ci: refactor Claude review to reusable org-wide workflow by danielewood · Pull Request #43 · sensiblebit/certkit

danielewood · 2026-02-16T18:26:23Z

Summary

Replace inline Claude review workflow with a thin caller to a reusable workflow in sensiblebit/.github
Any repo in the org can get Claude reviews with a 14-line caller + the CLAUDE_CODE_OAUTH_TOKEN secret
All review logic (skip detection, comment minimization, always-comment enforcement) is centralized

Test plan

Workflow parses correctly (no startup_failure)
Skip detection works when workflow file is modified
Normal review works on a PR that doesn't touch the workflow file (testable after merge)

🤖 Generated with Claude Code

danielewood · 2026-02-16T18:40:21Z

@copilot please review this pull request.

Copilot · 2026-02-16T18:40:29Z

@danielewood I've opened a new pull request, #44, to work on those changes. Once the pull request is ready, I'll request review from you.

github-advanced-security · 2026-02-16T18:59:35Z

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Copilot

Pull request overview

Updates CI automation to avoid failing Claude’s OAuth validation when the Claude review workflow itself is part of the PR diff, and adds a new CodeQL workflow.

Changes:

Add a pre-check in claude-code-review.yml to detect edits to the workflow and skip the Claude review run.
Post a PR comment explaining the skip when the workflow is modified.
Add a new codeql.yml workflow to run CodeQL analysis for Go on pushes/PRs and a weekly schedule.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/claude-code-review.yml	Adds early “workflow modified” detection, skip notice/comment, and gates the Claude action run.
.github/workflows/codeql.yml	Introduces a CodeQL GitHub Actions workflow for Go analysis.

Copilot · 2026-02-16T19:00:16Z

.github/workflows/claude-code-review.yml

+      - name: Minimize previous review comments
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |


The PR description says the workflow should "skip all review steps" to save runner time when claude-code-review.yml is modified, but the "Minimize previous review comments" step still runs even when skip=true. Gate this step with the same if: steps.check.outputs.skip != 'true' (or move it after the skip check) to avoid extra API calls/time on skipped runs.

Copilot · 2026-02-16T19:00:16Z

.github/workflows/claude-code-review.yml

+          gh -R ${{ github.repository }} pr view ${{ github.event.pull_request.number }} \
            --json comments \
-            --jq '.comments[] | select(.author.login == "claude") | .id' \
+            --jq '.comments[] | select(.author.login == "claude" or .author.login == "github-actions") | .id' \


This minimization query targets any PR comments authored by github-actions. That can unintentionally minimize comments posted by other workflows/bots (release notes, CI summaries, etc.) since they often also appear as github-actions. Narrow the filter to only comments created by this workflow (e.g., match a unique body prefix/header like ## Code review), or store the node_id of the comment you posted and only minimize those.

Suggested change

--jq '.comments[] | select(.author.login == "claude" or .author.login == "github-actions") | .id' \

--jq '.comments[] | select(.author.login == "claude" or (.author.login == "github-actions" and (.body | startswith("## Code review")))) | .id' \

Copilot · 2026-02-16T19:00:16Z

.github/workflows/codeql.yml

+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1" # Weekly on Monday at 06:00 UTC


This PR introduces a new codeql.yml workflow, but the PR title/description only discuss skipping Claude review when its workflow is modified. Either update the PR description to include the CodeQL addition (and rationale) or split this into a separate PR to keep changes scoped and reviewable.

Copilot · 2026-02-16T19:00:17Z

.github/workflows/claude-code-review.yml

+            --body "## Code review
+
+          Skipped — this PR modifies \`claude-code-review.yml\`. The OAuth token exchange requires the workflow file to match the default branch, so the review cannot run until this change is merged."
+


The --body string includes leading spaces before Skipped — ... (because of YAML indentation), which will render as a Markdown code block in the PR comment. Consider removing the leading indentation (or use a heredoc/cat <<'EOF' style) so the message renders as normal text.

Suggested change

--body "## Code review

Skipped — this PR modifies \`claude-code-review.yml\`. The OAuth token exchange requires the workflow file to match the default branch, so the review cannot run until this change is merged."

--body $'## Code review\n\nSkipped — this PR modifies `claude-code-review.yml`. The OAuth token exchange requires the workflow file to match the default branch, so the review cannot run until this change is merged.'

Copilot

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Copilot · 2026-02-16T19:09:37Z

.github/workflows/claude-code-review.yml

+    uses: sensiblebit/.github/.github/workflows/claude-code-review.yml@main
+    secrets:
+      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}


The PR description states "Add an early check that detects when claude-code-review.yml is in the PR diff" and "Skip all review steps gracefully (exit green with a notice)". However, the actual implementation replaces the entire inline workflow with a call to a reusable workflow in a separate repository (sensiblebit/.github).

This is not adding an early check to the current workflow - it's delegating the entire workflow to an external repository. If the skip logic exists, it would be in the reusable workflow at sensiblebit/.github/.github/workflows/claude-code-review.yml, not in this file. The PR description should accurately describe this as "refactor to use shared reusable workflow" rather than implying that skip logic is being added to this file.

Copilot · 2026-02-16T19:09:38Z

.github/workflows/claude-code-review.yml

-            Do NOT skip the review for any reason — never treat a PR as "trivial" or
-            "obviously correct." Always run the full review pipeline and post a comment
-            with the results. If no issues are found, post the "No issues found" summary.
+    uses: sensiblebit/.github/.github/workflows/claude-code-review.yml@main


The original workflow defined explicit permissions (contents: read, pull-requests: write, issues: read, id-token: write). When calling a reusable workflow, these permissions need to be explicitly passed using the permissions: key at the job level, or the reusable workflow must define them itself using permissions: at the workflow level.

Without explicit permissions, the reusable workflow will either fail or use default permissions which may be too broad. You should either:

Add a permissions: block to this job that matches the original permissions, OR

Verify that the reusable workflow at sensiblebit/.github has appropriate workflow-level permissions defined

According to GitHub documentation, when calling a reusable workflow, the caller must explicitly grant permissions if the reusable workflow needs them.

Suggested change

uses: sensiblebit/.github/.github/workflows/claude-code-review.yml@main

uses: sensiblebit/.github/.github/workflows/claude-code-review.yml@main

permissions:

contents: read

pull-requests: write

issues: read

id-token: write

Copilot · 2026-02-16T19:09:38Z

.github/workflows/claude-code-review.yml

+    uses: sensiblebit/.github/.github/workflows/claude-code-review.yml@main
+    secrets:
+      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}


According to rule CL-1 in CLAUDE.md, every commit changing behavior must update CHANGELOG.md under the Unreleased section. This PR changes CI behavior by replacing an inline workflow with a reusable workflow call (and according to the description, adds skip logic for self-modifications). However, there's no corresponding entry in CHANGELOG.md.

An entry should be added to the "Changed" section describing this CI workflow modification, something like: "Replace inline Claude Code Review workflow with reusable workflow from sensiblebit/.github"

The OAuth token exchange validates that the workflow file matches main exactly, so PRs that modify claude-code-review.yml always fail. Add an early check that detects this and skips the review gracefully instead of burning runner time on an inevitable 401. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions · 2026-02-16T19:10:34Z

Code review

Skipped — this PR modifies the review workflow. The OAuth token exchange requires the workflow file to match the default branch, so the review cannot run until this change is merged.

danielewood force-pushed the ci/skip-review-on-workflow-change branch 3 times, most recently from 65704c4 to a565e72 Compare February 16, 2026 18:34