Skip to content

Add Claude Code automated PR review workflow#1276

Open
rlho wants to merge 3 commits intomainfrom
feat/claude-code-review
Open

Add Claude Code automated PR review workflow#1276
rlho wants to merge 3 commits intomainfrom
feat/claude-code-review

Conversation

@rlho
Copy link
Collaborator

@rlho rlho commented Mar 9, 2026

Summary of Changes

Uses anthropics/claude-code-action with Max plan OAuth token to automatically review PRs for critical bugs, potential issues, and design concerns.

Checklist

  • I checked for existing implementations and confirmed there is no duplication
  • I thoroughly tested this feature locally
  • I added or updated unit tests (or explained why not in the PR description)
  • I attached screenshots or a video demonstrating the feature
  • I incorporated Copilot's feedback (or explained why not in the PR description), and marked conversation as resolved
  • I confirmed my PR passed all unit and end-to-end (E2E) tests
  • I confirmed there are no conflicts
  • I requested a code review from at least one other teammate

Screenshots / Video

@rlho @claude
Add Claude Code automated PR review workflow
c08dc01 
Uses anthropics/claude-code-action with Max plan OAuth token to
automatically review PRs for critical bugs, potential issues, and
design concerns.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 9, 2026 16:40
Copilot AI reviewed Mar 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a GitHub Actions workflow to automatically run Anthropic’s Claude Code review action on pull requests, posting review feedback back to the PR.

Changes:

  • Introduces a new Claude Code Review workflow triggered on PR open/synchronize events.
  • Grants the workflow pull-requests: write permission to publish review feedback.
  • Configures the Claude prompt to focus on critical bugs, potential bugs, and design concerns.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/claude-review.yml
Comment on lines +21 to +25
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
prompt: |
Review this PR. Focus only on:
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow will run on all pull_request events, but secrets.CLAUDE_CODE_OAUTH_TOKEN will be unavailable for PRs coming from forks. That typically causes the job to fail (or the action to error), potentially blocking external contributions. Consider gating the job/step to only run when the secret is present and/or when github.event.pull_request.head.repo.full_name == github.repository (and otherwise skip cleanly).

Copilot uses AI. Check for mistakes.
rlho and others added 2 commits March 9, 2026 12:45
@rlho @claude
Add id-token: write permission for OIDC authentication
ad0b6a5 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rlho @claude
Add duplication check to Claude review prompt
d7b5872 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 9, 2026 17:36
Copilot AI reviewed Mar 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/claude-review.yml
with:
fetch-depth: 0

- uses: anthropics/claude-code-action@v1
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

anthropics/claude-code-action@v1 is a third-party action referenced by a mutable tag. Pin it to a specific commit SHA (optionally with a comment indicating the corresponding version) to mitigate supply-chain risk.

Suggested change
- uses: anthropics/claude-code-action@v1
- uses: anthropics/claude-code-action@<PINNED_COMMIT_SHA> # v1

Copilot uses AI. Check for mistakes.
.github/workflows/claude-review.yml
Comment on lines +3 to +6
on:
pull_request:
types: [opened, synchronize]

Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This job uses a repository secret and pull-requests: write on the pull_request event. For PRs from forks, secrets.* won’t be provided and GITHUB_TOKEN is read-only, so the action will fail or be unable to post a review. Consider either (a) explicitly skipping forked PRs with an if: guard, or (b) switching to pull_request_target with a safe checkout strategy if you intend to support forks.

Copilot uses AI. Check for mistakes.
.github/workflows/claude-review.yml
permissions:
contents: read
pull-requests: write
id-token: write
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

id-token: write grants OIDC token minting. Unless anthropics/claude-code-action explicitly requires OIDC, drop this permission to reduce the workflow’s privilege/attack surface.

Suggested change
id-token: write

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rlho