Skip to content

Fix code review workflow trigger and hardening #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
xdanger merged 4 commits into from
Apr 2, 2026
Merged

Fix code review workflow trigger and hardening #7

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8bd0357
🐛 fix: harden reusable code review workflow
xdanger Mar 30, 2026
53023e1
📝 docs: clarify workflow permissions and history
xdanger Apr 2, 2026
c6086a0
🐛 fix(workflow): address review follow-ups
xdanger Apr 2, 2026
0ec5426
🐛 fix(workflow): restore oidc permission
xdanger Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 42 additions & 34 deletions .github/workflows/code-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,75 +4,83 @@ on:
pull_request:
types: [opened, ready_for_review, reopened, synchronize]
workflow_call:
# Reusable callers must pass PR context explicitly because `github.event.pull_request`
# is not populated for `workflow_call` runs.
inputs:
pr_number:
description: Pull request number to review when called as a reusable workflow.
required: true
type: number
head_repo_full_name:
description: Head repository full name for same-repo validation.
required: false
type: string
secrets:
ANTHROPIC_API_KEY:
required: true

permissions:
actions: read
contents: read
id-token: write
issues: write
pull-requests: write

concurrency:
group: claude-review-${{ github.event.pull_request.number || github.run_id }}
# Use the PR number when available so repeated reviews for the same PR cancel older runs
# whether this workflow is triggered directly or via `workflow_call`.
group: claude-review-${{ github.repository }}-${{ github.event.pull_request.number || inputs.pr_number || github.run_id }}
cancel-in-progress: true

jobs:
review:
if: >-
github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
(
github.event_name == 'pull_request' &&
github.event.pull_request &&
!github.event.pull_request.draft &&
github.event.pull_request.head.repo.full_name == github.repository
) || (
github.event_name == 'workflow_call' &&
inputs.pr_number &&
(
!inputs.head_repo_full_name ||
inputs.head_repo_full_name == github.repository
)
)
Comment on lines +51 to +59
Copy link
Copy Markdown

@greptile-apps greptile-apps Bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 workflow_call path has no draft-PR guard

The pull_request branch of the if condition correctly checks !github.event.pull_request.draft, but the workflow_call branch has no equivalent. A caller that triggers this workflow for a draft PR will not be blocked.

This is likely intentional (delegating the draft check to callers), but it's an implicit contract that is easy to miss and could lead to unnecessary review runs on in-progress work. Consider either documenting this assumption clearly in the workflow comment, or adding an optional is_draft input so callers can pass the flag and this workflow can enforce it uniformly.

runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Request Copilot review
# Copilot review is optional. Keep Claude review running if this request is unavailable.
continue-on-error: true
run: |
gh pr edit "$PR_NUMBER" -R "$REPO" --add-reviewer @copilot
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
# Support both direct PR-triggered runs and reusable workflow callers.
PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }}
REPO: ${{ github.repository }}

- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 1
fetch-depth: 0
Comment thread
xdanger marked this conversation as resolved.
Outdated

- uses: anthropics/claude-code-action@v1
- uses: anthropics/claude-code-action@e69ec4d5e5868930cecb8da7360a51fa9c4de5d6 # v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt: |
## Handle Previous Review Comments

Before starting your review, check for and resolve your own previous comments:

1. Get all previous top-level inline review comments from claude[bot] (exclude replies):
`gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/comments --paginate --jq '[.[] | select(.user.login == "claude[bot]" and .in_reply_to_id == null)]'`
2. Get the current diff: `gh pr diff ${{ github.event.pull_request.number }}`
3. For each previous comment:
- Read the CURRENT version of the file at the commented line
- If FIXED: reply "Fixed. {brief description}" and resolve the thread
- If STILL EXISTS: reply noting it persists, do NOT create a duplicate inline comment
- If PARTIALLY FIXED: reply explaining what remains
4. Only create NEW inline comments for genuinely new issues not already covered.
5. To resolve fixed comment threads:
a. Query review thread IDs via GraphQL (paginated, all comments per thread):
`gh api graphql --paginate -f query='query($cursor:String){ repository(owner:"${{ github.repository_owner }}", name:"${{ github.event.repository.name }}") { pullRequest(number:${{ github.event.pull_request.number }}) { reviewThreads(first:100, after:$cursor) { pageInfo { hasNextPage endCursor } nodes { id isResolved comments(first:100) { nodes { databaseId body } } } } } } }'`
b. Match each fixed comment's databaseId to find the thread node ID
c. Resolve: `gh api graphql -f query='mutation { resolveReviewThread(input:{threadId:"THREAD_NODE_ID"}) { thread { isResolved } } }'`

## Review Instructions

Review this pull request for code quality, correctness, and security.
Analyze the diff in the context of the full codebase.
Post your findings as review comments on the specific lines where issues are found.
Only report actionable findings that are specific and important.
Use these severity levels in each finding: P1 for blocking or high-risk issues, P2 for meaningful issues, P3 for minor issues.
Skip generated files, lockfiles, vendored code, and style-only nits unless they hide a real bug.
Keep the review concise: at most 10 findings total.
Post findings as inline review comments on the specific lines where issues are found.
Follow the guidelines in REVIEW.md if present.
claude_args: |
--model opus
--allowedTools "Read,Glob,Grep,WebSearch,WebFetch,mcp__github_inline_comment__create_inline_comment,Bash(gh api:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr checks:*),Bash(git log:*),Bash(git blame:*),Bash(git diff:*),"
--max-turns 30
# Keep the tool surface narrow: inline comments plus read-only PR inspection.
Comment thread
xdanger marked this conversation as resolved.
Outdated
Comment thread
xdanger marked this conversation as resolved.
Outdated
--allowedTools "Read,Glob,Grep,mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr checks:*),Bash(git log:*),Bash(git blame:*),Bash(git diff:*)"
env:
GH_TOKEN: ${{ github.token }}
ANTHROPIC_BASE_URL: ${{ vars.ANTHROPIC_BASE_URL }}
Loading