
Commit 8256256

update claude code review workflow to focus on high-impact issues
- replace generic review prompt with structured checklist from /review-pr skill
- add step to read existing PR comments and skip already-raised issues
- only report high and medium severity, skip nitpicks
- add wordpress/DT-specific review criteria
- add gh api to allowed tools for reading review comments
1 parent 1cd33e5 commit 8256256

1 file changed

Lines changed: 53 additions & 8 deletions

.github/workflows/claude-code-review.yml

@@ -43,18 +43,63 @@ jobs:
4343
REPO: ${{ github.repository }}
4444
PR NUMBER: ${{ github.event.pull_request.number }}
4545
46-
Please review this pull request and provide feedback on:
47-
- Code quality and best practices
48-
- Potential bugs or issues
49-
- Performance considerations
50-
- Security concerns
51-
- Test coverage
46+
## Before reviewing
5247
53-
Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
48+
1. Run `gh pr diff ${{ github.event.pull_request.number }}` to get the full diff.
49+
2. Run `gh pr view ${{ github.event.pull_request.number }} --comments` to read existing comments. Do NOT repeat issues that have already been raised.
50+
3. For each changed file, read surrounding context beyond the diff to understand how changes fit into the codebase.
51+
4. Use grep/glob to trace callers, imports, and dependencies of changed functions to verify nothing is broken.
52+
53+
## What to check
54+
55+
### Correctness
56+
- Logic errors, off-by-one mistakes, missing edge cases
57+
- Null/undefined handling
58+
- Broken callers — if a function signature, return type, or API response shape changed, check that all call sites are updated
59+
- Dead code left behind (unused imports, unreachable branches, orphaned functions)
60+
61+
### Security
62+
- SQL injection, XSS, command injection (OWASP top 10)
63+
- Authentication/authorization bypasses
64+
- Exposed secrets or credentials
65+
- Unsafe user input handling
66+
67+
### Database
68+
- Destructive changes (DROP, column removal) that could lose data
69+
- Query performance: missing indexes, N+1 queries, full table scans
70+
- Transaction safety in concurrent environments
71+
72+
### Breaking changes
73+
- API contract changes (added/removed/renamed fields in request or response)
74+
- Changed database schema that other code depends on
75+
- Removed or renamed exports or hooks
76+
77+
### WordPress & Disciple.Tools patterns
78+
- Proper use of DT_Posts API, field definitions, and post type registration
79+
- Translation: all user-facing strings use esc_html_e(), __(), etc. with 'disciple_tools' text domain
80+
- REST endpoint authentication and capability checks
81+
82+
## Severity — only report High and Medium
83+
84+
**High**: Will cause bugs, data loss, security vulnerabilities, or broken functionality.
85+
**Medium**: May cause problems under certain conditions, hurt maintainability, or deviate from established patterns.
86+
87+
Skip nitpicks, style issues, and low-severity items entirely.
88+
89+
## Rules
90+
- Do NOT suggest changes beyond what the PR is trying to do — review the changes, don't expand scope.
91+
- Do NOT flag things that are intentionally removed or refactored as "missing" — understand the intent.
92+
- Be specific. Reference `file_path:line_number`. Explain what the issue is and what would trigger it.
93+
- Read surrounding code before flagging — the answer may already be handled nearby.
94+
- Use the repository's CLAUDE.md for guidance on conventions.
95+
96+
## Output
97+
98+
Group findings by severity (High, then Medium). End with a one-sentence summary of whether the PR looks ready to merge.
5499
55100
Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
56101
57102
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
58103
# or https://code.claude.com/docs/en/cli-reference for available options
59-
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
104+
claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh api:*)"'
60105
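Review bot: `Bash(gh api:*)` at the end of the new `claude_args` line is broader than the commit message's stated purpose (reading review comments) and is not needed by the prompt as written, because step 2 already reads comments with `gh pr view ... --comments`, and `Bash(gh pr view:*)` was allowed before this change. `gh api:*` is a prefix match, so it permits any REST or GraphQL request with any HTTP method, including writes, using whatever token the job runs with. Since step 1 feeds the model the PR diff and step 2 explicitly has it read existing PR comments (author-controlled, untrusted text), a prompt-injected comment would now have a path to mutating API calls. Suggest dropping `Bash(gh api:*)` from the list, or, if one specific read endpoint is genuinely needed, allowing that literal command only rather than the `gh api:*` prefix. Separately, steps 3 and 4 ask the model to read surrounding code and use grep/glob, but the allowed-tools list names only `gh` subcommands; worth confirming that the action's default tool set covers Read/Grep/Glob, otherwise those steps cannot be carried out.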

0 commit comments
