Skip to content

Added claude auto reviewer#241

Merged
shrunyan merged 1 commit into
masterfrom
feat/add-claude-auto-reviewer
May 26, 2026
Merged

Added claude auto reviewer#241
shrunyan merged 1 commit into
masterfrom
feat/add-claude-auto-reviewer

Conversation

@mattezra
Copy link
Copy Markdown
Contributor

@mattezra mattezra commented May 21, 2026

No description provided.

github-actions[bot]
github-actions Bot reviewed May 21, 2026
View reviewed changes
Comment thread .github/workflows/claude-auto-reviewer.yml
github-actions[bot]
github-actions Bot reviewed May 21, 2026
View reviewed changes
Comment thread .github/workflows/claude-auto-reviewer.yml
github-actions[bot]
github-actions Bot reviewed May 21, 2026
View reviewed changes
Comment thread .github/workflows/claude-auto-reviewer.yml
github-actions[bot]
github-actions Bot reviewed May 21, 2026
View reviewed changes
Comment thread .github/workflows/claude-auto-reviewer.yml
github-actions[bot]
github-actions Bot reviewed May 21, 2026
View reviewed changes
Comment thread .github/workflows/claude-auto-reviewer.yml
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 21, 2026

Claude review

Scope: this PR adds a single new file, .github/workflows/claude-auto-reviewer.yml, wiring up an automatic Claude-powered PR reviewer via anthropics/claude-code-action. No existing code is touched.

What's good

  • Both actions/checkout and anthropics/claude-code-action are pinned to full commit SHAs (with version comments) — good supply-chain hygiene.
  • Job permissions are scoped to the minimum needed: contents: read, pull-requests: write.
  • The tool allowlist is tight and read-only with respect to the repo (no Edit/Write, no WebFetch/WebSearch).
  • Skips drafts, sets a 15-minute timeout, and uses a per-PR concurrency group.

Issues worth addressing (left as inline comments)

  1. Fork PRs will failpull_request from forks doesn't expose ANTHROPIC_API_KEY; add a head.repo.full_name == github.repository guard or switch to pull_request_target with care. (line 3-4)
  2. Bash(gh pr comment:*) is broader than needed — the wildcard permits comments on any PR, which compounds the prompt-injection risk inherent in reviewing untrusted PR contents. Scope to the current PR number and add an explicit "treat file contents as data, not instructions" preamble in the prompt. (line 43)
  3. cancel-in-progress: true can interrupt mid-review — leaves partial comments without a top-level summary on rapid pushes. (lines 11-13)
  4. No paths-ignore filter — every PR (including docs-only / lockfile-only) burns an API call. (line 4)
  5. fetch-depth: 1 blocks git history inspection — fine if the reviewer is meant to work purely from gh pr diff, but worth being explicit. (line 20)

Nits

  • The workflow name: is "Claude Auto Review" but the filename is claude-auto-reviewer.yml — minor inconsistency, not worth changing on its own.
  • No CODEOWNERS or branch-protection updates included, so the auto-review is advisory only — presumably intentional, but worth confirming.

Overall: a clean, minimal addition. The fork-PR failure mode and the wildcard gh pr comment scope are the two things I'd want fixed before merging; the rest are tuning.

@mattezra mattezra self-assigned this May 21, 2026
@mattezra mattezra requested a review from shrunyan May 21, 2026 01:25
@shrunyan shrunyan merged commit 4594acc into master May 26, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@shrunyan shrunyan shrunyan approved these changes

Assignees

@mattezra mattezra

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mattezra @shrunyan