From 1563598d086d23ddce6c85abe1d049758d381f62 Mon Sep 17 00:00:00 2001
From: Marti <marcin.gorny.94@protonmail.com>
Date: Sun, 22 Feb 2026 14:22:49 +0000
Subject: [PATCH 1/6] "Claude PR Assistant workflow"

---
 .github/workflows/claude.yml | 50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/claude.yml

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 0000000000..79fe056478
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,50 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://code.claude.com/docs/en/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'
+

From 9c822599d7fcc7ed06a01f9cbbdf1798fdece4a0 Mon Sep 17 00:00:00 2001
From: Marti <marti@miden.team>
Date: Sun, 22 Feb 2026 14:50:25 +0000
Subject: [PATCH 2/6] feat: add Claude PR triage and CI auto-fix workflows

- claude-pr-triage.yml: labels PRs on open/edit/sync based on changed
  files and PR content (type, area, size labels)
- claude-ci-autofix.yml: triggers on test/build/lint failures, checks
  the actor has write/maintain/admin access, then attempts a minimal
  fix on a new branch and opens a PR with the changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/claude-ci-autofix.yml | 133 ++++++++++++++++++++++++
 .github/workflows/claude-pr-triage.yml  |  43 ++++++++
 2 files changed, 176 insertions(+)
 create mode 100644 .github/workflows/claude-ci-autofix.yml
 create mode 100644 .github/workflows/claude-pr-triage.yml

diff --git a/.github/workflows/claude-ci-autofix.yml b/.github/workflows/claude-ci-autofix.yml
new file mode 100644
index 0000000000..32b8e6a49a
--- /dev/null
+++ b/.github/workflows/claude-ci-autofix.yml
@@ -0,0 +1,133 @@
+name: Claude CI Auto-Fix
+
+on:
+  workflow_run:
+    workflows: ["test", "build", "lint"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+  issues: write
+
+jobs:
+  auto-fix:
+    # Only run on PR branches that failed, skip branches created by this workflow
+    if: |
+      github.event.workflow_run.conclusion == 'failure' &&
+      github.event.workflow_run.pull_requests[0] &&
+      !startsWith(github.event.workflow_run.head_branch, 'claude-auto-fix-ci-')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check actor is a maintainer
+        id: check-permission
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = '${{ github.event.workflow_run.actor.login }}';
+            try {
+              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: actor,
+              });
+              const allowed = ['write', 'maintain', 'admin'].includes(data.permission);
+              if (!allowed) {
+                core.notice(`Skipping auto-fix: ${actor} does not have write access (permission: ${data.permission})`);
+              }
+              return allowed;
+            } catch (e) {
+              core.notice(`Skipping auto-fix: could not verify permissions for ${actor}: ${e.message}`);
+              return false;
+            }
+
+      - name: Checkout code
+        if: steps.check-permission.outputs.result == 'true'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_branch }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup git identity
+        if: steps.check-permission.outputs.result == 'true'
+        run: |
+          git config --global user.email "claude[bot]@users.noreply.github.com"
+          git config --global user.name "claude[bot]"
+
+      - name: Create fix branch
+        if: steps.check-permission.outputs.result == 'true'
+        id: branch
+        run: |
+          BRANCH_NAME="claude-auto-fix-ci-${{ github.event.workflow_run.head_branch }}-${{ github.run_id }}"
+          git checkout -b "$BRANCH_NAME"
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+
+      - name: Get CI failure details
+        if: steps.check-permission.outputs.result == 'true'
+        id: failure_details
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const jobs = await github.rest.actions.listJobsForWorkflowRun({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{ github.event.workflow_run.id }}
+            });
+
+            const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure');
+
+            let errorLogs = [];
+            for (const job of failedJobs.slice(0, 3)) {
+              try {
+                const logs = await github.rest.actions.downloadJobLogsForWorkflowRun({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  job_id: job.id
+                });
+                errorLogs.push({ jobName: job.name, logs: logs.data.substring(0, 8000) });
+              } catch (e) {
+                errorLogs.push({ jobName: job.name, logs: `(could not fetch logs: ${e.message})` });
+              }
+            }
+
+            return {
+              runUrl: '${{ github.event.workflow_run.html_url }}',
+              workflowName: '${{ github.event.workflow_run.name }}',
+              failedJobs: failedJobs.map(j => j.name),
+              errorLogs: errorLogs
+            };
+
+      - name: Fix CI failures with Claude
+        if: steps.check-permission.outputs.result == 'true'
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          claude_args: "--allowedTools 'Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(git:*),Bash(cargo:*),Bash(gh:*)'"
+          prompt: |
+            The ${{ github.event.workflow_run.name }} CI workflow failed on branch
+            `${{ github.event.workflow_run.head_branch }}` (PR #${{ github.event.workflow_run.pull_requests[0].number }}).
+
+            Failed jobs: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs, ', ') }}
+            CI run URL: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
+
+            Error logs:
+            ${{ toJSON(fromJSON(steps.failure_details.outputs.result).errorLogs) }}
+
+            miden-base is a Rust project. Please:
+            1. Analyse the failure logs above to identify the root cause.
+            2. Make the minimal code changes needed to fix the failure (compilation errors,
+               test failures, lint errors, etc.). Do NOT change unrelated code.
+            3. Commit the fixes to the current branch (`${{ steps.branch.outputs.branch_name }}`).
+            4. Open a PR against `${{ github.event.workflow_run.head_branch }}` with:
+               - Title: "fix(ci): auto-fix ${{ github.event.workflow_run.name }} failures on ${{ github.event.workflow_run.head_branch }}"
+               - Body explaining what was changed and why.
+            5. Comment on PR #${{ github.event.workflow_run.pull_requests[0].number }} linking
+               to the new fix PR.
+
+            If the failure is not something you can fix automatically (e.g. infrastructure issue,
+            missing secret, upstream breakage), just post a comment on the PR explaining what
+            you found and why it cannot be auto-fixed.
diff --git a/.github/workflows/claude-pr-triage.yml b/.github/workflows/claude-pr-triage.yml
new file mode 100644
index 0000000000..327790dce5
--- /dev/null
+++ b/.github/workflows/claude-pr-triage.yml
@@ -0,0 +1,43 @@
+name: Claude PR Triage
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+
+jobs:
+  triage-pr:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude PR Triage
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          allowed_non_write_users: "*"
+          prompt: |
+            Triage the following pull request in the miden-base repository by adding appropriate labels.
+
+            Repository: ${{ github.repository }}
+            PR number: ${{ github.event.pull_request.number }}
+
+            Steps:
+            1. Run `gh label list` to see all available labels.
+            2. Run `gh pr view ${{ github.event.pull_request.number }} --json title,body,files` to inspect the PR.
+            3. Apply the most relevant labels using `gh pr edit ${{ github.event.pull_request.number }} --add-label <label>`.
+
+            Label selection guidance for miden-base (a Rust ZK-rollup library):
+            - Type: bug, enhancement, refactor, documentation, chore, breaking-change
+            - Area: based on changed files (accounts, notes, transactions, block-kernel, crypto, etc.)
+            - Size: judge by number of changed lines (small <50, medium <250, large otherwise)
+
+            Only add labels that exist in the repo. Do not post any comments.

From 2a60385d64b63ab8fc8599a3e8adf91f2598c9ba Mon Sep 17 00:00:00 2001
From: Marti <marti@miden.team>
Date: Sun, 22 Feb 2026 15:35:32 +0000
Subject: [PATCH 3/6] feat: add maintainer permission checks to Claude
 workflows

- claude.yml: restrict @claude mentions to maintainers via
  collaborator permission check
- claude-pr-triage.yml: use author_association for pr-from-maintainers
  label; remove size labels; drop ZK-rollup description

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/claude-pr-triage.yml |  5 +++--
 .github/workflows/claude.yml           | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/claude-pr-triage.yml b/.github/workflows/claude-pr-triage.yml
index 327790dce5..fd9b313cf8 100644
--- a/.github/workflows/claude-pr-triage.yml
+++ b/.github/workflows/claude-pr-triage.yml
@@ -35,9 +35,10 @@ jobs:
             2. Run `gh pr view ${{ github.event.pull_request.number }} --json title,body,files` to inspect the PR.
             3. Apply the most relevant labels using `gh pr edit ${{ github.event.pull_request.number }} --add-label <label>`.
 
-            Label selection guidance for miden-base (a Rust ZK-rollup library):
+            Label selection guidance for miden-base:
             - Type: bug, enhancement, refactor, documentation, chore, breaking-change
             - Area: based on changed files (accounts, notes, transactions, block-kernel, crypto, etc.)
-            - Size: judge by number of changed lines (small <50, medium <250, large otherwise)
+            - Maintainer: add "pr-from-maintainers" if the PR author's association is OWNER,
+              MEMBER, or COLLABORATOR. The author's association is: ${{ github.event.pull_request.author_association }}
 
             Only add labels that exist in the repo. Do not post any comments.
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 79fe056478..ba2fef4430 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -25,12 +25,36 @@ jobs:
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
     steps:
+      - name: Check actor is a maintainer
+        id: check-permission
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = '${{ github.actor }}';
+            try {
+              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: actor,
+              });
+              const allowed = ['write', 'maintain', 'admin'].includes(data.permission);
+              if (!allowed) {
+                core.notice(`Skipping: ${actor} does not have write access (permission: ${data.permission})`);
+              }
+              return allowed;
+            } catch (e) {
+              core.notice(`Skipping: could not verify permissions for ${actor}: ${e.message}`);
+              return false;
+            }
+
       - name: Checkout repository
+        if: steps.check-permission.outputs.result == 'true'
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
       - name: Run Claude Code
+        if: steps.check-permission.outputs.result == 'true'
         id: claude
         uses: anthropics/claude-code-action@v1
         with:

From 4bf93ad9cb5ae79882167a971f55f098b6f8228f Mon Sep 17 00:00:00 2001
From: Marti <marti@miden.team>
Date: Sun, 22 Feb 2026 15:38:43 +0000
Subject: [PATCH 4/6] fix: use author_association instead of collaborator API
 for permission checks

getCollaboratorPermissionLevel requires admin token access which
GITHUB_TOKEN does not have. Switch to author_association from the
event payload (claude.yml) and pulls.get() (claude-ci-autofix.yml)
which only require read access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/claude-ci-autofix.yml | 27 ++++++++++++-------------
 .github/workflows/claude.yml            | 23 ++++++++-------------
 2 files changed, 21 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/claude-ci-autofix.yml b/.github/workflows/claude-ci-autofix.yml
index 32b8e6a49a..94e8913147 100644
--- a/.github/workflows/claude-ci-autofix.yml
+++ b/.github/workflows/claude-ci-autofix.yml
@@ -26,22 +26,21 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
-            const actor = '${{ github.event.workflow_run.actor.login }}';
-            try {
-              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                username: actor,
-              });
-              const allowed = ['write', 'maintain', 'admin'].includes(data.permission);
-              if (!allowed) {
-                core.notice(`Skipping auto-fix: ${actor} does not have write access (permission: ${data.permission})`);
-              }
-              return allowed;
-            } catch (e) {
-              core.notice(`Skipping auto-fix: could not verify permissions for ${actor}: ${e.message}`);
+            const prNumber = context.payload.workflow_run.pull_requests[0]?.number;
+            if (!prNumber) {
+              core.notice('Skipping auto-fix: no associated PR found');
               return false;
             }
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: prNumber,
+            });
+            const allowed = ['OWNER', 'MEMBER', 'COLLABORATOR'].includes(pr.author_association);
+            if (!allowed) {
+              core.notice(`Skipping auto-fix: PR author association is ${pr.author_association}`);
+            }
+            return allowed;
 
       - name: Checkout code
         if: steps.check-permission.outputs.result == 'true'
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index ba2fef4430..30b4c4ea30 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -30,22 +30,15 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
-            const actor = '${{ github.actor }}';
-            try {
-              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                username: actor,
-              });
-              const allowed = ['write', 'maintain', 'admin'].includes(data.permission);
-              if (!allowed) {
-                core.notice(`Skipping: ${actor} does not have write access (permission: ${data.permission})`);
-              }
-              return allowed;
-            } catch (e) {
-              core.notice(`Skipping: could not verify permissions for ${actor}: ${e.message}`);
-              return false;
+            const association =
+              context.payload.comment?.author_association ||
+              context.payload.review?.author_association ||
+              context.payload.issue?.author_association;
+            const allowed = ['OWNER', 'MEMBER', 'COLLABORATOR'].includes(association);
+            if (!allowed) {
+              core.notice(`Skipping: author association is ${association}`);
             }
+            return allowed;
 
       - name: Checkout repository
         if: steps.check-permission.outputs.result == 'true'

From 86a04e3b8a38e4e58843829e3ca2e4833486e31d Mon Sep 17 00:00:00 2001
From: Marti <marti@miden.team>
Date: Sun, 22 Feb 2026 15:44:20 +0000
Subject: [PATCH 5/6] fix: prevent pwn request vulnerability in
 claude-ci-autofix workflow

Restrict workflow_run trigger to PRs from the same repository
(not forks) to prevent untrusted code execution in a privileged
context (CWE-829, CodeQL alert #14).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/claude-ci-autofix.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/claude-ci-autofix.yml b/.github/workflows/claude-ci-autofix.yml
index 94e8913147..48a052315f 100644
--- a/.github/workflows/claude-ci-autofix.yml
+++ b/.github/workflows/claude-ci-autofix.yml
@@ -14,10 +14,13 @@ permissions:
 
 jobs:
   auto-fix:
-    # Only run on PR branches that failed, skip branches created by this workflow
+    # Only run on PR branches that failed, skip branches created by this workflow.
+    # head_repository check prevents checkout of untrusted code from forks in this
+    # privileged workflow_run context (pwn request mitigation).
     if: |
       github.event.workflow_run.conclusion == 'failure' &&
       github.event.workflow_run.pull_requests[0] &&
+      github.event.workflow_run.head_repository.full_name == github.repository &&
       !startsWith(github.event.workflow_run.head_branch, 'claude-auto-fix-ci-')
     runs-on: ubuntu-latest
     steps:

From 10a60b2e86cbed42ba2b5e37da19543f64e48aa7 Mon Sep 17 00:00:00 2001
From: "Claude (Opus)" <noreply@anthropic.com>
Date: Sat, 14 Mar 2026 08:35:30 +0000
Subject: [PATCH 6/6] chore: remove Claude CI auto-fix workflow

Remove the auto-CI-fix workflow per team consensus - there are concerns
about automated code modifications. The PR triage and @claude mention
workflows are kept.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/claude-ci-autofix.yml | 135 ------------------------
 1 file changed, 135 deletions(-)
 delete mode 100644 .github/workflows/claude-ci-autofix.yml

diff --git a/.github/workflows/claude-ci-autofix.yml b/.github/workflows/claude-ci-autofix.yml
deleted file mode 100644
index 48a052315f..0000000000
--- a/.github/workflows/claude-ci-autofix.yml
+++ /dev/null
@@ -1,135 +0,0 @@
-name: Claude CI Auto-Fix
-
-on:
-  workflow_run:
-    workflows: ["test", "build", "lint"]
-    types:
-      - completed
-
-permissions:
-  contents: write
-  pull-requests: write
-  actions: read
-  issues: write
-
-jobs:
-  auto-fix:
-    # Only run on PR branches that failed, skip branches created by this workflow.
-    # head_repository check prevents checkout of untrusted code from forks in this
-    # privileged workflow_run context (pwn request mitigation).
-    if: |
-      github.event.workflow_run.conclusion == 'failure' &&
-      github.event.workflow_run.pull_requests[0] &&
-      github.event.workflow_run.head_repository.full_name == github.repository &&
-      !startsWith(github.event.workflow_run.head_branch, 'claude-auto-fix-ci-')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check actor is a maintainer
-        id: check-permission
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prNumber = context.payload.workflow_run.pull_requests[0]?.number;
-            if (!prNumber) {
-              core.notice('Skipping auto-fix: no associated PR found');
-              return false;
-            }
-            const { data: pr } = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: prNumber,
-            });
-            const allowed = ['OWNER', 'MEMBER', 'COLLABORATOR'].includes(pr.author_association);
-            if (!allowed) {
-              core.notice(`Skipping auto-fix: PR author association is ${pr.author_association}`);
-            }
-            return allowed;
-
-      - name: Checkout code
-        if: steps.check-permission.outputs.result == 'true'
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.workflow_run.head_branch }}
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Setup git identity
-        if: steps.check-permission.outputs.result == 'true'
-        run: |
-          git config --global user.email "claude[bot]@users.noreply.github.com"
-          git config --global user.name "claude[bot]"
-
-      - name: Create fix branch
-        if: steps.check-permission.outputs.result == 'true'
-        id: branch
-        run: |
-          BRANCH_NAME="claude-auto-fix-ci-${{ github.event.workflow_run.head_branch }}-${{ github.run_id }}"
-          git checkout -b "$BRANCH_NAME"
-          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
-
-      - name: Get CI failure details
-        if: steps.check-permission.outputs.result == 'true'
-        id: failure_details
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const jobs = await github.rest.actions.listJobsForWorkflowRun({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              run_id: ${{ github.event.workflow_run.id }}
-            });
-
-            const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure');
-
-            let errorLogs = [];
-            for (const job of failedJobs.slice(0, 3)) {
-              try {
-                const logs = await github.rest.actions.downloadJobLogsForWorkflowRun({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  job_id: job.id
-                });
-                errorLogs.push({ jobName: job.name, logs: logs.data.substring(0, 8000) });
-              } catch (e) {
-                errorLogs.push({ jobName: job.name, logs: `(could not fetch logs: ${e.message})` });
-              }
-            }
-
-            return {
-              runUrl: '${{ github.event.workflow_run.html_url }}',
-              workflowName: '${{ github.event.workflow_run.name }}',
-              failedJobs: failedJobs.map(j => j.name),
-              errorLogs: errorLogs
-            };
-
-      - name: Fix CI failures with Claude
-        if: steps.check-permission.outputs.result == 'true'
-        uses: anthropics/claude-code-action@v1
-        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          claude_args: "--allowedTools 'Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(git:*),Bash(cargo:*),Bash(gh:*)'"
-          prompt: |
-            The ${{ github.event.workflow_run.name }} CI workflow failed on branch
-            `${{ github.event.workflow_run.head_branch }}` (PR #${{ github.event.workflow_run.pull_requests[0].number }}).
-
-            Failed jobs: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs, ', ') }}
-            CI run URL: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
-
-            Error logs:
-            ${{ toJSON(fromJSON(steps.failure_details.outputs.result).errorLogs) }}
-
-            miden-base is a Rust project. Please:
-            1. Analyse the failure logs above to identify the root cause.
-            2. Make the minimal code changes needed to fix the failure (compilation errors,
-               test failures, lint errors, etc.). Do NOT change unrelated code.
-            3. Commit the fixes to the current branch (`${{ steps.branch.outputs.branch_name }}`).
-            4. Open a PR against `${{ github.event.workflow_run.head_branch }}` with:
-               - Title: "fix(ci): auto-fix ${{ github.event.workflow_run.name }} failures on ${{ github.event.workflow_run.head_branch }}"
-               - Body explaining what was changed and why.
-            5. Comment on PR #${{ github.event.workflow_run.pull_requests[0].number }} linking
-               to the new fix PR.
-
-            If the failure is not something you can fix automatically (e.g. infrastructure issue,
-            missing secret, upstream breakage), just post a comment on the PR explaining what
-            you found and why it cannot be auto-fixed.