feat: add Claude code review workflow with per-repo API key security

- Add reusable claude-code-review.yml workflow with configurable review focus
- Require each repository to provide its own ANTHROPIC_API_KEY secret
- Implement cost tracking and security isolation through per-repo API keys
- Add comprehensive documentation with setup instructions
- Include example workflow for consuming repositories
- Enhance test validation to check secret requirements in reusable workflows

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: sfreudenthaler

.github/workflows/claude-code-review.yml

@@ -0,0 +1,150 @@
+name: Claude Code Review
+
+on:
+  workflow_call:
+    inputs:
+      files_to_review:
+        description: 'Comma-separated list of files to review (optional - defaults to all changed files)'
+        required: false
+        type: string
+        default: ''
+      review_focus:
+        description: 'Specific focus for the review (e.g., security, performance, best-practices)'
+        required: false
+        type: string
+        default: 'general'
+      max_files:
+        description: 'Maximum number of files to review in a single run'
+        required: false
+        type: number
+        default: 10
+    secrets:
+      ANTHROPIC_API_KEY:
+        description: 'Anthropic API key for Claude access'
+        required: true
+
+jobs:
+  claude-review:
+    name: Claude Code Review
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: changed-files
+        run: |
+          if [ -n "${{ inputs.files_to_review }}" ]; then
+            echo "files=${{ inputs.files_to_review }}" >> $GITHUB_OUTPUT
+          else
+            # Get changed files from PR or push
+            if [ "${{ github.event_name }}" = "pull_request" ]; then
+              files=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | head -${{ inputs.max_files }} | tr '\n' ',' | sed 's/,$//')
+            else
+              files=$(git diff --name-only HEAD~1 HEAD | head -${{ inputs.max_files }} | tr '\n' ',' | sed 's/,$//')
+            fi
+            echo "files=$files" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install Claude CLI
+        run: |
+          npm install -g @anthropic-ai/claude-cli
+
+      - name: Configure Claude CLI
+        run: |
+          echo "${{ secrets.ANTHROPIC_API_KEY }}" | claude auth login --api-key-stdin
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+
+      - name: Run Claude Code Review
+        id: review
+        run: |
+          files="${{ steps.changed-files.outputs.files }}"
+          focus="${{ inputs.review_focus }}"
+          
+          if [ -z "$files" ]; then
+            echo "No files to review"
+            exit 0
+          fi
+          
+          # Create review prompt based on focus
+          case "$focus" in
+            "security")
+              prompt="Please review these files for security vulnerabilities, potential exploits, and security best practices. Focus on: authentication, authorization, input validation, data sanitization, and secrets handling."
+              ;;
+            "performance")
+              prompt="Please review these files for performance issues, inefficient algorithms, memory leaks, and optimization opportunities."
+              ;;
+            "best-practices")
+              prompt="Please review these files for code quality, maintainability, and adherence to best practices for the respective languages and frameworks."
+              ;;
+            *)
+              prompt="Please review these files for code quality, potential bugs, security issues, and suggest improvements."
+              ;;
+          esac
+          
+          # Run Claude review
+          echo "Reviewing files: $files"
+          echo "Review focus: $focus"
+          
+          # Split files and review each one
+          IFS=',' read -ra FILE_ARRAY <<< "$files"
+          review_output=""
+          
+          for file in "${FILE_ARRAY[@]}"; do
+            if [ -f "$file" ]; then
+              echo "Reviewing: $file"
+              file_review=$(claude "$prompt" --file "$file" 2>&1 || echo "Error reviewing $file")
+              review_output="$review_output\n\n## Review of $file\n$file_review"
+            fi
+          done
+          
+          # Save review to file
+          echo -e "$review_output" > claude_review.md
+          
+          # Set output for comment
+          echo "review_completed=true" >> $GITHUB_OUTPUT
+
+      - name: Comment on PR
+        if: github.event_name == 'pull_request' && steps.review.outputs.review_completed == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = 'claude_review.md';
+            
+            if (fs.existsSync(path)) {
+              const review = fs.readFileSync(path, 'utf8');
+              const comment = `## 🤖 Claude Code Review
+              
+              **Review Focus:** ${{ inputs.review_focus }}
+              **Files Reviewed:** ${{ steps.changed-files.outputs.files }}
+              
+              ${review}
+              
+              ---
+              *This review was generated by Claude AI. Please use it as a guide and apply your own judgment.*`;
+              
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: comment
+              });
+            }
+
+      - name: Upload review artifact
+        if: steps.review.outputs.review_completed == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: claude-review-${{ github.run_id }}
+          path: claude_review.md
+          retention-days: 30

.github/workflows/test.yml

@@ -64,4 +64,24 @@ jobs:
                 exit 1
               fi
             fi
+          done
+
+      - name: Validate secret requirements in reusable workflows
+        run: |
+          # Check that reusable workflows properly define required secrets
+          for file in .github/workflows/*.yml .github/workflows/*.yaml; do
+            if [ -f "$file" ] && grep -q "workflow_call:" "$file"; then
+              echo "Validating reusable workflow secrets in $file"
+              
+              # Check if workflow uses secrets but doesn't declare them
+              if grep -q "secrets\." "$file" && ! grep -q "secrets:" "$file"; then
+                echo "ERROR: $file uses secrets but doesn't declare them in workflow_call"
+                exit 1
+              fi
+              
+              # Check for required ANTHROPIC_API_KEY if Claude CLI is used
+              if grep -q "claude\|anthropic" "$file" && ! grep -q "ANTHROPIC_API_KEY" "$file"; then
+                echo "WARNING: $file appears to use Claude but doesn't require ANTHROPIC_API_KEY secret"
+              fi
+            fi
           done

README.md

@@ -1,2 +1,103 @@
 # claude-workflows
 Reusable Claude AI GitHub Actions workflows and config for dotCMS and related projects
+
+## Important: Security and Cost Management
+
+**⚠️ API Key Requirement**: All workflows in this repository require each consuming repository to provide its own Anthropic API key. This is a mandatory security and cost management requirement.
+
+**Why we require per-repository API keys:**
+
+1. **Cost Tracking & Accountability**: Each repository's Claude AI usage is tracked separately in the Anthropic console, allowing for detailed cost attribution and budget management per project.
+
+2. **Security Isolation**: If a repository experiences unauthorized or excessive usage, it only affects that repository's API key and budget, not a shared organizational key.
+
+3. **Usage Control**: Individual repositories can set their own API limits and monitoring, preventing runaway costs from affecting other projects.
+
+4. **Compliance**: Many organizations require API key isolation for audit trails and security compliance.
+
+**What this means for you:**
+- You **must** configure an `ANTHROPIC_API_KEY` secret in your repository
+- You **must** pass this secret to the reusable workflow in the `secrets:` section
+- The workflow will **fail** if the API key is not provided
+- Each repository is responsible for its own API costs and usage
+
+## Available Workflows
+
+### Claude Code Review (`claude-code-review.yml`)
+Provides AI-powered code review using Claude AI for pull requests and commits.
+
+**Features:**
+- Reviews changed files in PRs automatically
+- Configurable review focus (general, security, performance, best-practices)
+- Posts review comments directly on PRs
+- Supports custom file selection
+- Uploads review artifacts
+
+## Setup Instructions
+
+### 1. Repository Secret Configuration
+Each consuming repository must configure its own Anthropic API key:
+
+1. Go to your repository's Settings → Secrets and variables → Actions
+2. Create a new repository secret named `ANTHROPIC_API_KEY`
+3. Set the value to your Anthropic API key
+
+**Benefits of per-repository API keys:**
+- **Cost Tracking**: Each repository's usage is tracked separately in the Anthropic console
+- **Security Isolation**: Unauthorized usage in one repo won't affect others
+- **Usage Control**: Individual repos can manage their own API limits
+
+### 2. Using the Claude Code Review Workflow
+
+Create a workflow file in your repository at `.github/workflows/claude-review.yml`:
+
+```yaml
+name: PR Code Review with Claude
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [ main, develop ]
+
+jobs:
+  claude-review:
+    name: Claude AI Code Review
+    uses: dotCMS/claude-workflows/.github/workflows/claude-code-review.yml@main
+    with:
+      # Optional: Set review focus
+      review_focus: 'security'  # Options: general, security, performance, best-practices
+      
+      # Optional: Maximum number of files to review
+      max_files: 15
+      
+      # Optional: Specify specific files (defaults to all changed files)
+      # files_to_review: 'src/main.js,src/utils.js'
+    secrets:
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+### 3. Workflow Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `files_to_review` | Comma-separated list of specific files to review | No | All changed files |
+| `review_focus` | Review focus area | No | `general` |
+| `max_files` | Maximum number of files to review | No | `10` |
+
+**Review Focus Options:**
+- `general`: Overall code quality, bugs, and improvements
+- `security`: Security vulnerabilities and best practices
+- `performance`: Performance issues and optimizations
+- `best-practices`: Code quality and maintainability
+
+### 4. Required Secrets
+
+| Secret | Description | Required | Notes |
+|--------|-------------|----------|-------|
+| `ANTHROPIC_API_KEY` | Your repository's Anthropic API key | **Yes** | Must be configured in each consuming repository. The workflow will fail without this secret. |
+
+**⚠️ Critical**: The `ANTHROPIC_API_KEY` secret is mandatory and must be passed to the reusable workflow. This is not optional - it's a security and cost management requirement. See the "Security and Cost Management" section above for details.
+
+## Examples
+
+See the `examples/` directory for complete workflow examples.

examples/consumer-repo-workflow.yml

@@ -0,0 +1,26 @@
+# Example workflow for a consumer repository
+# This file should be placed in .github/workflows/ in the consuming repository
+
+name: PR Code Review with Claude
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [ main, develop ]
+
+jobs:
+  claude-review:
+    name: Claude AI Code Review
+    uses: dotCMS/claude-workflows/.github/workflows/claude-code-review.yml@main
+    with:
+      # Optional: Specify files to review (defaults to all changed files)
+      # files_to_review: 'src/main.js,src/utils.js'
+      
+      # Optional: Set review focus (general, security, performance, best-practices)
+      review_focus: 'security'
+      
+      # Optional: Maximum number of files to review
+      max_files: 15
+    secrets:
+      # Pass the repository's own Anthropic API key
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}