Add Claude PR review and overview workflows

[AndyTWF]

Summary

• Adds claude-review.yml — auto-reviews non-draft PRs on open/reopen/ready_for_review, and responds to @claude mentions in PR comments. Focused on significant concerns (bugs, security, architecture) rather than nitpicks.
• Adds pr-overview.yml — generates a structured PR summary (walkthrough, changes table, review notes) on non-draft PRs.

Both leverage the existing review skill (.claude/skills/ably-review/SKILL.md) and project conventions (CLAUDE.md) as reference material.

Setup required

Three secrets need to be configured in GitHub repo settings (Settings > Secrets and variables > Actions):

• ANTHROPIC_API_KEY — Anthropic API key for Claude
• CLAUDE_APP_ID — GitHub App ID
• CLAUDE_APP_PRIVATE_KEY — GitHub App private key

Test plan

• Configure the three secrets in repo settings
• Open a test PR to verify both workflows trigger
• Verify Claude posts a review summary comment
• Verify Claude posts a PR overview comment
• Test @claude mention in a PR comment triggers a response

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features
  • Automated pull request reviews are now generated and posted to pull requests upon creation and updates.
  • Pull request overview comments are automatically generated, providing walkthrough summaries, categorized changes across different components, and review notes for non-draft pull requests.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Mar 24, 2026 7:59pm

[coderabbitai]

Walkthrough

Two new GitHub Actions workflows are added for automated PR analysis using Claude. The first workflow (claude-review.yml) provides detailed PR reviews triggered by PR creation/reopening and comments mentioning @claude. The second workflow (pr-overview.yml) generates concise PR summaries with structured sections, triggered automatically on PR creation/reopening when not in draft mode. Both workflows authenticate via GitHub App tokens and invoke the Anthropic Claude code action.

Changes

Cohort / File(s)

Summary

GitHub Actions Workflows .github/workflows/claude-review.yml, .github/workflows/pr-overview.yml

Added two new workflows for automated PR analysis. claude-review.yml triggers on PR events and comments to provide detailed reviews when @claude is mentioned. pr-overview.yml generates structured PR overview summaries automatically on PR creation/reopening (non-draft), with sections for Walkthrough, Changes table, and Review Notes. Both use anthropics/claude-code-action@v1 with Anthropic API authentication and claude-sonnet-4-6 model.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hops of joy, our PRs now reviewed,
Claude hops in with insight brewed,
Summaries crafted, feedback so keen,
The finest PR flow we've seen! 🎉

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: adding two new GitHub Actions workflows for Claude-based PR review and overview functionality.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude-reviewer

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/claude-review.yml (1)

6-9: Consider rate limiting or author restrictions for comment triggers.

The workflow triggers on any comment containing @claude, including from external contributors. While GitHub Actions secrets aren't exposed to fork PRs by default, this could still:

1. Consume API quota if many users trigger it
2. Allow anyone to invoke Claude on public PRs

Consider adding an author check (e.g., github.event.comment.author_association in ['MEMBER', 'OWNER', 'COLLABORATOR']) if you want to restrict who can trigger Claude via comments.

Example author restriction

       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
-       contains(github.event.comment.body, '@claude')) ||
+       contains(github.event.comment.body, '@claude') &&
+       contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
       (github.event_name == 'pull_request_review_comment' &&
-       contains(github.event.comment.body, '@claude'))
+       contains(github.event.comment.body, '@claude') &&
+       contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.comment.author_association))

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-review.yml around lines 6 - 9, The workflow
currently triggers on issue_comment and pull_request_review_comment for any
created comment; restrict execution by checking
github.event.comment.author_association before running jobs. Update the workflow
jobs to include an if condition that allows only trusted associations (e.g.,
github.event.comment.author_association in ['MEMBER','OWNER','COLLABORATOR']),
or implement an equivalent step that exits early when
github.event.comment.author_association is not in the allowed set, so only
authorized users can trigger the Claude comment handlers.

.github/workflows/pr-overview.yml (1)

3-5: Both workflows trigger simultaneously on the same PR events.

This workflow and claude-review.yml both trigger on pull_request: [opened, reopened, ready_for_review]. When a PR is opened or marked ready, both workflows will run concurrently, potentially posting two separate Claude comments (one overview, one review).

If this is intentional, consider adding a brief delay or coordination mechanism to avoid flooding the PR with simultaneous bot comments. If not intentional, consider differentiating triggers or consolidating into a single workflow.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-overview.yml around lines 3 - 5, The PR overview
workflow is configured with the same pull_request trigger (types: [opened,
reopened, ready_for_review]) as claude-review.yml, causing both workflows to run
concurrently; update the on: pull_request block in pr-overview.yml (the line
with types: [opened, reopened, ready_for_review]) to avoid overlap—either narrow
the event types (e.g., only opened), add a distinguishing condition (if:
github.event.pull_request.draft == false or check a label), or sequence the runs
using workflow_run or GitHub Actions concurrency/cancel-in-progress so only one
Claude comment posts at a time.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/claude-review.yml:
- Around line 6-9: The workflow currently triggers on issue_comment and
pull_request_review_comment for any created comment; restrict execution by
checking github.event.comment.author_association before running jobs. Update the
workflow jobs to include an if condition that allows only trusted associations
(e.g., github.event.comment.author_association in
['MEMBER','OWNER','COLLABORATOR']), or implement an equivalent step that exits
early when github.event.comment.author_association is not in the allowed set, so
only authorized users can trigger the Claude comment handlers.

In @.github/workflows/pr-overview.yml:
- Around line 3-5: The PR overview workflow is configured with the same
pull_request trigger (types: [opened, reopened, ready_for_review]) as
claude-review.yml, causing both workflows to run concurrently; update the on:
pull_request block in pr-overview.yml (the line with types: [opened, reopened,
ready_for_review]) to avoid overlap—either narrow the event types (e.g., only
opened), add a distinguishing condition (if: github.event.pull_request.draft ==
false or check a label), or sequence the runs using workflow_run or GitHub
Actions concurrency/cancel-in-progress so only one Claude comment posts at a
time.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a7a7cf16-54f1-4e1a-8d5a-17b1db84f4fe

📥 Commits

Reviewing files that changed from the base of the PR and between f67c148 and 8e11b26.

📒 Files selected for processing (2)

• .github/workflows/claude-review.yml
• .github/workflows/pr-overview.yml