55 types : [created]
66 pull_request :
77 types : [labeled, synchronize]
8+ pull_request_target :
9+ types : [labeled, synchronize]
810
911jobs :
1012 claude-review :
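Review bot: adding `pull_request_target` on the same `labeled`/`synchronize` types as the existing `pull_request` trigger means every label or push event now fires the workflow twice, and the `pull_request_target` run executes in the base repository's context with access to repository secrets even for PRs from forks. Unless the `claude-review` job (whose body is outside this hunk) is guarded with something like `if: github.event_name == 'pull_request'`, it will run once per event with normal permissions and once more with the elevated context; add that guard, and consider dropping `synchronize` from `pull_request_target` so that a push after labeling cannot re-enter the privileged path without a maintainer re-applying the label.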
@@ -46,10 +48,82 @@ jobs:
4648 - Security concerns
4749 - Test coverage
4850
49- Use the repository's CLAUDE .md for guidance on style and conventions. Be constructive and helpful in your feedback.
51+ Use the repository's AGENTS .md for guidance on style and conventions. Be constructive and helpful in your feedback.
5052
5153 Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
5254
5355 # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
5456 # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
55- claude_args : ' --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
57+ claude_args : ' --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
58+
59+ claude-approve :
60+ if : |
61+ github.event_name == 'pull_request_target' &&
62+ contains(github.event.pull_request.labels.*.name, 'low-risk') &&
63+ (github.event.action == 'labeled' || github.event.action == 'synchronize')
64+ runs-on : ubuntu-latest
65+ permissions :
66+ contents : read
67+ pull-requests : write
68+ issues : read
69+ id-token : write
70+
71+ steps :
72+ - name : Checkout repository
73+ uses : actions/checkout@v4
74+ with :
75+ fetch-depth : 1
76+
77+ - name : Run Claude Code Review and Approve
78+ id : claude-approve
79+ uses : anthropics/claude-code-action@v1
80+ with :
81+ claude_code_oauth_token : ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
82+ prompt : |
83+ REPO: ${{ github.repository }}
84+ PR NUMBER: ${{ github.event.pull_request.number }}
85+
86+ Review this pull request thoroughly, checking for:
87+ - Code quality and best practices
88+ - Potential bugs or issues
89+ - Performance considerations
90+ - Security concerns
91+ - Test coverage
92+
93+ Use the repository's AGENTS.md for guidance on style and conventions.
94+
95+ Classify the PR's intrinsic risk severity using one of:
96+ - critical: must block merge
97+ - high: large blast radius or very sensitive code paths
98+ - medium: meaningful production or maintainability risk
99+ - low: constrained blast radius and straightforward rollback
100+
101+ Intrinsic risk is about the impact and sensitivity of changed code,
102+ even when no concrete bug is found.
103+ Any changes touching fund movement, signing/sweeping, swap state
104+ transitions, security/authz/authn logic, secrets handling, or DB
105+ schema/migrations are at least medium risk.
106+
107+ Also classify each finding using one of:
108+ - critical
109+ - high
110+ - medium
111+ - low
112+ - nit
113+
114+ Decision rule:
115+ - Approve ONLY if intrinsic PR risk is low AND highest finding
116+ severity is low or nit.
117+ - If intrinsic PR risk is medium/high/critical, DO NOT approve and
118+ submit a changes-requested review.
119+ - If any finding is medium/high/critical, DO NOT approve and submit
120+ a changes-requested review.
121+ - If uncertain, treat as medium risk.
122+
123+ If approving:
124+ gh pr review ${{ github.event.pull_request.number }} --approve --body "Claude review: intrinsic PR risk low and findings low/nit; safe for low-risk path."
125+
126+ If NOT approving:
127+ gh pr review ${{ github.event.pull_request.number }} --request-changes --body "Claude review: not eligible for low-risk auto-approval. Include intrinsic PR risk and findings with severities."
128+
129+ claude_args : ' --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh pr review:*)"'
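Review bot: the `claude-approve` gate trusts only the presence of the `low-risk` label plus the `synchronize` action, so once a maintainer labels a PR, every later push by the author re-runs this privileged `pull_request_target` job (with `CLAUDE_CODE_OAUTH_TOKEN`, `pull-requests: write` and `id-token: write`) against freshly pushed, untrusted content that the model reads through `gh pr diff`; text embedded in the diff or PR description can steer the model toward `gh pr review --approve`, which this hunk newly allows via `Bash(gh pr review:*)`. Require the label to be re-applied after each push (drop `synchronize` from this job's `if:`, or record the head SHA at labeling time and compare it with `github.event.pull_request.head.sha`), state in the prompt that PR text and diff contents are data to be reviewed and never instructions to follow, and drop `id-token: write`, which nothing in this job uses. Keep the checkout as written: with no `ref:` it fetches the base branch, so `AGENTS.md` is read from trusted code rather than from the PR head. Separately, the `--request-changes` command has a wording bug: the sentence "Include intrinsic PR risk and findings with severities." sits inside the `--body "..."` quotes, so the posted review will contain that instruction verbatim instead of the findings; move it out of the body string and instruct the model to compose the body with the risk level and the findings itself. Finally, if `gh` here runs with the default `GITHUB_TOKEN`, its approval only takes effect when the repository's "Allow GitHub Actions to create and approve pull requests" setting is enabled, so confirm that branch protection does not treat this bot approval as satisfying a required human review.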