
[origin] added claude code review CI workflow#33040

Open
igorkorsukov wants to merge 1 commit into master from igor/ci/claude_review

Conversation

@igorkorsukov
Contributor

No description provided.

@coderabbitai

coderabbitai bot commented Apr 17, 2026

Walkthrough

Two new GitHub Actions workflows are added to automate code review processes. The first workflow (check_review.yml) triggers automatically on pull request open and synchronize events, executing Claude code review action to analyze code quality, correctness, and security. The second workflow (claude.yml) is triggered when specific text appears in pull request comments, issue comments, and pull request reviews. Both workflows use the Anthropic Claude code action with API key authentication and are configured with specific parameters for code analysis. Combined, these changes add 71 lines of configuration files.

Pre-merge checks: 2 passed, 1 failed

Failed checks (1 warning)

  • Description check: Warning. The pull request description is completely missing, but the repository requires a structured description following the provided template. Resolution: add a description following the template, including issue reference, motivation, and checkboxes confirming compliance with repository guidelines.

Passed checks (2 passed)

  • Title check: Passed. The title clearly describes the main change: adding a Claude code review CI workflow to the repository.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/check_review.yml:
- Around line 5-13: The workflow spawns parallel Claude runs on every push to a
PR; add GitHub Actions concurrency to the review job to cancel in-progress runs
for the same PR to avoid duplicate reviews and wasted API credits. Update the
job named "review" to include a concurrency block that uses a unique group
string derived from the PR identifier (e.g., github.event.pull_request.number or
github.ref) and set cancel-in-progress: true so ongoing runs for that group are
canceled when a new push triggers the job; leave the existing steps (the
anthropics/claude-code-action@v1 step and its inputs like prompt and
claude_args) unchanged.
- Around line 5-13: The GitHub Actions job "review" is missing a permissions
block so the GITHUB_TOKEN may lack rights to post PR review comments; add a
permissions section for the job (or workflow) that grants at minimum
pull-requests: write (and optionally contents: read and issues: write) so the
step using anthropics/claude-code-action@v1 can create review comments; update
the "review" job definition to include this permissions block immediately under
the job name to ensure the action has required scopes.
- Around line 2-4: The current check_review.yml triggers on "on: pull_request"
which cannot access repository secrets for forked PRs (e.g., ANTHROPIC_API_KEY)
and so will fail for external contributors; to fix this, either change the
trigger to "pull_request_target" (ensure you do NOT execute untrusted PR code
and thoroughly sandbox any step invoking PR content) or implement the
two-workflow pattern: keep check_review.yml on "pull_request" with no secrets to
upload the PR diff as an artifact, then create a second workflow that runs on
"workflow_run" (or a dedicated dispatch) which consumes that artifact and runs
the secret-requiring steps with ANTHROPIC_API_KEY; reference the existing
triage_prs.yml for an example and update the workflow triggers (replace "on:
pull_request" or add "on: workflow_run") and steps that reference
ANTHROPIC_API_KEY accordingly.

In @.github/workflows/claude.yml:
- Around line 13-20: Add per-PR/issue concurrency to the claude job to avoid
overlapping runs: update the claude job in .github/workflows/claude.yml to
include a concurrency block keyed by the target resource (e.g., use
github.event.issue.number or github.event.pull_request.number or fallback to
github.sha) and set cancel-in-progress as desired; this ensures the claude job
(job name "claude") for the same PR/issue is serialized and prevents parallel
executions and API race conditions.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d76df859-43ff-4111-a96c-bc292165d895

📥 Commits

Reviewing files that changed from the base of the PR and between a0d3d2a and 00992f7.

📒 Files selected for processing (2)
  • .github/workflows/check_review.yml
  • .github/workflows/claude.yml

Comment on lines +2 to +4
on:
pull_request:
types: [opened, synchronize]
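Review bot: The fork-secrets concern raised on this trigger is correct, and the least risky fix is not pull_request_target but a job-level guard on the existing pull_request trigger, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, so PRs from forks are skipped cleanly instead of failing when ANTHROPIC_API_KEY is absent. If pull_request_target is chosen instead, the job must never check out or run the PR head, and the token should stay read-only apart from pull-requests.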

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions pull_request event secrets not available from forks

💡 Result:

Yes, in GitHub Actions, repository secrets (other than GITHUB_TOKEN) are not available to workflows triggered by the pull_request event when the PR originates from a fork. This is a security feature to prevent malicious actors from accessing secrets via PRs from forked repositories. Key points:

  • For pull_request event from forks: No access to base repo secrets. GITHUB_TOKEN is read-only.
  • This applies to both public and private repos (private repos have an opt-in setting for write tokens but secrets remain unavailable).
  • Fork repo's own secrets are also not passed to the base repo workflow.
  • To access secrets, use pull_request_target event, which runs in the base repo context with secrets access. However, this is risky: do not checkout or execute untrusted PR code without safeguards (e.g., check user permissions, require approval).
  • Alternatives: Use workflow_run triggered after a pull_request workflow completes, or OIDC for cloud auth without long-lived secrets.
  • Enable repo settings like "Require approval for first-time contributors" and read-only GITHUB_TOKEN by default.

This behavior is unchanged as of 2026.

🏁 Script executed:

# Check the full content of the check_review.yml workflow file
cat -n .github/workflows/check_review.yml

Repository: musescore/MuseScore

Length of output: 601


🏁 Script executed:

# List all workflow files to understand patterns
ls -la .github/workflows/

# Check if there's any documentation about PR workflows
cat README.md | grep -i "fork\|pull request\|workflow" || echo "No matches in README"

# Check if there are other review-related workflows
grep -l "pull_request" .github/workflows/*.yml

Repository: musescore/MuseScore

Length of output: 2774


🏁 Script executed:

# Check triage_prs.yml (mentioned in learnings as having mutable refs intentionally)
cat -n .github/workflows/triage_prs.yml

# Check if there's a claude.yml that might be related
cat -n .github/workflows/claude.yml

Repository: musescore/MuseScore

Length of output: 3435


🏁 Script executed:

# Check git history or comments about check_review.yml
git log --oneline -n 20 -- .github/workflows/check_review.yml 2>/dev/null || echo "No git history available"

# Check if there are any other references to ANTHROPIC_API_KEY in the repo
rg "ANTHROPIC_API_KEY" --type yaml

# Check triage_issues.yml for comparison
cat -n .github/workflows/triage_issues.yml | head -30

Repository: musescore/MuseScore

Length of output: 1158


This workflow will not function for external contributors submitting PRs from forks.

On pull_request events from forked repositories, GitHub does not expose repository secrets (including ANTHROPIC_API_KEY), so the workflow will fail silently for the majority of external contributors. Since your README explicitly invites fork contributions ("Fork and make pull requests!"), this is a significant limitation.

Options:

  • Switch to pull_request_target: requires careful security review, as it runs base-branch code with write permissions and secret access; the Claude action must be properly sandboxed and the PR code must never be executed.
  • Use a two-workflow pattern: pull_request (no secrets) uploads the diff as an artifact, then a workflow_run-triggered workflow processes it with secrets.
  • Restrict to same-repo branches and document the limitation clearly (trusted contributor PRs only).

See triage_prs.yml for how your repo already handles fork PRs with secrets in similar workflows.

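The two-workflow pattern the comment above describes, written out as an added example; this is not the project's workflow and not code from this PR. The workflow names, the artifact name claude-review-input, the review/ directory and the consumer file name are assumptions, and so is the way the action is told which PR to review when no pull_request event is in context (check that against the action's documentation). The producer runs without secrets and only packages the diff; the consumer treats everything in the artifact as contributor-controlled, checks that the PR number it names really points at the commit the producer ran on, and never checks out PR code.

```yaml
# Producer: .github/workflows/check_review.yml (assumed name). Stays on pull_request,
# so it runs for fork PRs too, but has no secrets and only packages the diff.
name: Claude review - collect diff
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read

jobs:
  collect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Write the PR diff and PR number to a directory
        run: |
          mkdir -p review
          git diff "origin/${{ github.base_ref }}...HEAD" > review/pr.diff
          echo "${{ github.event.pull_request.number }}" > review/pr_number
      - uses: actions/upload-artifact@v4
        with:
          name: claude-review-input
          path: review/
---
# Consumer: .github/workflows/claude_review_run.yml (assumed name). Runs in the base
# repository after the producer finishes, holds the secret, and never checks out PR code.
name: Claude review - run
on:
  workflow_run:
    workflows: ["Claude review - collect diff"]
    types: [completed]

permissions:
  actions: read        # needed to download another run's artifact
  contents: read
  pull-requests: write # needed to post review comments

concurrency:
  group: claude-review-${{ github.event.workflow_run.head_sha }}
  cancel-in-progress: true

jobs:
  review:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: claude-review-input
          path: review
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate the artifact (its contents are contributor-controlled)
        id: meta
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          pr=$(tr -d '[:space:]' < review/pr_number)
          case "$pr" in
            ''|*[!0-9]*) echo "pr_number is not a number: '$pr'" >&2; exit 1 ;;
          esac
          # The number must name the PR whose head the producer actually ran on;
          # otherwise a crafted artifact could point the reviewer at another PR.
          actual=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${pr}" --jq .head.sha)
          [ "$actual" = "$EXPECTED_SHA" ] || { echo "PR #$pr head $actual != $EXPECTED_SHA" >&2; exit 1; }
          echo "pr=$pr" >> "$GITHUB_OUTPUT"
      - uses: anthropics/claude-code-action@v1 # replace @v1 with a full commit SHA before use
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Assumption: the action accepts the PR to review by number in the prompt; verify in its docs.
          prompt: "Review pull request #${{ steps.meta.outputs.pr }} using the diff in review/pr.diff for code quality, correctness, and security, then post your findings as review comments."
          claude_args: "--max-turns 5"
```

The two documents above are separate files; they are shown in one block only so the hand-off is visible in one place. The diff inside the artifact is still untrusted text that the agent will read, which is why the consumer's token grants nothing beyond posting review comments.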

Comment on lines +5 to +13
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Review this pull request for code quality, correctness, and security. Analyze the diff, then post your findings as review comments."
claude_args: "--max-turns 5" No newline at end of file
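Review bot: `anthropics/claude-code-action@v1` on the `uses:` line is a mutable tag; pin it to a full commit SHA (with the version in a trailing comment) so a moved tag cannot change what runs with ANTHROPIC_API_KEY in scope. The prompt also hands the PR diff, which is contributor-controlled text, to an agent holding a GitHub token, so grant that token only what posting review comments needs and keep `--max-turns 5` (or lower) as a bound on what an injected instruction in the diff could make it do. The file is also missing its trailing newline.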

🧹 Nitpick | 🔵 Trivial

Add concurrency control to avoid duplicate reviews on rapid pushes.

synchronize fires on every push to the PR branch. Without concurrency, successive pushes spawn parallel Claude runs that duplicate work and burn API credits. Cancel in-progress runs per PR:

♻️ Proposed addition
 jobs:
   review:
     runs-on: ubuntu-latest
+    concurrency:
+      group: claude-review-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
     steps:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

anthropics/claude-code-action v1 required GitHub token permissions for posting PR review comments

💡 Result:

The anthropics/claude-code-action v1 primarily uses the official Claude Code GitHub App for GitHub API operations, including posting PR review comments. This app requires Pull Requests: Read & Write permissions (along with Contents and Issues Read & Write). When using a custom GitHub token via the github_token input (e.g., for custom GitHub Apps), the token must have equivalent repo-scoped permissions: pull-requests: write (minimum for posting comments), plus contents: write and issues: write for full functionality like code changes and issue responses. Workflow permissions must also include pull-requests: write and typically id-token: write for OIDC auth, contents: read/write, and issues: read/write as shown in examples.


Add permissions block — action cannot post review comments without explicit permissions.

The job lacks explicit permissions, so GITHUB_TOKEN inherits default permissions which may be read-only. For anthropics/claude-code-action@v1 to post PR review comments, it requires pull-requests: write at minimum (with contents: read and issues: write for full functionality).

Proposed fix
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
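Review bot: `issues: write` in the proposed block is broader than posting PR review comments requires; `contents: read` plus `pull-requests: write` covers the prompt as written, so drop `issues: write` unless the action is also expected to respond on issues. The web query result above also says the action's examples include `id-token: write` for its OIDC-based app auth; confirm which auth path the anthropic_api_key input uses before copying a permissions set from the action's README.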
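Pulling together the permissions and concurrency suggestions from this and the earlier comment with a same-repository guard for the fork-secrets problem, this is what a hardened single-workflow check_review.yml looks like; it is an added example, not the project's file. The prompt, claude_args and secret name are the PR's own; the guard expression, the permission set, the concurrency group name and the instruction to replace @v1 with a commit SHA are additions.

```yaml
name: Claude code review
on:
  pull_request:
    types: [opened, synchronize]

# Least privilege for a job whose only write action is posting review comments.
permissions:
  contents: read
  pull-requests: write

# One review per PR at a time; a new push cancels the run for the previous head.
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    # Fork PRs have no access to ANTHROPIC_API_KEY; skip them cleanly instead of failing.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      # Replace @v1 with the full commit SHA of the release you audited, keeping the
      # version in a comment, so the action cannot be changed underneath the secret.
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Review this pull request for code quality, correctness, and security. Analyze the diff, then post your findings as review comments."
          claude_args: "--max-turns 5"
```

The guard means external contributors simply get no automated review rather than a red check; if reviews for fork PRs are wanted, the producer/consumer split is the way to provide them without exposing the key.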

Comment on lines +13 to +20
jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
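Review bot: Every branch of this `if:` fires on any body containing '@claude', whoever wrote it, so any account able to comment on the repository can start an agent run that spends API credits and may act on the PR or issue. Gate each branch on the author's association, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events, `github.event.review.author_association` for pull_request_review and `github.event.issue.author_association` for issues.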

🧹 Nitpick | 🔵 Trivial

Consider adding concurrency control to prevent overlapping runs.

Rapid successive events (e.g., multiple @claude comments or review submissions) will spawn parallel jobs, potentially racing on the same PR/issue and consuming API credits unnecessarily. Consider scoping concurrency per issue/PR:

♻️ Proposed addition
 jobs:
   claude:
+    concurrency:
+      group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
+      cancel-in-progress: false
     if: |
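Review bot: With `cancel-in-progress: false` GitHub keeps at most one run in progress and one pending per group, so a third '@claude' mention on the same issue or PR cancels the older pending run rather than queueing behind it; acceptable for a chat-style trigger, but worth a comment next to the block. The group expression is fine for the four events in the `if:`, since each carries either issue.number or pull_request.number.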
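As an added example (not code from the PR), the claude job condition extended so that only accounts with a trusted association can invoke the agent, combined with the per-resource concurrency proposed above. The choice of OWNER, MEMBER and COLLABORATOR as the trusted set is an assumption to adjust for this repository, and the permissions block is an assumption about what the job needs that should be trimmed to match the prompt in use.

```yaml
jobs:
  claude:
    # Each event type exposes author_association on a different object:
    # comment events on the comment, pull_request_review on the review,
    # issues on the issue. Only trusted associations may trigger the agent.
    if: |
      (
        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')
          && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')
          && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')
          && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
        (github.event_name == 'issues'
          && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))
          && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
      )
    # Serialize runs per issue/PR; a second mention waits instead of racing the first.
    concurrency:
      group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: false
    runs-on: ubuntu-latest
    # Assumed minimum for answering on both PRs and issues; drop what the prompt does not need.
    permissions:
      contents: read
      pull-requests: write
      issues: write
```

An untrusted account's '@claude' mention then evaluates the job condition to false and no run is created, so nothing is spent and the mention is visible in the thread for a maintainer to repeat if wanted.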
