chore(ci): attempt to re-implement CC review as an action

boneskull · boneskull · commit d15b19588422 · 2026-04-12T18:29:41.000-07:00
diff --git a/.github/actions/claude-code-review/action.yml b/.github/actions/claude-code-review/action.yml
@@ -0,0 +1,39 @@
+name: Claude Code Review
+description: Runs Claude AI code review on a pull request
+
+inputs:
+  claude_code_oauth_token:
+    description: OAuth token for Claude Code
+    required: true
+  repository:
+    description: Repository in owner/repo format
+    required: true
+  pr_number:
+    description: Pull request number
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Harden-Runner
+      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      with:
+        egress-policy: audit
+
+    - name: Checkout repository
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        fetch-depth: 1
+
+    - name: Run Claude Code Review
+      id: claude-review
+      # Pinned to v1 for supply-chain safety
+      uses: anthropics/claude-code-action@b2fdd80112e5f140e097b11d7a3d9edf0b226fd0
+      with:
+        allowed_bots: 'renovate[bot]'
+        claude_args: |
+          --max-turns 10
+        track_progress: true
+        claude_code_oauth_token: ${{ inputs.claude_code_oauth_token }}
+        # Uses vendored code-review skill from .claude/commands/code-review.md
+        prompt: '/project:code-review --comment ${{ inputs.repository }}/pull/${{ inputs.pr_number }}'
diff --git a/.github/workflows/claude-code-review-reusable.yml b/.github/workflows/claude-code-review-reusable.yml
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -8,6 +8,22 @@ jobs:
   claude-review:
     # only run when PR is from this repository (fork PRs don't receive secrets)
     if: github.event.pull_request.head.repo.full_name == github.repository
-    # Job body always comes from main so edits to these workflows on a PR cannot break the check.
-    uses: boneskull/gh-stack/.github/workflows/claude-code-review-reusable.yml@1aa24a5ca8eaddc47822b2d799e772255dcf2c6b # main
-    secrets: inherit
+    concurrency:
+      group: claude-review-${{ github.repository }}-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+
+    steps:
+      # Action definition is always fetched from main, so PRs that edit it
+      # don't affect the running version until merged.
+      - name: Run Claude Code Review
+        uses: boneskull/gh-stack/.github/actions/claude-code-review@main
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          repository: ${{ github.repository }}
+          pr_number: ${{ github.event.pull_request.number }}
