-
Notifications
You must be signed in to change notification settings - Fork 0
ci: refactor Claude review to reusable org-wide workflow #43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,50 +4,17 @@ on: | |
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| issues: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| claude-review: | ||
| if: | | ||
| github.event.pull_request.draft == false && | ||
| github.event.pull_request.head.repo.full_name == github.repository | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| issues: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Minimize previous Claude review comments | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh pr view ${{ github.event.pull_request.number }} \ | ||
| --json comments \ | ||
| --jq '.comments[] | select(.author.login == "claude") | .id' \ | ||
| | while read -r node_id; do | ||
| gh api graphql -f query=' | ||
| mutation { | ||
| minimizeComment(input: {subjectId: "'"$node_id"'", classifier: OUTDATED}) { | ||
| minimizedComment { isMinimized } | ||
| } | ||
| }' | ||
| done | ||
|
|
||
| - name: Run Claude Code Review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: | | ||
| /code-review:code-review --comment ${{ github.repository }}/pull/${{ github.event.pull_request.number }} | ||
|
|
||
| IMPORTANT: You MUST always post a PR comment, even if no issues are found. | ||
| Do NOT skip the review for any reason — never treat a PR as "trivial" or | ||
| "obviously correct." Always run the full review pipeline and post a comment | ||
| with the results. If no issues are found, post the "No issues found" summary. | ||
| uses: sensiblebit/.github/.github/workflows/claude-code-review.yml@main | ||
| secrets: | ||
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
|
Comment on lines
+18
to
+20
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original workflow defined explicit permissions (contents: read, pull-requests: write, issues: read, id-token: write). When calling a reusable workflow, these permissions need to be explicitly passed using the
permissions:key at the job level, or the reusable workflow must define them itself usingpermissions:at the workflow level.Without explicit permissions, the reusable workflow will either fail or use default permissions which may be too broad. You should either:
permissions:block to this job that matches the original permissions, ORsensiblebit/.githubhas appropriate workflow-level permissions definedAccording to GitHub documentation, when calling a reusable workflow, the caller must explicitly grant permissions if the reusable workflow needs them.