ci: Add claude review#3911

Merged: patrickelectric merged 1 commit into bluerobotics:master from patrickelectric:pr-review on Apr 30, 2026
Conversation

@patrickelectric patrickelectric commented Apr 30, 2026

Member

Inspired by the Cockpit PR review action.

Summary by Sourcery

CI:

  • Add a GitHub Actions workflow that runs an Anthropic Claude code review action on eligible pull requests, posting a single sticky review comment with security-conscious behavior and prompt-injection safeguards.

Signed-off-by: Patrick José Pereira <patrickelectric@gmail.com>

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 2 issues, and left some high-level feedback:

  • The workflow is only triggered on opened, reopened, and ready_for_review events; consider adding synchronize so that new commits to an existing PR also get an updated automated review.
## Individual Comments

### Comment 1
<location path=".github/workflows/claude-pr-review.yml" line_range="27-28" />
<code_context>
+      # base ref by default, which is trusted code. We must NEVER checkout the
+      # PR head ref, since the Anthropic API key is available to this job and
+      # we do not want fork code to execute with access to it.
+      - name: Checkout base ref (trusted)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
</code_context>
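Review bot: the "base ref by default" guarantee this step relies on depends on the triggering event, which the hunk does not show: `actions/checkout` with no `ref:` input checks out the base branch only under `pull_request_target`; under a plain `pull_request` trigger it checks out the PR merge commit, which already contains fork code. Worth confirming the `on:` block matches the comment's assumption, and adding a line to the comment saying so, so that a later edit adding `ref: ${{ github.event.pull_request.head.sha }}` is recognised as undoing the protection rather than as a harmless tweak.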
<issue_to_address>
**🚨 suggestion (security):** Pin GitHub Actions to specific commit SHAs rather than floating major versions for better supply-chain security.

Using `actions/checkout@v4` (and `anthropics/claude-code-action@v1` below) means the workflow will automatically pull new code on major updates, which increases supply-chain risk. Please pin these to specific commit SHAs instead, optionally adding a comment with the corresponding tag so updates remain explicit and reviewable.

Suggested implementation:

```yaml
      - name: Checkout base ref (trusted)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # actions/checkout@v4.2.2
        with:
          fetch-depth: 1
```

You should also:
1. Find the step using the Anthropic action, which likely looks like:
   `uses: anthropics/claude-code-action@v1`
2. Replace it with a pinned SHA and an inline comment, for example:
   `uses: anthropics/claude-code-action@<COMMIT_SHA> # anthropics/claude-code-action@v1`
   where `<COMMIT_SHA>` is the commit hash corresponding to the `v1` tag from the anthropics/claude-code-action repository.
3. Consider adding a short comment at the top of the workflow explaining that all actions are intentionally pinned to SHAs for supply-chain security and should be updated deliberately.
</issue_to_address>

### Comment 2
<location path=".github/workflows/claude-pr-review.yml" line_range="56" />
<code_context>
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          claude_args: |
+            --model claude-opus-4-7
+            --max-turns 40
+            --allowedTools 'Read,Glob,Grep,Write,Bash(gh:*),Bash(jq:*),Bash(wc:*)'
</code_context>
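Review bot: `Write` in `--allowedTools` grants the model file-write access in a job whose only outputs should be a review comment, and `Bash(gh:*)` allows every `gh` subcommand rather than the `gh pr` / `gh api` calls needed to read the diff and post the comment. Since the PR body and diff are untrusted input to the model, narrowing this list (drop `Write`, scope `gh` to the subcommands actually used) bounds what a prompt-injected instruction could do with the job's token and API key. A short comment next to `claude_args` explaining why each tool is allowed would also help future reviewers keep the list tight.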
<issue_to_address>
**issue (bug_risk):** Double-check that the specified Claude model identifier is valid for the action/runtime you’re targeting.

`claude-opus-4-7` doesn’t follow Anthropic’s usual model ID format (e.g. `claude-3-opus-20240229`, `claude-3.5-sonnet-20241022`). Unless this is a valid internal alias, the workflow will likely fail at runtime. Please confirm it against the currently supported model IDs and update if needed.
</issue_to_address>


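The SHA-pinning point raised in Comment 1 is easy to regress once the workflow exists, so the following is an added example, not code from this PR, from BlueOS or from Sourcery: a small Python check that scans a workflow's `uses:` lines and reports every reference not pinned to a full 40-hex commit SHA. The embedded workflow text is constructed for the example (it reuses the two `uses:` lines quoted in the review plus one already-pinned step); treating local `./` actions as in-repo and requiring an `@sha256:` digest for `docker://` images are the example's own policy choices. It goes slightly beyond the review by handling those two extra reference kinds.

```python
"""Added example: flag GitHub Actions `uses:` references that are not pinned to a commit SHA."""
import re
from typing import List, Tuple

# A full 40-character hex commit SHA; short SHAs are rejected because they are
# not collision-resistant enough to serve as a supply-chain pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` (quoted or not) at any indentation, with or
# without the leading list dash; the capture stops before a trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")


def is_sha_pinned(ref: str) -> bool:
    """Return True when a `uses:` target is pinned in a way a moving tag cannot undo."""
    if ref.startswith("./"):
        # Local action in the same repository: reviewed with the PR itself (example policy).
        return True
    if ref.startswith("docker://"):
        # Container action: require an immutable image digest (example policy).
        return "@sha256:" in ref
    if "@" not in ref:
        return False
    _, version = ref.rsplit("@", 1)
    return bool(SHA_RE.match(version))


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for every `uses:` reference that is not SHA-pinned."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue
        ref = match.group(1)
        if not is_sha_pinned(ref):
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow: it reuses the two `uses:` lines quoted in the review
# above plus one already-pinned step and one local action. Not the PR's actual file.
SAMPLE_WORKFLOW = """\
name: claude-pr-review
on:
  pull_request:
    types: [opened, reopened, ready_for_review]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base ref (trusted)
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Checkout, pinned as the review suggests
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # actions/checkout@v4.2.2
      - name: Review
        uses: anthropics/claude-code-action@v1
      - uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is not pinned to a commit SHA")
```

Run against the sample it reports lines 10 and 16 (the two floating `@v4` / `@v1` references) and stays silent on the SHA-pinned step; wiring the same function into CI over `.github/workflows/*.yml` turns the review comment into a check that fails when someone later adds or loosens a pin.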
@Williangalvani Williangalvani left a comment

Member

Looks like a great start. We could add the `synchronize` hook later if we feel like we need it.

@patrickelectric patrickelectric merged commit c350f52 into bluerobotics:master Apr 30, 2026
7 checks passed
@patrickelectric patrickelectric deleted the pr-review branch April 30, 2026 15:02