From: Daan De Meyer <daan@amutable.com>
Date: Mon, 13 Apr 2026 14:27:10 +0000 (+0200)
Subject: ci: Two claude-review fixes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8383d033ccac39dd6cbaf32b0122c8b3ec99fe84;p=thirdparty%2Fsystemd.git

ci: Two claude-review fixes

- Use persist-credentials: false for actions/checkout, so we don't
  leak the github token credentials to subsequent jobs.
- Remove one / from the Edit/Write permissions. Currently, with the
  absolute path from github.workspace, we expand to three slashes while
  we only need two.
---

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index bf20e7d51e9..3829313cf97 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -150,6 +150,7 @@ jobs:
         with:
           # Need full history for git worktree add to work on all PR commits.
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Download PR context
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
@@ -200,8 +201,8 @@ jobs:
               "allow": [
                 "Bash",
                 "Read",
-                "Edit(//${{ github.workspace }}/**)",
-                "Write(//${{ github.workspace }}/**)",
+                "Edit(/${{ github.workspace }}/**)",
+                "Write(/${{ github.workspace }}/**)",
                 "Grep",
                 "Glob",
                 "Agent",