Pull request overview
Adds GitHub Actions workflows to run Anthropic Claude Code in response to repository activity (comment-driven assistant and automatic PR code review).
Changes:
- Introduces a comment-/issue-triggered “Claude Code” workflow that runs when @claude is mentioned.
- Introduces a PR-triggered “Claude Code Review” workflow that runs on PR lifecycle events and invokes a code-review plugin.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/claude.yml | New workflow to invoke Claude Code when @claude is detected in comments/reviews/issues. |
| .github/workflows/claude-code-review.yml | New workflow to automatically run Claude-based code review on PR events. |
.github/workflows/claude.yml

```yaml
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]
```
The workflow can be triggered by anyone opening an issue or posting a comment containing @claude, which will run with secrets.ANTHROPIC_API_KEY available in the base repo context. This creates a real secret-exposure / prompt-injection risk and can also be abused to burn API quota. Restrict execution to trusted actors (e.g., check author_association/repo membership in the job if:) and/or remove the issues trigger (or limit to workflow_dispatch/maintainers only).
.github/workflows/claude.yml

```yaml
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
```
contains() is evaluated on fields that can be null/empty (e.g., github.event.review.body for a submitted review without text, or github.event.issue.body for an issue created without a body). In GitHub Actions expressions this can cause the job if: evaluation to fail. Coerce these to empty strings (e.g., ...body || '') or add explicit null checks before calling contains().
Suggested change:

```diff
-(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+(github.event_name == 'issue_comment' && contains(github.event.comment.body || '', '@claude')) ||
+(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body || '', '@claude')) ||
+(github.event_name == 'pull_request_review' && contains(github.event.review.body || '', '@claude')) ||
+(github.event_name == 'issues' && (contains(github.event.issue.body || '', '@claude') || contains(github.event.issue.title || '', '@claude')))
```
.github/workflows/claude.yml

```yaml
pull-requests: read
issues: read
id-token: write
```
The job permissions are set to pull-requests: read / issues: read, but this workflow is expected to respond back on PRs/issues when invoked. With read-only permissions, the action will be unable to create comments/reviews/status updates via the GITHUB_TOKEN. Grant the minimal required write scopes (typically pull-requests: write and/or issues: write), and consider dropping id-token: write unless the action is actually using OIDC.
Suggested change:

```diff
-pull-requests: read
-issues: read
-id-token: write
+pull-requests: write
+issues: write
```
.github/workflows/claude.yml

```yaml
# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
  actions: read
```
additional_permissions requests actions: read, but the job already has actions: read in permissions. Keeping both is redundant and can confuse future maintenance; prefer a single source of truth (either rely on workflow permissions or remove the duplicated action input if it isn't required).
Suggested change:

```diff
-# This is an optional setting that allows Claude to read CI results on PRs
-additional_permissions: |
-  actions: read
```
.github/workflows/claude-code-review.yml

```yaml
on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
    # Optional: Only run on specific file changes
```
This workflow runs on pull_request events but depends on secrets.ANTHROPIC_API_KEY. For PRs from forks, GitHub will not provide repository secrets, so the action will fail (or behave unexpectedly) on those PRs. Add a job-level guard to skip forked PRs (e.g., if: github.event.pull_request.head.repo.fork == false) and/or document that it only supports same-repo branches.
.github/workflows/claude-code-review.yml

```yaml
pull-requests: read
issues: read
id-token: write
```
The job permissions are read-only (pull-requests: read, issues: read), but a code review action typically needs to publish a review comment back onto the PR. With read-only permissions it won't be able to post results via GITHUB_TOKEN. Grant the minimal required write permissions (usually pull-requests: write; add issues: write only if it posts to issues) and consider removing id-token: write unless OIDC is actually used.
Suggested change:

```diff
-pull-requests: read
-issues: read
-id-token: write
+pull-requests: write
+issues: read
```
No description provided.