feat(sandbox): E2B cloud sandbox execution — ralph --sandbox e2b (#75) #308
Workflow file for this run
```yaml
name: Claude Code Review

on:
  # Using pull_request_target to run with base repo permissions (access to secrets)
  # This allows the workflow to run for fork PRs after maintainer approval
  # Security: This workflow only READS PR code for review, it does NOT execute it
  pull_request_target:
    types: [opened, synchronize]
    # Skip review for documentation and config-only changes
    paths-ignore:
      - "**/*.md"
      - ".github/**"
      - ".gitignore"
      - "pyproject.toml"

# Cancel in-progress runs for the same PR to avoid duplicate reviews
concurrency:
  group: claude-code-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude-review:
    # Only review PRs from known/trusted authors. author_association is maintained
    # automatically by GitHub: anyone who has had a PR merged becomes CONTRIBUTOR,
    # so the trust list grows on its own with no manual upkeep. First-time/unknown
    # authors are skipped (safe default) until their first PR lands. This gate is
    # what makes the per-author `allowed_non_write_users` below safe — only authors
    # who pass this association check ever reach the action.
    if: |
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR","CONTRIBUTOR"]'), github.event.pull_request.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write # Needed to post review comments
      issues: read
      id-token: write
    steps:
      - name: Calculate total changes
        id: calc
        run: |
          additions=${{ github.event.pull_request.additions }}
          deletions=${{ github.event.pull_request.deletions }}
          total=$((additions + deletions))
          echo "total=$total" >> $GITHUB_OUTPUT

      - name: Checkout PR code for review
        # Only review substantial changes (5+ files OR 20+ lines changed)
        if: |
          github.event.pull_request.changed_files >= 5 ||
          steps.calc.outputs.total >= 20
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Checkout the PR head commit (pull_request_target defaults to base branch)
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 1
          # Review is read-only; gh commands use GH_TOKEN, not git credentials.
          # Especially important under pull_request_target with PR-head code (#282)
          persist-credentials: false

      - name: Run Claude Code Review
        # Only review substantial changes (5+ files OR 20+ lines changed)
        if: |
          github.event.pull_request.changed_files >= 5 ||
          steps.calc.outputs.total >= 20
        id: claude-review
        uses: anthropics/claude-code-action@fbda2eb1bdc90d319b8d853f5deb53bca199a7c1 # v1.0.140
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Explicit github_token needed for pull_request_target (OIDC doesn't work)
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # By default the action only runs for users with write access, which blocks
          # external fork contributors (they only have read). Rather than a blanket '*'
          # bypass, allow exactly one user: the author of THIS PR. Because the job-level
          # `if:` above has already confirmed that author is a trusted association
          # (CONTRIBUTOR and up), this permits only an already-vetted individual per run —
          # never a wildcard. Combined with minimal permissions + read-only allowed-tools,
          # this lets Claude review fork PRs from known contributors without opening the
          # door to arbitrary actors. See docs/security.md in the action repo.
          allowed_non_write_users: ${{ github.event.pull_request.user.login }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}

            Please review this pull request and provide feedback on:
            - Code quality and best practices
            - Potential bugs or issues
            - Performance considerations
            - Security concerns
            - Test coverage

            NOTE: review the other comments on the pull request - including yours.
            If you are reviewing changes or enhancements beyond the first creation of the pull request,
            make sure your comments are consistent with your previous reviews, or are
            referring to them in a consistent way.

            IMPORTANT FORMATTING NOTE: The use of the number symbol, '#', has a specific meaning in GitHub. It creates a link to an existing GitHub
            Issue or PR. If you plan to make that link, feel free to use # as a symbol in text. However, if you're simply referring to a numbered item
            in your own text, do not use the # symbol because it will link to an issue or PR which isn't related. Just write 'Number' or "No.".

            There's no need to repeat information unless it is critical and not
            being reflected in comments or code. Be aware of your prior reviews and that the new file information
            may reflect changes because of previous reviews.

            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.

            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
```
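As an added check that is not part of this PR or of the action (example code of my own), a Python audit that scans a workflow file for the three hardening points the comments above rely on when `pull_request_target` checks out PR-head code: `persist-credentials: false` on the checkout, an `author_association` gate, and no wildcard `allowed_non_write_users`. The two sample workflows are constructed, and the checks are regex over the text rather than a YAML parse.

```python
import re

# Constructed sample (not any repository's real workflow): the weak shape the
# comments above warn against: wildcard bypass, persisted credentials, no author gate.
WEAK = """
on:
  pull_request_target:
jobs:
  review:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_non_write_users: '*'
"""

# Constructed sample mirroring the hardened shape of the workflow above.
HARDENED = """
on:
  pull_request_target:
jobs:
  review:
    if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR","CONTRIBUTOR"]'), github.event.pull_request.author_association)
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_non_write_users: ${{ github.event.pull_request.user.login }}
"""

def audit_workflow(text: str) -> list[str]:
    """Findings for a pull_request_target workflow; empty list means it passes."""
    # Regex over the text rather than a YAML parse: fine for a pre-merge gate,
    # but an oddly indented or multi-document file may need a real parser.
    findings = []
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return findings  # base-repo secrets never meet PR-head code here
    head_ref = r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.sha\s*\}\}"
    if re.search(head_ref, text) and not re.search(r"persist-credentials:\s*false", text):
        findings.append("PR head checked out without persist-credentials: false")
    if "author_association" not in text:
        findings.append("no author_association gate before the review action runs")
    if re.search(r"allowed_non_write_users:\s*['\"]?\*", text):
        findings.append("allowed_non_write_users is a wildcard rather than the PR author")
    return findings
```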