claude-review.yml
name: Claude Code Review with Progress Tracking

# Trigger Claude review on PR lifecycle events and explicit mentions
on:
  # Trigger when a new issue comment is created (for @claude mentions)
  issue_comment:
    types: [created]
  # Trigger when a PR review comment is created/edited/deleted (for @claude mentions)
  pull_request_review_comment:
    types: [created, edited, deleted]
  # Trigger on new or assigned issues (for future extension or automation).
  # The job-level `if` below has no branch for this event, so these runs are skipped.
  issues:
    types: [opened, assigned]
  # Trigger when a PR review is submitted (for @claude in the review body)
  pull_request_review:
    types: [submitted]
  # Main trigger for PR events. pull_request_target runs in the base repository's
  # context (secrets and a write-capable token), including for PRs from forks.
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  # Read repository contents needed for code review
  contents: read
  # Allow Claude to post review comments on pull requests
  pull-requests: write
  # Allow Claude to interact with issues if needed
  issues: write
  # Allow this workflow to manage its own actions if required
  actions: write

jobs:
  claude-review-with-tracking:
    runs-on: ubuntu-latest
    # Only run for trusted authors or when explicitly mentioned by them
    if: |
      (
        github.event_name == 'pull_request_target' &&
        (
          github.event.pull_request.author_association == 'OWNER' ||
          github.event.pull_request.author_association == 'MEMBER' ||
          github.event.pull_request.author_association == 'COLLABORATOR'
        )
      ) ||
      (
        (github.event_name == 'issue_comment' || github.event_name == 'pull_request_review_comment') &&
        contains(github.event.comment.body, '@claude') &&
        (
          github.event.comment.author_association == 'OWNER' ||
          github.event.comment.author_association == 'MEMBER' ||
          github.event.comment.author_association == 'COLLABORATOR'
        )
      ) ||
      (
        github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        (
          github.event.review.author_association == 'OWNER' ||
          github.event.review.author_association == 'MEMBER' ||
          github.event.review.author_association == 'COLLABORATOR'
        )
      )
    steps:
      # Checkout the repository at the appropriate commit for review
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Use PR head SHA for pull_request_target to review the actual PR code.
          # The author_association gate above is what keeps untrusted PR code out of this privileged checkout.
          # For issue_comment events the payload has no pull_request object, so this falls back to
          # github.sha (PR context is inferred by Claude action); review events carry pull_request
          # and also resolve to the PR head.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 1

      # Invoke Claude to perform an automated PR review with progress tracking
      - name: PR Review with Progress Tracking
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # Enable progress tracking and show full Claude output in logs
          track_progress: true
          # Custom review instructions passed to Claude
          prompt: |
            REPO: ${{ github.repository }}

            Perform a comprehensive code review with the following focus areas:

            1. **Code Quality**
               - Clean code principles and best practices
               - Proper error handling and edge cases
               - Code readability and maintainability

            2. **Security**
               - Check for potential security vulnerabilities
               - Validate input sanitization
               - Review authentication/authorization logic

            3. **Performance**
               - Identify potential performance bottlenecks
               - Review database queries for efficiency
               - Check for memory leaks or resource issues

            4. **Testing**
               - Verify adequate test coverage
               - Review test quality and edge cases
               - Check for missing test scenarios

            5. **Documentation**
               - Ensure code is properly documented
               - Verify README updates for new features
               - Check API documentation accuracy

            Provide detailed feedback using inline comments for specific issues.
            Use top-level comments for general observations or praise.
          # Restrict tools that Claude can use during the review
          claude_args: |
            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"