Add DeepWork Review GitHub Action

[Copilot]

Implements this repo as a working composite GitHub Action: runs Claude Code with the DeepWork plugin on a PR, applies all review-driven improvements autonomously, commits them back to the PR branch, and posts inline review comments explaining each change.

Action structure

• action.yml — composite action; 7 steps covering plugin setup, review state caching, Claude run, commit/push, and comment posting
• prompts/review.txt — CI-mode prompt: invokes /review, suppresses AskUserQuestion, applies all findings (not just "obvious" ones), and writes a structured change manifest to /tmp/deepwork_changes.json
• scripts/post-review-comments.py — posts a single GitHub PR review with one inline comment per changed file; uses Claude's /tmp/deepwork_changes.json summary for descriptions, falls back to diff statistics
• .github/workflows/example.yml — minimal caller workflow to copy; triggers on pull_request with types [opened, synchronize]

Key design decisions

• anthropics/claude-code-base-action@beta — Claude Code is installed and run via the official Anthropic-managed action, which uses the curl-based installer (https://claude.ai/install.sh) rather than npm
• Plugin installation via native plugin system — DeepWork is installed using claude plugin marketplace add + claude plugin install through the base action's plugin_marketplaces/plugins inputs, eliminating the need for sparse-cloning or manual MCP config manipulation
• --dangerously-skip-permissions for fully non-interactive CI execution
• Base-branch diff detection (origin/<base> → <base> → HEAD~1 fallback) for correctness on shallow clones
• .deepwork/tmp cached per PR via actions/cache@v4 so already-passed reviews are not re-run on subsequent pushes to the same PR; uses a run_id-suffixed save key with a PR-scoped restore-keys prefix to always write a fresh entry while restoring the most recent prior state — THIS IS A MAJOR TOKEN COST SAVER!!!
• Default model is claude-opus-4-6 for best review quality
• Bot-identity loop prevention — the example workflow uses if: github.actor != 'deepwork-action[bot]' at the job level instead of a [skip ci] commit message suffix, so auto-fix commits can still trigger other CI workflows while the DeepWork review job itself never re-runs on its own commits
• Trigger scoped to [opened, synchronize] — fires when a PR is first created and on every subsequent push to the PR branch (synchronize); reopened is omitted as it is rarely needed

Usage

- uses: actions/checkout@v4
  with:
    fetch-depth: 0
    ref: ${{ github.event.pull_request.head.ref }}
    token: ${{ secrets.GITHUB_TOKEN }}

- uses: Unsupervisedcom/deepwork-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    github_token: ${{ secrets.GITHUB_TOKEN }}

Original prompt

This repo is a prebuilt github action that should run Claude Code on a PR and invoke https://github.com/Unsupervisedcom/deepwork/ in it (installed as a plugin) and run /review to trigger DeepWork reviews.

It needs to be instructed to make all changes that it thinks make sense for the context of the PR. Those changes should then be auto-committed onto the PR with comments added to each change afterwards (in the main file review context, not the single commit context) calling out the change so that it can be reviewed by the user.

[nhorton]

@copilot - modify this PR so that it uses action caching to persist the .deepwork/tmp folder between runs for the same PR too. That will keep it from re-running the same review over and over.

[Copilot]

@copilot - modify this PR so that it uses action caching to persist the .deepwork/tmp folder between runs for the same PR too. That will keep it from re-running the same review over and over.

Done in 654752c. Added an actions/cache@v4 step that persists .deepwork/tmp per PR. The key is deepwork-review-pr-<pr_number>-<run_id> so each run saves an updated entry, and restore-keys: deepwork-review-pr-<pr_number>- restores the most recent cache for that PR — meaning reviews that already passed won't re-run on subsequent pushes to the same PR.

[nhorton]

@copilot - address all the changes in this review and any other one-off comments

[Copilot]

@copilot - address all the changes in this review and any other one-off comments

All review feedback addressed in bc66f07. Summary of changes:

• Claude Code now installed via anthropics/claude-code-base-action@beta (curl-based, Anthropic-managed)
• Plugin installed via native plugin_marketplaces/plugins inputs (deepwork@deepwork-plugins)
• Removed --plugin-dir, MCP config manipulation steps, and scripts/merge-mcp-config.py
• README updated

[nhorton]

@copilot - address the review comments and the individual suggestions made before this review

[nhorton]

This seems not ideal. Triggering other CI actions from the changes would make sense, and this name is confusing.

Can we instead skip commits that are signed by the deepwork-action[bot]` identity?

[Copilot]

Done in f1a5126. Removed [skip ci] from the default commit_message. The example workflow (and the README usage snippet) now include if: github.actor != 'deepwork-action[bot]' at the job level, so the workflow simply never starts when the push was made by the bot identity — no magic commit message required.

[Copilot]

@copilot - address the review comments and the individual suggestions made before this review

All addressed in f1a5126:

• Default model → claude-opus-4-6 (action.yml, README, example.yml)
• [skip ci] → replaced with if: github.actor != 'deepwork-action[bot]' job guard
• README caching section updated with the token-cost note
• README security section updated to document the bot-identity approach

[nhorton]

@copilot

[nhorton]

I don't think this it the right thing to run on. Shouldn't this run on push and not opened and such?

[Copilot]

In GitHub Actions, pull_request + synchronize is the "run on push to a PR branch" event — using bare push would lose all the PR context (github.event.pull_request.number, base.ref, etc.) that the action needs for caching, checkout, and posting review comments.

Simplified the types to [opened, synchronize] (dropped reopened) in 1290b16 — synchronize fires on every push to the PR branch, and opened handles the initial PR creation.