ci: Add claude review #3911
Merged
Conversation
Signed-off-by: Patrick José Pereira <patrickelectric@gmail.com>
Hey - I've found 2 issues, and left some high level feedback:
- The workflow is only triggered on `opened`, `reopened`, and `ready_for_review` events; consider adding `synchronize` so that new commits to an existing PR also get an updated automated review.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The workflow is only triggered on `opened`, `reopened`, and `ready_for_review` events; consider adding `synchronize` so that new commits to an existing PR also get an updated automated review.
## Individual Comments
### Comment 1
<location path=".github/workflows/claude-pr-review.yml" line_range="27-28" />
<code_context>
+ # base ref by default, which is trusted code. We must NEVER checkout the
+ # PR head ref, since the Anthropic API key is available to this job and
+ # we do not want fork code to execute with access to it.
+ - name: Checkout base ref (trusted)
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
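Review bot: the comment above the checkout step states the invariant (never check out the PR head), but the step itself relies on the checkout action's default ref rather than enforcing it; consider adding an explicit `ref: ${{ github.event.pull_request.base.sha }}` under `with:` so the trusted-ref choice is made by the step and survives a later change of the workflow trigger.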
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Pin GitHub Actions to specific commit SHAs rather than floating major versions for better supply-chain security.
Using `actions/checkout@v4` (and `anthropics/claude-code-action@v1` below) means the workflow will automatically pull new code on major updates, which increases supply-chain risk. Please pin these to specific commit SHAs instead, optionally adding a comment with the corresponding tag so updates remain explicit and reviewable.
Suggested implementation:
```
      - name: Checkout base ref (trusted)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # actions/checkout@v4.2.2
        with:
          fetch-depth: 1
```
You should also:
1. Find the step using the Anthropic action, which likely looks like:
`uses: anthropics/claude-code-action@v1`
2. Replace it with a pinned SHA and an inline comment, for example:
`uses: anthropics/claude-code-action@<COMMIT_SHA> # anthropics/claude-code-action@v1`
where `<COMMIT_SHA>` is the commit hash corresponding to the `v1` tag from the anthropics/claude-code-action repository.
3. Consider adding a short comment at the top of the workflow explaining that all actions are intentionally pinned to SHAs for supply-chain security and should be updated deliberately.
</issue_to_address>
### Comment 2
<location path=".github/workflows/claude-pr-review.yml" line_range="56" />
<code_context>
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ claude_args: |
+ --model claude-opus-4-7
+ --max-turns 40
+ --allowedTools 'Read,Glob,Grep,Write,Bash(gh:*),Bash(jq:*),Bash(wc:*)'
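Review bot: `Bash(gh:*)` in `--allowedTools` permits every `gh` subcommand, including ones that write to the repository (merging, commenting, `gh api` mutations), while the agent is processing untrusted PR content; narrow it to the read-only commands the review needs, e.g. `Bash(gh pr view:*)` and `Bash(gh pr diff:*)`, and drop `Write` if the review only needs to read the checkout.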
</code_context>
<issue_to_address>
**issue (bug_risk):** Double-check that the specified Claude model identifier is valid for the action/runtime you’re targeting.
`claude-opus-4-7` doesn’t follow Anthropic’s usual model ID format (e.g. `claude-3-opus-20240229`, `claude-3.5-sonnet-20241022`). Unless this is a valid internal alias, the workflow will likely fail at runtime. Please confirm it against the currently supported model IDs and update if needed.
</issue_to_address>
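The SHA-pinning advice in Comment 1, as an added example that is not code from the PR or from Sourcery: a small Python checker that flags `uses:` references resolved by floating tags and rewrites them from an explicit action-to-SHA map. The sample workflow is constructed from the hunks above; the checkout SHA is the one quoted in the review, and the claude-code-action SHA is a constructed placeholder.

```python
import re

# Matches a step's `uses:` line and splits it into indent, action name and ref.
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w.\-/]+)@(?P<ref>[^\s#]+).*$")
# A full 40-hex-digit commit SHA is the only ref that cannot silently move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample modelled on the workflow under review; not the PR's file.
WORKFLOW = """\
name: claude-pr-review
jobs:
  review:
    steps:
      - name: Checkout base ref (trusted)
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - uses: anthropics/claude-code-action@v1
"""

# action -> (commit SHA, tag it was resolved from). The checkout entry is the one
# quoted in the review; the claude-code-action SHA is a constructed placeholder to
# be replaced with the hash resolved from that repository's v1 tag.
PINS = {
    "actions/checkout": ("11bd71901bbe5b1630ceea73d27597364c9af683", "v4.2.2"),
    "anthropics/claude-code-action": ("deadbeef" * 5, "v1"),  # placeholder SHA
}

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every `uses:` ref that is not a full SHA."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            hits.append((n, m.group("action"), m.group("ref")))
    return hits

def pin_actions(workflow_text, pins):
    """Rewrite floating refs to SHAs with a trailing tag comment; unknown actions stay."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")) and m.group("action") in pins:
            sha, tag = pins[m.group("action")]
            line = f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('action')}@{tag}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `find_unpinned` over a workflow in CI makes a floating tag a build failure, and `pin_actions` produces the reviewable `sha # tag` form the comment asks for.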
Williangalvani approved these changes (Apr 30, 2026)
Williangalvani (Member) left a comment:
Looks like a great start. We could add the `synchronize` hook later if we feel like we need it.
Inspired by Cockpit PR review action
Summary by Sourcery
CI: