From 39dbfd23e10223355eb7e5bf225104103617de92 Mon Sep 17 00:00:00 2001
From: Fischer
Date: Wed, 3 Jun 2026 09:20:51 -0500
Subject: [PATCH] Restore @claude workflow on the .github repo Keep @claude working on issues/PRs in this repo. claude.yml is a direct-trigger workflow (not reusable), so each repo that wants @claude needs its own copy; this is the canonical copy from getnodus/workflow. Also restore actionlint so the workflow file is linted on PRs. Requires the CLAUDE_CODE_OAUTH_TOKEN org secret to be accessible to this repo.
Co-Authored-By: Claude Opus 4.8
---
.github/workflows/actionlint.yml | 25 +++++++++++++++++
.github/workflows/claude.yml | 46 ++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)
create mode 100644 .github/workflows/actionlint.yml
create mode 100644 .github/workflows/claude.yml
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..c8b501e
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,25 @@
+name: actionlint
+
+# Lints workflow files so Renovate (and humans) have a real green signal before
+# merging changes to the actions that power other repos. Mark this check as
+# required in branch protection to gate auto-merge on it.
+
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Run actionlint
+ shell: bash
+ run: |
+ bash <(curl -sSfL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+ ./actionlint -color
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 0000000..61ba3f5
--- /dev/null
+++ b/.github/workflows/claude.yml
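Review bot: In .github/workflows/actionlint.yml the `run:` step pipes a script fetched from the mutable `main` branch of rhysd/actionlint straight into bash, and `actions/checkout@v6` is a movable tag, so the lint result depends on code that can change without any commit in this repo. The header comment asks for this check to be marked required so it gates auto-merge, which means whoever can change that upstream script or move the tag also decides whether the gate goes green. Pin both: `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` (the SHA claude.yml in this same commit already uses) and `https://raw.githubusercontent.com/rhysd/actionlint/<PINNED_COMMIT_SHA>/scripts/download-actionlint.bash`, passing an explicit `<ACTIONLINT_VERSION>` argument to the script so the downloaded binary is fixed as well. The job runs on `pull_request` with `contents: read`, which limits what a changed script could reach but does not protect the check result itself.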
@@ -0,0 +1,46 @@
+name: Claude Code
+
+on:
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ issues:
+ types: [opened, assigned]
+ pull_request_review:
+ types: [submitted]
+
+jobs:
+ claude:
+ # The @claude mention is invoked by issue/PR/review comments. On a public
+ # repo anyone can comment, so we gate on author_association as
+ # defense-in-depth on top of the action's own internal check. Only
+ # already-trusted accounts (OWNER / MEMBER / COLLABORATOR) can spin
+ # Claude using our org OAuth token.
+ if: |
+ (
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
+ )
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ issues: read
+ id-token: write
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ fetch-depth: 1
+
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@v1
+ with:
+ claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+ additional_permissions: |
+ actions: read
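Review bot: `uses: anthropics/claude-code-action@v1` is a movable tag on the one step that receives `secrets.CLAUDE_CODE_OAUTH_TOKEN` and runs under `id-token: write`, while the checkout step just above it is pinned to a full commit SHA. Pin it the same way, `uses: anthropics/claude-code-action@<FULL_COMMIT_SHA> # v1`, and let Renovate bump the SHA. Separately, the `if:` gate checks who wrote the triggering comment, review or issue, not what else sits in the thread. If the action feeds surrounding issue or PR text from untrusted authors to the model (not visible in this hunk), a trusted `@claude` mention on such a thread still exposes the run to that text, which deserves a line in the job comment. `contains(..., '@claude')` is also a substring match, so a mention like `@claude-something` from a trusted author starts the job too.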