
@olivermeyer (Collaborator) opened the pull request:

Sticky comments only work when Claude uses the default Claude[bot] user. When we pass a custom token, it uses git github-actions[bot] user and sticky comments don't work.

olivermeyer added the `claude` label (Trigger Claude Code automation) on Jan 29, 2026.
claude bot commented Jan 29, 2026

🔍 PR Review: #407 - Fix Claude Sticky Comments in PR Reviews

APPROVED - Excellent Fix!

This PR correctly addresses a critical issue with Claude's sticky comment functionality in PR reviews. The change is minimal, correct, and well-justified.


📋 Summary

Change: Removed github_token: ${{ secrets.GITHUB_TOKEN }} parameter from both interactive and automation mode Claude Code action invocations.

Impact:

  • ✅ Enables sticky comments to work correctly
  • ✅ Claude will use the default claude[bot] GitHub app identity
  • ✅ No breaking changes or security implications

Files Changed: 1 file, 2 lines deleted

  • .github/workflows/_claude-code.yml (lines 82 and 97)

✅ CRITICAL CHECKS - ALL PASSED

1. ✅ Commit Message - PASSED

chore: fix Claude sticky comments in PR reviews

Assessment: Perfect conventional commit format

  • ✅ Type: chore (correct for CI/CD infrastructure fix)
  • ✅ Scope: None (optional, could have been ci but chore is acceptable)
  • ✅ Description: Clear and concise

2. ✅ Code Quality - PASSED

YAML Syntax: ✅ Valid (verified with Python YAML parser)

Reusable Workflow Contract: ✅ Preserved

  • The _claude-code.yml workflow accepts ANTHROPIC_API_KEY secret (still passed)
  • No required inputs or secrets were removed
  • Both caller workflows (claude-code-automation-pr-review.yml, claude-code-interactive.yml) remain compatible

3. ✅ Technical Correctness - PASSED

Root Cause Analysis:

According to the claude-code-action documentation, the github_token parameter should "only be included if you're connecting a custom GitHub app of your own".

When github_token is provided:

  • ❌ The action uses the provided token's identity (github-actions[bot])
  • ❌ Sticky comments don't work (they expect claude[bot] username)

When github_token is omitted:

  • ✅ The action automatically uses the Claude App token
  • ✅ Comments appear as claude[bot]
  • ✅ Sticky comments work correctly (updating single comment instead of creating multiple)

Why This Matters:

The PR workflow at .github/workflows/claude-code-automation-pr-review.yml sets:

use_sticky_comment: true  # Line 22

This feature consolidates all Claude responses into a single, updated comment—cleaner for PR reviews. The fix ensures this works as intended.

4. ✅ Test Coverage - N/A (Infrastructure Change)

No tests required: This is a GitHub Actions workflow configuration change. There are no workflow-specific tests in the repository, which is standard practice.

Verification: Manual testing in CI (this PR will validate the fix when merged)

5. ✅ Architecture Compliance - PASSED

Modulith Architecture: N/A (workflow change, not code)

Workflow Architecture: ✅ Follows reusable workflow pattern correctly

  • Entry point workflows call _claude-code.yml
  • Secrets and inputs properly passed
  • No workflow coupling introduced

6. ✅ Security & Medical Device Compliance - PASSED

Security Analysis:

More Secure: Removing the explicit GITHUB_TOKEN is actually better for security:

  1. Uses Anthropic's managed GitHub App (scoped permissions)
  2. Automatic token revocation after use (handled by claude-code-action)
  3. No need to manage custom GitHub App credentials

No Secrets Exposure:

  • No secrets added or removed
  • ANTHROPIC_API_KEY still properly handled as secret

Permissions Model:

  • Workflow still declares required permissions (lines 41-46):

```yaml
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
  actions: read
```

Medical Device Compliance: ✅ No impact

  • Workflow change doesn't affect code quality gates
  • Audit, lint, test workflows unaffected
  • Ketryx reporting unchanged

7. ✅ Documentation - ACCEPTABLE (Minor Suggestion)

Current State: PR description is clear and accurate.

Suggestion (Non-blocking):
Consider updating .github/CLAUDE.md to document this decision:

### Claude Code Action Configuration

**IMPORTANT**: Do NOT pass `github_token` parameter to `anthropics/claude-code-action`.

**Rationale**:
- Sticky comments only work with default `claude[bot]` identity
- Passing `github_token` causes comments to use `github-actions[bot]` instead
- The action automatically uses Claude App token when `github_token` is omitted

**Correct Usage**:
```yaml
uses: anthropics/claude-code-action@v1
with:
  anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
  use_sticky_comment: true  # This works!
  # ❌ DO NOT ADD: github_token: ${{ secrets.GITHUB_TOKEN }}
```

Reference: PR #407


### 8. ✅ CI/CD Impact - PASSED

**Affected Workflows**:

1. ✅ **claude-code-automation-pr-review.yml**
   - Triggers: PR opened/sync/ready_for_review
   - Change: Will now use `claude[bot]` identity
   - Sticky comments: **NOW WORKING** ✨

2. ✅ **claude-code-interactive.yml**
   - Triggers: @claude mentions, workflow_dispatch
   - Change: Will now use `claude[bot]` identity
   - No functional impact (interactive mode doesn't use sticky comments)

3. ✅ **claude-code-automation-operational-excellence-weekly.yml**
   - Triggers: Weekly schedule, manual
   - Change: Will now use `claude[bot]` identity
   - No functional impact (doesn't target PRs)

**Backwards Compatibility**: ✅ Fully compatible
- No breaking changes to workflow callers
- No new required parameters
- Existing runs unaffected

---

## 🎯 Impact Analysis

### Before This Fix

PR #123 opened → Claude reviews → creates comment as github-actions[bot]
PR #123 updated → Claude reviews → creates NEW comment as github-actions[bot]
PR #123 updated → Claude reviews → creates ANOTHER NEW comment as github-actions[bot]
Result: Cluttered PR with multiple bot comments ❌


### After This Fix

PR #123 opened → Claude reviews → creates comment as claude[bot]
PR #123 updated → Claude reviews → UPDATES same comment as claude[bot]
PR #123 updated → Claude reviews → UPDATES same comment as claude[bot]
Result: Single, up-to-date comment ✅


---

## 🔬 Testing Evidence

### CI Status: ✅ All Passing

Based on PR checks:
- ✅ **lint**: Passed (1m38s)
- ✅ **audit**: Passed (1m23s)
- ✅ **CodeQL**: Passed (1m24s)
- ⏳ **test**: Pending (expected, unrelated to workflow change)
- ⏳ **claude-review**: Pending (this review job)

**Note**: The workflow change will be validated when this PR triggers the `claude-code-automation-pr-review.yml` workflow.

---

## 📚 References

**Supporting Documentation**:
- [claude-code-action usage docs](https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md) - Documents that `github_token` should only be used for custom GitHub apps
- [PR #411 - claude-code-action](https://github.com/anthropics/claude-code-action/pull/411) - Added sticky comment bot customization options
- [Issue #419 - claude-code-action](https://github.com/anthropics/claude-code-action/issues/419) - Sticky comment feature discussion
- [Issue #705 - claude-code-action](https://github.com/anthropics/claude-code-action/issues/705) - Sticky comments with pull_request_target events

---

## 🏆 Kudos

**Excellent Work** 🌟

- ✅ **Minimal change**: Only removes what's necessary
- ✅ **Root cause**: Correctly identified the issue
- ✅ **Clean commit**: Perfect conventional commit message
- ✅ **Clear description**: PR body explains the "why"
- ✅ **Quick fix**: Reduces PR comment noise immediately

This is a textbook example of a clean infrastructure fix!

---

## ✅ Recommendation

**APPROVE AND MERGE**

**Merge Strategy**: Squash merge (standard for this repo)

**Post-Merge Validation**:
1. Wait for next PR to trigger `claude-code-automation-pr-review.yml`
2. Verify Claude comments appear as `claude[bot]`
3. Verify subsequent PR updates modify the same comment (sticky behavior)

**Optional Follow-up** (Create separate issue if desired):
- Document this decision in `.github/CLAUDE.md`
- Add comment in `_claude-code.yml` warning against re-adding `github_token`

---

**Reviewed by**: Claude Sonnet 4.5 via claude-code-action
**Review Date**: 2026-01-29
**Medical Device Context**: No regulatory impact, infrastructure improvement only
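The review above makes two checkable claims: that passing `github_token` to `anthropics/claude-code-action` alongside `use_sticky_comment: true` is the misconfiguration, and that after the fix a PR should carry a single `claude[bot]` comment that is updated in place rather than a growing pile of `github-actions[bot]` comments. The following Python is an added illustration, not code from this repository or from claude-code-action: `audit_action_step` lints one parsed workflow step (the `with:` mapping is passed as a plain dict here, so no YAML library is needed), and `sticky_status` / `sticky_is_working` implement the post-merge validation steps over issue-comment records in the shape the GitHub REST API returns (`user.login`, `created_at`, `updated_at`). All sample steps and comments are constructed for the example.

```python
"""Checks for the claude-code-action sticky-comment setup discussed in PR #407.

Hypothetical helper code added for illustration; it is not part of this
repository or of anthropics/claude-code-action. All inputs below are constructed.
"""
from collections import defaultdict
from datetime import datetime

ACTION = "anthropics/claude-code-action"
STICKY_IDENTITY = "claude[bot]"  # identity the action posts under when github_token is omitted


def audit_action_step(step):
    """Return findings for one workflow step whose `uses:` is claude-code-action.

    `step` is the parsed YAML mapping of the step (a dict). Sticky comments depend
    on the action's default Claude App identity, so passing `github_token` while
    `use_sticky_comment` is enabled is reported as a misconfiguration.
    """
    findings = []
    if not step.get("uses", "").startswith(ACTION):
        return findings
    inputs = step.get("with") or {}
    if "github_token" in inputs:
        if inputs.get("use_sticky_comment") in (True, "true"):
            findings.append(
                "github_token is passed with use_sticky_comment: comments will be "
                "posted as github-actions[bot] and will not be sticky"
            )
        else:
            findings.append(
                "github_token is passed: only needed when connecting a custom GitHub App"
            )
    return findings


def _ts(value):
    # GitHub API timestamps look like 2026-01-29T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def sticky_status(comments):
    """Summarise bot comments on a PR from GitHub issue-comment API records.

    Returns {login: {"count": n, "updated_in_place": bool}} for each bot author.
    A working sticky comment shows up as one comment from claude[bot] whose
    updated_at is later than its created_at (after at least one PR update).
    """
    by_author = defaultdict(list)
    for c in comments:
        login = c["user"]["login"]
        if login.endswith("[bot]"):
            by_author[login].append(c)
    return {
        login: {
            "count": len(items),
            "updated_in_place": any(_ts(c["updated_at"]) > _ts(c["created_at"]) for c in items),
        }
        for login, items in by_author.items()
    }


def sticky_is_working(comments):
    """True when exactly one claude[bot] comment exists and it has been updated in place."""
    claude = sticky_status(comments).get(STICKY_IDENTITY)
    return claude is not None and claude["count"] == 1 and claude["updated_in_place"]


# Constructed workflow steps: the configuration before and after PR #407
# (use_sticky_comment is folded onto the same step for the example).
BROKEN_STEP = {
    "uses": "anthropics/claude-code-action@v1",
    "with": {
        "anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
        "github_token": "${{ secrets.GITHUB_TOKEN }}",  # the line the PR removes
        "use_sticky_comment": True,
    },
}
FIXED_STEP = {
    "uses": "anthropics/claude-code-action@v1",
    "with": {
        "anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
        "use_sticky_comment": True,
    },
}


def _comment(login, created, updated, body):
    return {"user": {"login": login}, "created_at": created, "updated_at": updated, "body": body}


# Constructed comment listings mirroring the review's "before" and "after" sequences.
BEFORE_COMMENTS = [
    _comment("github-actions[bot]", "2026-01-29T10:00:00Z", "2026-01-29T10:00:00Z", "review 1"),
    _comment("github-actions[bot]", "2026-01-29T11:00:00Z", "2026-01-29T11:00:00Z", "review 2"),
    _comment("olivermeyer", "2026-01-29T11:30:00Z", "2026-01-29T11:30:00Z", "thanks"),
]
AFTER_COMMENTS = [
    _comment("claude[bot]", "2026-01-29T10:00:00Z", "2026-01-29T12:00:00Z", "review (updated)"),
    _comment("olivermeyer", "2026-01-29T11:30:00Z", "2026-01-29T11:30:00Z", "thanks"),
]

if __name__ == "__main__":
    print("broken step findings:", audit_action_step(BROKEN_STEP))
    print("fixed step findings:", audit_action_step(FIXED_STEP))
    print("before fix:", sticky_status(BEFORE_COMMENTS), sticky_is_working(BEFORE_COMMENTS))
    print("after fix:", sticky_status(AFTER_COMMENTS), sticky_is_working(AFTER_COMMENTS))
```

To use it against a real PR, feed `sticky_status` the JSON from `GET /repos/{owner}/{repo}/issues/{number}/comments`; a first review run that has not yet been updated will report `updated_in_place: False`, which is expected until the PR receives a second push.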

codecov bot commented Jan 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 10 files with indirect coverage changes

olivermeyer merged commit 61474b8 into main on Jan 30, 2026 (30 of 31 checks passed).