Skip to content

Consolidate AI PR review into single Claude Code workflow#71

Merged
DiamondDagger590 merged 5 commits into
developfrom
claude/review-workflow-cleanup-g4z1dp
Jul 16, 2026
Merged

Consolidate AI PR review into single Claude Code workflow#71
DiamondDagger590 merged 5 commits into
developfrom
claude/review-workflow-cleanup-g4z1dp

Conversation

@DiamondDagger590

Copy link
Copy Markdown
Owner

Summary

Replaces the two-stage AI PR review pipeline (pr-review.yml + ai-persona-review.yml) with a unified claude-review.yml workflow powered by the Anthropic Claude Code Action. The new workflow posts a single sticky comment per review instead of multiple top-level comments, reduces per-push review spam, and enables on-demand re-review via @claude mentions.

Key Changes

  • Removed: pr-review.yml (detect-changes + prepare-review jobs) and ai-persona-review.yml (persona orchestration)
  • Added: claude-review.yml with two jobs:
    • auto-review: runs once when a PR opens non-draft or leaves draft (no per-push reviews)
    • on-demand: triggered by @claude mentions in PR comments or review comments
  • Added: .github/claude-review-prompt.md — orchestration protocol defining how the review orchestrator routes to persona subagents, consolidates findings, and posts a single sticky comment with inline review comments for Important findings only
  • Added: .claude/agents/review-*.md — four isolated persona subagents (extensibility, security, testing, and a placeholder for future lenses) that return structured findings to the orchestrator instead of posting comments directly
  • Updated: .coderabbit.yaml to:
    • Switch profile from "assertive" to "quiet" (reduce noise)
    • Enable auto_incremental_review for incremental feedback
    • Add [skip-review] title keyword and skip-review label support (mirrors Claude workflow)
    • Update base branches to mainline + develop (remove recode)
    • Clarify that Claude Code review handles API extension points and test structure, so CodeRabbit should avoid duplicating those domains
  • Updated: CLAUDE.md to document the new review workflow and persona agent definitions

Notable Implementation Details

  • Single sticky comment: All findings (Important + nits) go into one tracking comment, with nits collapsed in a <details> block. Inline review comments are created only for Important findings.
  • Re-review convergence: On @claude re-review, the orchestrator reads the previous sticky comment, passes previously-reported findings to each lens, and suppresses new nits to avoid review spirals on unchanged code.
  • Concurrency control: New pushes or @claude mentions on the same PR cancel in-flight reviews via a concurrency group.
  • No per-push reviews: Auto-review runs only on PR open/ready-for-review, not on every push. Re-review is on-demand via @claude mention.
  • Persona isolation: Each subagent (extensibility, security, testing) runs in its own context with its own checklist, verifies findings against the actual checkout, and returns only structured blocks — no comments posted by subagents.
  • Deduplication & capping: The orchestrator dedupes findings across lenses, ranks by severity, and caps at 10 total findings (5 nits max) to keep reviews focused.

Rationale

The old pipeline posted a fresh top-level comment per persona on every push, creating review spam and making it hard to track which findings were resolved. The new workflow:

  • Posts once per review cycle (auto on open, on-demand via @claude)
  • Consolidates all findings into a single sticky comment for easy tracking
  • Reduces noise by suppressing new nits on re-review
  • Enables concurrent persona analysis via Claude Code Action's Task tool
  • Maintains the same review rigor (extensibility, security, testing lenses) with cleaner output

https://claude.ai/code/session_017RS1pjrpm7c5AdirmmAtwX

Replace the per-persona curl pipeline (pr-review.yml + ai-persona-review.yml)
with a single claude-review.yml built on anthropics/claude-code-action.

An orchestrator (.github/claude-review-prompt.md) fans out to one isolated
subagent per review lens (.claude/agents/review-*.md: extensibility, testing,
security), then consolidates all findings into ONE sticky comment plus inline
comments for important findings only. This ends the churn of a fresh top-level
comment per persona on every push, and gives each lens a clean context.

Cadence and cost controls:
- Auto-review once when a PR opens non-draft or leaves draft; re-review on
  demand via an @claude comment. No per-push reviews.
- concurrency group cancels an in-flight review when a new push/mention lands.
- [skip-review] in the PR title (or a skip-review label) opts a PR out of both
  the Claude review and CodeRabbit; @claude still works as a manual override.
- Reuses the ambient GITHUB_TOKEN and existing ANTHROPIC_API_KEY secret.

Also fixes CodeRabbit's base_branches to cover the default branch (mainline,
which the old config omitted) and quiets it (quiet profile, collapsed
walkthrough, incremental reviews, same skip-review override).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RS1pjrpm7c5AdirmmAtwX
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

Claude finished @DiamondDagger590's task in 4m 11s —— View job


McCore PR Review — claude-review.yml consolidation

  • Gather context (PR diff via gh pr diff, changed files)
  • Read .github/claude-review-prompt.md orchestration protocol
  • Route to lenses per protocol
  • Manual review of workflow/config changes (no lens matched)
  • Post final review

Verdict: 1 important, 1 nit

No src/main/**/*.java (or any Java) files are touched by this PR, so per the routing table in .github/claude-review-prompt.md §2, none of review-security/review-testing/review-extensibility match — this PR only changes CI workflows, agent/prompt definitions, and CodeRabbit config. Per §2 that would normally mean "no reviewable code changes," but since the changed files are the review pipeline's own security boundary, I read them directly rather than skip straight to a one-liner.

Important findings:

  • .github/workflows/claude-review.yml:74-80 — The new on-demand job (triggered by any @claude mention in a PR comment or review comment) has no fork/author-trust gate, unlike auto-review which explicitly checks github.event.pull_request.head.repo.full_name == github.repository (line 39). On a public repo, anyone who can comment on a PR — including a PR opened from a fork — can trigger this job. claude-code-action's tag mode operates on the PR's actual head commit, so it runs Bash/Read/Grep against that (potentially attacker-controlled) checkout with ANTHROPIC_API_KEY in the environment and pull-requests: write/issues: write permissions available — a classic "pwn request" pattern. The deleted ai-persona-review.yml had explicit comments guarding against exactly this (never checking out PR-head code from untrusted branches); that protection wasn't carried forward for the new on-demand path. Suggested fix: gate on github.event.comment.author_association being OWNER/MEMBER/COLLABORATOR, posted as an inline suggestion on that line. Fix this →
Nit (1)
  • .github/workflows/claude-review.yml:9auto-review triggers on [opened, ready_for_review] only (intentionally dropping synchronize to avoid per-push spam). It also drops reopened, so a closed-then-reopened PR won't get an initial automated review and will need an @claude mention to kick one off. Likely fine given the on-demand path exists, but worth confirming it's intentional.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@DiamondDagger590, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 50 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f707e2d3-b3e5-42c5-ad85-85d63d9165c7

📥 Commits

Reviewing files that changed from the base of the PR and between d07cc96 and cf64dde.

📒 Files selected for processing (9)
  • .claude/agents/review-extensibility.md
  • .claude/agents/review-security.md
  • .claude/agents/review-testing.md
  • .coderabbit.yaml
  • .github/claude-review-prompt.md
  • .github/workflows/ai-persona-review.yml
  • .github/workflows/claude-review.yml
  • .github/workflows/pr-review.yml
  • CLAUDE.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/review-workflow-cleanup-g4z1dp

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment thread .github/workflows/claude-review.yml Outdated
Comment on lines +74 to +80
on-demand:
if: >-
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude'))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMPORTANT (security): on-demand has no fork/author gate, unlike auto-review which explicitly checks head.repo.full_name == github.repository (line 39).

issue_comment/pull_request_review_comment containing @claude can be posted by anyone who can comment on a public repo's PR — including on a PR opened from a fork. claude-code-action's tag mode checks out and operates on the PR's actual head commit, so this job would run Bash/Read/Grep against attacker-controlled code with ANTHROPIC_API_KEY in the environment and pull-requests: write / issues: write permissions available — a classic "pwn request" pattern. The deleted ai-persona-review.yml had explicit comments guarding against exactly this (never checking out PR-head code from untrusted sources); that protection wasn't carried over here.

Suggest gating on commenter trust, mirroring GitHub's own recommended pattern:

Suggested change
on-demand:
if: >-
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude'))
on-demand:
if: >-
((github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude'))) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)

claude added 4 commits July 16, 2026 15:16
Gate the on-demand @claude job to OWNER/MEMBER/COLLABORATOR only,
preventing untrusted commenters from triggering reviews on fork PRs.
Change skip label from skip-review to skip-claude-review for more
targeted control (CodeRabbit keeps its own skip-review label).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RS1pjrpm7c5AdirmmAtwX
- Add fork-check pre-step to on-demand job that rejects @claude
  mentions on fork PRs (prevents attacker-controlled checkout with
  secrets in scope)
- SHA-pin anthropics/claude-code-action to fffa3483 (v1) in both
  jobs, matching the existing checkout SHA-pin convention
- Remove stale TODO comment about pinning claude-code-action

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RS1pjrpm7c5AdirmmAtwX
- Checkout PR head ref for on-demand reviews so Read/Grep/Glob see the
  PR code instead of the default branch
- Remove Bash from testing agent tools (only needs Read/Grep/Glob)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RS1pjrpm7c5AdirmmAtwX
@DiamondDagger590
DiamondDagger590 merged commit 92320ee into develop Jul 16, 2026
3 checks passed
@DiamondDagger590
DiamondDagger590 deleted the claude/review-workflow-cleanup-g4z1dp branch July 16, 2026 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants