| 1 | +# Automated PR review using Claude (anthropics/claude-code-action). |
| 2 | +# Requires repository secret: ANTHROPIC_API_KEY |
| 3 | +# |
| 4 | +# - PRs from branches containing dependabot/: |
| 5 | +# Reviews dependency changelogs and usage in code for breaking changes and upgrade risks. |
| 6 | +# - All other PRs: |
| 7 | +# General code review (quality, edge cases, bugs, readability, maintainability, tests). |
| 8 | + |
| 9 | +name: Claude PR Review |
| 10 | + |
| 11 | +on: |
| 12 | + pull_request: |
| 13 | + types: [opened, synchronize, reopened] |
| 14 | + |
| 15 | +concurrency: |
| 16 | + group: claude-pr-review-${{ github.event.pull_request.number }} |
| 17 | + cancel-in-progress: true |
| 18 | + |
| 19 | +jobs: |
| 20 | + review-dependency-updates: |
| 21 | + if: >- |
| 22 | + contains(github.head_ref, 'dependabot/') |
| 23 | + runs-on: ubuntu-latest |
| 24 | + timeout-minutes: 30 |
| 25 | + permissions: |
| 26 | + id-token: write |
| 27 | + contents: read |
| 28 | + pull-requests: write |
| 29 | + steps: |
| 30 | + - name: Checkout |
| 31 | + uses: actions/checkout@v6 |
| 32 | + with: |
| 33 | + fetch-depth: 0 |
| 34 | + |
| 35 | + - name: Claude review (dependency updates) |
| 36 | + uses: anthropics/claude-code-action@v1 |
| 37 | + |
| 38 | + env: |
| 39 | + GH_TOKEN: ${{ github.token }} |
| 40 | + with: |
| 41 | + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} |
| 42 | + track_progress: true |
| 43 | + use_sticky_comment: true |
| 44 | + allowed_bots: ci-signed-commit-bot |
| 45 | + claude_args: | |
| 46 | + --max-turns 30 |
| 47 | + --model claude-opus-4-6 |
| 48 | + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" |
| 49 | + prompt: | |
| 50 | + REPO: ${{ github.repository }} |
| 51 | + PR NUMBER: ${{ github.event.pull_request.number }} |
| 52 | +
|
| 53 | + This PR updates dependencies. Please: |
| 54 | +
|
| 55 | + 1. Identify which dependencies changed. |
| 56 | + 2. For each changed dependency, consider changelogs, release notes, and semver: look for breaking changes, deprecations, and behavior changes that could affect this codebase. |
| 57 | + 3. Search the repo for how each upgraded dependency is used (imports, config, APIs). Flag any usage that might break or behave differently after the upgrade. |
| 58 | + 4. Call out specific risks (e.g. API changes, removed features, new defaults) and suggest follow-up checks or tests if needed. |
| 59 | + 5. If the scope is large, prioritize the most widely used or critical dependencies. |
| 60 | +
|
| 61 | + Note: The PR branch is already checked out in the current working directory. |
| 62 | + Focus on upgrade safety and actionable concerns; keep the review concise and scoped to this PR. |
| 63 | +
|
| 64 | + Use `gh pr comment` for top-level feedback. |
| 65 | + Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues. |
| 66 | + Only post GitHub comments - don't submit review text as messages. |
| 67 | +
|
| 68 | + review-general: |
| 69 | + if: >- |
| 70 | + !contains(github.head_ref, 'dependabot/') |
| 71 | + runs-on: ubuntu-latest |
| 72 | + timeout-minutes: 30 |
| 73 | + permissions: |
| 74 | + id-token: write |
| 75 | + contents: read |
| 76 | + pull-requests: write |
| 77 | + steps: |
| 78 | + - name: Checkout |
| 79 | + uses: actions/checkout@v6 |
| 80 | + with: |
| 81 | + fetch-depth: 0 |
| 82 | + |
| 83 | + - name: Claude review (general) |
| 84 | + uses: anthropics/claude-code-action@v1 |
| 85 | + env: |
| 86 | + GH_TOKEN: ${{ github.token }} |
| 87 | + with: |
| 88 | + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} |
| 89 | + track_progress: true |
| 90 | + use_sticky_comment: true |
| 91 | + allowed_bots: kosli-ai-agent |
| 92 | + claude_args: | |
| 93 | + --max-turns 30 |
| 94 | + --model claude-opus-4-6 |
| 95 | + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)" |
| 96 | +
|
| 97 | + prompt: | |
| 98 | + REPO: ${{ github.repository }} |
| 99 | + PR NUMBER: ${{ github.event.pull_request.number }} |
| 100 | +
|
| 101 | + Review this PR for: |
| 102 | +
|
| 103 | + 1. **Code quality** – clarity, consistency with the rest of the codebase, and adherence to existing patterns. |
| 104 | + 2. **Edge and corner cases** – missing null/empty checks, boundary conditions, error paths, and invalid inputs. |
| 105 | + 3. **Possible bugs** – logic errors, race conditions, misuse of APIs, and incorrect assumptions. |
| 106 | + 4. **Readability and maintainability** – naming, structure, comments where needed, and ease of future changes. |
| 107 | + 5. **Testability and testing** – whether new/changed behavior is testable and whether tests are present and sufficient; suggest extra tests or coverage gaps where relevant. |
| 108 | + 6. **Security implications** – potential security vulnerabilities, data exposure, and other security risks. |
| 109 | + 7. **Performance considerations** – potential performance bottlenecks, scalability issues, and other performance risks. |
| 110 | +
|
| 111 | + Note: The PR branch is already checked out in the current working directory. |
| 112 | + Be concise and actionable. Prefer inline suggestions where possible; add a short summary at the end. |
| 113 | +
|
| 114 | + Use `gh pr comment` for top-level feedback. |
| 115 | + Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues. |
| 116 | + Only post GitHub comments - don't submit review text as messages. |
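Review bot: The `review-dependency-updates` job (condition `contains(github.head_ref, 'dependabot/')`) will most likely never review a PR that Dependabot itself opened: `allowed_bots: ci-signed-commit-bot` does not list `dependabot[bot]`, and the action by default skips events from bot actors, and `pull_request` runs triggered by Dependabot only see Dependabot secrets, so `secrets.ANTHROPIC_API_KEY` (a repository secret per the header comment) will be empty there. Add `dependabot[bot]` to `allowed_bots`, store the key as a Dependabot secret as well, and verify on a real Dependabot PR that the `pull-requests: write` grant is honoured so `gh pr comment` can post. Separately, both jobs reference `actions/checkout@v6` and `anthropics/claude-code-action@v1` by mutable tag; pin them to full commit SHAs, since this workflow hands a third-party action an API key and a token that can write PR comments. The narrow `--allowedTools` list and the repo-scoped `GITHUB_TOKEN` are the right boundary given that the model reads attacker-influenced PR diffs and changelogs, so keep the allowlist this tight if the prompt is extended later. Finally, the two jobs differ only in `allowed_bots` and the prompt; a single job with a conditional prompt would halve the surface to keep in sync (the stray blank line between `uses:` and `env:` in the first job is the kind of drift that already shows).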