ci: improve claude code review workflow

elhajin · elhajin · commit a02ee1e9732d · 2026-02-02T22:05:12.000+08:00
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -1,13 +1,19 @@
-name: Claude Code
+# Claude Code Review Workflow
+# - Auto-reviews PRs targeting main (excludes drafts and forks)
+# - Responds to @claude mentions from org members only
+# - Uses OIDC auth with Claude GitHub App (id-token: write)
+# - Mention jobs checkout base branch to avoid CodeQL "untrusted checkout" alerts
+
+name: Claude review
 
 on:
-  # Auto-review PRs to main
+  # Trigger: new/updated PRs to main
   pull_request:
     types: [opened, synchronize, ready_for_review, reopened]
     branches:
       - main
 
-  # @claude mentions in PR comments
+  # Trigger: @claude mentions in comments
   issue_comment:
     types: [created]
   pull_request_review_comment:
@@ -16,68 +22,163 @@ on:
     types: [submitted]
 
 jobs:
-  # Auto-review PRs targeting main
+  # Job 1: Auto-review on PR open/update (no forks, no drafts)
   auto-review:
-    if: github.event_name == 'pull_request' && !github.event.pull_request.draft
+    if: |
+      github.event_name == 'pull_request' &&
+      !github.event.pull_request.draft &&
+      !github.event.pull_request.head.repo.fork
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       pull-requests: write
       id-token: write
+      actions: read
     steps:
       - uses: actions/checkout@v6
         with:
+          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
 
       - uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ORG_ANTHROPIC_API_KEY }}
+          additional_permissions: "actions: read"
           track_progress: true
           use_sticky_comment: true
           prompt: |
+            Follow CLAUDE.md for project context and conventions.
+            For contract details, read the relevant docs in /docs folder.
+
             REPO: ${{ github.repository }}
             PR NUMBER: ${{ github.event.pull_request.number }}
 
-            Perform a comprehensive code review focusing on:
-            - Code quality and best practices
-            - Potential bugs or security issues
-            - Performance considerations
-            - Test coverage
+            First, identify the PR type from the title (feat|fix|docs|test|refactor|ci|perf|style|chore|release):
+            - **feat/fix**: Full review - correctness, security, edge cases, gas, events, test coverage
+            - **perf**: Focus on gas optimization correctness and no functional regressions
+            - **test**: Check assertions are correct, edge cases covered, no false positives
+            - **docs**: Check accuracy against actual code behavior
+            - **style/refactor**: No functional changes - verify behavior is preserved
+            - **chore/ci/release**: Light review - check for unintended side effects
+
+            For Solidity changes, check:
+            1. **Correctness**: Does it work? Edge cases handled? Invariants preserved?
+            2. **Security**: Access control, reentrancy, overflow, unsafe external calls
+            3. **Integration**: How do changes affect other contracts that interact with this one?
 
-            Use inline comments for specific issues.
-            Use top-level comments for general observations.
+            For each issue found:
+            - Use inline comment on the specific line
+            - Explain the problem
+            - Provide a suggested fix as a diff block:
+            ```diff
+            - old code
+            + new code
+            ```
+
+            Use top-level comment for summary only.
 
           claude_args: |
-            --allowedTools "Read,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
+            --allowedTools "Read,Glob,Grep,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr checks:*),Bash(gh run list:*),Bash(gh run view:*)"
+            --system-prompt "If you inspect CI logs, never paste raw logs. Summarize likely cause only. Redact tokens, keys, credentials, or URLs with credentials. If unsure, say log may contain sensitive data and stop."
             --max-turns 15
 
-  # Respond to @claude mentions (members only, PRs only)
-  mention-response:
+  # Job 2: @claude in PR conversation comments (members only)
+  mention-pr-comment:
     if: |
-      (
-        (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@claude')) ||
-        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude'))
-      ) &&
+      github.event_name == 'issue_comment' &&
+      github.event.issue.pull_request &&
+      contains(github.event.comment.body, '@claude') &&
       (
         github.event.comment.author_association == 'MEMBER' ||
         github.event.comment.author_association == 'COLLABORATOR' ||
-        github.event.review.author_association == 'MEMBER' ||
-        github.event.review.author_association == 'COLLABORATOR'
+        github.event.comment.author_association == 'OWNER'
+      )
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read
+    steps:
+      # Verify this is not a fork PR (issue_comment doesn't have fork info in payload)
+      - name: Check if fork PR
+        id: fork-check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if ! IS_FORK=$(gh pr view ${{ github.event.issue.number }} --json isCrossRepository -q '.isCrossRepository'); then
+            echo "Unable to determine fork status; skipping."
+            echo "is_fork=true" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          if [ "$IS_FORK" = "true" ]; then
+            echo "Skipping fork PR"
+            echo "is_fork=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_fork=false" >> $GITHUB_OUTPUT
+          fi
+
+      # Checkout base branch (trusted) - Claude reads PR diff via gh pr diff
+      - uses: actions/checkout@v6
+        if: steps.fork-check.outputs.is_fork != 'true'
+        with:
+          fetch-depth: 1
+
+      - uses: anthropics/claude-code-action@v1
+        if: steps.fork-check.outputs.is_fork != 'true'
+        with:
+          anthropic_api_key: ${{ secrets.ORG_ANTHROPIC_API_KEY }}
+          additional_permissions: "actions: read"
+          claude_args: |
+            --allowedTools "Read,Glob,Grep,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr checks:*),Bash(gh run list:*),Bash(gh run view:*)"
+            --system-prompt "If you inspect CI logs, never paste raw logs. Summarize likely cause only. Redact tokens, keys, credentials, or URLs with credentials. If unsure, say log may contain sensitive data and stop."
+            --max-turns 10
+
+  # Job 3: @claude in review comments/reviews (members only)
+  mention-review:
+    if: |
+      !github.event.pull_request.head.repo.fork &&
+      (
+        (
+          github.event_name == 'pull_request_review_comment' &&
+          contains(github.event.comment.body, '@claude') &&
+          (
+            github.event.comment.author_association == 'MEMBER' ||
+            github.event.comment.author_association == 'COLLABORATOR' ||
+            github.event.comment.author_association == 'OWNER'
+          )
+        ) ||
+        (
+          github.event_name == 'pull_request_review' &&
+          contains(github.event.review.body, '@claude') &&
+          (
+            github.event.review.author_association == 'MEMBER' ||
+            github.event.review.author_association == 'COLLABORATOR' ||
+            github.event.review.author_association == 'OWNER'
+          )
+        )
       )
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write
       id-token: write
+      actions: read
     steps:
+      # Checkout base branch (trusted) - Claude reads PR diff via gh pr diff
       - uses: actions/checkout@v6
         with:
           fetch-depth: 1
 
       - uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ORG_ANTHROPIC_API_KEY }}
+          additional_permissions: "actions: read"
           claude_args: |
-            --allowedTools "Read,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
+            --allowedTools "Read,Glob,Grep,mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr checks:*),Bash(gh run list:*),Bash(gh run view:*)"
+            --system-prompt "Follow CLAUDE.md for context. For issues found, provide a diff block showing the fix. If you inspect CI logs, summarize only - never paste raw logs. Redact any tokens, keys, or credentials."
             --max-turns 10
