MFC/.github/workflows/claude-code-review.yml at d9ac8365ad35d95b987352d2c3d7204abf11894f · MFlowCode/MFC · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
name: Claude Code Review

on:
  pull_request_target:
    types: [opened, synchronize, ready_for_review, reopened]

jobs:
  claude-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: read
      actions: read
      id-token: write

    steps:
      - name: Checkout PR head (fork)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 1

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ github.token }}

          # (Optional) Useful while debugging; can expose secrets in logs
          show_full_output: true

          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
          plugins: 'code-review@claude-code-plugins'

          # IMPORTANT: allow exactly what the review flow uses
          claude_args: >
            --allowedTools
            "Bash(gh pr view:*)"
            "Bash(gh pr diff:*)"
            "Bash(gh api:*)"
            "Bash(gh search code:*)"
            "Bash(cat:*)"
            "Bash(ls:*)"
            "Bash(grep:*)"
            "Bash(python3:*)"
            "Bash(git:*)"

          prompt: |
            /code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}
            Post the results as one top-level PR comment titled "Claude Code Review".
            If you cannot access the diff/files, say so explicitly and explain what was blocked.

          additional_permissions: |
            actions: read