ci: 更新 CI workflow — setup-uv v7、locked sync、push trigger #4
| name: Claude Code Review(手動備援) | |
| # 使用時機:qodo-code-review 免費額度用完時的備援 code review | |
| # 觸發方式: | |
| # 1. 在 PR 留言輸入 `/claude review`(需為 repo collaborator) | |
| # 2. 至 GitHub Actions 頁面手動執行,輸入 PR number | |
| on: | |
| issue_comment: | |
| types: [created] | |
| workflow_dispatch: | |
| inputs: | |
| pr_number: | |
| description: "PR number to review (e.g. 42)" | |
| required: true | |
| type: string | |
| jobs: | |
| claude-review: | |
| name: Claude Code Review | |
| runs-on: ubuntu-latest | |
| # Trigger conditions: | |
| # - workflow_dispatch: manual execution | |
| # - issue_comment: comment starts with "/claude review", author is collaborator or above | |
| if: | | |
| github.event_name == 'workflow_dispatch' || | |
| ( | |
| github.event_name == 'issue_comment' && | |
| github.event.issue.pull_request != null && | |
| startsWith(github.event.comment.body, '/claude review') && | |
| ( | |
| github.event.comment.author_association == 'OWNER' || | |
| github.event.comment.author_association == 'MEMBER' || | |
| github.event.comment.author_association == 'COLLABORATOR' | |
| ) | |
| ) | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| issues: write | |
| steps: | |
| - name: Checkout repository (base branch) | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # Save prompt to /tmp before PR checkout to prevent PR author from overriding the prompt file. | |
| # Note: this prompt lives in .github/prompts/ (not app/prompts/) because it is a CI tooling | |
| # prompt for GitHub Actions, not an LLM prompt template used by the application runtime. | |
| # The app/prompts/ rule in CLAUDE.md applies to RAG/LLM templates in the backend service. | |
| # If prompt_file were read after gh pr checkout, the PR branch version would take effect, | |
| # allowing the PR author to weaken or bypass review rules. | |
| - name: Save prompt file before PR checkout | |
| run: cp .github/prompts/claude-review.md /tmp/claude-review-prompt.md | |
| # Merge PR number from both trigger sources via env var to prevent expression injection. | |
| - name: Checkout PR branch | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # workflow_dispatch: use inputs.pr_number; issue_comment: use issue number | |
| PR_NUMBER: ${{ github.event_name == 'workflow_dispatch' && inputs.pr_number || github.event.issue.number }} | |
| run: gh pr checkout "$PR_NUMBER" | |
| # Post status comment to PR when triggered via issue_comment | |
| - name: Post "reviewing" comment | |
| if: github.event_name == 'issue_comment' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| run: | | |
| gh pr comment "$ISSUE_NUMBER" \ | |
| --body "Claude Code Review started. Results will be posted shortly." | |
| - name: Run Claude Code Review | |
| # pin to SHA: tracked in issue #35 | |
| # https://github.com/singyichen/labor-law-assistant/issues/35 | |
| uses: anthropics/claude-code-action@beta | |
| with: | |
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| # Use the prompt saved before PR checkout to prevent prompt tampering. | |
| prompt_file: /tmp/claude-review-prompt.md | |
| # Allow read-only operations and full PR diff (base..HEAD covers all commits in the PR). | |
| allowed_tools: "Read,Glob,Grep,Bash(git diff origin/main...HEAD,git log --oneline origin/main..HEAD)" |
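Review bot: `allowed_tools` on the last line packs two commands into one `Bash(...)` entry separated by a comma, whereas the action's documented form is one `Bash(...)` rule per command in a comma-separated list; if the list is split on commas before the parentheses are matched, both halves become malformed rules and the intended read-only git commands may be denied or matched differently than written. Separate entries remove the ambiguity: `allowed_tools: "Read,Glob,Grep,Bash(git diff origin/main...HEAD),Bash(git log --oneline origin/main..HEAD)"`. This allowlist is the only boundary between the model and the untrusted PR branch checked out on line 60, so its comment should state that rather than only describing the diff range, e.g. `# Read-only allowlist: PR contents are untrusted, so no write- or network-capable tools here.` Separately, `inputs.pr_number` is a free-form string handed to `gh pr checkout`, which also accepts branch names and URLs; a guard such as `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || exit 1` before the checkout keeps the dispatch path to real PR numbers. The `with:` block of this step may continue past the excerpt.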