fix: Upgrade claude-code-action to v1.0.28 to fix installer race condition

[rjmurillo-bot]

Summary

Fixes #804

Resolves Claude Code Assistant workflow failures caused by a race condition in the claude-code-action installer.

Problem

The Claude Code Assistant workflow failed with "another process is currently installing Claude" error after 3 installation attempts.

Root Cause: Race condition in claude-code-action v1.0.27 where:

1. Installation timeout (120s) kills the shell but not the installer process
2. Orphaned installer holds a lock file
3. Retry attempts fail due to lock

Timeline from failed run (20737935687):

• 04:22:58 - Attempt 1 starts
• 04:24:58 - 120s timeout kills shell (installer continues in background)
• 04:25:03 - Attempt 2 fails: "another process is currently installing Claude"
• 04:25:22 - Attempt 3 fails: same error

Solution

Upgraded claude-code-action from v1.0.27 to v1.0.28 (released 2026-01-05).

v1.0.28 release notes specifically mention:

"Bug fixes for orphaned installer processes and SDK path handling"

This directly addresses the race condition we encountered.

Changes

• .github/workflows/claude.yml: Updated action from v1.0.27 (commit 7145c3e) to v1.0.28 (commit c9ec2b0)
• Added comment explaining the fix and linking to Issue Add OpenAI Codex MCP support to Sync-McpConfig.ps1 #804

Verification

The next workflow run will use v1.0.28 with the installer bug fix. The workflow should complete successfully.

References

• Issue Add OpenAI Codex MCP support to Sync-McpConfig.ps1 #804: Add OpenAI Codex MCP support to Sync-McpConfig.ps1
• Failed workflow: https://github.com/rjmurillo/ai-agents/actions/runs/20737935687
• v1.0.28 release: https://github.com/anthropics/claude-code-action/releases/tag/v1.0.28
• Session log: .agents/sessions/2026-01-05-session-374-issue-804-debug.md
• Investigation details: Add OpenAI Codex MCP support to Sync-McpConfig.ps1 #804 (comment)

Test Plan

• Root cause analysis completed
• Workflow updated to v1.0.28
• Changes committed and pushed
• CI workflow completes successfully (will verify after merge)
• Issue Add OpenAI Codex MCP support to Sync-McpConfig.ps1 #804 workflow can proceed with Codex MCP implementation

🤖 Generated with Claude Code

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[github-actions]

AI Quality Gate Review

Tip

✅ Final Verdict: PASS

Walkthrough

This PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:

• Security Agent: Scans for vulnerabilities, secrets exposure, and security anti-patterns
• QA Agent: Evaluates test coverage, error handling, and code quality
• Analyst Agent: Assesses code quality, impact analysis, and maintainability
• Architect Agent: Reviews design patterns, system boundaries, and architectural concerns
• DevOps Agent: Evaluates CI/CD, build pipelines, and infrastructure changes
• Roadmap Agent: Assesses strategic alignment, feature scope, and user value

Review Summary

Agent	Verdict	Category	Status
Security	PASS	N/A	✅
QA	PASS	N/A	✅
Analyst	PASS	N/A	✅
Architect	PASS	N/A	✅
DevOps	PASS	N/A	✅
Roadmap	PASS	N/A	✅

💡 Quick Access: Click on individual agent jobs (e.g., "🔒 security Review", "🧪 qa Review") in the workflow run to see detailed findings and step summaries.

Security Review Details

Security Review: PR #805

PR Type Classification

File	Category	Security Scrutiny
.agents/sessions/2026-01-05-session-374-issue-804-debug.md	DOCS	None required
.github/workflows/claude.yml	WORKFLOW	Injection, secrets, permissions
.serena/memories/ci-infrastructure-claude-code-action-installer-race-condition.md	DOCS	None required

Findings

Severity	Category	Finding	Location	CWE
-	-	No security issues found	-	-

Analysis

Workflow Change Review:

1. Action pinning: Change from @7145c3e0510bcdbdd29f67cc4a8c1958f1acfa2f (v1.0.27) to @c9ec2b02b40ac0444c6716e51d5e19ef2e0b8d00 (v1.0.28) [PASS]

   • Action pinned to full commit SHA (40 chars)
   • Source: anthropics/claude-code-action (verified vendor)
   • Comment documents version and release URL

2. Permissions: Unchanged from baseline [PASS]

3. Secrets handling: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} properly masked [PASS]

4. Input injection: No untrusted inputs flow into the action change [PASS]

Documentation Files:

• Session log and memory files contain only debugging documentation
• No real credentials or sensitive data exposed
• Example code snippets use proper placeholder patterns

Recommendations

None required.

Verdict

VERDICT: PASS
MESSAGE: Action upgrade from v1.0.27 to v1.0.28 uses proper SHA pinning from trusted vendor. No security issues.

Architect Review Details

Design Quality Assessment

Aspect	Rating (1-5)	Notes
Pattern Adherence	5	Follows existing workflow patterns with pinned commits and version comments
Boundary Respect	5	Change scoped to CI configuration; no logic introduced into YAML per ADR-006
Coupling	5	External dependency managed via version pinning with explicit commit hash
Cohesion	5	Single-purpose change: version upgrade to fix known bug
Extensibility	5	No impact on extensibility

Overall Design Score: 5/5

Architectural Concerns

Severity	Concern	Location	Recommendation
None	-	-	-

Breaking Change Assessment

• Breaking Changes: No
• Impact Scope: None
• Migration Required: No
• Migration Path: N/A

Technical Debt Analysis

• Debt Added: None
• Debt Reduced: Low (resolves flaky CI caused by upstream bug)
• Net Impact: Improved

ADR Assessment

• ADR Required: No
• Decisions Identified: None. This is a patch version upgrade to a third-party action that fixes a bug. No new patterns, frameworks, or architectural trade-offs introduced.
• Existing ADR: ADR-006 (logic in PowerShell, not YAML) remains respected
• Recommendation: N/A

Recommendations

1. None. The change is minimal, well-documented, and follows established patterns.

Verdict

VERDICT: PASS
MESSAGE: Minimal version upgrade to fix documented upstream bug. No architectural impact. ADR-006 compliance maintained.

Roadmap Review Details

Based on my review of the PR and product roadmap, I can now provide the strategic alignment assessment.

Strategic Alignment Assessment

Criterion	Rating	Notes
Aligns with project goals	High	Enables multi-agent workflows by fixing CI infrastructure that blocks development
Priority appropriate	High	Blocking bug fix takes precedence; resolves active CI failure
User value clear	High	Restores workflow functionality for all contributors
Investment justified	High	Minimal change (1 line + 1 comment) resolves complete CI blockage

Feature Completeness

• Scope Assessment: Right-sized
• Ship Ready: Yes
• MVP Complete: Yes
• Enhancement Opportunities: None needed; upstream fix is the correct approach

Impact Analysis

Dimension	Assessment	Notes
User Value	High	Unblocks Issue #804 and all Claude Code Assistant workflow runs
Business Impact	High	CI reliability is foundational; workflow failures block all contributors
Technical Leverage	High	Vendor fix avoids custom workarounds; zero maintenance burden added
Competitive Position	Neutral	Infrastructure maintenance, not differentiating feature

Concerns

Priority	Concern	Recommendation
Low	Pin uses commit SHA not tag	Acceptable per existing pattern; ensures reproducibility

Recommendations

1. Merge promptly to unblock Issue Add OpenAI Codex MCP support to Sync-McpConfig.ps1 #804 workflow
2. Monitor first workflow run to confirm v1.0.28 resolves the race condition
3. Session log and Serena memory provide good reference for future CI debugging

Verdict

VERDICT: PASS
MESSAGE: Surgical bug fix. Minimal change resolves complete CI blockage. Upstream vendor fix is the correct approach. Aligns with platform priority hierarchy (Claude Code P0).

Analyst Review Details

I confirmed the fix commit. Now I have enough information to complete the analysis.

---

Analyst Review: PR #805 - Upgrade claude-code-action to v1.0.28

Code Quality Score

Criterion	Score (1-5)	Notes
Readability	5	Single-line change with clear comment explaining purpose
Maintainability	5	Standard version pin pattern with SHA for reproducibility
Consistency	5	Follows existing pattern of pinning actions by SHA with version comment
Simplicity	5	Minimal change to address specific issue

Overall: 5/5

Impact Assessment

• Scope: Isolated (single workflow file)
• Risk Level: Low
• Affected Components: .github/workflows/claude.yml, CI workflow execution

Findings

Priority	Category	Finding	Location
Low	Documentation	Session log adds 297 lines of investigation notes	.agents/sessions/2026-01-05-session-374-issue-804-debug.md
Low	Documentation	Serena memory adds 104 lines for future reference	.serena/memories/ci-infrastructure-claude-code-action-installer-race-condition.md

Verification

• [PASS] Commit SHA c9ec2b02b40ac0444c6716e51d5e19ef2e0b8d00 verified in anthropics/claude-code-action repository
• [PASS] Commit 63ea7e31 in v1.0.28 includes fix: "prevent orphaned installer processes from blocking retries"
• [PASS] Fix adds --foreground and --kill-after=10 flags to timeout command, addressing exact root cause

Recommendations

1. None required. The upgrade is targeted and verified.

Verdict

VERDICT: PASS
MESSAGE: Minimal, verified dependency upgrade fixes documented race condition. SHA pinning follows project conventions.

DevOps Review Details

Pipeline Impact Assessment

Area	Impact	Notes
Build	None	No build process changes
Test	None	No test configuration changes
Deploy	None	No deployment changes
Cost	None	Same runner, same job structure

CI/CD Quality Checks

Check	Status	Location
YAML syntax valid	✅	.github/workflows/claude.yml
Actions pinned to SHA	✅	Line 119: pinned to c9ec2b02b40ac0444c6716e51d5e19ef2e0b8d00
Secrets secure	✅	Line 121: uses ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
Permissions scoped	✅	Lines 27-34: explicit permissions
Version comment accurate	✅	Line 117-118: comment matches v1.0.28 with issue reference

Findings

Severity	Category	Finding	Location	Fix
None	-	No issues found	-	-

The change is minimal and correct:

1. Action upgraded from v1.0.27 (SHA 7145c3e) to v1.0.28 (SHA c9ec2b0)
2. Version comment updated with release link
3. Added context comment linking to Issue Add OpenAI Codex MCP support to Sync-McpConfig.ps1 #804
4. SHA pinning maintained (security best practice)

Template Assessment

• PR Template: Not in scope
• Issue Templates: Not in scope
• Template Issues: N/A

Automation Opportunities

Opportunity	Type	Benefit	Effort
None identified	-	-	-

Recommendations

1. The session log and Serena memory are documentation artifacts, not CI concerns.

VERDICT: PASS
MESSAGE: Action version upgrade from v1.0.27 to v1.0.28 is correctly implemented with SHA pinning and appropriate documentation. Addresses installer race condition fix.

QA Review Details

VERDICT: PASS
MESSAGE: Workflow configuration change upgrades action version with no executable code changes requiring tests.

PR TYPE: WORKFLOW + DOCS
FILES:
- WORKFLOW: .github/workflows/claude.yml (1 file - version pin update)
- DOCS: .agents/sessions/2026-01-05-session-374-issue-804-debug.md (session log)
- DOCS: .serena/memories/ci-infrastructure-claude-code-action-installer-race-condition.md (memory)

EVIDENCE:
- Tests found: N/A - version pin change only, no new executable code
- Edge cases: N/A - no logic changes
- Error handling: N/A - no logic changes
- Blocking issues: 0

ANALYSIS:

1. **Scope of Change**: The workflow change is a version pin update from v1.0.27 (7145c3e) to v1.0.28 (c9ec2b0). This is a dependency version bump with no logic changes to the workflow YAML itself.

2. **No Executable Code Added**: The changed line updates an action reference and adds a comment. Per ADR-006 compliance noted in the workflow, logic lives in PowerShell scripts which have separate tests.

3. **Session Log Quality**: The session documentation includes:
   - Root cause analysis with timeline
   - Evidence from failed workflow run
   - Investigation of alternative solutions
   - Clear resolution path

4. **Commit Hash Verification**: The new commit hash (c9ec2b02b40ac0444c6716e51d5e19ef2e0b8d00) is pinned correctly with release notes reference.

5. **No Test Requirements**: Version pin changes to external actions do not require test coverage. The action itself is tested by Anthropic.

QUALITY CONCERNS:

| Severity | Issue | Location | Evidence | Required Fix |
|----------|-------|----------|----------|--------------|
| LOW | Consider adding version comment inline | .github/workflows/claude.yml:119 | Comment on line 117-118 is good but could include version hash comment | Optional |

REGRESSION RISK ASSESSMENT:
- **Risk Level**: Low - version upgrade to fix a bug, no breaking changes per release notes
- **Affected Components**: Claude Code Assistant workflow only
- **Breaking Changes**: None - v1.0.28 is a patch release
- **Required Testing**: CI workflow execution will verify fix (documented in PR test plan)

---

Run Details

Property	Value
Run ID	20738523588
Triggered by	pull_request on 805/merge
Commit	76343c5b295cae5f0d7a11c2ed8462916138c204

_{Powered by AI Quality Gate workflow}

[github-actions]

PR Validation Report

Note

✅ Status: PASS

Description Validation

Check	Status
Description matches diff	PASS

QA Validation

Check	Status
Code changes detected	True
QA report exists	false

⚡ Warnings

• QA report not found for code changes (recommended before merge)

---

_{Powered by PR Validation workflow}

[Copilot]

Pull request overview

This PR resolves a CI/CD failure by upgrading the claude-code-action from v1.0.27 to v1.0.28 to fix a race condition in the installer that caused workflow failures. The race condition occurred when installation timeouts killed the shell process but left the installer running in the background, causing subsequent retry attempts to fail due to lock file conflicts.

Key changes:

• Upgraded claude-code-action to v1.0.28 which includes a fix for orphaned installer processes
• Documented the root cause analysis and resolution in session logs and Serena memory
• Added explanatory comments linking the fix to Issue #804

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
.github/workflows/claude.yml	Updated claude-code-action from v1.0.27 (commit 7145c3e) to v1.0.28 (commit c9ec2b0) with explanatory comment
.agents/sessions/2026-01-05-session-374-issue-804-debug.md	Comprehensive session log documenting the investigation, root cause analysis, and resolution of the installer race condition
.serena/memories/ci-infrastructure-claude-code-action-installer-race-condition.md	Knowledge base entry documenting the race condition issue, symptoms, resolution, and prevention strategies for future reference