docs: document include/exclude_comments_by_actor inputs #1130

Merged
ashwin-ant merged 2 commits into anthropics:main from yuribodo:docs/document-comment-filter-inputs
Apr 5, 2026
@yuribodo
Contributor

Summary

  • Add include_comments_by_actor and exclude_comments_by_actor to the inputs table in docs/usage.md
  • Reference comment filtering as a prompt injection mitigation in the "Prompt Injection Risks" section of docs/security.md

These inputs were implemented in #812 and tracked in #845, but the documentation was never updated.

Fixes #972

…r inputs

These inputs were added in anthropics#812 but never documented in usage.md or
security.md. This adds them to the inputs table in usage.md and
references comment filtering as a prompt injection mitigation in
security.md.

Fixes anthropics#972
@km-anthropic
Collaborator

@claude review

Contributor

@claude claude Bot left a comment

LGTM — straightforward docs-only change that correctly documents existing inputs.

Extended reasoning...

Overview

This PR adds documentation for two existing inputs (include_comments_by_actor and exclude_comments_by_actor) that were implemented in #812 but never documented. Changes are limited to two markdown files: docs/usage.md (two new rows in the inputs table) and docs/security.md (one new paragraph in the Prompt Injection Risks section).

Security risks

None. This is purely documentation — no code, configuration, or logic changes. The descriptions in the docs accurately match the existing action.yml input descriptions.

Level of scrutiny

Minimal scrutiny needed. Documentation-only changes with no functional impact. The new text is consistent with the existing style and accurately reflects the implemented behavior.

Other factors

The one bug report filed is a nit about "Supports wildcards" (plural) being slightly misleading since only *[bot] is supported — but as the report itself notes, this wording is pre-existing in action.yml and not introduced by this PR. The PR faithfully reproduces the existing description, which is the correct approach for a documentation PR. Fixing the wording inconsistency would be a separate concern.

Comment thread docs/usage.md Outdated
Comment on lines +79 to +80
| `include_comments_by_actor` | Comma-separated list of actor usernames to INCLUDE in comments. Supports wildcards: `*[bot]` matches all bots. Empty (default) includes all actors | No | "" |
| `exclude_comments_by_actor` | Comma-separated list of actor usernames to EXCLUDE from comments. Supports wildcards: `*[bot]` matches all bots. If an actor matches both lists, exclusion takes priority | No | "" |
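Review bot: In both added rows (+79 and +80) the description does not say how entries other than `*[bot]` are compared. Per the matching logic quoted in this thread (`actor === pattern`), they are strict, case-sensitive equality checks, so a mistyped or glob-style entry filters nothing and raises no error. Suggest appending "All other entries must match the username exactly" to each description, since docs/security.md points to these inputs as a prompt injection mitigation.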
Contributor

🟡 Nit: "Supports wildcards" (plural) is slightly misleading — the implementation in actor-filter.ts only supports the single hardcoded pattern *[bot] via exact string comparison, not general glob/wildcard matching. Consider "Supports the *[bot] wildcard" for precision. This wording is pre-existing from action.yml, not introduced by this PR.

Extended reasoning...

What the bug is

The documentation for both include_comments_by_actor and exclude_comments_by_actor says "Supports wildcards: *[bot] matches all bots", using the plural "wildcards" which implies general wildcard/glob pattern support.

How the implementation actually works

Looking at src/github/utils/actor-filter.ts line 26, the matching logic is:

```ts
if (pattern === "*[bot]" && actor.endsWith("[bot]")) return true;
```

This is a hardcoded exact string comparison against the literal pattern *[bot] — it does not implement any general wildcard or glob matching. The function only supports two matching modes: exact match (actor === pattern) and this single special-cased bot pattern.

Step-by-step proof

Consider a user who reads "Supports wildcards" and configures:

```yaml
exclude_comments_by_actor: "deploy*,*-ci"
```

  1. parseActorFilter splits this into ["deploy*", "*-ci"]
  2. For an actor like deploy-bot, matchesActorPattern checks: "deploy-bot" === "deploy*" → false, then "deploy*" === "*[bot]" → false → returns false
  3. For an actor like github-ci, matchesActorPattern checks: "github-ci" === "*-ci" → false, then "*-ci" === "*[bot]" → false → returns false
  4. Neither pattern matches, and the comments are silently included despite the user expecting them to be filtered out

Impact

Users reading "Supports wildcards" would reasonably try patterns like deploy* or *-ci to match actor usernames that don't follow the [bot] suffix convention. These patterns would silently fail with no error or warning, leading to unexpected behavior in comment filtering.

Pre-existing nature

This wording originates in action.yml (lines 48 and 52) which already had the same "Supports wildcards" phrasing before this PR. The PR faithfully reproduces the existing description into user-facing documentation, where it will reach more users.

Suggested fix

Change "Supports wildcards: *[bot] matches all bots" to something more precise like "Supports the *[bot] wildcard to match all bot accounts" — both here in docs/usage.md and ideally in action.yml as well.
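
The matching rules described in the comment above, as an added TypeScript example that is not the project's actor-filter.ts: it re-implements exact match plus the single `*[bot]` case, applies exclusion priority, and adds a check that flags entries which filter nothing, so a filter relied on as a prompt injection mitigation does not fail silently. All function names and the sample actors are hypothetical, and trimming whitespace around commas is an assumption.

```typescript
// Added example; names are hypothetical, not the project's actor-filter.ts.
const BOT_WILDCARD = "*[bot]";
const BOT_SUFFIX = "[bot]";

// Split the comma-separated input. Trimming and dropping empties is assumed.
function parseFilter(input: string): string[] {
  return input
    .split(",")
    .map((p) => p.trim())
    .filter((p) => p.length > 0);
}

// Two modes only: the literal "*[bot]" pattern, or strict username equality.
function matchesPattern(actor: string, pattern: string): boolean {
  if (pattern === BOT_WILDCARD) {
    return actor.slice(-BOT_SUFFIX.length) === BOT_SUFFIX;
  }
  return actor === pattern;
}

// Empty include list admits every actor; exclusion wins when both lists match.
function shouldIncludeComment(
  actor: string,
  include: string[],
  exclude: string[],
): boolean {
  if (exclude.some((p) => matchesPattern(actor, p))) return false;
  return include.length === 0 || include.some((p) => matchesPattern(actor, p));
}

// Lint: an entry containing "*" other than "*[bot]" is compared literally,
// so it filters nothing. Surface it instead of failing silently.
function deadPatterns(patterns: string[]): string[] {
  return patterns.filter((p) => p.indexOf("*") !== -1 && p !== BOT_WILDCARD);
}

// Constructed sample: the misconfiguration from the review comment plus "*[bot]".
function demo(): { kept: string[]; warnings: string[] } {
  const exclude = parseFilter("deploy*, *-ci, *[bot]");
  const commenters = ["deploy-bot", "github-ci", "dependabot[bot]", "alice"];
  return {
    kept: commenters.filter((a) => shouldIncludeComment(a, [], exclude)),
    warnings: deadPatterns(exclude),
  };
}
```

Running `deadPatterns` over both inputs in a workflow pre-check turns the silent miss into a visible configuration error.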

Address review feedback: "Supports wildcards" was misleading since
only the *[bot] pattern is supported, not general glob matching.
@ashwin-ant ashwin-ant merged commit 27f549a into anthropics:main Apr 5, 2026
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Apr 13, 2026
Bumps the github-actions group with 2 updates: [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact).
Updates `anthropics/claude-code-action` from 1.0.88 to 1.0.93
Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.93
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.93>
>
> v1.0.92
> -------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.92>
>
> v1.0.91
> -------
>
> What's Changed
> --------------
>
> * Use pinned bun binary for post-steps when allowed\_non\_write\_users is set by [`@​OctavianGuzu`](https://github.com/OctavianGuzu) in [anthropics/claude-code-action#1190](https://redirect.github.com/anthropics/claude-code-action/pull/1190)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.91>
>
> v1.0.90
> -------
>
> What's Changed
> --------------
>
> * fix: forward MCP\_TIMEOUT, MCP\_TOOL\_TIMEOUT, MAX\_MCP\_OUTPUT\_TOKENS to action step by [`@​qozle`](https://github.com/qozle) in [anthropics/claude-code-action#1162](https://redirect.github.com/anthropics/claude-code-action/pull/1162)
> * security: reject PATH\_TO\_CLAUDE\_CODE\_EXECUTABLE with control characters by [`@​qozle`](https://github.com/qozle) in [anthropics/claude-code-action#1185](https://redirect.github.com/anthropics/claude-code-action/pull/1185)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.90>
>
> v1.0.89
> -------
>
> What's Changed
> --------------
>
> * fix: skip token revocation when no token was acquired by [`@​Dave-London`](https://github.com/Dave-London) in [anthropics/claude-code-action#918](https://redirect.github.com/anthropics/claude-code-action/pull/918)
> * Use env vars for workflow\_run context values in example workflows by [`@​ddworken`](https://github.com/ddworken) in [anthropics/claude-code-action#1125](https://redirect.github.com/anthropics/claude-code-action/pull/1125)
> * docs: document include/exclude\_comments\_by\_actor inputs by [`@​yuribodo`](https://github.com/yuribodo) in [anthropics/claude-code-action#1130](https://redirect.github.com/anthropics/claude-code-action/pull/1130)
> * fix: use correct fallback type for reviewData in fetcher by [`@​MaxwellCalkin`](https://github.com/MaxwellCalkin) in [anthropics/claude-code-action#1034](https://redirect.github.com/anthropics/claude-code-action/pull/1034)
> * Strip OIDC token request env vars from Claude session by [`@​chyipin`](https://github.com/chyipin) in [anthropics/claude-code-action#1011](https://redirect.github.com/anthropics/claude-code-action/pull/1011)
> * fix: skip retries for non-retryable errors in retryWithBackoff by [`@​ei-grad`](https://github.com/ei-grad) in [anthropics/claude-code-action#1082](https://redirect.github.com/anthropics/claude-code-action/pull/1082)
> * fix: restore ripgrep execute bits after bun install --production by [`@​qozle`](https://github.com/qozle) in [anthropics/claude-code-action#1163](https://redirect.github.com/anthropics/claude-code-action/pull/1163)
> * fix: allow # in branch names for PR checkout and base restore by [`@​qozle`](https://github.com/qozle) in [anthropics/claude-code-action#1167](https://redirect.github.com/anthropics/claude-code-action/pull/1167)
> * fix: prevent hang in restoreConfigFromBase on repos with .gitmodules by [`@​qozle`](https://github.com/qozle) in [anthropics/claude-code-action#1166](https://redirect.github.com/anthropics/claude-code-action/pull/1166)
> * fix: strip shell comment lines before parsing claude\_args by [`@​VoidChecksum`](https://github.com/VoidChecksum) in [anthropics/claude-code-action#1055](https://redirect.github.com/anthropics/claude-code-action/pull/1055)
> * fix: snapshot PR's .claude/ to .claude-pr/ before security restore by [`@​qozle`](https://github.com/qozle) in [anthropics/claude-code-action#1172](https://redirect.github.com/anthropics/claude-code-action/pull/1172)
> * chore: fix prettier formatting by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1171](https://redirect.github.com/anthropics/claude-code-action/pull/1171)
> * chore: fix prettier formatting in parse-sdk-options.test.ts by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1176](https://redirect.github.com/anthropics/claude-code-action/pull/1176)
> * fix: pin bun runtime config and improve log hygiene by [`@​ashwin-ant`](https://github.com/ashwin-ant) in [anthropics/claude-code-action#1174](https://redirect.github.com/anthropics/claude-code-action/pull/1174)
>
> New Contributors
> ----------------
>
> * [`@​yuribodo`](https://github.com/yuribodo) made their first contribution in [anthropics/claude-code-action#1130](https://redirect.github.com/anthropics/claude-code-action/pull/1130)
> * [`@​MaxwellCalkin`](https://github.com/MaxwellCalkin) made their first contribution in [anthropics/claude-code-action#1034](https://redirect.github.com/anthropics/claude-code-action/pull/1034)
> * [`@​chyipin`](https://github.com/chyipin) made their first contribution in [anthropics/claude-code-action#1011](https://redirect.github.com/anthropics/claude-code-action/pull/1011)
> * [`@​ei-grad`](https://github.com/ei-grad) made their first contribution in [anthropics/claude-code-action#1082](https://redirect.github.com/anthropics/claude-code-action/pull/1082)
> * [`@​qozle`](https://github.com/qozle) made their first contribution in [anthropics/claude-code-action#1163](https://redirect.github.com/anthropics/claude-code-action/pull/1163)
> * [`@​VoidChecksum`](https://github.com/VoidChecksum) made their first contribution in [anthropics/claude-code-action#1055](https://redirect.github.com/anthropics/claude-code-action/pull/1055)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.89>


Commits

* [`b47fd72`](anthropics/claude-code-action@b47fd72) chore: bump Claude Code to 2.1.101 and Agent SDK to 0.2.101
* [`c26cb64`](anthropics/claude-code-action@c26cb64) chore: bump Claude Code to 2.1.100 and Agent SDK to 0.2.98
* [`657fb7c`](anthropics/claude-code-action@657fb7c) chore: bump Claude Code to 2.1.98 and Agent SDK to 0.2.98
* [`2ff1acb`](anthropics/claude-code-action@2ff1acb) chore: bump Claude Code to 2.1.97 and Agent SDK to 0.2.97
* [`b2fdd80`](anthropics/claude-code-action@b2fdd80) Use pinned bun binary for post-steps when allowed\_non\_write\_users is set ([#1190](https://redirect.github.com/anthropics/claude-code-action/issues/1190))
* [`26ddc35`](anthropics/claude-code-action@26ddc35) chore: bump Claude Code to 2.1.96 and Agent SDK to 0.2.96
* [`3983706`](anthropics/claude-code-action@3983706) chore: bump Claude Code to 2.1.94 and Agent SDK to 0.2.94
* [`6cad158`](anthropics/claude-code-action@6cad158) security: reject PATH\_TO\_CLAUDE\_CODE\_EXECUTABLE with control characters ([#1185](https://redirect.github.com/anthropics/claude-code-action/issues/1185))
* [`0f1fe5e`](anthropics/claude-code-action@0f1fe5e) fix: forward MCP\_TIMEOUT, MCP\_TOOL\_TIMEOUT, MAX\_MCP\_OUTPUT\_TOKENS to action s...
* [`6e2bd52`](anthropics/claude-code-action@6e2bd52) fix: pin bun runtime config and improve log hygiene ([#1174](https://redirect.github.com/anthropics/claude-code-action/issues/1174))
* Additional commits viewable in [compare view](anthropics/claude-code-action@1eddb33...b47fd72)
  
Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
Release notes

*Sourced from [actions/upload-artifact's releases](https://github.com/actions/upload-artifact/releases).*

> v7.0.1
> ------
>
> What's Changed
> --------------
>
> * Update the readme with direct upload details by [`@​danwkennedy`](https://github.com/danwkennedy) in [actions/upload-artifact#795](https://redirect.github.com/actions/upload-artifact/pull/795)
> * Readme: bump all the example versions to v7 by [`@​danwkennedy`](https://github.com/danwkennedy) in [actions/upload-artifact#796](https://redirect.github.com/actions/upload-artifact/pull/796)
> * Include changes in typespec/ts-http-runtime 0.3.5 by [`@​yacaovsnc`](https://github.com/yacaovsnc) in [actions/upload-artifact#797](https://redirect.github.com/actions/upload-artifact/pull/797)
>
> **Full Changelog**: <actions/upload-artifact@v7...v7.0.1>


Commits

* [`043fb46`](actions/upload-artifact@043fb46) Merge pull request [#797](https://redirect.github.com/actions/upload-artifact/issues/797) from actions/yacaovsnc/update-dependency
* [`634250c`](actions/upload-artifact@634250c) Include changes in typespec/ts-http-runtime 0.3.5
* [`e454baa`](actions/upload-artifact@e454baa) Readme: bump all the example versions to v7 ([#796](https://redirect.github.com/actions/upload-artifact/issues/796))
* [`74fad66`](actions/upload-artifact@74fad66) Update the readme with direct upload details ([#795](https://redirect.github.com/actions/upload-artifact/issues/795))
* See full diff in [compare view](actions/upload-artifact@bbbca2d...043fb46)
  