claude-code-review.yml
name: Claude Code Review

# pull_request_target runs in the context of the base repository, so secrets
# and a write-scoped token are available even for pull requests from forks.
on:
  pull_request_target:
    types: [opened, synchronize, ready_for_review, reopened, labeled]
  issue_comment:
    types: [created]

jobs:
  claude-review:
    if: >
      (
        github.event_name == 'pull_request_target' &&
        (
          github.event.action == 'opened' ||
          github.event.action == 'ready_for_review' ||
          github.event.action == 'reopened' ||
          github.event.action == 'synchronize' ||
          (
            github.event.action == 'labeled' &&
            github.event.label.name == 'claude-full-review'
          )
        )
      ) ||
      (
        github.event_name == 'issue_comment' &&
        github.event.issue.pull_request != null &&
        contains(github.event.comment.body, '@claude full review')
      )
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
      actions: read
      id-token: write

    steps:
      - name: Install unzip (required by bun setup)
        run: |
          sudo apt-get update
          sudo apt-get install -y unzip

      # Base checkout only
      # No `ref` is set, so this checks out the base repository's code, not the PR head.
      - name: Checkout base repo (safe)
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      # synchronize -> incremental review; every other trigger -> full review.
      - name: Determine PR number and review mode
        id: mode
        shell: bash
        run: |
          if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
            PR_NUMBER="${{ github.event.pull_request.number }}"
            if [[ "${{ github.event.action }}" == "opened" || "${{ github.event.action }}" == "ready_for_review" || "${{ github.event.action }}" == "reopened" ]]; then
              REVIEW_MODE="full"
            elif [[ "${{ github.event.action }}" == "synchronize" ]]; then
              REVIEW_MODE="incremental"
            elif [[ "${{ github.event.action }}" == "labeled" && "${{ github.event.label.name }}" == "claude-full-review" ]]; then
              REVIEW_MODE="full"
            else
              REVIEW_MODE="full"
            fi
          elif [[ "${{ github.event_name }}" == "issue_comment" ]]; then
            PR_NUMBER="${{ github.event.issue.number }}"
            REVIEW_MODE="full"
          else
            REVIEW_MODE="full"
          fi

          echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
          echo "review_mode=${REVIEW_MODE:-full}" >> "$GITHUB_OUTPUT"

      - name: Run Claude Code Review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ github.token }}
          plugin_marketplaces: "https://github.com/anthropics/claude-code.git"
          plugins: "code-review@claude-code-plugins"
          claude_args: >
            --dangerously-skip-permissions
            --max-turns 90
            --allowedTools
            "Bash"
          prompt: |
            You are running in pull_request_target / issue_comment automation.

            REVIEW MODE: ${{ steps.mode.outputs.review_mode }}
            PR NUMBER: ${{ steps.mode.outputs.pr_number }}

            DO NOT read or inspect any checked-out PR/fork code. Review ONLY using GitHub API/gh commands.

            You may read local guidance ONLY from:
            - ./CLAUDE.md (root) if present
            - ./.claude/rules/*.md if present (max 10 files)

            Keep tool calls minimal and in this order:

            Phase 1 — Local guidance (base branch only, safe):
              1) ls -1 .claude/rules 2>/dev/null || true
              2) cat CLAUDE.md 2>/dev/null || true
              3) find .claude/rules -maxdepth 1 -name "*.md" -print | head -n 10 | xargs -I{} cat "{}" 2>/dev/null || true

            Phase 2 — PR metadata and diff:
              4) gh pr view ${{ steps.mode.outputs.pr_number }} --repo ${{ github.repository }} --json title,body,files,changedFiles,additions,deletions,headRefOid,comments
              5) gh pr diff ${{ steps.mode.outputs.pr_number }} --repo ${{ github.repository }}

            Phase 3 — Full file context (read via GitHub API, NOT local checkout):
              After reviewing the diff, fetch full contents of changed files to understand
              surrounding context. This is critical for catching issues the diff alone hides
              (e.g., duplicate code, broken callers, missing cleanup, variable shadowing).

              Use this pattern to fetch file contents at the PR head SHA:
                gh api repos/${{ github.repository }}/contents/{path}?ref={head_sha} --jq '.content' | base64 -d

              Rules for Phase 3:
              - Get the head SHA from step 4's headRefOid field.
              - Fetch up to 15 changed files (skip files >500 lines or binary files).
              - Prioritize: source code (.fpp, .f90, .py, .yml) over docs/config.
              - For Fortran/Fypp files: also fetch files that the changed file imports
                (look for "use m_<name>" or "#:include" in the fetched content) if they
                seem relevant to the review. Limit to 5 additional related files.
              - Do NOT fetch files that are unchanged and unrelated to the diff.
              - If a file fetch fails (404, too large), skip it and continue.

            Review policy:
            - FULL mode:
              - Review the current PR normally.
              - Post or update ONE top-level PR comment titled "Claude Code Review".
            - INCREMENTAL mode:
              - Find the most recent prior Claude review comment on this PR.
              - Look for a hidden marker in the form:
                <!-- claude-review: reviewed_sha=<sha>; mode=<mode> -->
              - Compare the prior reviewed SHA to the current head SHA.
              - Review ONLY for newly introduced issues since the previous Claude-reviewed SHA.
              - DO NOT repeat earlier findings.
              - DO NOT restate the full PR summary.
              - If there are no new high-confidence findings, DO NOT post a new comment. STOP.
              - If there are new findings, update the existing Claude review comment if possible; otherwise post one new top-level comment.

            Re-review policy:
            - A full review is explicitly requested only when:
              - the workflow was triggered by PR label "claude-full-review", or
              - the workflow was triggered by an issue comment containing "@claude full review"

            Output format for FULL mode:
              Claude Code Review
              Head SHA: <sha>
              Files changed:
              - <count>
              - <up to 10 paths>
              Summary:
              - <3-6 minimal bullets>
              Findings:
              - <file + line numbers when possible>
              - <minimal, high-confidence only>

            Output format for INCREMENTAL mode:
              Claude Code Review
              Incremental review from: <previous_sha>
              Head SHA: <current_sha>
              New findings since last Claude review:
              - <only genuinely new issues, file + line numbers when possible>

            When posting a comment, include this hidden marker at the end:
            <!-- claude-review: reviewed_sha=<current_head_sha>; mode=${{ steps.mode.outputs.review_mode }} -->

            If posting is blocked, write the full review to the GitHub Actions job summary instead, then STOP.
          additional_permissions: |
            actions: read