name: Claude Issue Dedupe description: Automatically dedupe GitHub issues using Claude Code on: issues: types: [opened] workflow_dispatch: inputs: issue_number: description: 'Issue number to process for duplicate detection' required: true type: string jobs: claude-dedupe-issues: runs-on: ubuntu-latest timeout-minutes: 10 permissions: contents: read issues: write steps: - name: Checkout repository uses: actions/checkout@v4 - name: Run Claude Code slash command id: claude uses: anthropics/claude-code-base-action@beta with: prompt: "/dedupe ${{ github.repository }}/issues/${{ github.event.issue.number || inputs.issue_number }}" anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} claude_args: "--model claude-sonnet-4-5-20250929" # Note: GH_TOKEN only provides read access for issue viewing/searching # Comment posting is handled in a separate isolated step below claude_env: | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # SECURITY: This step runs in isolation without access to ANTHROPIC_API_KEY # It only has GITHUB_TOKEN for posting comments, preventing secret exfiltration - name: Post duplicate comment (isolated from API key) if: success() env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ISSUE_NUMBER=${{ github.event.issue.number || inputs.issue_number }} RESULT_FILE="/tmp/dedupe-result.json" if [ ! -f "$RESULT_FILE" ]; then echo "No dedupe result file found, skipping comment" exit 0 fi # Check if we should skip if jq -e '.skip' "$RESULT_FILE" > /dev/null 2>&1; then REASON=$(jq -r '.reason // "unknown"' "$RESULT_FILE") echo "Skipping comment: $REASON" exit 0 fi # Get duplicates array DUPLICATES=$(jq -r '.duplicates // []' "$RESULT_FILE") COUNT=$(echo "$DUPLICATES" | jq 'length') if [ "$COUNT" -eq 0 ]; then echo "No duplicates found, skipping comment" exit 0 fi # Build comment body (limit to 3 duplicates for safety) SAFE_COUNT=$((COUNT > 3 ? 3 : COUNT)) COMMENT="Found $SAFE_COUNT possible duplicate issue" if [ "$SAFE_COUNT" -ne 1 ]; then COMMENT="${COMMENT}s" fi COMMENT="${COMMENT}:" COMMENT="${COMMENT} " for i in $(seq 0 $((SAFE_COUNT - 1))); do URL=$(echo "$DUPLICATES" | jq -r ".[$i]") # Validate URL format to prevent injection if [[ "$URL" =~ ^https://github\.com/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/issues/[0-9]+$ ]]; then COMMENT="${COMMENT} $((i + 1)). $URL" fi done COMMENT="${COMMENT} This issue will be automatically closed as a duplicate in 3 days. - If your issue is a duplicate, please close it and 👍 the existing issue instead - To prevent auto-closure, add a comment or 👎 this comment 🤖 Generated with [Claude Code](https://claude.ai/code)" # Post the comment gh issue comment "$ISSUE_NUMBER" --repo "${{ github.repository }}" --body "$COMMENT" echo "Posted duplicate comment on issue #$ISSUE_NUMBER" - name: Log duplicate comment event to Statsig if: always() env: STATSIG_API_KEY: ${{ secrets.STATSIG_API_KEY }} run: | ISSUE_NUMBER=${{ github.event.issue.number || inputs.issue_number }} REPO=${{ github.repository }} if [ -z "$STATSIG_API_KEY" ]; then echo "STATSIG_API_KEY not found, skipping Statsig logging" exit 0 fi # Prepare the event payload EVENT_PAYLOAD=$(jq -n \ --arg issue_number "$ISSUE_NUMBER" \ --arg repo "$REPO" \ --arg triggered_by "${{ github.event_name }}" \ '{ events: [{ eventName: "github_duplicate_comment_added", value: 1, metadata: { repository: $repo, issue_number: ($issue_number | tonumber), triggered_by: $triggered_by, workflow_run_id: "${{ github.run_id }}" }, time: (now | floor | tostring) }] }') # Send to Statsig API echo "Logging duplicate comment event to Statsig for issue #${ISSUE_NUMBER}" RESPONSE=$(curl -s -w "\n%{http_code}" -X POST https://events.statsigapi.net/v1/log_event \ -H "Content-Type: application/json" \ -H "STATSIG-API-KEY: ${STATSIG_API_KEY}" \ -d "$EVENT_PAYLOAD") HTTP_CODE=$(echo "$RESPONSE" | tail -n1) BODY=$(echo "$RESPONSE" | head -n-1) if [ "$HTTP_CODE" -eq 200 ] || [ "$HTTP_CODE" -eq 202 ]; then echo "Successfully logged duplicate comment event for issue #${ISSUE_NUMBER}" else echo "Failed to log duplicate comment event for issue #${ISSUE_NUMBER}. HTTP ${HTTP_CODE}: ${BODY}" fi