From 6bbd710cd1593ef83ae572cd3033224f9dc40833 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 19:38:25 +0200
Subject: [PATCH 01/31] D-170526: Add GH OIDC permission for Bedrock

---
 tofu/iam.github_oidc.tofu | 59 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/tofu/iam.github_oidc.tofu b/tofu/iam.github_oidc.tofu
index 684f66f..4d24196 100644
--- a/tofu/iam.github_oidc.tofu
+++ b/tofu/iam.github_oidc.tofu
@@ -1,3 +1,8 @@
+# ===== Description =====
+# IAM self-assumption and scoped-down policy principals have been followed in Github OIDC implementation
+# More details: https://dev.to/aws-builders/understanding-self-assumption-and-scoped-down-policy-in-aws-iam-2io
+# ======
+
 module "iam_github_oidc_provider" {
   source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider"
   version = local.vars.iam.version
@@ -13,6 +18,8 @@ module "iam_github_oidc_role" {
   subjects = local.vars.iam.github_oidc.repos
 }
 
+# ===== hariprasad.dev Cloudfront deployment =====
+
 module "iam_github_portfolio_website_s3_policy" {
   source = "terraform-aws-modules/iam/aws//modules/iam-policy"
   version = local.vars.iam.version
@@ -66,6 +73,8 @@ module "iam_assumable_role_github_portfolio_website" {
   ]
 }
 
+# ===== awsing OpenTofu deployment =====
+
 module "iam_assumable_role_github_awsing" {
   source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = local.vars.iam.version
@@ -83,4 +92,54 @@ module "iam_assumable_role_github_awsing" { custom_role_policy_arns = [ "arn:aws:iam::aws:policy/AdministratorAccess" ] +} + +# ===== PR review using Bedrock claude ===== + +module "iam_github_portfolio_bedrock_claude_policy" { + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = local.vars.iam.version + + name = "${terraform.workspace}-github-portfolio-bedrock-claude-policy" + path = "/" + description = "IAM policy for GitHub OIDC role to access ${terraform.workspace}-bedrock-claude policy" + + policy = < Date: Sun, 17 May 2026 20:04:33 +0200 Subject: [PATCH 02/31] D-170526: Add GH OIDC permission for Bedrock --- .github/workflows/tofu.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml index 50c79ac..2165bb1 100644 --- a/.github/workflows/tofu.yaml +++ b/.github/workflows/tofu.yaml @@ -34,7 +34,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }} role-session-name: gh_set_aws_credentials - - name: AWS - Assume Role + - name: AWS - Assume Awsing Role id: aws_assume_role uses: aws-actions/configure-aws-credentials@v5.1.1 with: @@ -54,6 +54,20 @@ jobs: run: tofu fmt -check continue-on-error: false + - name: AWS - Assume Bedrock Claude Role + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }} + aws-region: ${{ vars.AWS_REGION }} + role-session-name: github_action_bedrock_claude + role-chaining: true + + - uses: anthropics/claude-code-action@v1 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + use_bedrock: "true" + claude_args: '--model us.anthropic.claude-sonnet-4-6 --max-turns 10' + - name: OpenTofu apply working-directory: tofu run: | From 8759e3f046040b8f544f7a9294d3b801ba340f84 Mon Sep 17 00:00:00 2001 
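Review bot: The new `AWS - Assume Bedrock Claude Role` step references `aws-actions/configure-aws-credentials@v4` while the step above it in the same job uses `@v5.1.1`, and the added `anthropics/claude-code-action@v1` step is referenced by a floating major tag; both of these steps are handed AWS role credentials and `secrets.GITHUB_TOKEN`, so a retagged or compromised release of either action compromises the job. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: anthropics/claude-code-action@<commit-sha> # v1`, and use a single version of the credentials action throughout the workflow. The step also sets `role-chaining: true` while the credentials currently in the environment come from the admin `Awsing` role assumed earlier in the job, so the Bedrock role's trust policy must accept that role; a short comment on which principal is expected to chain into it would make the intended trust path reviewable.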
From: harik8
Date: Sun, 17 May 2026 20:08:06 +0200
Subject: [PATCH 03/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 2165bb1..2cd33fe 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -32,7 +32,7 @@ jobs:
         with:
           aws-region: ${{ vars.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
-          role-session-name: gh_set_aws_credentials
+          role-session-name: github_action_oidc_role
 
       - name: AWS - Assume Awsing Role
         id: aws_assume_role
@@ -40,7 +40,7 @@ jobs:
         with:
           aws-region: ${{ vars.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }}
-          role-session-name: github_action
+          role-session-name: github_action_awsing
           role-chaining: true
 
       - name: Setup opentofu
@@ -54,6 +54,13 @@ jobs:
         run: tofu fmt -check
         continue-on-error: false
 
+      - name: AWS Bedrock Claude Github OIDC
+        uses: aws-actions/configure-aws-credentials@v5.1.1
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
+          role-session-name: github_action_oidc_role
+
       - name: AWS - Assume Bedrock Claude Role
         uses: aws-actions/configure-aws-credentials@v4
         with:
From 95a9735225610093ce435fb88d6aa6224711a7d8 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:11:08 +0200
Subject: [PATCH 04/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 38 ++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 2cd33fe..d246e7d 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
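Review bot: The `role-session-name` values introduced here (`github_action_oidc_role`, `github_action_awsing`, and `github_action_oidc_role` again in the added step) are constants, so CloudTrail cannot distinguish one workflow run's AssumeRole from another's when you need to trace what a given PR did in the account. Include the run in the session name, e.g. `role-session-name: github_action_oidc_role-${{ github.run_id }}`; a numeric run id keeps the value within the characters STS accepts for session names. The added step re-assumes `AWS_IAM_GITHUB_OIDC_ROLE_ARN` under a second step name after the admin `Awsing` role is already in the environment — a one-line comment saying that this is done so the Bedrock role is chained from the low-privilege OIDC role rather than from the admin role would record the intent.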
@@ -17,7 +17,11 @@ on:
 
 permissions:
   id-token: write # This is required for requesting the JWT
-  contents: read # This is required for actions/checkout
+  # contents: read # This is required for actions/checkout
+  contents: write
+  pull-requests: write
+  issues: write
+  id-token: write
 
 jobs:
   TOFU-APPLY:
@@ -27,22 +31,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: AWS - Set AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5.1.1
-        with:
-          aws-region: ${{ vars.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
-          role-session-name: github_action_oidc_role
-
-      - name: AWS - Assume Awsing Role
-        id: aws_assume_role
-        uses: aws-actions/configure-aws-credentials@v5.1.1
-        with:
-          aws-region: ${{ vars.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }}
-          role-session-name: github_action_awsing
-          role-chaining: true
-
       - name: Setup opentofu
         uses: opentofu/setup-opentofu@v2
         with:
@@ -75,6 +63,22 @@ jobs:
           use_bedrock: "true"
           claude_args: '--model us.anthropic.claude-sonnet-4-6 --max-turns 10'
 
+      - name: AWS - Set AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5.1.1
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
+          role-session-name: github_action_oidc_role
+
+      - name: AWS - Assume Awsing Role
+        id: aws_assume_role
+        uses: aws-actions/configure-aws-credentials@v5.1.1
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }}
+          role-session-name: github_action_awsing
+          role-chaining: true
+
       - name: OpenTofu apply
         working-directory: tofu
         run: |
From ce54b2725e67da83c7392ecff525be5d03d2bee0 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:11:54 +0200
Subject: [PATCH 05/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 1 -
 1 file changed, 1 deletion(-)
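Review bot: The permissions block is widened at workflow level — `contents: write`, `pull-requests: write`, `issues: write` — so every step of `TOFU-APPLY`, including the admin-role `OpenTofu apply` steps, now runs with a write-capable `GITHUB_TOKEN`, not only the review step that needs it. Posting a PR review needs `pull-requests: write` (and `issues: write` if the bot comments on issues); `contents: write` is only required if the agent is expected to push commits, so drop it unless that is intended. Declare the grant on a dedicated review job (`jobs.<review>.permissions`) and leave the workflow default at `contents: read` so the apply job keeps the read-only token it had before this change.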
diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index d246e7d..beda01e 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -21,7 +21,6 @@ permissions:
   contents: write
   pull-requests: write
   issues: write
-  id-token: write
 
 jobs:
   TOFU-APPLY:
From 6ed5151badae1047b5937aba4b4f2ca0cd2fc772 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:15:09 +0200
Subject: [PATCH 06/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index beda01e..00f9876 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,6 +61,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           use_bedrock: "true"
           claude_args: '--model us.anthropic.claude-sonnet-4-6 --max-turns 10'
+          direct_prompt: "Review this PR"
 
       - name: AWS - Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
From 6f2f3e8f027a56915c5185c8d104633a3889692e Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:22:42 +0200
Subject: [PATCH 07/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 tofu/iam.github_oidc.tofu | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 00f9876..d268330 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           use_bedrock: "true"
           claude_args: '--model us.anthropic.claude-sonnet-4-6 --max-turns 10'
-          direct_prompt: "Review this PR"
+          prompt: "Review this PR"
 
       - name: AWS - Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
diff --git a/tofu/iam.github_oidc.tofu b/tofu/iam.github_oidc.tofu
index 4d24196..9639642 100644
--- a/tofu/iam.github_oidc.tofu
+++ b/tofu/iam.github_oidc.tofu
@@ -100,7 +100,7 @@ module "iam_github_portfolio_bedrock_claude_policy" {
   source = "terraform-aws-modules/iam/aws//modules/iam-policy"
   version = local.vars.iam.version
 
-  name = "${terraform.workspace}-github-portfolio-bedrock-claude-policy"
+  name = "${terraform.workspace}-github-bedrock-claude-policy"
   path = "/"
   description = "IAM policy for GitHub OIDC role to access ${terraform.workspace}-bedrock-claude policy"
 
From 23e4b195f31e4517624a5747efba5d005db43260 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:24:30 +0200
Subject: [PATCH 08/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index d268330..5b20103 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -60,7 +60,7 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           use_bedrock: "true"
-          claude_args: '--model us.anthropic.claude-sonnet-4-6 --max-turns 10'
+          claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
           prompt: "Review this PR"
 
       - name: AWS - Set AWS Credentials
From 918d755a235a84f410c01c30417698fe8dc9aaad Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:37:57 +0200
Subject: [PATCH 09/31] D-170526: Add GH OIDC permission for Bedrock

---
 tofu/iam.github_oidc.tofu | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tofu/iam.github_oidc.tofu b/tofu/iam.github_oidc.tofu
index 9639642..67350e4 100644
--- a/tofu/iam.github_oidc.tofu
+++ b/tofu/iam.github_oidc.tofu
@@ -117,7 +117,11 @@ module "iam_github_portfolio_bedrock_claude_policy" {
         "bedrock:ListFoundationModels",
         "bedrock:GetFoundationModel",
         "bedrock:ListInferenceProfiles",
-        "bedrock:GetInferenceProfile"
+        "bedrock:GetInferenceProfile",
+        # Enable AWS Marketplace subscription for a model
+        "aws-marketplace:ViewSubscriptions",
+        "aws-marketplace:Subscribe",
+        "aws-marketplace:Unsubscribe"
       ],
       "Resource": "*"
     }
From e94bc65a39086f3195b12f64a23ac57be9d76235 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:38:19 +0200
Subject: [PATCH 10/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 38 ++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 5b20103..395f60f 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
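Review bot: `aws-marketplace:Subscribe` and `aws-marketplace:Unsubscribe` are added to a statement whose `Resource` is `"*"`, so the role this CI job assumes can subscribe the account to any Marketplace listing (a billing exposure) and can unsubscribe it from the very models the review depends on (a self-inflicted outage); neither belongs to a role driven by pull-request events. Model-access subscription is a one-time account setup — do it out of band and keep only `aws-marketplace:ViewSubscriptions` here, or, if the role really must subscribe, add a `Condition` on the `aws-marketplace:ProductId` key listing the intended product ids so the grant cannot reach other listings. The same statement's `"Resource": "*"` also covers the Bedrock actions above it; the list/get actions genuinely need `*`, but any invoke action in this statement (not visible in the hunk) should be moved to its own statement scoped to the model or inference-profile ARNs.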
@@ -41,27 +41,27 @@ jobs:
         run: tofu fmt -check
         continue-on-error: false
 
-      - name: AWS Bedrock Claude Github OIDC
-        uses: aws-actions/configure-aws-credentials@v5.1.1
-        with:
-          aws-region: ${{ vars.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
-          role-session-name: github_action_oidc_role
+      # - name: AWS Bedrock Claude Github OIDC
+      #   uses: aws-actions/configure-aws-credentials@v5.1.1
+      #   with:
+      #     aws-region: ${{ vars.AWS_REGION }}
+      #     role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
+      #     role-session-name: github_action_oidc_role
 
-      - name: AWS - Assume Bedrock Claude Role
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
-          aws-region: ${{ vars.AWS_REGION }}
-          role-session-name: github_action_bedrock_claude
-          role-chaining: true
+      # - name: AWS - Assume Bedrock Claude Role
+      #   uses: aws-actions/configure-aws-credentials@v4
+      #   with:
+      #     role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
+      #     aws-region: ${{ vars.AWS_REGION }}
+      #     role-session-name: github_action_bedrock_claude
+      #     role-chaining: true
 
-      - uses: anthropics/claude-code-action@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          use_bedrock: "true"
-          claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
-          prompt: "Review this PR"
+      # - uses: anthropics/claude-code-action@v1
+      #   with:
+      #     github_token: ${{ secrets.GITHUB_TOKEN }}
+      #     use_bedrock: "true"
+      #     claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
+      #     prompt: "Review this PR"
 
       - name: AWS - Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
From ebafab956a7f52b6c65ae8f38922d4509238c456 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:40:47 +0200
Subject: [PATCH 11/31] D-170526: Add GH OIDC permission for Bedrock

---
 tofu/iam.github_oidc.tofu | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tofu/iam.github_oidc.tofu b/tofu/iam.github_oidc.tofu
index 67350e4..1951512 100644
--- a/tofu/iam.github_oidc.tofu
+++ b/tofu/iam.github_oidc.tofu
@@ -118,7 +118,6 @@ module "iam_github_portfolio_bedrock_claude_policy" {
         "bedrock:GetFoundationModel",
         "bedrock:ListInferenceProfiles",
         "bedrock:GetInferenceProfile",
-        # Enable AWS Marketplace subscription for a model
         "aws-marketplace:ViewSubscriptions",
         "aws-marketplace:Subscribe",
         "aws-marketplace:Unsubscribe"
From e442b4af26f6bd2ec44b0ee19b51212887a0be1a Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 20:43:10 +0200
Subject: [PATCH 12/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 38 ++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 395f60f..5b20103 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -41,27 +41,27 @@ jobs:
         run: tofu fmt -check
         continue-on-error: false
 
-      # - name: AWS Bedrock Claude Github OIDC
-      #   uses: aws-actions/configure-aws-credentials@v5.1.1
-      #   with:
-      #     aws-region: ${{ vars.AWS_REGION }}
-      #     role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
-      #     role-session-name: github_action_oidc_role
+      - name: AWS Bedrock Claude Github OIDC
+        uses: aws-actions/configure-aws-credentials@v5.1.1
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
+          role-session-name: github_action_oidc_role
 
-      # - name: AWS - Assume Bedrock Claude Role
-      #   uses: aws-actions/configure-aws-credentials@v4
-      #   with:
-      #     role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
-      #     aws-region: ${{ vars.AWS_REGION }}
-      #     role-session-name: github_action_bedrock_claude
-      #     role-chaining: true
+      - name: AWS - Assume Bedrock Claude Role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+          role-session-name: github_action_bedrock_claude
+          role-chaining: true
 
-      # - uses: anthropics/claude-code-action@v1
-      #   with:
-      #     github_token: ${{ secrets.GITHUB_TOKEN }}
-      #     use_bedrock: "true"
-      #     claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
-      #     prompt: "Review this PR"
+      - uses: anthropics/claude-code-action@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          use_bedrock: "true"
+          claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
+          prompt: "Review this PR"
 
       - name: AWS - Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
From b5da4f0e8d41c38e4346caa6aff9b9deeed105d3 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:17:10 +0200
Subject: [PATCH 13/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 5b20103..cf78543 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -60,7 +60,7 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           use_bedrock: "true"
-          claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 10'
+          claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 30'
           prompt: "Review this PR"
 
       - name: AWS - Set AWS Credentials
From 125c58d7a9640240424917236dfb4e11b7cfb532 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:24:31 +0200
Subject: [PATCH 14/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index cf78543..4fe78e0 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -58,10 +58,26 @@ jobs:
 
       - uses: anthropics/claude-code-action@v1
         with:
+          use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          use_bedrock: "true"
-          claude_args: '--model eu.anthropic.claude-sonnet-4-5-20250929-v1:0 --max-turns 30'
-          prompt: "Review this PR"
+          claude_args: |
+            --model eu.anthropic.claude-sonnet-4-5-20250514-v1:0
+            --max-turns 30
+          settings: |
+            {
+              "permissions": {
+                "allow": ["Bash(git:*)", "Read", "Glob", "Grep"],
+                "deny": []
+              }
+            }
+          prompt: |
+            Review the changes in this PR using git diff HEAD~1.
+            Check for bugs, security issues, code style, and missing tests.
+            Post a single consolidated review comment when done.
+
+      - name: Debug Claude output
+      if: always()
+      run: cat /home/runner/work/_temp/claude-execution-output.json
 
       - name: AWS - Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
From 99bf061da7c17443feac8923746412b4bc4a8d63 Mon Sep 17 00:00:00 2001
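Review bot: The `settings` allowlist grants `Bash(git:*)`, which is every git subcommand — `git push`, `git config`, `git fetch <any-url>` — not only the diff the prompt asks for, and the agent's input is the PR content under review, so a prompt-injected PR could turn this into a push using the token `actions/checkout` persists in `.git/config`. Narrow the allowlist to the read-only commands the task needs: `"allow": ["Bash(git diff:*)", "Bash(git log:*)", "Bash(git show:*)", "Read", "Glob", "Grep"]`. Separately, `git diff HEAD~1` needs the parent commit, which the default single-commit checkout does not fetch; give `actions/checkout` (outside this hunk) a `fetch-depth` of at least 2. The `Debug Claude output` step prints the whole agent transcript to the job log on every run, including whatever PR text and tool output the agent saw — gate it on `runner.debug == '1'` rather than `always()`.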
From: harik8
Date: Sun, 17 May 2026 21:25:02 +0200
Subject: [PATCH 15/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 4fe78e0..3cb9497 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -76,8 +76,8 @@ jobs:
             Post a single consolidated review comment when done.
 
       - name: Debug Claude output
-      if: always()
-      run: cat /home/runner/work/_temp/claude-execution-output.json
+        if: always()
+        run: cat /home/runner/work/_temp/claude-execution-output.json
 
       - name: AWS - Set AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5.1.1
From 1122be15ca1909dfaf99457c720ee4504d3afe2f Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:27:16 +0200
Subject: [PATCH 16/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 3cb9497..b6b230e 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model eu.anthropic.claude-sonnet-4-5-20250514-v1:0
+            --model eu.anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
           settings: |
             {
From 268d906e3724b03a77ef523ef6dd2a46b78f717c Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:34:42 +0200
Subject: [PATCH 17/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index b6b230e..0cdc0c4 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model eu.anthropic.claude-sonnet-4-20250514-v1:0
+            --model anthropic.claude-sonnet-4-5-20250929-v1:0
             --max-turns 30
           settings: |
             {
From df0a5115dd2df316d1b0e088a701cf5284e48ef1 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:42:19 +0200
Subject: [PATCH 18/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 0cdc0c4..4298aba 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model anthropic.claude-sonnet-4-5-20250929-v1:0
+            --model arn:aws:bedrock:eu-west-3::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
           settings: |
             {
From 2d5771ab1ef4cd95efc19fc92276d2859202a078 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:43:54 +0200
Subject: [PATCH 19/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 4298aba..c640471 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model arn:aws:bedrock:eu-west-3::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0
+            --model arn:aws:bedrock:${{ vars.AWS_REGION }}::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
           settings: |
             {
From 6436e276f9b7caf07db1cd6ace2c3965632bc29c Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:45:25 +0200
Subject: [PATCH 20/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index c640471..b6b230e 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model arn:aws:bedrock:${{ vars.AWS_REGION }}::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0
+            --model eu.anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
           settings: |
             {
From 38300d3bbb4b1bbb4ccc794f1276638e9069c16b Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:48:48 +0200
Subject: [PATCH 21/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index b6b230e..6557258 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model eu.anthropic.claude-sonnet-4-20250514-v1:0
+            --model anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
           settings: |
             {
From f19373311ac2c12ea5172f64d5b477652d11cc25 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:53:13 +0200
Subject: [PATCH 22/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 6557258..b6b230e 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -61,7 +61,7 @@ jobs:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model anthropic.claude-sonnet-4-20250514-v1:0
+            --model eu.anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
           settings: |
             {
From 203add239774a4b65e1cc289da9f96778de93cf0 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 21:58:50 +0200
Subject: [PATCH 23/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index b6b230e..3d5ea31 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -56,6 +56,8 @@ jobs:
           role-session-name: github_action_bedrock_claude
           role-chaining: true
 
+      - run: aws sts get-caller-identity && aws configure get region
+
       - uses: anthropics/claude-code-action@v1
         with:
           use_bedrock: "true"
From afdf97446037c379ae12d47dc0e41256b13008c1 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 22:00:48 +0200
Subject: [PATCH 24/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 3d5ea31..2227c4d 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -52,11 +52,11 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
-          aws-region: ${{ vars.AWS_REGION }}
+          aws-region: eu-west-1
           role-session-name: github_action_bedrock_claude
           role-chaining: true
 
-      - run: aws sts get-caller-identity && aws configure get region
+      # - run: aws sts get-caller-identity && aws configure get region
 
       - uses: anthropics/claude-code-action@v1
         with:
From 26cc4dbbbf718d530f146ae4a036bcb31432685f Mon Sep 17 00:00:00 2001
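Review bot: `aws-region: eu-west-1` is now hard-coded on the Bedrock role step while the OIDC step earlier in the job (outside this hunk) still reads `${{ vars.AWS_REGION }}`, so the two credential steps in one job can quietly target different regions; if Bedrock model availability forces a fixed region, say so in a comment and source it from one place, e.g. `aws-region: ${{ vars.BEDROCK_REGION }}`. The diagnostic step is commented out rather than deleted; when it was live it printed the account id and role ARN from `aws sts get-caller-identity` into the job log, so if it is meant to come back for troubleshooting, guard it with `if: runner.debug == '1'` instead of leaving it as dead text that will be un-commented later.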
From: harik8
Date: Sun, 17 May 2026 22:07:05 +0200
Subject: [PATCH 25/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 2227c4d..a447451 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -41,41 +41,32 @@ jobs:
         run: tofu fmt -check
         continue-on-error: false
 
-      - name: AWS Bedrock Claude Github OIDC
+      - name: AWS Bedrock Claude Github OIDC
         uses: aws-actions/configure-aws-credentials@v5.1.1
         with:
-          aws-region: ${{ vars.AWS_REGION }}
+          aws-region: eu-west-1
           role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
           role-session-name: github_action_oidc_role
 
       - name: AWS - Assume Bedrock Claude Role
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v5.1.1
         with:
           role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
           aws-region: eu-west-1
           role-session-name: github_action_bedrock_claude
           role-chaining: true
 
-      # - run: aws sts get-caller-identity && aws configure get region
+      - run: |
+         aws sts get-caller-identity
+         aws bedrock list-foundation-models --by-provider anthropic --region eu-west-1
 
       - uses: anthropics/claude-code-action@v1
         with:
           use_bedrock: "true"
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
-            --model eu.anthropic.claude-sonnet-4-20250514-v1:0
+            --model anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
-          settings: |
-            {
-              "permissions": {
-                "allow": ["Bash(git:*)", "Read", "Glob", "Grep"],
-                "deny": []
-              }
-            }
-          prompt: |
-            Review the changes in this PR using git diff HEAD~1.
-            Check for bugs, security issues, code style, and missing tests.
-            Post a single consolidated review comment when done.
 
       - name: Debug Claude output
         if: always()
From c5dc88cec5b6b5907245fd87004c87a738f950fa Mon Sep 17 00:00:00 2001
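Review bot: This revision deletes the `settings` tool allowlist together with the `prompt`, so the action now runs with whatever tool permissions it grants by default and with no stated task; even if the intent is to fall back to the action's built-in PR-review behaviour, keep an explicit allowlist so that a later change of defaults in the action cannot widen what the agent may execute in a job that holds AWS credentials. The new `run:` step executes `aws sts get-caller-identity` and `aws bedrock list-foundation-models` on every run, which writes the account id and role ARN into the job log; once the model id is settled, remove it or gate it on `runner.debug == '1'`. Moving the Bedrock step to `configure-aws-credentials@v5.1.1` so both credential steps use one version is the right direction — pinning that reference to a commit SHA would finish it.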
From: harik8
Date: Sun, 17 May 2026 22:07:35 +0200
Subject: [PATCH 26/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index a447451..0fd550b 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -57,8 +57,8 @@ jobs:
           role-chaining: true
 
       - run: |
-         aws sts get-caller-identity
-         aws bedrock list-foundation-models --by-provider anthropic --region eu-west-1
+          aws sts get-caller-identity
+          aws bedrock list-foundation-models --by-provider anthropic --region eu-west-1
 
       - uses: anthropics/claude-code-action@v1
         with:
From a6132bfa9949f5754dcc1683d484ed4d630078b7 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 22:10:53 +0200
Subject: [PATCH 27/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 0fd550b..158d072 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -29,6 +29,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
 
       - name: Setup opentofu
         uses: opentofu/setup-opentofu@v2
@@ -63,6 +65,7 @@ jobs:
       - uses: anthropics/claude-code-action@v1
         with:
           use_bedrock: "true"
+          mode: review
           github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
             --model anthropic.claude-sonnet-4-20250514-v1:0
From 90981fcb9c9b495ef5e426e62de15166aa23a573 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 22:13:24 +0200
Subject: [PATCH 28/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 158d072..1108e43 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
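Review bot: `fetch-depth: 0` gives the agent the history it needs for `git diff`, but `actions/checkout` also persists the `GITHUB_TOKEN` in `.git/config` by default, and with the workflow-level `contents: write` granted earlier in this series that is a push credential sitting in the working tree of a process steered by PR content. Add `persist-credentials: false` next to `fetch-depth: 0`; the review step reads the repository locally and talks to GitHub only through its `github_token` input. The `mode: review` input added in the second hunk is undocumented here — a one-line comment saying what it selects would help, since the same job already carries a `prompt`-less configuration whose behaviour depends on that mode.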
@@ -65,12 +65,33 @@ jobs:
       - uses: anthropics/claude-code-action@v1
         with:
           use_bedrock: "true"
-          mode: review
           github_token: ${{ secrets.GITHUB_TOKEN }}
+
+          # Run automatically on PRs
+          trigger_phrase: ""
+
           claude_args: |
             --model anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
 
+          settings: |
+            {
+              "permissions": {
+                "allow": ["Bash(git:*)", "Read", "Glob", "Grep"],
+                "deny": []
+              }
+            }
+
+        prompt: |
+          Review the changes in this PR using git diff origin/${{ github.base_ref }}...HEAD.
+          Check for:
+          - bugs
+          - security issues
+          - code style
+          - missing tests
+
+          Post a single consolidated review comment.
+
       - name: Debug Claude output
         if: always()
         run: cat /home/runner/work/_temp/claude-execution-output.json
From ca941e0479c98a58720617c078658577d28fa8be Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 22:14:14 +0200
Subject: [PATCH 29/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 1108e43..90b7784 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -82,15 +82,15 @@ jobs:
               }
             }
 
-        prompt: |
-          Review the changes in this PR using git diff origin/${{ github.base_ref }}...HEAD.
-          Check for:
-          - bugs
-          - security issues
-          - code style
-          - missing tests
-
-          Post a single consolidated review comment.
+          prompt: |
+            Review the changes in this PR using git diff origin/${{ github.base_ref }}...HEAD.
+            Check for:
+            - bugs
+            - security issues
+            - code style
+            - missing tests
+
+            Post a single consolidated review comment.
 
       - name: Debug Claude output
         if: always()
From b327e1e47f310e2825a598aa43b98aae0ef8b239 Mon Sep 17 00:00:00 2001
From: harik8
Date: Sun, 17 May 2026 22:17:55 +0200
Subject: [PATCH 30/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 30 ++++++++----------------------
 1 file changed, 8 insertions(+), 22 deletions(-)
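Review bot: `trigger_phrase: ""` (commented "Run automatically on PRs") removes the human gate, so an agent holding `Bash(git:*)` and a write-capable `GITHUB_TOKEN` is now driven purely by whatever the PR author put in the title, body and diff; if the action treats an empty phrase as "always run", treat that input as untrusted and either keep a trigger phrase for maintainers, or restrict the event to same-repository branches and shrink the allowlist to `Bash(git diff:*)` and `Bash(git log:*)`. The prompt also embeds `${{ github.base_ref }}`, which the runner expands before the text reaches the agent; `base_ref` is a branch of the base repository so the risk is low here, but telling the agent to run `git diff origin/$GITHUB_BASE_REF...HEAD` and letting the shell expand the variable keeps workflow expressions out of prompt text, where a later edit could introduce an attacker-controlled context such as a PR title.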
diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 90b7784..0d96afe 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -29,8 +29,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
 
       - name: Setup opentofu
         uses: opentofu/setup-opentofu@v2
@@ -65,33 +63,21 @@ jobs:
       - uses: anthropics/claude-code-action@v1
         with:
           use_bedrock: "true"
+          mode: review
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            BRANCH: ${{ github.ref_name }}
+
+            Analyze the latest commit in this repository.
 
-          # Run automatically on PRs
-          trigger_phrase: ""
+            ${{ github.event.inputs.analysis_type == 'summarize-commit' && 'Task: Provide a clear, concise summary of what changed in the latest commit. Include the commit message, files changed, and the purpose of the changes.' || '' }}
+            ${{ github.event.inputs.analysis_type == 'security-review' && 'Task: Review the latest commit for potential security vulnerabilities. Check for exposed secrets, insecure coding patterns, dependency vulnerabilities, or any other security concerns. Provide specific recommendations if issues are found.' || '' }}
 
           claude_args: |
             --model anthropic.claude-sonnet-4-20250514-v1:0
             --max-turns 30
 
-          settings: |
-            {
-              "permissions": {
-                "allow": ["Bash(git:*)", "Read", "Glob", "Grep"],
-                "deny": []
-              }
-            }
-
-          prompt: |
-            Review the changes in this PR using git diff origin/${{ github.base_ref }}...HEAD.
-            Check for:
-            - bugs
-            - security issues
-            - code style
-            - missing tests
-
-            Post a single consolidated review comment.
-
       - name: Debug Claude output
         if: always()
         run: cat /home/runner/work/_temp/claude-execution-output.json
From bb73d9188042bfb8e31a601ed1bfb34cb1f6d619 Mon Sep 17 00:00:00 2001
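Review bot: The new prompt selects its task with `github.event.inputs.analysis_type`, which only has a value on a `workflow_dispatch` run whose `inputs` declare `analysis_type`; the `on:` block is outside this hunk, but if the workflow still fires on `pull_request` or `push` events both selectors evaluate to `''` and the agent is left with only "Analyze the latest commit in this repository". Define the choice once with a default — e.g. a job-level `env: ANALYSIS_TYPE: ${{ github.event.inputs.analysis_type || 'security-review' }}` and compare `env.ANALYSIS_TYPE` in the two expressions — or move the dispatch-driven prompt into its own workflow. This hunk also drops the `settings` allowlist again, so the agent reverts to the action's default tool permissions while still running with AWS credentials in the environment; restore a minimal allowlist alongside the new prompt. Removing `fetch-depth: 0` in the first hunk means any `git diff` against a parent commit the agent attempts will again fail on the single-commit checkout.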
From: harik8
Date: Sun, 17 May 2026 22:20:42 +0200
Subject: [PATCH 31/31] D-170526: Add GH OIDC permission for Bedrock

---
 .github/workflows/tofu.yaml | 87 +++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 46 deletions(-)

diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
index 0d96afe..7e46cd0 100644
--- a/.github/workflows/tofu.yaml
+++ b/.github/workflows/tofu.yaml
@@ -30,16 +30,16 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Setup opentofu
-        uses: opentofu/setup-opentofu@v2
-        with:
-          tofu_version: 1.11.2
-          cache: true
+      # - name: Setup opentofu
+      #   uses: opentofu/setup-opentofu@v2
+      #   with:
+      #     tofu_version: 1.11.2
+      #     cache: true
 
-      - name: OpenTofu fmt
-        working-directory: tofu
-        run: tofu fmt -check
-        continue-on-error: false
+      # - name: OpenTofu fmt
+      #   working-directory: tofu
+      #   run: tofu fmt -check
+      #   continue-on-error: false
 
       - name: AWS Bedrock Claude Github OIDC
         uses: aws-actions/configure-aws-credentials@v5.1.1
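Review bot: Commenting out `Setup opentofu` and `OpenTofu fmt` (the later hunk does the same to the apply steps) leaves a job still named `TOFU-APPLY` that runs only the Claude review yet keeps the workflow-level `contents: write` grant and the admin-role secret references introduced earlier in this series; if the review is what this workflow now does, move it to its own workflow file with `permissions: { id-token: write, pull-requests: write, contents: read }` and delete the dead steps rather than leaving them as comments, which cannot be linted and tend to be un-commented wholesale later. Note that `tofu fmt -check` was the only CI check the `tofu/iam.github_oidc.tofu` changes in this series received, so disabling it here also removes that gate for the IAM policy.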
@@ -56,57 +56,52 @@ jobs: role-session-name: github_action_bedrock_claude role-chaining: true - - run: | - aws sts get-caller-identity - aws bedrock list-foundation-models --by-provider anthropic --region eu-west-1 + # - run: | + # aws sts get-caller-identity + # aws bedrock list-foundation-models --by-provider anthropic --region eu-west-1 - uses: anthropics/claude-code-action@v1 with: use_bedrock: "true" - mode: review github_token: ${{ secrets.GITHUB_TOKEN }} prompt: | REPO: ${{ github.repository }} BRANCH: ${{ github.ref_name }} Analyze the latest commit in this repository. - - ${{ github.event.inputs.analysis_type == 'summarize-commit' && 'Task: Provide a clear, concise summary of what changed in the latest commit. Include the commit message, files changed, and the purpose of the changes.' || '' }} - - ${{ github.event.inputs.analysis_type == 'security-review' && 'Task: Review the latest commit for potential security vulnerabilities. Check for exposed secrets, insecure coding patterns, dependency vulnerabilities, or any other security concerns. Provide specific recommendations if issues are found.' 
|| '' }} claude_args: | - --model anthropic.claude-sonnet-4-20250514-v1:0 + --model eu.anthropic.claude-haiku-4-5-20251001-v1:0 --max-turns 30 - name: Debug Claude output if: always() run: cat /home/runner/work/_temp/claude-execution-output.json - - name: AWS - Set AWS Credentials - uses: aws-actions/configure-aws-credentials@v5.1.1 - with: - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }} - role-session-name: github_action_oidc_role - - - name: AWS - Assume Awsing Role - id: aws_assume_role - uses: aws-actions/configure-aws-credentials@v5.1.1 - with: - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }} - role-session-name: github_action_awsing - role-chaining: true - - - name: OpenTofu apply - working-directory: tofu - run: | - export TF_VAR_aws_region=${{ vars.AWS_REGION }} - export TF_VAR_s3_backend=${{ secrets.TF_VAR_S3_BACKEND }} - export TF_VAR_iac_role=${{ secrets.TF_VAR_IAC_ROLE }} - export TF_VAR_account_id=${{ secrets.TF_VAR_ACCOUNT_ID }} - - tofu init - tofu workspace select ${{ vars.TOFU_WORKSPACE }} - tofu plan - tofu apply -auto-approve + # - name: AWS - Set AWS Credentials + # uses: aws-actions/configure-aws-credentials@v5.1.1 + # with: + # aws-region: ${{ vars.AWS_REGION }} + # role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }} + # role-session-name: github_action_oidc_role + + # - name: AWS - Assume Awsing Role + # id: aws_assume_role + # uses: aws-actions/configure-aws-credentials@v5.1.1 + # with: + # aws-region: ${{ vars.AWS_REGION }} + # role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }} + # role-session-name: github_action_awsing + # role-chaining: true + + # - name: OpenTofu apply + # working-directory: tofu + # run: | + # export TF_VAR_aws_region=${{ vars.AWS_REGION }} + # export TF_VAR_s3_backend=${{ secrets.TF_VAR_S3_BACKEND }} + # export TF_VAR_iac_role=${{ secrets.TF_VAR_IAC_ROLE }} + # export TF_VAR_account_id=${{ 
secrets.TF_VAR_ACCOUNT_ID }} + + # tofu init + # tofu workspace select ${{ vars.TOFU_WORKSPACE }} + # tofu plan + # tofu apply -auto-approve
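Review bot: Switching the model to the `eu.anthropic.claude-haiku-4-5-20251001-v1:0` cross-region inference profile changes the IAM surface the Bedrock role needs: invoking an inference profile requires `bedrock:InvokeModel`-family permissions on the profile ARN and on the foundation-model ARNs in each destination region it routes to, so the role's policy (outside this file) should be checked against the new ID before the step is relied on. With the two `analysis_type` task lines removed, the prompt is now just `REPO`, `BRANCH` and `Analyze the latest commit in this repository.`, so the model runs an open-ended session of up to 30 turns with no stated task; add a concrete instruction, e.g. `Task: Summarize what changed in the latest commit and list any security concerns.`, or fail fast when no task is supplied. The commented-out `aws sts get-caller-identity` / `aws bedrock list-foundation-models` debugging block and the commented-out credential and apply steps should be removed rather than kept as dead text (see the note on the previous hunk). `Debug Claude output` with `if: always()` appears to print the full execution record to the job log, which is worth keeping in mind when the analysed commit content is untrusted.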