Skip to content

feat(code-review): pass confirmed=true when posting inline comments#33472

Merged
km-anthropic merged 1 commit intomainfrom
kashyap/code-review-batch-output
Mar 12, 2026
Merged

feat(code-review): pass confirmed=true when posting inline comments#33472
km-anthropic merged 1 commit intomainfrom
kashyap/code-review-batch-output

Conversation

@km-anthropic
Copy link
Contributor

@km-anthropic km-anthropic commented Mar 12, 2026
edited
Loading

Problem

Subagents inherit mcp__github_inline_comment__create_inline_comment and post test/probe comments on customer PRs after hitting GraphQL permission errors. Recurring since Dec 2025 despite prompt-level guards.

Fix

The inline-comment MCP tool (via anthropics/claude-code-action#1048) now has a confirmed parameter:

  • confirmed: true → posts immediately
  • omitted → posts by default UNLESS body matches obvious probe patterns (buffered instead)
  • confirmed: false → always buffered

This PR updates step 9 to pass confirmed: true when posting final review comments.

Subagent probes that don't pass confirmed either:

  • Match the probe pattern → buffered harmlessly
  • Don't match → still post (residual risk, but the main reported phrasings are caught)

Why this works for existing customers

Both claude-code-action (via @v1 tag) and this skill (loaded at runtime from plugin marketplace) auto-update. Existing customers with old workflow YAML get the fix without re-installing.

Backward compatibility

Against older versions of claude-code-action that don't have the confirmed param, Zod strips unknown fields and the comment posts as before.

Companion action PR: anthropics/claude-code-action#1048

@km-anthropic km-anthropic force-pushed the kashyap/code-review-batch-output branch from b6c1491 to bdb0425 Compare March 12, 2026 04:25
@km-anthropic
feat(code-review): pass confirmed=true when posting inline comments
db8834b 
The inline-comment MCP tool now requires confirmed=true to post (otherwise
calls are buffered). This structurally prevents subagent test/probe
comments from reaching customer PRs — subagents that inherit the tool and
probe it without confirmed=true see their calls harmlessly buffered.

Backward compatible: against older versions of claude-code-action that
don't know the param, the extra field is ignored and the comment posts
as before.
@km-anthropic km-anthropic force-pushed the kashyap/code-review-batch-output branch from bdb0425 to db8834b Compare March 12, 2026 05:16
@km-anthropic km-anthropic mentioned this pull request Mar 12, 2026
Merged
@km-anthropic km-anthropic changed the title feat(code-review): write findings to JSON file instead of posting directly feat(code-review): pass confirmed=true when posting inline comments Mar 12, 2026
@km-anthropic km-anthropic enabled auto-merge March 12, 2026 07:04
@km-anthropic km-anthropic merged commit 2dc1e69 into main Mar 12, 2026
This was referenced Mar 13, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sid374 sid374 sid374 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@km-anthropic @sid374