Skip to content

gha: add claude-code-review.yml workflow #29488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andrewhsu wants to merge 4 commits into
base: dev
Choose a base branch
from
+60 −0
Open

gha: add claude-code-review.yml workflow #29488

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3aa58c2
gha: add claude-code-review.yml workflow
andrewhsu Feb 2, 2026
b7fd37c
gha: add final review comment
andrewhsu Feb 4, 2026
accd93e
gha: fix claude-review job condition
andrewhsu Feb 4, 2026
3f5db03
gha: change claude-review job condition to edge-triggered
andrewhsu Feb 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions .github/workflows/claude-code-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
---
name: claude-code-review
on:
pull_request:
types: [labeled]
jobs:
claude-review:
if: github.event.label.name == 'claude-review'
runs-on: ubuntu-24.04
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Best practice: Consider using ubuntu-latest instead of ubuntu-24.04 for better maintainability. This is consistent with other workflows in the repository (e.g., lint-python.yml, lint-cpp.yml) and avoids needing to update the workflow when newer runners become available.

Suggested change
runs-on: ubuntu-24.04
runs-on: ubuntu-latest

Copy link
Member Author

@andrewhsu andrewhsu Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

next ubuntu release may have breaking changes like ubuntu-24.04 did from prev release, so conservatively pegging to 24.04

permissions:
contents: read
pull-requests: write
id-token: write
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security consideration: The id-token: write permission is typically used for OIDC token authentication (e.g., with cloud providers). If use_commit_signing doesn't require this permission, consider removing it to follow the principle of least privilege. If it is required for commit signing, this is fine.

Note: Please verify whether this permission is actually needed by the claude-code-action.

actions: read
steps:
- uses: actions/checkout@v6
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consistency suggestion: Other workflows in this repository use actions/checkout@v4, but this workflow uses @v6. Consider using @v4 for consistency with other workflows, or update all workflows together if migrating to v6.

Suggested change
- uses: actions/checkout@v6
- uses: actions/checkout@v4

Copy link
Member Author

@andrewhsu andrewhsu Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v6 is intentional to use latest supported version of that action and to get onto node24 before node20 eol

with:
fetch-depth: 1
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting fetch-depth: 1 may limit Claude's ability to analyze code context and history. Consider using fetch-depth: 0 or a higher value to provide more comprehensive context for the code review, especially for understanding changes across multiple commits.

Suggested change
fetch-depth: 1
fetch-depth: 0

Copilot uses AI. Check for mistakes.
persist-credentials: false
- run: gh auth setup-git
env:
GH_TOKEN: ${{ github.token }}
Comment on lines +20 to +22
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential cleanup: Since persist-credentials: false is set on checkout (line 19) and the claude-code-action likely handles its own git authentication, this gh auth setup-git step may be unnecessary. The action's documentation should clarify whether this step is required.

Consider testing without this step to simplify the workflow.

- uses: anthropics/claude-code-action@v1
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version pinning suggestion: Using @v1 will automatically get new minor/patch versions, which could introduce unexpected behavior changes. Consider pinning to a specific version (e.g., @v1.0.43 as referenced in the PR description) for more predictable behavior, especially since this is a cost-sensitive workflow.

Suggested change
- uses: anthropics/claude-code-action@v1
- uses: anthropics/claude-code-action@v1.0.43

Copy link
Member Author

@andrewhsu andrewhsu Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this action updates frequently with bug fixes and i trust anthropic's adherence to semver major version so intentionally used float version v1

env:
GITHUB_TOKEN: ${{ github.token }}
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
allowed_bots: ""
Comment on lines +27 to +28
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The empty strings for allowed_bots and allowed_non_write_users suggest restricted access, but this configuration is not documented. Consider adding comments explaining why these are explicitly set to empty strings and what the security implications are.

Suggested change
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
allowed_bots: ""
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
# Explicitly disallow any additional bot accounts from being used by this action.
# Leaving this empty ensures only the GitHub Actions bot associated with this workflow
# can perform automated changes, reducing the risk of unintended or spoofed bot activity.
allowed_bots: ""
# Explicitly prevent non-write collaborators from triggering code-modifying reviews.
# This avoids granting users without write access the ability to have Claude propose or
# apply changes with the repository's write permissions, reducing privilege escalation risk.

Copilot uses AI. Check for mistakes.
allowed_non_write_users: ""
github_token: ${{ github.token }} # needed to test changes to this file in a PR before merge
show_full_output: false
track_progress: false
use_commit_signing: true
additional_permissions: |
actions: read
claude_args: >
--model opus
--max-turns 30
Copy link
Member Author

@andrewhsu andrewhsu Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for reference: this claude-code review took 17 turns

--disallowed-tools "WebFetch,WebSearch"
--allowed-tools "
mcp__github_inline_comment__create_inline_comment,
mcp__github_ci__get_ci_status,
mcp__github_ci__get_workflow_run_details,
mcp__github_ci__download_job_log,
Bash(gh issue *),
Bash(gh pr *),
Bash(gh search *)"
Comment on lines +39 to +47
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security consideration: The allowed Bash commands (gh issue *, gh pr *, gh search *) are quite permissive. While these are read operations, some gh pr subcommands can be write operations (e.g., gh pr comment, gh pr edit, gh pr merge).

If the intent is read-only access, consider being more specific:

  • Bash(gh issue view *)
  • Bash(gh pr view *)
  • Bash(gh pr diff *)
  • Bash(gh search issues *)
  • Bash(gh search prs *)

However, if write access to PRs is intentional (e.g., for posting review comments via gh pr comment), this is acceptable. The PR description mentions Claude will "comment inline" which may utilize these permissions.

Copy link
Member Author

@andrewhsu andrewhsu Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

intentional to allow comment inline

prompt: |
REPO: ${{ github.repository }}
PR NUMBER: ${{ github.event.pull_request.number }}
WORKFLOW RUN URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

Please review this pull request with a focus on:
- Code quality and best practices
- Potential bugs or issues
- Security implications
- Performance considerations

Provide detailed feedback using inline comments for specific issues.
Include a link to workflow run URL in the final review comment.
Comment on lines +48 to +60
Copy link

@github-actions github-actions bot Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enhancement suggestion: The prompt could be more specific to the Redpanda codebase by referencing the CLAUDE.md file guidelines. This would help ensure reviews align with project-specific standards (C++ coding guidelines, naming conventions, Seastar patterns, etc.).

For example, adding a line like:

Follow the coding guidelines documented in CLAUDE.md when reviewing.

This would make the AI reviewer more effective at catching project-specific issues like:

  • Missing ss:: namespace prefix for Seastar types
  • Use of std::vector where chunked_vector should be used
  • Missing format_to member functions instead of operator<< overloads

Loading