From 890a9852409e6df150ea6296e0a4c55a6a5d13bc Mon Sep 17 00:00:00 2001 From: Leigh <351529+leighmcculloch@users.noreply.github.com> Date: Fri, 8 May 2026 07:41:03 +1000 Subject: [PATCH 1/2] add claude review workflow --- .github/workflows/claude-review.yml | 40 +++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/claude-review.yml diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml new file mode 100644 index 0000000000..955a8fca5d --- /dev/null +++ b/.github/workflows/claude-review.yml @@ -0,0 +1,40 @@ +name: Claude Review +on: + pull_request: + types: [opened, synchronize, ready_for_review, reopened] + +concurrency: + group: claude-review-${{ github.event.pull_request.number }} + cancel-in-progress: true + +jobs: + review: + if: github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write + steps: + - uses: actions/checkout@v6 + with: + fetch-depth: 1 + + - uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + track_progress: true + prompt: | + REPO: ${{ github.repository }} + PR NUMBER: ${{ github.event.pull_request.number }} + + Please review this pull request with a focus on: + - Code quality and best practices + - Potential bugs or issues + - Security implications + - Performance considerations + + Provide detailed feedback using inline comments for specific issues. + + claude_args: | + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" From 70925fdf4081c82b474b661973e4e88140996b17 Mon Sep 17 00:00:00 2001 From: Leigh <351529+leighmcculloch@users.noreply.github.com> Date: Fri, 8 May 2026 14:36:43 +0000 Subject: [PATCH 2/2] harden claude review workflow security --- .github/workflows/claude-review.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml index 955a8fca5d..5466c4cad7 100644 --- a/.github/workflows/claude-review.yml +++ b/.github/workflows/claude-review.yml @@ -7,6 +7,8 @@ concurrency: group: claude-review-${{ github.event.pull_request.number }} cancel-in-progress: true +permissions: {} + jobs: review: if: github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false @@ -36,5 +38,9 @@ jobs: Provide detailed feedback using inline comments for specific issues. + # --max-turns caps how many tool-use cycles Claude can run, which + # bounds token spend per invocation. The allowed `gh pr` commands are + # scoped to this PR's number so a misfire can't reach into another PR. claude_args: | - --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" + --max-turns 30 + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment ${{ github.event.pull_request.number }}:*),Bash(gh pr diff ${{ github.event.pull_request.number }}:*),Bash(gh pr view ${{ github.event.pull_request.number }}:*)"