
Add GitHub caller workflow for reusable code review #3 (Closed)

xdanger wants to merge 1 commit into main from feat/create-github-caller-workflow


Conversation


@xdanger xdanger commented Mar 30, 2026

Member

Summary

  • add a pull_request workflow that calls taptap/.github/.github/workflows/code-review.yml
  • configure the permissions required by the reusable review workflow
  • pass through ANTHROPIC_API_KEY for the review job

Testing

  • Not run (not requested)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b788c03ad6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
uses: taptap/.github/.github/workflows/code-review.yml@main
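Review bot: pinning this uses: line to a commit SHA, as suggested, also freezes upstream bug fixes, so the pin needs an update path to go with it: a dependency-update bot that bumps workflow SHAs or a scheduled manual review, plus a trailing comment naming the tag or version the SHA corresponds to so later readers can audit what was pinned.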


P1: Pin reusable workflow to immutable revision

Reference taptap/.github/.github/workflows/code-review.yml by a commit SHA instead of @main; using a mutable branch means upstream changes can silently alter this job’s behavior and, in the worst case, execute attacker-controlled workflow logic with this workflow’s write-scoped GITHUB_TOKEN and ANTHROPIC_API_KEY. Pinning to an immutable SHA keeps reviews reproducible and prevents supply-chain drift.

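A small checker for the pinning problem raised in the review above, added here as an example and not part of the PR or of any bot's output: it scans the uses: lines of a workflow file and reports every remote action or reusable workflow that is not pinned to a 40-hex commit SHA. The sample workflow text is constructed, with the first uses: line mirroring the one under review and a made-up SHA.

```python
import re

# Matches the value of a `uses:` key at job or step level, e.g.
#   uses: taptap/.github/.github/workflows/code-review.yml@main
#   - uses: actions/checkout@v4
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*["']?([^"'\s#]+)''', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref):
    """Classify one uses: value as local, docker, sha, unversioned or mutable."""
    if ref.startswith('./'):
        return 'local'        # path inside this repo: moves with this repo's own commit
    if ref.startswith('docker://'):
        return 'docker'       # image refs need a digest pin; out of scope here
    if '@' not in ref:
        return 'unversioned'  # no ref at all: resolves to the default branch
    version = ref.rsplit('@', 1)[1]
    return 'sha' if SHA_RE.match(version) else 'mutable'


def find_unpinned(workflow_text):
    """Return (ref, kind, is_reusable_workflow) for each remote ref not pinned to a SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        kind = classify_ref(ref)
        if kind in ('mutable', 'unversioned'):
            # Reusable workflows run with the caller's secrets and GITHUB_TOKEN, so flag them.
            findings.append((ref, kind, '/.github/workflows/' in ref))
    return findings


# Constructed sample caller workflow; the SHA below is a made-up placeholder.
SAMPLE = """\
jobs:
  code-review:
    uses: taptap/.github/.github/workflows/code-review.yml@main
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: some-org/some-action@v1
"""

if __name__ == '__main__':
    for ref, kind, reusable in find_unpinned(SAMPLE):
        what = 'reusable workflow' if reusable else 'action'
        print(f'{kind}: {what} {ref} is not pinned to a commit SHA')
```

Run it against every file under .github/workflows/ as a pre-merge check; a tag that happens to be 40 hex characters would be misclassified as a SHA, which is the one known blind spot of the regex approach.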


greptile-apps Bot commented Mar 30, 2026


Greptile Summary

This PR introduces .github/workflows/code-review.yml, a thin caller workflow that delegates to the reusable taptap/.github/.github/workflows/code-review.yml on every non-draft, non-fork pull request event, passing through ANTHROPIC_API_KEY so that an AI-powered code review can be posted automatically.

Key points:

  • The fork/draft guard (head.repo.full_name == github.repository + !pull_request.draft) is well-implemented and correctly prevents secrets from leaking to forked PRs.
  • The reusable workflow is referenced at @main, which is a supply-chain security risk — a commit SHA pin is strongly recommended.
  • id-token: write is a high-privilege permission; whether it is actually required by the upstream workflow should be confirmed.
  • The first clause of the if expression (github.event.pull_request &&) is always true given the trigger and can be dropped for clarity.

Confidence Score: 4/5

Safe to merge with a low-risk configuration, but pinning the upstream workflow to a commit SHA is strongly recommended before merging to production.

The workflow is small and correct in its primary purpose. The fork/draft guard is properly implemented. The main concern (using @main instead of a pinned SHA) is a supply-chain security best practice that doesn't break functionality today but represents a meaningful risk over time. The id-token: write permission question is secondary. Both are style-level follow-ups rather than hard blockers.

.github/workflows/code-review.yml — specifically line 20 (SHA pinning) and line 10 (id-token: write permission).

Important Files Changed

.github/workflows/code-review.yml: New caller workflow for a reusable code-review pipeline; correctly guards against fork PRs and draft PRs, but the upstream workflow is pinned to @main (supply-chain risk) and id-token: write may be broader than necessary.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Events
    participant CW as code-review.yml (this repo)
    participant RW as taptap/.github reusable workflow@main
    participant API as Anthropic API

    GH->>CW: pull_request (opened/sync/reopened/ready_for_review)
    CW->>CW: if: non-draft AND same-repo PR
    CW->>RW: uses: code-review.yml@main<br/>secrets: ANTHROPIC_API_KEY
    RW->>API: Review request (ANTHROPIC_API_KEY)
    API-->>RW: Review response
    RW-->>CW: Review comments posted to PR

Reviews (1): Last reviewed commit: "🔧 chore: add code review workflow calle..."

github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
uses: taptap/.github/.github/workflows/code-review.yml@main


P1: Reusable workflow pinned to @main, not a commit SHA

Referencing an external reusable workflow at @main means any commit pushed to that branch is automatically trusted and executed with this repository's secrets and permissions. If taptap/.github is ever compromised or has a breaking change, this workflow is affected without any explicit approval in this repo — this is a supply-chain security risk.

GitHub's own security hardening guide recommends pinning third-party actions/reusable workflows to a full commit SHA:

Suggested change
uses: taptap/.github/.github/workflows/code-review.yml@main
uses: taptap/.github/.github/workflows/code-review.yml@<full-commit-sha>

Replace <full-commit-sha> with the current HEAD SHA of taptap/.github (e.g. uses: taptap/.github/.github/workflows/code-review.yml@a1b2c3d...). This way upgrades are always explicit and auditable.

permissions:
actions: read
contents: read
id-token: write


P2: id-token: write is a highly privileged permission

id-token: write allows the workflow to request an OIDC JWT from GitHub's token endpoint, which can be exchanged for credentials with cloud providers (AWS, GCP, Azure, etc.). Unless taptap/.github/.github/workflows/code-review.yml explicitly needs OIDC authentication, granting this permission unnecessarily widens the attack surface.

If you've confirmed the upstream reusable workflow requires it, this is fine to keep. Otherwise consider removing it.

Suggested change
id-token: write
id-token: none

jobs:
code-review:
if: >-
github.event.pull_request &&


P2: Redundant truthiness check on github.event.pull_request

Because this workflow only triggers on the pull_request event, github.event.pull_request is always a non-null object. The first term of the if expression is always truthy and can be removed to keep the condition cleaner.

Suggested change
github.event.pull_request &&
if: >-
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository

Copilot AI left a comment


Pull request overview

Adds a repository-level GitHub Actions workflow that triggers on pull request activity and invokes the shared reusable code review workflow from taptap/.github, passing required permissions and the ANTHROPIC_API_KEY secret.

Changes:

  • Introduces a new pull_request workflow to run automated code review on PR events.
  • Configures workflow permissions to enable the reusable review workflow to comment/update PRs.
  • Passes ANTHROPIC_API_KEY through to the reusable workflow.


github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
uses: taptap/.github/.github/workflows/code-review.yml@main

Copilot AI Mar 30, 2026


The reusable workflow is referenced by a mutable ref (@main). This is a supply-chain risk because behavior can change without review in this repo. Prefer pinning to an immutable commit SHA (or a protected, versioned tag) for the uses: reference.

Suggested change
uses: taptap/.github/.github/workflows/code-review.yml@main
uses: taptap/.github/.github/workflows/code-review.yml@3b2c9e1a4f5d6b7c8d9e0f1a2b3c4d5e6f7a8b9c

Comment on lines +7 to +19
permissions:
actions: read
contents: read
id-token: write
issues: write
pull-requests: write

jobs:
code-review:
if: >-
github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
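Review bot: the same-repo guard on lines +17 to +19 is worth keeping but its purpose should be documented in a comment: on the pull_request event GitHub already withholds repository secrets from fork PRs and issues a read-only GITHUB_TOKEN, so with the current trigger the guard mainly prevents a review job that would fail for lack of ANTHROPIC_API_KEY; it only becomes security-critical if the trigger is ever changed to pull_request_target, which runs in the base repository context with secrets available, and a comment saying so stops a future edit from dropping it as redundant.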

Copilot AI Mar 30, 2026


Permissions are granted at the workflow level, which applies to all jobs. Since this workflow currently has a single job that calls a reusable workflow, consider moving permissions: under the code-review job (and trimming any scopes that aren’t required by the reusable workflow) to better follow least-privilege principles.

Suggested change
permissions:
actions: read
contents: read
id-token: write
issues: write
pull-requests: write
jobs:
code-review:
if: >-
github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
jobs:
code-review:
if: >-
github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
permissions:
actions: read
contents: read
id-token: write
issues: write
pull-requests: write

@xdanger xdanger closed this Apr 2, 2026
@xdanger xdanger deleted the feat/create-github-caller-workflow branch April 2, 2026 11:11