13 changes: 13 additions & 0 deletions .github/workflows/check_review.yml
@@ -0,0 +1,13 @@
name: 'Check: Code Review'
on:
pull_request:
types: [opened, synchronize]
Comment on lines +2 to +4

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions pull_request event secrets not available from forks

💡 Result:

Yes, in GitHub Actions, repository secrets (other than GITHUB_TOKEN) are not available to workflows triggered by the pull_request event when the PR originates from a fork. This is a security feature to prevent malicious actors from accessing secrets via PRs from forked repositories. Key points:

  • For pull_request event from forks: No access to base repo secrets. GITHUB_TOKEN is read-only.
  • This applies to both public and private repos (private repos have an opt-in setting for write tokens but secrets remain unavailable).
  • Fork repo's own secrets are also not passed to the base repo workflow.
  • To access secrets, use pull_request_target event, which runs in the base repo context with secrets access. However, this is risky: do not check out or execute untrusted PR code without safeguards (e.g., check user permissions, require approval).
  • Alternatives: Use workflow_run triggered after a pull_request workflow completes, or OIDC for cloud auth without long-lived secrets.
  • Enable repo settings like "Require approval for first-time contributors" and read-only GITHUB_TOKEN by default.

This behavior is unchanged as of 2026.

🏁 Script executed:

# Check the full content of the check_review.yml workflow file
cat -n .github/workflows/check_review.yml

Repository: musescore/MuseScore

Length of output: 601


🏁 Script executed:

# List all workflow files to understand patterns
ls -la .github/workflows/

# Check if there's any documentation about PR workflows
cat README.md | grep -i "fork\|pull request\|workflow" || echo "No matches in README"

# Check if there are other review-related workflows
grep -l "pull_request" .github/workflows/*.yml

Repository: musescore/MuseScore

Length of output: 2774


🏁 Script executed:

# Check triage_prs.yml (mentioned in learnings as having mutable refs intentionally)
cat -n .github/workflows/triage_prs.yml

# Check if there's a claude.yml that might be related
cat -n .github/workflows/claude.yml

Repository: musescore/MuseScore

Length of output: 3435


🏁 Script executed:

# Check git history or comments about check_review.yml
git log --oneline -n 20 -- .github/workflows/check_review.yml 2>/dev/null || echo "No git history available"

# Check if there are any other references to ANTHROPIC_API_KEY in the repo
rg "ANTHROPIC_API_KEY" --type yaml

# Check triage_issues.yml for comparison
cat -n .github/workflows/triage_issues.yml | head -30

Repository: musescore/MuseScore

Length of output: 1158


This workflow will not function for external contributors submitting PRs from forks.

On pull_request events from forked repositories, GitHub does not expose repository secrets (including ANTHROPIC_API_KEY), so the workflow will fail silently for the majority of external contributors. Since your README explicitly invites fork contributions ("Fork and make pull requests!"), this is a significant limitation.

Options:

  • Switch to pull_request_target: requires careful security review, as it runs base-branch code with write permissions and secret access; the Claude action must be properly sandboxed and the PR code must never be executed.
  • Use a two-workflow pattern: pull_request (no secrets) uploads the diff as an artifact, then a workflow_run-triggered workflow processes it with secrets.
  • Restrict to same-repo branches and document the limitation clearly (trusted contributor PRs only).

See triage_prs.yml for how your repo already handles fork PRs with secrets in similar workflows.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check_review.yml around lines 2 - 4, The current
check_review.yml triggers on "on: pull_request" which cannot access repository
secrets for forked PRs (e.g., ANTHROPIC_API_KEY) and so will fail for external
contributors; to fix this, either change the trigger to "pull_request_target"
(ensure you do NOT execute untrusted PR code and thoroughly sandbox any step
invoking PR content) or implement the two-workflow pattern: keep
check_review.yml on "pull_request" with no secrets to upload the PR diff as an
artifact, then create a second workflow that runs on "workflow_run" (or a
dedicated dispatch) which consumes that artifact and runs the secret-requiring
steps with ANTHROPIC_API_KEY; reference the existing triage_prs.yml for an
example and update the workflow triggers (replace "on: pull_request" or add "on:
workflow_run") and steps that reference ANTHROPIC_API_KEY accordingly.

jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: "Review this pull request for code quality, correctness, and security. Analyze the diff, then post your findings as review comments."
claude_args: "--max-turns 5"
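Review bot: `uses: anthropics/claude-code-action@v1` at line 9 of this hunk is a mutable major-version tag, and the same step receives `secrets.ANTHROPIC_API_KEY` on line 11, so whoever can move that tag decides what code runs with the key; pin the action to a full commit SHA (keeping `# v1` as a trailing comment for readability) and let a dependency bot raise bump PRs, which also gives you a reviewable diff whenever the action changes.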
Comment on lines +5 to +13

🧹 Nitpick | 🔵 Trivial

Add concurrency control to avoid duplicate reviews on rapid pushes.

synchronize fires on every push to the PR branch. Without concurrency, successive pushes spawn parallel Claude runs that duplicate work and burn API credits. Cancel in-progress runs per PR:

♻️ Proposed addition
 jobs:
   review:
     runs-on: ubuntu-latest
+    concurrency:
+      group: claude-review-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
     steps:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check_review.yml around lines 5 - 13, The workflow spawns
parallel Claude runs on every push to a PR; add GitHub Actions concurrency to
the review job to cancel in-progress runs for the same PR to avoid duplicate
reviews and wasted API credits. Update the job named "review" to include a
concurrency block that uses a unique group string derived from the PR identifier
(e.g., github.event.pull_request.number or github.ref) and set
cancel-in-progress: true so ongoing runs for that group are canceled when a new
push triggers the job; leave the existing steps (the
anthropics/claude-code-action@v1 step and its inputs like prompt and
claude_args) unchanged.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

anthropics/claude-code-action v1 required GitHub token permissions for posting PR review comments

💡 Result:

The anthropics/claude-code-action v1 primarily uses the official Claude Code GitHub App for GitHub API operations, including posting PR review comments. This app requires Pull Requests: Read & Write permissions (along with Contents and Issues Read & Write). When using a custom GitHub token via the github_token input (e.g., for custom GitHub Apps), the token must have equivalent repo-scoped permissions: pull-requests: write (minimum for posting comments), plus contents: write and issues: write for full functionality like code changes and issue responses. Workflow permissions must also include pull-requests: write and typically id-token: write for OIDC auth, contents: read/write, and issues: read/write as shown in examples.

Add permissions block — action cannot post review comments without explicit permissions.

The job lacks explicit permissions, so GITHUB_TOKEN inherits default permissions which may be read-only. For anthropics/claude-code-action@v1 to post PR review comments, it requires pull-requests: write at minimum (with contents: read and issues: write for full functionality).

Proposed fix
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/check_review.yml around lines 5 - 13, The GitHub Actions
job "review" is missing a permissions block so the GITHUB_TOKEN may lack rights
to post PR review comments; add a permissions section for the job (or workflow)
that grants at minimum pull-requests: write (and optionally contents: read and
issues: write) so the step using anthropics/claude-code-action@v1 can create
review comments; update the "review" job definition to include this permissions
block immediately under the job name to ensure the action has required scopes.
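A worked version of the two-workflow split proposed in the first comment, carrying the explicit permissions block from the third, as an added example that is not part of this PR or of the reviewer's comments. The workflow names, the file name check_review_run.yml, the artifact name pr-review-input and the pr.diff/pr_number layout are my own choices, and running anthropics/claude-code-action from a workflow_run context is an assumption this page does not confirm.

```yaml
# check_review.yml (untrusted side): runs in the PR context, so fork PRs get no secrets
name: 'Check: Code Review (collect)'
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  collect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Save the diff and PR number as plain data (SHAs and numbers only, no branch names)
        run: |
          git diff "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}" > pr.diff
          echo "${{ github.event.pull_request.number }}" > pr_number
      - uses: actions/upload-artifact@v4
        with:
          name: pr-review-input
          path: |
            pr.diff
            pr_number

# check_review_run.yml (trusted side): base-repo context, secrets available
name: 'Check: Code Review (run)'
on:
  workflow_run:
    workflows: ['Check: Code Review (collect)']
    types: [completed]
jobs:
  review:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # No checkout of the PR head: the artifact is the only PR-derived input, read as data, never run
      - uses: actions/download-artifact@v4
        with:
          name: pr-review-input
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Reject a malformed PR number before anything uses it
        run: grep -Eq '^[0-9]+$' pr_number
      - uses: anthropics/claude-code-action@v1   # assumption: usable from a workflow_run context
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Review ./pr.diff for the PR numbered in ./pr_number and post findings as review comments."
          claude_args: "--max-turns 5"
```

A workflow_run workflow always executes the copy on the default branch, so edits to check_review_run.yml in a PR only take effect after merge, which is what keeps a PR from rewriting the privileged side.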

58 changes: 58 additions & 0 deletions .github/workflows/claude.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Claude Code

on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]

jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
Comment on lines +13 to +20

🧹 Nitpick | 🔵 Trivial

Consider adding concurrency control to prevent overlapping runs.

Rapid successive events (e.g., multiple @claude comments or review submissions) will spawn parallel jobs, potentially racing on the same PR/issue and consuming API credits unnecessarily. Consider scoping concurrency per issue/PR:

♻️ Proposed addition
 jobs:
   claude:
+    concurrency:
+      group: claude-${{ github.event.issue.number || github.event.pull_request.number }}
+      cancel-in-progress: false
     if: |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 13 - 20, Add per-PR/issue
concurrency to the claude job to avoid overlapping runs: update the claude job
in .github/workflows/claude.yml to include a concurrency block keyed by the
target resource (e.g., use github.event.issue.number or
github.event.pull_request.number or fallback to github.sha) and set
cancel-in-progress as desired; this ensures the claude job (job name "claude")
for the same PR/issue is serialized and prevents parallel executions and API
race conditions.

permissions:
contents: write
pull-requests: write
issues: write
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

# Optional: Customize the trigger phrase (default: @claude)
# trigger_phrase: "/claude"

# Optional: Trigger when specific user is assigned to an issue
# assignee_trigger: "claude-bot"

# Optional: Configure Claude's behavior with CLI arguments
# claude_args: |
# --model claude-opus-4-1-20250805
# --max-turns 10
# --allowedTools "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)"
# --system-prompt "Follow our coding standards. Ensure all new code has tests. Use TypeScript for new files."

# Optional: Advanced settings configuration
# settings: |
# {
# "env": {
# "NODE_ENV": "test"
# }
# }
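Review bot: the `if:` gate at lines 15-19 of this hunk admits any comment, review or issue whose body contains the string '@claude' and never looks at who wrote it, while the job runs with `contents: write`, `issues: write`, `id-token: write` and `secrets.ANTHROPIC_API_KEY`; on a public repository that lets any account that can open an issue or comment start a run holding those credentials. Gate each event on its author association, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events, with `github.event.review.author_association` and `github.event.issue.author_association` for the other two, and drop `contents: write` unless Claude is actually expected to push commits. `actions/checkout@v6` and `claude-code-action@v1` are mutable refs here as well; pin both to commit SHAs.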