61 changes: 51 additions & 10 deletions .github/workflows/claude-review.yml
@@ -1,45 +1,86 @@
name: Claude Code
name: Claude Code Review with Progress Tracking

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created, synchronize, ready_for_review, reopened]
types: [created, edited, deleted]
Issue: Incorrect event types for pull_request_review_comment

The pull_request_review_comment event only supports created, edited, and deleted types. However, synchronize, ready_for_review, and reopened are not valid for this event type - they belong to the pull_request or pull_request_target events.

This will cause the workflow to never trigger on those invalid event types for this event.

Recommendation: Remove synchronize, ready_for_review, and reopened from line 7, or move them to a pull_request event trigger.

Suggested change
types: [created, edited, deleted]
types: [created, edited, deleted]

GitHub Actions Events Documentation

issues:
types: [opened, assigned]
Comment on lines 8 to 9
Copilot AI Jan 13, 2026
The issues trigger on line 8-9 is configured to run the Claude review when issues are opened or assigned. However, this workflow is designed for pull request reviews, not general issue reviews. The conditional logic on lines 25-51 doesn't include any condition for the issues event, so this trigger would cause the workflow to run but then immediately skip due to the if condition. Consider removing the issues trigger if it's not intentionally used.

Suggested change
issues:
types: [opened, assigned]

pull_request_review:
types: [submitted]
pull_request_target:
types: [opened, synchronize, closed]

permissions:
contents: read
pull-requests: write
issues: read
issues: write

Issue: Changed from issues: read to issues: write

The permission was escalated from read to write. While this may be intentional for the progress tracking feature, it's worth noting:

Security consideration:

  • issues: write allows creating, editing, and deleting issues
  • If this is only needed for commenting on issues, that's already covered by the action's behavior
  • Consider if read is sufficient for your use case

If you need to update comments on issues, the pull-requests: write permission already covers that for PR-related comments.

actions: write

Security Concern: Overly permissive actions: write permission

The actions: write permission grants the ability to manage GitHub Actions workflows and workflow runs. This is a broad permission that could be exploited if the workflow is compromised.

Questions:

  • Is this permission actually needed? I don't see it being used in the workflow steps.
  • If it's not required, it should be removed following the principle of least privilege.

Recommendation: Remove actions: write unless you have a specific use case that requires it.


Comment on lines +19 to 20
Copilot AI Jan 13, 2026


The actions: write permission on line 19 appears to be unnecessary for this workflow. The workflow doesn't cancel workflows, create workflow dispatches, or perform other actions that require this permission. Including unnecessary permissions violates the principle of least privilege. Consider removing this permission unless there's a specific requirement for it.

Suggested change
actions: write

jobs:
claude-review-with-tracking:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
id-token: write

# Only run for:
# 1. PRs from trusted users (OWNER/MEMBER/COLLABORATOR)
# 2. Comments mentioning @claude from trusted users
# 3. PR reviews mentioning @claude from trusted users
if: |
(
github.event_name == 'pull_request_target' &&
(
github.event.pull_request.author_association == 'OWNER' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.author_association == 'COLLABORATOR'
)
) ||
(
(github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
contains(github.event.comment.body, '@claude') &&
(
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
)
) ||
(
github.event_name == 'pull_request_review' &&
contains(github.event.review.body, '@claude') &&
(
github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR'
)
)

steps:

Deprecation Warning: actions/checkout@v4 vs @v5

You've downgraded from actions/checkout@v5 (in the old version) to @v4. While v4 is still supported, v5 is the latest version with improvements and bug fixes.

Recommendation: Use actions/checkout@v5 for the latest features and security updates unless you have a specific reason to use v4.

- name: Checkout repository
uses: actions/checkout@v5
uses: actions/checkout@v4
Copilot AI Jan 13, 2026


The downgrade from actions/checkout@v5 to @v4 is inconsistent with best practices. Unless there's a specific compatibility issue with v5, workflows should use the latest stable version to benefit from security patches and improvements. Consider using actions/checkout@v5 or document the reason for the downgrade.

Suggested change
uses: actions/checkout@v4
uses: actions/checkout@v5


Good Practice: fetch-depth: 0 for full history

✅ Good change! This fetches the full git history, which is important for:

  • Accurate diff comparisons
  • Understanding PR context
  • Accessing commit history

The previous fetch-depth: 1 was too shallow for comprehensive PR reviews.

with:

Potential Issue: github.event.pull_request.head.sha may not exist for all event types

The ref selection logic:

ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}

This works for pull_request_target, but for other event types (like issue_comment), this will fall back to github.sha, which might not be the PR's HEAD if the comment is on a PR.

Recommendation: The subsequent step (lines 59-65) handles PR checkout for comment events, so this is probably fine. But consider adding a comment to clarify this two-step checkout strategy.

fetch-depth: 1
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
Copilot AI Jan 13, 2026


The pull_request_target event is used with untrusted code checkout, which is a critical security risk. Line 58 checks out the PR head SHA directly, which means untrusted code from external contributors could be executed with access to repository secrets (ANTHROPIC_API_KEY, GITHUB_TOKEN). Since the conditional only checks author_association, malicious actors could become collaborators or the association check could be bypassed. Consider using a two-job approach: one job with pull_request_target to get tokens, and another with pull_request to run untrusted code without secret access.

Suggested change
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}

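The two-job split recommended in the comment above, written out as an added illustration rather than code from this PR or from the claude-code-action project; the `./scripts/lint.sh` step is a placeholder, and the trusted-author gate reuses the associations from the workflow under review.

```yaml
name: Claude Code Review (split trust boundaries)

on:
  pull_request:               # fork context: no repository secrets, read-only GITHUB_TOKEN
    types: [opened, synchronize, reopened, ready_for_review]
  pull_request_target:        # base-repo context: secrets available, so PR code is never checked out here
    types: [opened, synchronize, reopened]

permissions: {}               # grant nothing at workflow level; each job requests its own scopes

jobs:
  run-untrusted-pr-code:
    # Running PR-supplied code is acceptable here because this job holds no secrets.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/lint.sh   # placeholder for whatever must run against the PR tree

  privileged-review:
    # Holds secrets, so it checks out only the trusted base branch and reads the PR via the API.
    if: |
      github.event_name == 'pull_request_target' &&
      (
        github.event.pull_request.author_association == 'OWNER' ||
        github.event.pull_request.author_association == 'MEMBER' ||
        github.event.pull_request.author_association == 'COLLABORATOR'
      )
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4   # no ref: given, so this is the base branch, not the PR head
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}
            Review the diff from `gh pr diff`; do not execute repository code.
          claude_args: |
            --allowedTools "Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
```

The privileged job never runs anything from the PR tree, so an `author_association` check becomes defence in depth rather than the only barrier between contributor code and the API key.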

- name: Checkout PR Branch (for comments)
if: ${{ github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' || github.event_name == 'pull_request_review' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh pr checkout ${{ github.event.issue.number || github.event.pull_request.number }}
Comment on lines +63 to +69

Logic Issue: PR checkout step may fail for non-PR events

This step attempts to checkout a PR branch, but the condition might not cover all cases correctly:

Problems:

  1. github.event.issue.number won't exist for pull_request_review_comment events (it's github.event.pull_request.number instead)
  2. The gh pr checkout command requires the PR number, but for regular issue comments (non-PR), github.event.issue.number would be an issue number, not a PR number
  3. This step will run for issue comments, but issue comments aren't always on PRs

Recommendation: Add better conditionals to ensure this only runs for PR-related comment events:

      - name: Checkout PR Branch (for comments)
        if: ${{ (github.event_name == 'issue_comment' && github.event.issue.pull_request) || github.event_name == 'pull_request_review_comment' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr checkout ${{ github.event.issue.number || github.event.pull_request.number }}

Comment on lines +64 to +69


P2: Guard issue_comment events to only run on PRs

The job runs on any issue_comment with @claude, which includes comments on plain issues. For those events the payload has no pull_request, yet the workflow still executes gh pr checkout ${{ github.event.issue.number || github.event.pull_request.number }}. That leaves no PR to resolve and the job will fail for non‑PR issues that mention @claude. Consider gating this step (or the whole job) on github.event.issue.pull_request or restricting the trigger to PR-only comments.


Comment on lines +65 to +69


P2: Guard issue_comment runs to PRs before checkout

This workflow runs on any issue_comment that contains @claude from a trusted user, even if the comment is on a plain issue. In that case there is no PR associated with the issue number, yet the step still executes gh pr checkout ${{ github.event.issue.number }}, which will fail because that number does not correspond to a PR. This means any @claude comment on a non‑PR issue will reliably break the job. Consider adding a guard for github.event.issue.pull_request or restricting the trigger to PR comments only.



Comment on lines +64 to 70
Copilot AI Jan 13, 2026


The checkout step in lines 60-65 attempts to use gh pr checkout to switch branches, but this runs after the repository has already been checked out in line 55. This creates conflicting checkout states and may not work as intended. For issue_comment and pull_request_review_comment events, the PR number may not be directly available in github.event.issue.number or github.event.pull_request.number. Additionally, gh pr checkout requires the GitHub CLI to be available, which may not be pre-installed. Consider removing this step and relying on the ref parameter in the first checkout step to handle all cases correctly.

Suggested change
- name: Checkout PR Branch (for comments)
if: ${{ github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh pr checkout ${{ github.event.issue.number || github.event.pull_request.number }}

- name: PR Review with Progress Tracking
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}

# Enable progress tracking
track_progress: true
show_full_output: true

New Feature: show_full_output: true

This is a new configuration option. Consider:

Documentation:

  • What does this option do?
  • Does it affect security (e.g., by exposing sensitive information in logs)?
  • Is this needed for debugging, or should it be configurable/optional?

If this is purely for debugging, consider whether it should be enabled in production.


# Your custom review instructions
prompt: |
REPO: ${{ github.repository }}
PR NUMBER: ${{ github.event.pull_request.number }}

Perform a comprehensive code review with the following focus areas:
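Review bot: the job-level `permissions:` block (`contents: read`, `pull-requests: write`, `id-token: write`) replaces the workflow-level block for this job, so the workflow-level changes to `issues: write` and `actions: write` never take effect for `claude-review-with-tracking` and should be dropped rather than left as an apparent grant; conversely `id-token: write` is a new capability (OIDC token minting) that nothing in the hunk explains and deserves a one-line justification in a comment. The larger problem is the one already raised on the checkout step: under `pull_request_target` the checkout uses `github.event.pull_request.head.sha`, so PR-authored code runs in a job that can read `ANTHROPIC_API_KEY` and mint OIDC tokens; gating on `author_association` narrows who can trigger it but does not separate the trust boundaries, so prefer checking out the base branch here and reading the PR through `gh pr diff`, which the tool allowlist already permits. Finally, the `issues:` trigger (`opened`, `assigned`) matches no branch of the job's `if:`, so those runs are always skipped and the trigger can go.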

@@ -73,4 +114,4 @@ jobs:

# Tools for comprehensive PR review
claude_args: |
--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
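Review bot: the removed and added `--allowedTools` lines are identical as rendered, so this hunk is a whitespace-only re-indent; say so in the commit message so that reviewers do not read it as a change to the tool allowlist. The allowlist itself is reasonably tight (`gh pr comment`, `gh pr diff`, `gh pr view` plus the inline-comment MCP tool, all PR read/comment operations that `pull-requests: write` covers); if it is widened later, keep any command that executes repository content out of it, since this job holds the API key.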