Summary
The on-demand "Claude Code" workflow (each repo's .github/workflows/claude.yml → Utilified/.github/.github/workflows/reusable-claude.yml@main) is hitting startup_failure on issues / issue_comment / pull_request_review / pull_request_review_comment events across the consuming repos. A startup_failure occurs before the job if: is evaluated, so this is not the normal non-@claude skip (those correctly show skipped).
Evidence it's a real regression, not skip-noise
- Normal @claude-guard non-invocations show skipped, and there are genuine historical skipped/success runs — so the guard, secret, and action ref are fundamentally sound.
- ums-portal flipped from skipped → 100% startup_failure on 2026-05-08 with no caller change → a startup-time regression in this repo's shared reusable, most likely the workflow_call job's permissions: / secret-inheritance contract (possibly triggered by an org runner-policy change, e.g. an added step-security/harden-runner).
- CLAUDE_CODE_OAUTH_TOKEN is present in all 5 repos and the action ref resolves — ruling those out.
Impact
- platform-api and ums-web are now 100% startup_failure — the on-demand @claude assistant is effectively dead in the two primary repos; the others are intermittently broken.
- This is the on-demand @claude workflow — distinct from the automatic claude-review PR-review check.
Suggested fix (one place fixes all repos)
- Reconcile the reusable claude job's permissions: block with what callers grant — a workflow_call job cannot request permissions the caller didn't grant, which surfaces as startup_failure.
- Consider moving the @claude if: guard up to the caller job level so non-invocations skip cleanly instead of starting the reusable.
- Diff Utilified/.github history around the 2026-05-08 onset (last content edit 2026-05-19; the trigger may be an org policy / runner-policy change rather than a file edit).
Acceptance criteria
- … @claude event shows skipped (not startup_failure).
- … @claude-mention comment in platform-api and ums-web successfully starts and runs the workflow.
- … startup_failure Claude Code runs across the consuming repos for a week.
Context
Found during CI-health review (2026-06-06). The consuming claude.yml is byte-identical across platform-api, ums-web, ums-portal, platform-infra, platform-mcp.
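A sketch of the caller/reusable contract that the suggested fix describes, added here as an illustration and not taken from the Utilified repositories. The permission scopes, the guard expression and the placeholder step are assumptions; only the workflow paths, the trigger events and the secret name come from the issue.

```yaml
# --- Caller: .github/workflows/claude.yml in each consuming repo (assumed content) ---
name: Claude Code
on: [issues, issue_comment, pull_request_review, pull_request_review_comment]

jobs:
  claude:
    # Guard on the caller job, as the suggested fix proposes: events that do
    # not mention @claude end as "skipped" without starting the reusable.
    if: >-
      (github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude')) ||
      (github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude')) ||
      (github.event_name == 'issues' &&
        contains(github.event.issue.body, '@claude'))
    # What the caller grants is the ceiling for the called workflow.
    # Scopes below are assumed for illustration; keep them least-privilege.
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: Utilified/.github/.github/workflows/reusable-claude.yml@main
    # Passes CLAUDE_CODE_OAUTH_TOKEN through without declaring it per caller.
    secrets: inherit
---
# --- Reusable: Utilified/.github/.github/workflows/reusable-claude.yml (assumed content) ---
on:
  workflow_call:

jobs:
  claude:
    runs-on: ubuntu-latest
    # Must be equal to or narrower than the caller job's grant above.
    # Any scope requested here but absent in the caller makes the run invalid.
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      # Placeholder for the real Claude Code action step (not shown in the issue).
      - name: Run Claude Code (placeholder)
        run: echo "action step goes here"
```

Because the consuming claude.yml is byte-identical across the five repos, comparing the two permissions: blocks once is enough to confirm or rule out this mismatch.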