Add vendored code-review command and security hardening #65
- Remove 'labeled' trigger type from code-review workflow (all PRs reviewed)
- Add step-security/harden-runner to code-review workflow
- Vendor code-review skill to .claude/commands/ to avoid unpinned git URL
- Remove stale TODO comment on contents:read permission
- Document actor vs. author mismatch for issues:edited trigger

https://claude.ai/code/session_016ujbvPfQnhK55bd2hQFBYd
Pull request overview
This PR vendors a code-review command into the repo and updates the Claude Code Review GitHub Actions workflow to use the vendored command (instead of external plugin marketplaces), along with adding runner hardening steps to Claude-related workflows.
Changes:
- Added a vendored Claude command at `.claude/commands/code-review.md` to drive PR reviews (including optional inline commenting).
- Updated `claude-code-review` workflow to invoke `/project:code-review` directly and removed plugin marketplace configuration.
- Hardened Claude workflows by adding `step-security/harden-runner` and clarified permissions/comments.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | Adds runner hardening and a note about author_association behavior; adjusts permissions comment. |
| .github/workflows/claude-code-review.yml | Switches from external plugins to the vendored /project:code-review command; adds runner hardening; updates triggers. |
| .claude/commands/code-review.md | Introduces a vendored multi-stage code review command definition and procedure. |
| # NOTE: For issues:edited, author_association refers to the issue author, not | ||
| # the actor who performed the edit. This means an edit by a non-collaborator | ||
| # could re-trigger Claude if the original author is a collaborator. In practice, | ||
| # only users with write access can edit others' issues, so the risk is limited. |
The NOTE block is inside the multi-line if: | expression, so the # ... lines become part of the GitHub Actions expression string. GitHub expression syntax doesn’t support # comments, which will cause the workflow to fail to parse. Move this note outside the if block (as YAML comments above the if: key) or encode it in a way that doesn’t become part of the expression.
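As an added example (not this repository's claude.yml), the placement problem described in the comment above, shown broken and then fixed; the trigger and the condition body are assumptions, only where the NOTE sits is the point:

```yaml
# Added example, not this repository's claude.yml. The trigger and the
# condition body are assumptions; the point is where the NOTE lives.
on:
  issues:
    types: [opened, edited]

jobs:
  claude:
    # BROKEN: with a block scalar, everything indented under "if: |" is the
    # value, so the "# NOTE ..." lines become part of the expression string.
    # The expression language has no comment syntax, so the workflow fails
    # to parse.
    #
    #   if: |
    #     # NOTE: For issues:edited, author_association refers to the issue author
    #     contains(github.event.issue.body, '@claude') &&
    #     github.event.issue.author_association == 'MEMBER'
    #
    # FIXED: keep the note as YAML comments above the key. The YAML loader
    # drops them, so the expression string is only the condition itself.

    # NOTE: For issues:edited, author_association refers to the issue author, not
    # the actor who performed the edit. An edit by a non-collaborator could
    # re-trigger this job if the original author is a collaborator.
    if: |
      contains(github.event.issue.body, '@claude') &&
      (github.event.issue.author_association == 'MEMBER' ||
       github.event.issue.author_association == 'OWNER')
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@v2   # pin to a commit SHA in real use
        with:
          egress-policy: audit
```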
| # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md | ||
| # or https://code.claude.com/docs/en/cli-reference for available options | ||
| # Uses vendored code-review skill from .claude/commands/code-review.md | ||
| prompt: '/project:code-review --comment ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
The vendored command instructions use gh pr view <PR> / gh pr diff <PR>, but the workflow passes ${{ github.repository }}/pull/${{ github.event.pull_request.number }} (no scheme). gh pr view accepts a PR number in the current repo, OWNER/REPO#NUMBER, or a full URL; owner/repo/pull/123 is not a standard selector and is likely to fail. Consider passing just the PR number (since the repo is checked out) or a full https://github.com/.../pull/... URL.
| prompt: '/project:code-review --comment ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' | |
| prompt: '/project:code-review --comment ${{ github.event.pull_request.number }}' |
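Review bot: the suggested prompt passes only `${{ github.event.pull_request.number }}`, so `gh pr view` / `gh pr diff` inside the vendored command must resolve the repository from the runner's checkout. If that checkout is the PR merge ref rather than the base repository (e.g. for fork PRs), confirm `gh` still targets the right repository, or make it explicit with `--repo ${{ github.repository }}` (or `GH_REPO` in the step environment) so the number is unambiguous.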
|
|
||
| If any condition is true, stop and do not proceed. | ||
|
|
||
| Note: Still review Claude generated PR's. |
Minor grammar: “PR's” should be “PRs” (no apostrophe for plural).
| Note: Still review Claude generated PR's. | |
| Note: Still review Claude generated PRs. |
Summary
This PR adds a vendored code-review command to the repository and updates the Claude Code Review workflow to use it directly instead of relying on external plugins. It also includes security hardening improvements to the GitHub Actions workflows.
Key Changes
Added `.claude/commands/code-review.md`: A comprehensive code review command that provides detailed instructions for reviewing pull requests, including:

Updated `.github/workflows/claude-code-review.yml`:
- Removed the external plugin dependency (`claude-code-plugins`)
- Uses the `/project:code-review` prompt
- Added the `--comment` flag to enable automatic inline commenting
- Removed the `labeled` trigger type (now only triggers on `opened`, `synchronize`, `ready_for_review`, `reopened`)

Updated `.github/workflows/claude.yml`:
- Documented `author_association` behavior for `issues:edited` events
- Clarified the `contents: read` permission (now clear it's needed)

Notable Implementation Details
The code-review command implements a multi-stage review process:
The workflow now uses a vendored approach, eliminating external plugin dependencies and improving reliability and maintainability.
https://claude.ai/code/session_016ujbvPfQnhK55bd2hQFBYd