Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions .github/workflows/claude-code-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Claude Code Review

on:
pull_request:
types: [opened, synchronize, ready_for_review, reopened]

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow will trigger for every PR including this one, which could cause it to run immediately after merging. Since the PR description states "@claude mentions won't work until after the merge is complete," it would be better to either:

  1. Add a condition to skip running on PRs that modify workflow files
  2. Add an if condition to exclude the initial PR (e.g., checking labels or PR title)
  3. Keep the workflow commented out initially and enable it in a follow-up PR

This prevents the automated review from running on its own setup PR and consuming unnecessary CI resources.

Suggested change
types: [opened, synchronize, ready_for_review, reopened]
types: [opened, synchronize, ready_for_review, reopened]
paths-ignore:
- ".github/workflows/**"

Copilot uses AI. Check for mistakes.
# Optional: Only run on specific file changes
# paths:
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"
Comment on lines +8 to +11

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commented path filters reference "src//*.ts", "src//.tsx", "src/**/.js", and "src//*.jsx", but this repository doesn't have a "src/" directory at the root level. The repository structure uses "v2/" and "v3/" directories for different versions. If path filtering is needed, update these to match the actual repository structure, such as "v2//.go", "v3/**/.go", etc.

Suggested change
# - "src/**/*.ts"
# - "src/**/*.tsx"
# - "src/**/*.js"
# - "src/**/*.jsx"
# - "v2/**/*.go"
# - "v3/**/*.go"
# - "v2/**"
# - "v3/**"

Copilot uses AI. Check for mistakes.

jobs:
claude-review:
# Optional: Filter by PR author
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The permissions are set to read-only, but the claude-code-review workflow needs to post review comments on pull requests. Add pull-requests: write permission to enable Claude to create review comments with its findings.

Suggested change
pull-requests: read
pull-requests: write

Copilot uses AI. Check for mistakes.
issues: read
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code Review
id: claude-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
plugins: 'code-review@claude-code-plugins'
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an extra blank line at the end of the file. While this doesn't affect functionality, it's inconsistent with typical YAML formatting conventions.

Suggested change

Copilot uses AI. Check for mistakes.
50 changes: 50 additions & 0 deletions .github/workflows/claude.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
Comment on lines +8 to +9

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow triggers on issues: [opened, assigned] which means it will run when an issue is opened or assigned, even if no @claude mention is present. The condition check on line 19 filters for @claude mentions, but the workflow will still be queued and consume resources before being skipped. Consider removing the issues trigger types from line 8-9 to only trigger on actual comments where @claude is mentioned, or ensure this behavior is intentional.

Copilot uses AI. Check for mistakes.
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
Comment on lines +16 to +19

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow can be triggered by any user who can create comments on issues or PRs, including external contributors on public repositories. The PR description claims "Only users with write access to the repository can trigger the workflow," but there's no access control check in the workflow. While GitHub Actions provides some protection through permission scoping, consider adding an explicit check to verify the user has write access before executing Claude:

if: |
  github.event_name != 'issue_comment' || 
  github.event.comment.author_association == 'OWNER' || 
  github.event.comment.author_association == 'MEMBER' || 
  github.event.comment.author_association == 'COLLABORATOR'

This prevents unauthorized users from consuming API quota or triggering potentially expensive operations.

Suggested change
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
(
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
) && (
github.event_name != 'issue_comment' ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
) && (
github.event_name != 'pull_request_review_comment' ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'
) && (
github.event_name != 'pull_request_review' ||
github.event.review.author_association == 'OWNER' ||
github.event.review.author_association == 'MEMBER' ||
github.event.review.author_association == 'COLLABORATOR'
) && (
github.event_name != 'issues' ||
github.event.issue.author_association == 'OWNER' ||
github.event.issue.author_association == 'MEMBER' ||
github.event.issue.author_association == 'COLLABORATOR'
)

Copilot uses AI. Check for mistakes.
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
Comment on lines +22 to +24

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The permissions are set to read-only, but according to the PR description, Claude should be able to "create comments, branches, and commits." To enable Claude to perform these actions, the workflow needs write permissions. Consider adding:

  • pull-requests: write (for creating PR comments)
  • issues: write (for creating issue comments)
  • contents: write (for creating branches and commits)

Without these write permissions, Claude will only be able to read the repository but won't be able to execute actions or respond with comments.

Suggested change
contents: read
pull-requests: read
issues: read
contents: write
pull-requests: write
issues: write

Copilot uses AI. Check for mistakes.
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When the workflow is triggered by an issue_comment event on a regular issue (not a PR), the checkout will fetch the default branch code, not the PR code. This could lead to Claude operating on the wrong codebase context when mentioned in issue comments that reference PRs. Consider adding logic to detect if the comment is on a PR and checkout the PR branch accordingly, or document that @claude mentions on issues will work with the default branch context.

Suggested change
with:
with:
# Note: For `issue_comment` events on regular issues (not PRs), this will check out the default branch.
# @claude mentions in such issues therefore operate on the default branch codebase, even if the comment references a PR.

Copilot uses AI. Check for mistakes.
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

Comment on lines +39 to +42

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The additional_permissions parameter duplicates the actions: read permission that's already declared at the job level (line 26). This duplication is unnecessary and could lead to confusion. Remove either the job-level permission or the additional_permissions configuration.

Suggested change
# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read

Copilot uses AI. Check for mistakes.
# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'

Copilot AI Feb 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an extra blank line at the end of the file. While this doesn't affect functionality, it's inconsistent with typical YAML formatting conventions.

Suggested change

Copilot uses AI. Check for mistakes.
Loading