ci(github-actions): @claude Notion MCP 연동 + 코드리뷰 인라인 코멘트 게시

[seong-jin-jo]

배경

• @claude 멘션 시 client 레포에서만 Notion MCP 조회가 안 됨 → 원인: client claude.yml이 애초에 MCP 미설정 (backend에만 설정돼 있었음).
• 코드리뷰 워크플로우가 Slack엔 "리뷰 완료(success)"라 알리는데 PR엔 리뷰가 안 보임 → 원인: automation(prompt) 모드에서 /code-review가 --comment 없이 실행돼 결과가 모델 출력에만 남고 PR엔 게시 안 됨.

변경

• claude.yml: backend 검증 설정 미러링
  • 런타임 .mcp.json 생성 step 추가 (Notion MCP 서버 자동 로드)
  • Run Claude Code step에 OPENAPI_MCP_HEADERS / NOTION_TOKEN env 추가
  • claude_args allowedTools에 mcp__notion__* 추가 (프론트 패키지매니저 권한은 보존)
• claude-code-review.yml: /code-review prompt에 --comment 추가 → findings가 PR 인라인 코멘트로 게시됨

사전 조건

• NOTION_TOKEN 시크릿 client 레포에 등록 완료
• Notion integration이 조회 대상 페이지에 connection 연결돼 있어야 함

적용 시점

• @claude 멘션(issue_comment 트리거)은 기본 브랜치(develop) 머지 후 동작.

관련: 백엔드(mvp) PR #1133 (코드리뷰 --comment 동일 수정)

🤖 Generated with Claude Code

Summary by CodeRabbit

릴리스 노트

• 새 기능

  • Notion 통합 추가로 확장된 기능 지원

• 개선사항

  • PR 코드 리뷰 의견이 인라인 코멘트로 직접 게시되도록 개선

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
study-platform-client-dev	Ready	Preview, Comment	May 28, 2026 5:08pm

[coderabbitai]

📝 Walkthrough

Walkthrough

두 GitHub Actions 워크플로우가 Claude 도구 통합을 확장합니다. Code Review 워크플로우는 인라인 PR 코멘트 기능을 추가하고, Claude 워크플로우는 Notion MCP 서버 통합(설정 생성, 인증, 도구 권한)을 추가합니다.

Changes

Claude GitHub Actions 워크플로우 향상

Layer / File(s)	Summary
Code Review 인라인 코멘트 기능 .github/workflows/claude-code-review.yml	Claude Code Review 프롬프트 실행에 --comment 옵션이 추가되어, 리뷰 결과가 PR에 인라인 코멘트로 게시되도록 변경됩니다.
Notion MCP 서버 설정 및 인증 .github/workflows/claude.yml	워크플로우 실행 중 .mcp.json을 생성하여 Notion MCP 서버를 설정하고, OPENAPI_MCP_HEADERS와 NOTION_TOKEN 환경변수를 추가하며, --allowedTools를 Notion 도구(mcp__notion__*) 및 파일 편집/조회 권한을 포함하도록 확장합니다.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• code-zero-to-one/study-platform-client#563: 두 PR 모두 Claude GitHub Actions 워크플로우를 수정하며, 특히 .github/workflows/claude-code-review.yml를 변경합니다(현재 PR은 인라인 리뷰 코멘트용 --comment 추가, 연관 PR은 해당 Claude 코드 리뷰 워크플로우 도입/설정).

Poem

🐰 PR workflows now dance in binary light,
Notion's whispers meet Claude's keen sight,
Inline comments bloom on code review ground,
MCP tools spin without a sound,
Automation's rabbit runs fast and bright! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	PR 제목은 주요 변경사항인 Notion MCP 연동과 코드리뷰 인라인 코멘트 기능을 명확하게 요약하고 있습니다.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/claude-github-mcp

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/claude.yml:
- Around line 51-58: Replace movable tags for third-party GitHub Actions with
commit SHAs: update the anthropics/claude-code-action@v1 reference to its
specific commit SHA and do the same for slackapi/slack-github-action@v2.1.0;
keep the same env variables (OPENAPI_MCP_HEADERS and NOTION_TOKEN) and any
claude_args settings but point the actions to immutable SHAs to prevent tag
movement or takeover.
- Around line 42-43: Pin the external MCP invocation and action to immutable
versions and add a trust gate: replace the open npx call "npx -y
`@notionhq/notion-mcp-server`" with an exact pin (e.g., use
"`@notionhq/notion-mcp-server`@vX.Y.Z" or a specific commit SHA) and pin
"anthropics/claude-code-action@v1" to its commit SHA instead of the tag;
restrict secrets/permission exposure by gating use of NOTION_TOKEN and write
permissions (mcp__notion__*, contents/pull-requests/issues: write) behind an
approval/allowlist check (use github.actor allowlist, required
reviewers/approval, branch/PR state or a conditional that only runs the MCP step
for trusted actors/branches) so those steps never run on untrusted triggers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4dd3578b-2318-4433-8096-675cb485ec0f

📥 Commits

Reviewing files that changed from the base of the PR and between e10bb15 and c587d89.

📒 Files selected for processing (2)

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

MCP 서버/외부 액션은 exact pin(버전·커밋)하고, 비신뢰 트리거에 대한 시크릿/쓰기 도구 노출을 차단하세요.

• .github/workflows/claude.yml의 npx -y @notionhq/notion-mcp-server``는 버전이 고정되어 있지 않아 업스트림 변경 시 워크플로우 재현성과 공급망 안전성이 떨어집니다. exact 버전으로 pin 하세요.
• anthropics/claude-code-action@v1는 태그로만 고정되어 있고, 해당 실행 경로는 secrets 및 contents/pull-requests/issues: write 권한을 사용합니다. commit SHA로 pin 하세요.
• 트리거가 @claude 문자열 포함 여부에만 의존해 NOTION_TOKEN 같은 시크릿과 mcp__notion__*, Bash(npx *) 등 강력 툴이 노출됩니다. github.actor/승인자/브랜치/PR 상태 등으로 신뢰 게이트를 추가하세요.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 42 - 43, Pin the external MCP
invocation and action to immutable versions and add a trust gate: replace the
open npx call "npx -y `@notionhq/notion-mcp-server`" with an exact pin (e.g., use
"`@notionhq/notion-mcp-server`@vX.Y.Z" or a specific commit SHA) and pin
"anthropics/claude-code-action@v1" to its commit SHA instead of the tag;
restrict secrets/permission exposure by gating use of NOTION_TOKEN and write
permissions (mcp__notion__*, contents/pull-requests/issues: write) behind an
approval/allowlist check (use github.actor allowlist, required
reviewers/approval, branch/PR state or a conditional that only runs the MCP step
for trusted actors/branches) so those steps never run on untrusted triggers.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the referenced workflow and the area around the reported lines
echo "=== .github/workflows/claude.yml (around lines 40-80) ==="
nl -ba .github/workflows/claude.yml | sed -n '40,90p'

# Check for any other third-party action refs in the workflow
echo
echo "=== action@ refs in .github/workflows/claude.yml ==="
rg -n "uses:\s*[^/\s]+/[^@\s]+@([^\s]+)" .github/workflows/claude.yml || true

# Check whether anthropics/claude-code-action is pinned elsewhere in the repo
echo
echo "=== anthropics/claude-code-action@ occurrences (repo-wide) ==="
rg -n "anthropics/claude-code-action@" . || true

Repository: code-zero-to-one/study-platform-client

Length of output: 201

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Print the reported region with line numbers (using cat -n)
echo "=== .github/workflows/claude.yml (around lines 40-80) ==="
cat -n .github/workflows/claude.yml | sed -n '40,90p'

# 2) Find any action refs of the form owner/name@ref in this workflow
echo
echo "=== action@ refs in .github/workflows/claude.yml ==="
rg -n "uses:\s*[^/\s]+/[^@\s]+@([^\s]+)" .github/workflows/claude.yml || true

# 3) Check if anthropics/claude-code-action is referenced elsewhere
echo
echo "=== anthropics/claude-code-action@ occurrences (repo-wide) ==="
rg -n "anthropics/claude-code-action@" . || true

Repository: code-zero-to-one/study-platform-client

Length of output: 2676

---

써드파티 GitHub Actions는 커밋 SHA로 pin 하세요 (moving tag 금지)

• .github/workflows/claude.yml에서 anthropics/claude-code-action@v1를 사용 중이며, 해당 step이 NOTION_TOKEN을 받고(env) claude_args에 Write 도구 허용이 포함되어 있어(--allowedTools ...Write...) tag 이동/탈취 시 즉시 영향이 큽니다.
• 같은 이유로 slackapi/slack-github-action@v2.1.0도 SHA로 고정하는 것을 권장합니다( SLACK_BOT_TOKEN 사용).

🧰 Tools

🪛 zizmor (1.25.2)

[error] 51-51: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude.yml around lines 51 - 58, Replace movable tags for
third-party GitHub Actions with commit SHAs: update the
anthropics/claude-code-action@v1 reference to its specific commit SHA and do the
same for slackapi/slack-github-action@v2.1.0; keep the same env variables
(OPENAPI_MCP_HEADERS and NOTION_TOKEN) and any claude_args settings but point
the actions to immutable SHAs to prevent tag movement or takeover.