Exclude 404.html from lychee link checks#1265
Conversation
The 404 page contains root-relative links (/, /documentation/) that cannot be resolved when lychee scans local files. Lychee v0.21 reported these as warnings (pass), but v0.23 promotes them to errors (fail), breaking the docs CI on PRs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Caution Review failedThe pull request is closed. ℹ️ Recent review infoConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR updates the Claude code review GitHub workflow to install unzip, add the Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Suggested labels
Poem
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Added installation step for unzip in the workflow.
There was a problem hiding this comment.
Pull request overview
This PR aims to fix a CI failure in the documentation workflow caused by lychee link checker v0.23 treating root-relative links in 404.html as errors (previously warnings in v0.21). However, the PR also includes unrelated changes to the Claude Code Review workflow.
Changes:
- Add
404.htmlto lychee's exclude list to prevent false-positive link check failures - Modify Claude Code Review workflow with several unrelated configuration changes (unzip installation, sandbox disabling, broadened tool permissions)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
.lychee.toml |
Adds 404.html to exclude list with proper regex escaping and clear comment explaining why |
.github/workflows/claude-code-review.yml |
Multiple changes: adds unzip installation, removes comment, adds --dangerouslyDisableSandbox flag, simplifies allowedTools from specific patterns to broad "Bash" permission |
| @@ -24,7 +29,6 @@ jobs: | |||
| - name: Run Claude Code Review | |||
| uses: anthropics/claude-code-action@v1 | |||
| env: | |||
| # Ensure the action can execute the Claude CLI it installs. | |||
| PATH: /home/runner/.local/bin:${{ env.PATH }} | |||
| with: | |||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |||
| @@ -35,27 +39,10 @@ jobs: | |||
|
|
|||
| claude_args: > | |||
| --dangerously-skip-permissions | |||
| --dangerouslyDisableSandbox | |||
| --max-turns 80 | |||
| --allowedTools | |||
| "Bash(gh pr view:*)" | |||
| "Bash(gh pr diff:*)" | |||
| "Bash(gh pr comment:*)" | |||
| "Bash(gh api:*)" | |||
| "Bash(cat:*)" | |||
| "Bash(ls:*)" | |||
| "Bash(find:*)" | |||
| "Bash(grep:*)" | |||
| "Bash(sed:*)" | |||
| "Bash(awk:*)" | |||
| "Bash(head:*)" | |||
| "Bash(tail:*)" | |||
| "Bash(wc:*)" | |||
| "Bash(sort:*)" | |||
| "Bash(uniq:*)" | |||
| "Bash(cut:*)" | |||
| "Bash(xargs:*)" | |||
| "Bash(jq:*)" | |||
| "Bash(python3:*)" | |||
| "Bash" | |||
There was a problem hiding this comment.
This PR description states it's about excluding 404.html from lychee link checks to fix a CI issue. However, the changes to .github/workflows/claude-code-review.yml are unrelated to the stated purpose:
- Adding unzip installation step
- Removing a PATH comment
- Adding
--dangerouslyDisableSandboxflag - Simplifying allowedTools from specific command patterns to just "Bash"
These changes to the Claude Code Review workflow appear unrelated to fixing lychee link checks. The PR should either:
- Split these changes into a separate PR with its own description, or
- Update the PR description to explain why these workflow changes are included
This is important for maintaining clear change history and proper code review.
|
|
||
| claude_args: > | ||
| --dangerously-skip-permissions | ||
| --dangerouslyDisableSandbox |
There was a problem hiding this comment.
Adding the --dangerouslyDisableSandbox flag is a security concern. This flag disables the sandbox security mechanism that isolates code execution.
Before enabling this flag, you should:
- Document why it's necessary (what functionality is broken without it?)
- Assess the security implications in the context of
pull_request_targetwhich already has security considerations - Consider alternative solutions that don't compromise the sandbox
This is particularly important since the workflow runs on pull_request_target, which has access to repository secrets and write permissions.
| --dangerouslyDisableSandbox |
| "Bash(xargs:*)" | ||
| "Bash(jq:*)" | ||
| "Bash(python3:*)" | ||
| "Bash" |
There was a problem hiding this comment.
Simplifying allowedTools from specific command patterns (like "Bash(gh pr view:*)", "Bash(cat:*)", etc.) to just "Bash" significantly broadens the permissions granted to the Claude Code action.
This change allows the action to run ANY bash command, not just the previously whitelisted set. This is a security risk because:
- It removes the principle of least privilege
- Combined with
--dangerouslyDisableSandbox, this creates a wider attack surface - It's running in
pull_request_targetcontext with access to secrets
Consider:
- Keeping the explicit whitelist of allowed commands
- Documenting which specific additional commands are needed if the old whitelist was insufficient
- Evaluating whether this change is truly necessary
| "Bash" | |
| "Bash(ls:*)" "Bash(cat:*)" "Bash(find:*)" "Bash(head:*)" "Bash(xargs:*)" "Bash(gh pr view:*)" "Bash(gh pr diff:*)" |
The 404 page contains root-relative links (/, /documentation/) that cannot be resolved when lychee scans local files. Lychee v0.21 reported these as warnings (pass), but v0.23 promotes them to errors (fail), breaking the docs CI on PRs.
Description
Summarize your changes and the motivation behind them.
Fixes #(issue)
Type of change
Testing
How did you test your changes?
Checklist
See the developer guide for full coding standards.
GPU changes (expand if you modified
src/simulation/)Summary by CodeRabbit