deleted 1226 lines (gh-aw source + compiled output), added 109 lines (new workflow).

🤖 Generated with Claude Code

Requires:

Replaces the gh-aw (GitHub Agentic Workflow) with a plain GitHub Actions workflow using anthropics/claude-code-action@v1. This solves vault-sourced secret handling where gh-aw's compiler hardcodes ${{ secrets.ANTHROPIC_API_KEY }} (empty with vault), blocking both the agent and detection jobs. The new workflow:

- Passes vault-exported ANTHROPIC_API_KEY directly to claude-code-action via ${{ env.ANTHROPIC_API_KEY }}
- Enables use_commit_signing for secure API-based commits to the PR branch
- Restricts git tools to read-only operations (log, diff, show, status)
- Eliminates the 6-job pipeline (detection, safe_outputs, conclusion) with claude-code-action's native PR commenting
- Passes zizmor security audit (pedantic mode)
- Maintains all OBI analysis capabilities with explicit safety constraints

Closes gh-aw limitations with vault while improving security via minimal permissions and read-only git access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@skl skl requested a review from a team as a code owner February 23, 2026 15:32
@skl skl added the agent/fix-obi Trigger agentic workflow to fix obi's breaking changes label Feb 23, 2026
The action's built-in OIDC exchange requires the Claude Code GitHub App
(github.com/apps/claude) to be installed on the repo. Instead, use
grafana's create-github-app-token to get a token from grafana-beyla-bot
(same pattern as bot_sync-obi-submodule.yml) and pass it via github_token
to bypass the built-in app authentication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
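The env-precedence failure described in the PR body and the app-token pattern from the second commit message, shown together as an added illustration. This is not the 109-line workflow the PR adds (that file is not on this page) and not code from the Beyla/OBI project: it is a minimal job in which a Vault step exports the key to $GITHUB_ENV, an app-token step mints a short-lived installation token, and claude-code-action receives both. The Vault step body and its secret path, the choice of actions/create-github-app-token as "grafana's create-github-app-token", the BOT_APP_ID / BOT_PRIVATE_KEY secret names and the claude_args tool allow-list are assumptions; anthropic_api_key, github_token and use_commit_signing are inputs that claude-code-action accepts, the last two being the ones the PR itself names.

```yaml
# Added example, not the workflow from this PR. Shows why a step-level `env:`
# entry silently beats a value exported through $GITHUB_ENV, and the pattern
# that works when the secret only exists in Vault.
name: obi-agent (illustrative)

on:
  pull_request:
    types: [labeled]

permissions:
  contents: read        # least privilege; any writes go through the app token
  pull-requests: write  # lets the action comment on the PR

jobs:
  agent:
    if: github.event.label.name == 'agent/fix-obi'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # zizmor flags the default of true

      # ASSUMPTION: stand-in for the org's own Vault action. Whatever fetches
      # the secret must (a) mask it before it can appear in logs and (b) append
      # it to $GITHUB_ENV so later steps see it as an ordinary env var.
      - name: Fetch ANTHROPIC_API_KEY from Vault (placeholder)
        run: |
          key="$(vault kv get -field=api_key secret/ci/anthropic)"   # hypothetical path
          echo "::add-mask::${key}"
          echo "ANTHROPIC_API_KEY=${key}" >> "$GITHUB_ENV"

      # ASSUMPTION: app id / private key secret names are placeholders.
      # A short-lived installation token avoids installing the Claude GitHub
      # App and scopes what the agent can do to this one repository.
      - name: Mint bot token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
          repositories: ${{ github.event.repository.name }}

      # BROKEN (what the gh-aw compiler emitted): a step-level env: entry wins
      # over the $GITHUB_ENV value, and secrets.ANTHROPIC_API_KEY expands to ""
      # when the key lives only in Vault, so the action runs with an empty key.
      #
      # - uses: anthropics/claude-code-action@v1
      #   env:
      #     ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

      # FIXED: read the Vault-exported value from the env context instead.
      - name: Run agent
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ env.ANTHROPIC_API_KEY }}
          github_token: ${{ steps.app-token.outputs.token }}
          use_commit_signing: true   # commits via the API, signed as the app
          # ASSUMPTION: allow-list syntax; keeps git read-only as the PR does
          claude_args: >-
            --allowedTools "Bash(git log:*),Bash(git diff:*),Bash(git show:*),Bash(git status:*),Bash(git submodule:*)"
```

Two caveats worth checking in any workflow built this way. First, a value appended to $GITHUB_ENV is not a GitHub secret: every later step in the job, including third-party actions, can read it, so pin the actions that follow it and keep the job short. Second, `::add-mask::` only affects log output after it runs; the Vault step itself must not echo the value (for example via `set -x`) before masking it.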
@skl skl removed the agent/fix-obi Trigger agentic workflow to fix obi's breaking changes label Feb 23, 2026
@grcevski (Contributor) left a comment

LGTM!

@skl skl added agent/fix-obi Trigger agentic workflow to fix obi's breaking changes and removed agent/fix-obi Trigger agentic workflow to fix obi's breaking changes labels Feb 23, 2026
@codecov-commenter commented

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.68%. Comparing base (9b60bc9) to head (e0cb81c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2544      +/-   ##
==========================================
+ Coverage   48.62%   48.68%   +0.06%     
==========================================
  Files          53       53              
  Lines        4027     4028       +1     
==========================================
+ Hits         1958     1961       +3     
+ Misses       1934     1933       -1     
+ Partials      135      134       -1     
Flag        Coverage Δ
unittests   48.68% <ø> (+0.06%) ⬆️


@skl skl merged commit 7b93668 into main Feb 23, 2026
17 of 19 checks passed
@skl skl deleted the skl/fix-ci-workflow branch February 23, 2026 16:52

Labels

agent/fix-obi Trigger agentic workflow to fix obi's breaking changes


3 participants