Add Claude review workflow (0xsequence#1001)

[Dargon789]

Summary by Sourcery

Add a GitHub Actions workflow to trigger Claude Code reviews and slightly relax dependency age constraints while updating Next.js versions for docs and web packages.

New Features:

• Introduce a Claude Code GitHub Actions workflow that responds to @claude mentions on issues, comments, and pull request reviews.

Enhancements:

• Update Next.js dependency to version 15.5.16 for both docs and web packages.
• Reduce the pnpm minimum release age from two weeks to one week for dependency installation.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[sourcery-ai]

Reviewer's Guide

Adds a Claude Code GitHub Actions workflow triggered by @claude mentions, slightly relaxes pnpm minimumReleaseAge policy, and bumps Next.js from 15.5.15 to 15.5.16 for docs and web packages, including lockfile updates.

Sequence diagram for the new Claude Code GitHub Actions workflow

sequenceDiagram
  actor Developer
  participant GitHub as GitHub_Events
  participant Workflow as claude_job
  participant Action as anthropics_claude_code_action_v1
  participant ClaudeAPI as Claude_API

  Developer->>GitHub: Create issue/comment/review with @claude
  GitHub-->>Workflow: Trigger issue_comment / pull_request_review_comment / pull_request_review / issues
  alt Event_contains_@claude
    Workflow->>Action: uses anthropics/claude-code-action@v1
    Action->>ClaudeAPI: Call with ANTHROPIC_API_KEY_GITHUB_ACTIONS
    ClaudeAPI-->>Action: Analysis and suggested changes
    Action-->>GitHub: Post results to PR or issue
  else No_@claude_mention
    GitHub-->>Workflow: Job not started (condition false)
  end

Loading

File-Level Changes

Change	Details	Files
Introduce Claude Code GitHub Actions workflow for @claude-triggered reviews and assistance.	Add claude.yml workflow responding to issue comments, PR review comments, PR reviews, and issues that mention @claude. Configure job permissions for contents, pull-requests, issues, id-token, and actions to allow Claude to inspect repo and CI. Invoke anthropics/claude-code-action@v1 with Anthropic API key from repository secrets and optional configuration hooks for permissions and future prompts/args.	.github/workflows/claude.yml
Update Next.js dependency version for docs and web packages.	Bump next from ^15.5.15 to ^15.5.16 in docs package dependencies. Bump next from ^15.5.15 to ^15.5.16 in web package dependencies. Regenerate pnpm-lock.yaml to reflect updated Next.js version and any transitive changes.	extras/docs/package.json extras/web/package.json pnpm-lock.yaml
Relax pnpm workspace minimumReleaseAge policy from 2 weeks to 1 week.	Change minimumReleaseAge from 20160 minutes (2 weeks) to 10080 minutes (1 week) in pnpm-workspace configuration while keeping explanatory comment aligned.	pnpm-workspace.yaml

Possibly linked issues

• Add Claude review workflow (0xsequence#1001) #560: The PR adds the Claude Code workflow whose behavior is depicted in the issue’s sequence diagram, plus minor dependency tweaks.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #559. Mergify cannot evaluate rules on this PR. Once #559 is merged or closed, Mergify will resume processing this PR. ⚠️

[sourcery-ai]

Hey - I've left some high level feedback:

• The minimumReleaseAge field in pnpm-workspace.yaml is modified despite the inline note saying not to change it without approval; please confirm this change is approved or revert it.
• Consider pinning anthropics/claude-code-action to a specific commit SHA rather than @v1 to improve supply-chain/security posture for the workflow.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `minimumReleaseAge` field in `pnpm-workspace.yaml` is modified despite the inline note saying not to change it without approval; please confirm this change is approved or revert it.
- Consider pinning `anthropics/claude-code-action` to a specific commit SHA rather than `@v1` to improve supply-chain/security posture for the workflow.

Fix all in Cursor

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request updates the next dependency and modifies workspace configuration settings. Several critical security vulnerabilities were identified during the review: the versions of next specified (15.5.16 and 15.5.18) do not exist on the official npm registry, which is a strong indicator of a supply chain attack. Additionally, the minimumReleaseAge in pnpm-workspace.yaml was reduced without the required authorization, potentially allowing the installation of malicious, newly-published packages. Due to these high-severity security risks, the changes should be rejected.

[gemini-code-assist]

CRITICAL: Reducing the minimumReleaseAge is highly suspicious, especially given the introduction of non-existent package versions in this PR. This setting is a critical security control and must not be lowered without explicit approval, as warned on line 2.

minimumReleaseAge: 20160 # 60 * 24 * 7 * 2 = do not install package releases that are not at least 2 weeks old

[gemini-code-assist]

CRITICAL: next@15.5.16 is not a valid version on the official npm registry. This appears to be a malicious package intended for a supply chain attack.

[gemini-code-assist]

CRITICAL: next@15.5.16 is not a valid version on the official npm registry. This appears to be a malicious package intended for a supply chain attack.

[gemini-code-assist]

CRITICAL: The version 15.5.18 for next does not exist on the official npm registry. Furthermore, the lockfile contains multiple other 'future' versions of core packages (e.g., typescript@6.0.3, zod@4.2.0, @types/node@25.3.0) which are not present in the official registry. This is a clear indicator of a supply chain attack. This PR must be rejected immediately.