From dd77f94126be1da86f3ffe8244de0be4f403c310 Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Fri, 6 Feb 2026 12:00:42 -0800
Subject: [PATCH 1/3] Update Claude review workflows to Opus 4.6
---
 .github/workflows/claude-auto-review.yml | 2 +-
 .github/workflows/claude.yml | 54 ++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/claude.yml
diff --git a/.github/workflows/claude-auto-review.yml b/.github/workflows/claude-auto-review.yml
index 9d5b9b82..ed7b7896 100644
--- a/.github/workflows/claude-auto-review.yml
+++ b/.github/workflows/claude-auto-review.yml
@@ -32,7 +32,7 @@ jobs:
 with:
 allowed_tools: "mcp__github__create_pull_request,mcp__github__create_issue,mcp__github__search_issues,mcp__github__update_issue,mcp__github__create_pending_pull_request_review,mcp__github__add_pull_request_review_comment_to_pending_review,mcp__github__submit_pending_pull_request_review,mcp__github__get_pull_request_diff"
 use_bedrock: true
- model: "us.anthropic.claude-opus-4-5-20251101-v1:0"
+ model: "us.anthropic.claude-opus-4-6-v1"
 fallback_model: "us.anthropic.claude-3-7-sonnet-20250219-v1:0"
 timeout_minutes: "60"
 direct_prompt: |
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 00000000..ad4597d4
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,54 @@
+name: Claude PR Assistant
+
+on:
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ issues:
+ types: [opened, assigned]
+ pull_request_review:
+ types: [submitted]
+
+env:
+ PTD_AWS_ACCOUNT: ${{ secrets.PTD_AWS_ACCOUNT }}
+
+jobs:
+ claude-code-action:
+ if: |
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ id-token: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::${{ env.PTD_AWS_ACCOUNT }}:role/claude-code
+ role-session-name: gha-claude-code-action
+ aws-region: us-east-2
+
+ - name: Run Claude Code Action
+ uses: anthropics/claude-code-action@beta
+ with:
+ model: "us.anthropic.claude-opus-4-6-v1"
+ fallback_model: "us.anthropic.claude-3-7-sonnet-20250219-v1:0"
+ timeout_minutes: "60"
+ use_bedrock: true
+ branch_prefix: "claude-"
+ additional_permissions: "actions: read"
+ allowed_tools: "mcp__github__create_pull_request,mcp__github__create_issue,mcp__github__search_issues,mcp__github__update_issue,mcp__github__create_pending_pull_request_review,mcp__github__add_pull_request_review_comment_to_pending_review,mcp__github__submit_pending_pull_request_review,mcp__github__get_pull_request_diff"
+ custom_instructions: |
+ You are a helpful AI assistant for code reviews and issue triage.
+ Respond to comments and issues that mention you with relevant code suggestions or triage actions.
+ If you cannot assist, politely inform the user. In your responses, don't be overly complimentary.
+ Stick to the facts and provide actionable advice.
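Review bot: `pull_request_review` is listed under `on:` (`types: [submitted]`) but the job-level `if:` has no branch for `github.event_name == 'pull_request_review'`, so that trigger can never start the job; either add a branch such as `(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))` or drop the trigger. The rewritten `if:` in the two later patches of this series keeps the same three events, so the dead trigger persists there as well. Separately, `anthropics/claude-code-action@beta` (and the `@v4` tags on the other two actions) are mutable refs; because this job holds `id-token: write` and assumes an AWS role, pinning to a full commit SHA, e.g. `uses: anthropics/claude-code-action@<commit-sha>  # beta`, keeps a moved or compromised tag from running with those credentials. The `fallback_model` still points at an older model family than the primary, which is worth a comment if that is deliberate.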
From b2ae85fc00513027388481b1341bd459738f593f Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Mon, 9 Feb 2026 15:46:55 -0800
Subject: [PATCH 2/3] ci: restrict claude workflow to org members and collaborators
---
 .github/workflows/claude.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index ad4597d4..b8d4585e 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -16,9 +16,21 @@ env:
 jobs:
 claude-code-action:
 if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'issues' && contains(github.event.issue.body, '@claude'))
+ (
+ github.event_name == 'issue_comment' &&
+ contains(github.event.comment.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ ) ||
+ (
+ github.event_name == 'pull_request_review_comment' &&
+ contains(github.event.comment.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ ) ||
+ (
+ github.event_name == 'issues' &&
+ contains(github.event.issue.body, '@claude') &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+ )
 runs-on: ubuntu-latest
 permissions:
 contents: read
From 457a8986c13100c8ce664b5d377edfb395643f64 Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Tue, 10 Feb 2026 07:53:29 -0800
Subject: [PATCH 3/3] fix: replace author_association with repo permission API check
author_association may be removed from GitHub event payloads. Use the repo collaborators permission API instead to verify the actor has write or admin access before running.
---
 .github/workflows/claude.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
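Review bot: `author_association` describes the commenter's relationship to the repository or organization rather than a permission level, so the gate added here still admits an org `MEMBER` with no access to this repository and a `COLLABORATOR` who holds only read permission; the next patch in this series moves to a collaborator-permission lookup, which resolves that. A second gap is in the `issues` branch: it tests `github.event.issue.author_association`, i.e. the issue author, whereas for the `assigned` type the triggering actor is the person who assigned the issue, so the two may differ. The `claude-code-action` job and the `on:` trigger list it gates continue outside the hunk.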
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index b8d4585e..3542a668 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -18,18 +18,15 @@ jobs:
 if: |
 (
 github.event_name == 'issue_comment' &&
- contains(github.event.comment.body, '@claude') &&
- contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ contains(github.event.comment.body, '@claude')
 ) ||
 (
 github.event_name == 'pull_request_review_comment' &&
- contains(github.event.comment.body, '@claude') &&
- contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+ contains(github.event.comment.body, '@claude')
 ) ||
 (
 github.event_name == 'issues' &&
- contains(github.event.issue.body, '@claude') &&
- contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+ contains(github.event.issue.body, '@claude')
 )
 runs-on: ubuntu-latest
 permissions:
@@ -38,6 +35,17 @@ jobs:
 issues: write
 id-token: write
 steps:
+ - name: Check actor has write permission
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission')
+ if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "write" ]]; then
+ echo "::error::Actor ${{ github.actor }} has '$PERMISSION' permission, requires 'write' or 'admin'"
+ exit 1
+ fi
+ echo "Actor ${{ github.actor }} authorized with '$PERMISSION' permission"
+
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
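Review bot: The new step authorizes `github.actor`, but for `issues` events of type `assigned` (declared in `on:`, outside this hunk) the actor is whoever assigned the issue, while the `@claude`-bearing body that the action then reads belongs to the issue author, who may have no access to the repository; the same holds for PR contents fetched through the allowed tools. Either drop `assigned` from the trigger or also look up `github.event.issue.user.login` in this step, so text from an arbitrary account does not reach an agent holding `pull-requests: write` and assumed AWS credentials. Separately, `${{ github.repository }}` and `${{ github.actor }}` are interpolated directly into the shell; both have a constrained character set so the risk is low, but the usual hardening is to pass them via `env:` (`ACTOR: ${{ github.actor }}`) and reference `"$ACTOR"` in the script. For an actor with no collaborator relationship the API call presumably returns an error and, under the runner's default `bash -e`, the step fails closed, which is the desired direction.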