claude-code-review.yml
name: Claude Code Review

on:
  # pull_request_target runs in the base repository's context, so repository
  # secrets and the token permissions below are available even for pull
  # requests opened from forks.
  pull_request_target:
    types: [opened, synchronize, ready_for_review, reopened]

jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
      actions: read
      id-token: write

    steps:
      # IMPORTANT: checkout BASE repo only (safe on forks)
      - name: Checkout base repo (safe)
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Run Claude Code Review
        uses: anthropics/claude-code-action@v1
        env:
          # Ensure the action can execute the Claude CLI it installs.
          PATH: /home/runner/.local/bin:${{ env.PATH }}
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ github.token }}
          plugin_marketplaces: "https://github.com/anthropics/claude-code.git"
          plugins: "code-review@claude-code-plugins"
          # The agent reads the PR title, body and diff, all of which the PR
          # author controls. python3, xargs, find, sed and awk can each run
          # arbitrary commands, so this tool list does not restrict the agent
          # to read-only operations.
          claude_args: >
            --dangerously-skip-permissions
            --max-turns 80
            --allowedTools
            "Bash(gh pr view:*)"
            "Bash(gh pr diff:*)"
            "Bash(gh pr comment:*)"
            "Bash(gh api:*)"
            "Bash(cat:*)"
            "Bash(ls:*)"
            "Bash(find:*)"
            "Bash(grep:*)"
            "Bash(sed:*)"
            "Bash(awk:*)"
            "Bash(head:*)"
            "Bash(tail:*)"
            "Bash(wc:*)"
            "Bash(sort:*)"
            "Bash(uniq:*)"
            "Bash(cut:*)"
            "Bash(xargs:*)"
            "Bash(jq:*)"
            "Bash(python3:*)"
          prompt: |
            You are running in pull_request_target.
            DO NOT read or inspect any checked-out PR/fork code. Review ONLY using GitHub API/gh commands.

            You may read local guidance ONLY from:
            - ./CLAUDE.md (root) if present
            - ./.claude/rules/*.md if present (max 10 files)

            Keep tool calls minimal and in this order:
            1) ls -1 .claude/rules 2>/dev/null || true
            2) cat CLAUDE.md 2>/dev/null || true
            3) find .claude/rules -maxdepth 1 -name "*.md" -print | head -n 10 | xargs -I{} cat "{}" 2>/dev/null || true
            4) gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json title,body,files,changedFiles,additions,deletions,headRefOid
            5) gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}
            6) Post ONE top-level PR comment, then STOP.

            Output format:
            - Head SHA
            - Files changed count + list up to 10 file paths
            - Summary (3–6 bullets, minimal)
            - Findings with file + line numbers when possible
            - If no issues: 0–3 improvement opportunities (only if confident)

            Post ONE top-level PR comment titled "Claude Code Review".
            If posting is blocked, write the full review to the GitHub Actions job summary instead, then STOP.
          additional_permissions: |
            actions: read