Skip to content

fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/#1186

Open
matanbaruch wants to merge 1 commit intoanthropics:mainfrom
matanbaruch:fix/cpSync-symlink-dereference
Open

fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/#1186
matanbaruch wants to merge 1 commit intoanthropics:mainfrom
matanbaruch:fix/cpSync-symlink-dereference

Conversation

@matanbaruch
Copy link
Copy Markdown

@matanbaruch matanbaruch commented Apr 6, 2026
edited
Loading

Summary

  • Adds dereference: true to the cpSync call that snapshots PR-authored sensitive paths into .claude-pr/
  • Fixes ENOENT: no such file or directory, symlink crash when a sensitive path (e.g. CLAUDE.md) is a symlink

Problem

cpSync defaults to dereference: false, which means it tries to recreate symlinks at the destination rather than copying file contents. When a sensitive path like CLAUDE.md is a symlink (e.g. CLAUDE.md -> AGENTS.md), the copy fails because cpSync calls symlink() without ensuring the parent .claude-pr/ directory exists first.

Error:

Restoring .claude, .mcp.json, .claude.json, .gitmodules, .ripgreprc, CLAUDE.md, CLAUDE.local.md, .husky from origin/main (PR head is untrusted)
ENOENT: no such file or directory, symlink

Fix

Adding dereference: true follows symlinks and copies the actual file contents instead of recreating the symlink. This is also the correct semantic behavior — review agents need to inspect the real content, not a symlink that may not resolve correctly from .claude-pr/.

Test plan

  • Verify the action works on a repo where CLAUDE.md is a symlink to another file
  • Verify the action still works on repos with regular (non-symlink) sensitive paths

@matanbaruch
fix: dereference symlinks when snapshotting sensitive paths to .claud…
cabcba7 
…e-pr/

`cpSync` defaults to `dereference: false`, which means it tries to
recreate symlinks at the destination rather than copying file contents.
When a sensitive path (e.g. CLAUDE.md) is a symlink, this fails with
`ENOENT: no such file or directory, symlink` because `cpSync` attempts
to call `symlink()` without ensuring the parent `.claude-pr/` directory
exists first.

Adding `dereference: true` fixes this by following symlinks and copying
the actual file contents, which is also the correct semantic behavior —
review agents need to inspect the real content, not a symlink that may
not resolve correctly from `.claude-pr/`.

Fixes the action crash when repositories use symlinked CLAUDE.md
(e.g. CLAUDE.md -> AGENTS.md).
@matanbaruch
Copy link
Copy Markdown
Author

matanbaruch commented Apr 6, 2026
edited
Loading

cc @ashwin-ant @dicksontsai - this fixes a regression introduced in #1174. The cpSync call added there uses the default dereference: false, which crashes with ENOENT: no such file or directory, symlink when any sensitive path (e.g. CLAUDE.md) is a symlink (e.g. CLAUDE.md -> AGENTS.md).

@matanbaruch matanbaruch mentioned this pull request Apr 6, 2026
Open
@forklady42 forklady42 mentioned this pull request Apr 7, 2026
Merged
4 tasks
forklady42 added a commit to Quantum-Accelerators/electrai that referenced this pull request Apr 7, 2026
@forklady42
Pin claude-code-action to v1.0.88 to dodge symlink ENOENT (#117)
8c69c69 
## Summary

- Pin `anthropics/claude-code-action` to `v1.0.88` in
`.github/workflows/claude.yml`
- Works around anthropics/claude-code-action#1187 — v1.0.89's
`restoreConfigFromBase` crashes with `ENOENT: no such file or directory,
symlink` because our `CLAUDE.md` is a symlink to `AGENTS.md` (from #91)
- Every `@claude` trigger has failed since v1.0.89 went out on
2026-04-05; most recent failure:
https://github.com/Quantum-Accelerators/electrai/actions/runs/24089849192

## Why v1.0.88

- Last release before the regression (#1172 / #1174 landed in v1.0.89)
- Upstream fix is anthropics/claude-code-action#1186 but it is still
open; once that ships we can revert the pin back to `@v1`

## Test plan

Note: `@claude`-ing this PR won't test the fix — `issue_comment`
workflows are always resolved from the default branch, so the broken
`@v1` on `main` would still run. The test has to happen post-merge.

- [ ] Merge to `main`
- [ ] Retrigger `@claude review once more` on #84 (it's already failing
on v1.0.89)
- [ ] Confirm the workflow run gets past `Restoring ... from origin/main
(PR head is untrusted)` without an `ENOENT: no such file or directory,
symlink` error
- [ ] Once anthropics/claude-code-action#1186 ships, revert the pin back
to `@v1`
@Troublor Troublor mentioned this pull request Apr 8, 2026
Merged
This was referenced Apr 8, 2026
Closed
Merged
davidpoblador added a commit to alltuner/vibetuner that referenced this pull request Apr 8, 2026
@davidpoblador @claude
fix: pin claude-code-action to v1.0.88 to avoid symlink ENOENT bug (#…
b8846bb 
…1613)

## Summary

- Pins `anthropics/claude-code-action` to `v1.0.88` in both workflow
files
- v1.0.89 introduced a regression where `cpSync` with
`dereference:false` fails on repos
  with symlinked `CLAUDE.md` (anthropics/claude-code-action#1187)
- Applies to both `.github/workflows/claude-code-review.yml` and the
template copy

## Test plan

- [ ] Verify code review workflow runs successfully on this PR
- [ ] Unpin to `@v1` once upstream fix
(anthropics/claude-code-action#1186) ships

Closes #1612

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@davidpoblador davidpoblador mentioned this pull request Apr 8, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@matanbaruch