Implement new check permission for graceful skip of Claude Code response (#494)

* Implement new check permission for graceful skip of Claude Code response
2 weeks ago · 24cd33cca8
5 changed files with 39 additions and 35 deletions
--- a/.github/workflows/_check-permission.yml
+++ b/.github/workflows/_check-permission.yml
@ -20,9 +20,9 @@ on:
				@@ -20,9 +20,9 @@ on:
      user_permission:
        description: "The actual permission level of the user"
        value: ${{ jobs.check-permission.outputs.user_permission }}
-      should_skip:
-        description: "Whether subsequent jobs should be skipped"
-        value: ${{ jobs.check-permission.outputs.should_skip }}
+      should_proceed:
+        description: "Whether subsequent jobs should proceed"
+        value: ${{ jobs.check-permission.outputs.should_proceed }}

 permissions:
  contents: read
@ -34,7 +34,7 @@ jobs:
				@@ -34,7 +34,7 @@ jobs:
    outputs:
      has_permission: ${{ steps.check.outputs.has_permission }}
      user_permission: ${{ steps.check.outputs.user_permission }}
-      should_skip: ${{ steps.check.outputs.should_skip }}
+      should_proceed: ${{ steps.check.outputs.should_proceed }}
    steps:
      - name: Check out repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@ -56,7 +56,7 @@ jobs:
				@@ -56,7 +56,7 @@ jobs:
          REQUIRED: ${{ inputs.require_permission }}
          ACTUAL: ${{ steps.check.outputs.user_permission }}
          HAS_PERM: ${{ steps.check.outputs.has_permission }}
-          SHOULD_SKIP: ${{ steps.check.outputs.should_skip }}
+          SHOULD_PROCEED: ${{ steps.check.outputs.should_proceed }}
        run: |
          echo "🤖 Permission Check"
          echo "================================"
@ -64,4 +64,4 @@ jobs:
				@@ -64,4 +64,4 @@ jobs:
          echo "Required: $REQUIRED"
          echo "Actual: $ACTUAL"
          echo "Has permission: $HAS_PERM"
-          echo "Should skip: $SHOULD_SKIP"
+          echo "Should proceed: $SHOULD_PROCEED"
--- a/.github/workflows/_respond.yml
+++ b/.github/workflows/_respond.yml
@ -13,15 +13,19 @@ on:
				@@ -13,15 +13,19 @@ on:
 permissions: {}

 jobs:
-  check-run:
-    name: Check PR run
-    uses: ./.github/workflows/check-run.yml
+  check-permission:
+    name: Check permission
+    uses: ./.github/workflows/_check-permission.yml
+    with:
+      failure_mode: "skip"
+      require_permission: "write"
    permissions:
      contents: read

  validation:
    name: Validation
-    needs: check-run
+    needs: check-permission
+    if: needs.check-permission.outputs.should_proceed == 'true'
    runs-on: ubuntu-24.04
    permissions:
      contents: read
@ -74,9 +78,9 @@ jobs:
				@@ -74,9 +78,9 @@ jobs:
  comment:
    name: Claude comment
    runs-on: ubuntu-24.04
-    needs: validation
+    needs: [check-permission, validation]
    timeout-minutes: 15
-    if: needs.validation.outputs.should_comment == 'true'
+    if: needs.check-permission.outputs.should_proceed == 'true' && needs.validation.outputs.should_comment == 'true'
    permissions:
      actions: read
      contents: write
@ -86,7 +90,7 @@ jobs:
				@@ -86,7 +90,7 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 1
          ref: ${{ github.event.pull_request.head.sha }}
@ -112,7 +116,7 @@ jobs:
				@@ -112,7 +116,7 @@ jobs:
      - name: Run Claude Code
        id: claude
        timeout-minutes: 10
-        uses: anthropics/claude-code-action@f30f5eecfce2f34fa72e40fa5f7bcdbdcad12eb8 # v1.0.14
+        uses: anthropics/claude-code-action@6337623ebba10cf8c8214b507993f8062fd4ccfb # v1.0.22
        with:
          anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-RESPONSE-API-KEY }}
          track_progress: true
--- a/.github/workflows/test-check-permission.yml
+++ b/.github/workflows/test-check-permission.yml
@ -33,11 +33,11 @@ jobs:
				@@ -33,11 +33,11 @@ jobs:
        env:
          HAS_PERMISSION: ${{ steps.check-fail.outputs.has_permission }}
          USER_PERMISSION: ${{ steps.check-fail.outputs.user_permission }}
-          SHOULD_SKIP: ${{ steps.check-fail.outputs.should_skip }}
+          SHOULD_PROCEED: ${{ steps.check-fail.outputs.should_proceed }}
        run: |
          echo "Has permission: $HAS_PERMISSION"
          echo "User permission: $USER_PERMISSION"
-          echo "Should skip: $SHOULD_SKIP"
+          echo "Should proceed: $SHOULD_PROCEED"

  test-skip-mode:
    name: Test skip mode
@ -58,11 +58,11 @@ jobs:
				@@ -58,11 +58,11 @@ jobs:
          failure_mode: skip

      - name: Conditional step
-        if: steps.check-skip.outputs.should_skip != 'true'
+        if: steps.check-skip.outputs.should_proceed == 'true'
        run: echo "Would run privileged operation"

      - name: Skip notification
-        if: steps.check-skip.outputs.should_skip == 'true'
+        if: steps.check-skip.outputs.should_proceed != 'true'
        run: echo "Skipped privileged operation due to permissions"

  test-continue-mode:
@ -123,7 +123,7 @@ jobs:
				@@ -123,7 +123,7 @@ jobs:
          failure_mode: skip

      - name: Check write permission (fallback)
-        if: steps.check-admin.outputs.should_skip == 'true'
+        if: steps.check-admin.outputs.should_proceed != 'true'
        id: check-write
        uses: ./check-permission
        with:
--- a/check-permission/README.md
+++ b/check-permission/README.md
@ -21,16 +21,16 @@ Check user permissions with configurable failure handling.
				@@ -21,16 +21,16 @@ Check user permissions with configurable failure handling.
 ### Failure Modes

 - **`fail`**: Exit 1 when permission missing - workflow stops
- **`skip`**: Exit 0, set `should_skip=true` - skip protected steps
+- **`skip`**: Exit 0, set `should_proceed=false` - skip protected steps
 - **`continue`**: Exit 0 always - branch on `has_permission` output

 ## Outputs

-| Output            | Description                                                            |
-| ----------------- | ---------------------------------------------------------------------- |
-| `has_permission`  | `true` if user has required permission, `false` otherwise              |
-| `user_permission` | Actual permission level of the user (`admin`, `write`, `read`, `none`) |
-| `should_skip`     | `true` when failure_mode is `skip` and permission check fails          |
+| Output            | Description                                                             |
+| ----------------- | ----------------------------------------------------------------------- |
+| `has_permission`  | `true` if user has required permission, `false` otherwise               |
+| `user_permission` | Actual permission level of the user (`admin`, `write`, `read`, `none`)  |
+| `should_proceed`  | `true` when permission check passes, `false` when `skip` mode and fails |

 ## Usage Examples

@ -55,7 +55,7 @@ Check user permissions with configurable failure handling.
				@@ -55,7 +55,7 @@ Check user permissions with configurable failure handling.
    token: ${{ secrets.GITHUB_TOKEN }}
    failure_mode: skip

- if: steps.permission.outputs.should_skip != 'true'
+- if: steps.permission.outputs.should_proceed == 'true'
  run: ./deploy.sh
 ```

@ -90,7 +90,7 @@ on:
				@@ -90,7 +90,7 @@ on:
 jobs:
  check:
    outputs:
-      should_skip: ${{ steps.check.outputs.should_skip }}
+      should_proceed: ${{ steps.check.outputs.should_proceed }}
    steps:
      - uses: actions/checkout@v4
      - id: check
@ -103,7 +103,7 @@ jobs:
				@@ -103,7 +103,7 @@ jobs:

  deploy:
    needs: check
-    if: needs.check.outputs.should_skip != 'true'
+    if: needs.check.outputs.should_proceed == 'true'
    steps:
      - run: ./deploy.sh
 ```
--- a/check-permission/action.yml
+++ b/check-permission/action.yml
@ -27,9 +27,9 @@ outputs:
				@@ -27,9 +27,9 @@ outputs:
  user_permission:
    description: "The actual permission level of the user"
    value: ${{ steps.check-permission.outputs.user_permission }}
-  should_skip:
-    description: "Whether the workflow should skip (true when failure_mode is 'skip' and permission check fails)"
-    value: ${{ steps.check-permission.outputs.should_skip }}
+  should_proceed:
+    description: "Whether the workflow should proceed (true when permission check passes, or failure_mode is 'continue')"
+    value: ${{ steps.check-permission.outputs.should_proceed }}

 runs:
  using: "composite"
@ -88,7 +88,7 @@ runs:
				@@ -88,7 +88,7 @@ runs:
        if [ $USER_LEVEL -ge $REQUIRED_LEVEL ]; then
          echo "✓ User has required permission"
          echo "has_permission=true" >> "$GITHUB_OUTPUT"
-          echo "should_skip=false" >> "$GITHUB_OUTPUT"
+          echo "should_proceed=true" >> "$GITHUB_OUTPUT"
          exit 0
        else
          echo "✗ User does not have required permission"
@ -96,17 +96,17 @@ runs:
				@@ -96,17 +96,17 @@ runs:
          case "$FAILURE_MODE" in
            fail)
              echo "::error::User '$USERNAME' does not have required '$REQUIRE' permission."
-              echo "should_skip=false" >> "$GITHUB_OUTPUT"
+              echo "should_proceed=false" >> "$GITHUB_OUTPUT"
              exit 1
              ;;
            skip)
              echo "::warning::User '$USERNAME' does not have required '$REQUIRE' permission. Marking for skip."
-              echo "should_skip=true" >> "$GITHUB_OUTPUT"
+              echo "should_proceed=false" >> "$GITHUB_OUTPUT"
              exit 0
              ;;
            continue)
              echo "::notice::User '$USERNAME' does not have required '$REQUIRE' permission. Continuing - check outputs for branching."
-              echo "should_skip=false" >> "$GITHUB_OUTPUT"
+              echo "should_proceed=true" >> "$GITHUB_OUTPUT"
              exit 0
              ;;
          esac