40 changes: 21 additions & 19 deletions .github/workflows/claude-code-review.yml
Expand Up @@ -15,7 +15,6 @@ jobs:
id-token: write

steps:
Copilot AI Feb 24, 2026


The removed comment "# IMPORTANT: checkout BASE repo only (safe on forks)" provided valuable security context for why this step is safe in pull_request_target workflows. Removing it makes the workflow less self-documenting. Consider keeping this comment as it explains a critical security consideration.

Suggested change:
steps:
# IMPORTANT: checkout BASE repo only (safe on forks)

# IMPORTANT: checkout BASE repo only (safe on forks)
- name: Checkout base repo (safe)
uses: actions/checkout@v4
with:
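Review bot: `actions/checkout@v4` on this base-repo checkout is pinned by tag rather than by commit SHA; since the job runs under `pull_request_target` and grants `id-token: write` (visible above), any step in it, including a third-party action, can request OIDC tokens, so pin the action to a full commit SHA with the version in a trailing comment so a moved tag cannot change what executes here. The `with:` block is folded in this view; confirm it does not set `ref` to the PR head, since the step name and the dropped "# IMPORTANT: checkout BASE repo only (safe on forks)" comment both promise a base-repo-only checkout, and keeping that comment costs nothing.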
Expand All @@ -32,16 +31,14 @@ jobs:

claude_args: >
--dangerously-skip-permissions
--max-turns 30
--max-turns 60
--allowedTools
"Bash(gh pr view:*)"
"Bash(gh pr diff:*)"
"Bash(gh pr comment:*)"
Copilot AI Feb 24, 2026


The removal of gh pr list, gh pr status, and gh issue comment from the allowed tools reduces flexibility. If the Claude reviewer needs to list PRs for context or check PR status, it will be unable to do so. Consider whether these capabilities are genuinely unnecessary or if they might be useful for comprehensive reviews.

Suggested change:
"Bash(gh pr comment:*)"
"Bash(gh pr list:*)"
"Bash(gh pr status:*)"
"Bash(gh issue comment:*)"

"Bash(gh pr list:*)"
"Bash(gh pr status:*)"
"Bash(gh issue comment:*)"
"Bash(gh api:*)"
"Bash(cat:*)"
"Bash(cat CLAUDE.md:*)"
"Bash(cat .claude/rules/*:*)"
Copilot AI Feb 24, 2026


The restricted cat tool permissions (from "Bash(cat:*)" to "Bash(cat CLAUDE.md:*)" and "Bash(cat .claude/rules/*:*)") improve security by preventing arbitrary file reads. However, this might be too restrictive if the reviewer needs to examine other documentation files or configuration files (like .github/workflows/*.yml for context). Verify that these restrictions won't hinder the reviewer's ability to gather necessary context.

"Bash(ls:*)"
"Bash(grep:*)"
"Bash(find:*)"
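Review bot: narrowing `"Bash(cat:*)"` to `"Bash(cat CLAUDE.md:*)"` and `"Bash(cat .claude/rules/*:*)"` does not actually stop the reviewer from reading other workspace files while `"Bash(grep:*)"` and `"Bash(find:*)"` stay on the list (grep prints matching lines from any file, and `"Bash(python3:*)"` at the top of the next hunk can open anything), and `"Bash(gh api:*)"` still permits arbitrary GitHub API calls with the job's token; either scope those entries the same way or treat the cat restriction as documentation rather than a control. In the same hunk `--max-turns` goes from 30 to 60 with no stated reason while `--dangerously-skip-permissions` remains; a one-line comment on why 30 was insufficient would help the next reader.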
Expand All @@ -58,26 +55,31 @@ jobs:
"Bash(python3:*)"

prompt: |
You are running in pull_request_target. DO NOT execute or inspect the fork's checked-out code.
You are running in pull_request_target. DO NOT execute or inspect PR fork code.
Review ONLY via GitHub API/gh commands.

Always use numeric PR form with --repo:
- gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json files,title,body
- gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}
Read local guidance ONLY from:
- CLAUDE.md (root) if present
- .claude/rules/*.md if present
Do NOT read any other workspace files.

If CLAUDE.md exists in the base repo checkout, read it with:
- cat CLAUDE.md
Prefer jq/python3 for JSON parsing instead of shell loops.
Keep tool calls minimal:
1) ls .claude/rules || true
2) If CLAUDE.md exists: cat CLAUDE.md
3) If .claude/rules exists: cat each .md file directly (no loops; at most 10 files)
4) gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json title,body,files,changedFiles,additions,deletions,headRefOid
5) gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}
6) Post ONE top-level comment.

Output requirements (even if no issues):
- Files changed count + list up to 15 file paths
Output format:
- Head SHA
- Files changed count + list up to 10 file paths
- Summary (3–6 bullets)
- Findings:
- If issues: include file + line numbers when possible
- If no issues: at least 3 concrete improvement opportunities with file paths
- Findings with file + line numbers when possible
- If no issues: 0–3 improvement opportunities (only if confident)
Copilot AI Feb 24, 2026


The instruction "If no issues: 0–3 improvement opportunities (only if confident)" is ambiguous. The range "0–3" suggests the reviewer can choose to provide zero improvement opportunities, but the parenthetical "(only if confident)" could be interpreted as applying only when providing opportunities or as a general qualifier. Consider clarifying this to "If no issues: provide 0–3 improvement opportunities (only suggest if confident they would be valuable)" or similar wording.

Suggested change:
- If no issues: provide 0–3 improvement opportunities (only suggest if confident they would be valuable)


Post ONE top-level PR comment titled "Claude Code Review".
If posting a PR comment is blocked, write the full review to the GitHub Actions job summary instead.
Then stop.

Copilot AI Feb 24, 2026


The removal of the fallback instruction "If posting a PR comment is blocked, write the full review to the GitHub Actions job summary instead" eliminates a useful error handling mechanism. If the gh pr comment command fails due to permissions issues or API errors, the review results will be lost. Consider keeping this fallback to ensure review feedback is always captured somewhere.


additional_permissions: |
actions: read
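Review bot: the new prompt lines "DO NOT execute or inspect PR fork code" and "Do NOT read any other workspace files" are instructions to the model, not enforced limits, and step 4 feeds the model the PR title and body via `gh pr view ... --json title,body,...`, which on a `pull_request_target` run is fork-controlled text; the effective boundary for this job is therefore the `--allowedTools` list plus the job permissions, and a short YAML comment above `prompt:` saying so would keep later edits from loosening the allowlist on the assumption that the prompt is the control. Separately, dropping "If posting a PR comment is blocked, write the full review to the GitHub Actions job summary instead" leaves no fallback when `gh pr comment` fails, so the review is lost; either restore that line or state in the prompt what the reviewer should do on a posting failure before "Then stop."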