ci: Claude Code Review workflow Update 2 (assistant-ui#2660)

JustAnOkapi · theblazehen · commit 34e3750db88f · 2025-11-12T20:31:37.000+02:00
Implement dual-path architecture to support both internal and cross-repository pull request reviews while navigating GitHub's OIDC security boundaries. ## Architecture Changes ### Dual-trigger system - Add `pull_request` trigger alongside existing `pull_request_target` - Internal PRs use pull_request + OIDC authentication (claude[bot] identity) - Fork PRs use pull_request_target + github_token (github-actions[bot] identity) - Job-level XOR logic ensures only one path executes per PR **Why:** GitHub prevents OIDC with pull_request_target to protect secrets from untrusted forks. claude-code-action requires OIDC for claude[bot] identity, forcing us to use github_token for forks (creates github-actions[bot] instead). ### Conditional action steps Replace single action step with two conditional steps: **Internal Review:** - Trigger: pull_request event + same repository - Auth: claude_code_oauth_token (OIDC) - Identity: claude[bot] - Features: Full sticky comment support **Fork Review:** - Trigger: pull_request_target event + different repository - Auth: github_token (GITHUB_TOKEN secret) - Identity: github-actions[bot] - Features: allowed_non_write_users: '*' for fork contributors ## Review Quality Improvements ### Comprehensive review prompt Move from inline checklist to sophisticated multi-stage review process: **Context gathering phase:** - Check CI status via mcp__github_ci__get_ci_status - Fetch previous reviews via gh pr view --comments - Track previously identified issues across commits - Analyze workflow failures via mcp__github_ci__get_workflow_run_details **Review approach:** - First review: Comprehensive analysis of all changes - Subsequent reviews: Incremental feedback tracking issue status (Fixed/Unresolved/New) - Incorporate CI/test failure context into feedback - Prohibit meta-commentary about review process itself **Review criteria:** - Code quality and best practices - Potential bugs and security implications - Performance considerations and test coverage - assistant-ui requirements (changesets, documentation) ### Inline comment quality controls - Restrict to critical code issues or relevant suggestions - Check for existing comments to prevent duplicates - Prohibit use for good practices or positive observations - Require actionable, precise feedback ### Tool restrictions - Remove gh pr comment permissions (prevents spam) - Require use of mcp__github_comment__update_claude_comment - Allow read-only gh commands (pr view, diff, list) - Enable inline comments via mcp__github_inline_comment__create_inline_comment ## Fork PR Comment Management Add GraphQL minimization script for fork PRs: - Collapses previous github-actions[bot] comments as OUTDATED - Runs only on cross-repository PRs (pull_request_target) - Supports pagination for handling many comments - No external dependencies (pure github-script@v8) **Why:** Fork PRs can't use sticky comments due to bot identity change (github-actions[bot] instead of claude[bot]). Minimizing old comments keeps discussion clean until sticky comment support is added. **Note:** Temporary workaround until anthropics/claude-code-action#411 merges. PR assistant-ui#411 adds sticky_comment_app_bot_id/name config for github-actions[bot]. ## CI Integration Enable progress tracking and CI tool access: - Set TRACK_PROGRESS: 'true' to load mcp__github_ci__* tools - Add additional_permissions: actions: read - Enable Claude to access test results and workflow run details - Support context-aware reviews based on CI status ## Configuration Improvements ### DRY environment variables Extract shared configuration to env block: - REVIEW_PROMPT: Comprehensive review instructions - CLAUDE_ARGS: Tool allowlist and restrictions - TRACK_PROGRESS: Enable CI MCP tools - USE_STICKY_COMMENT: Enable sticky comment mode - ADDITIONAL_PERMISSIONS: Grant actions: read access ### Checkout optimization - Change from head.repo.full_name + head.ref to refs/pull/{number}/head - Universal reference works for both internal and cross-repository PRs - Ensures correct code is reviewed regardless of fork status ### Resource controls - Add timeout-minutes: 15 to prevent runaway costs - Upgrade to checkout@v5 and github-script@v8 ## claude.yml Refinements Reduce workflow noise and modernize dependencies: - Remove pull_request_review trigger (eliminates duplicate check runs) - Simplify bot filtering (delegate to claude-code-action) - Remove manual github.event.sender.type == 'User' checks - Upgrade actions/github-script@v7 → @v8 - Upgrade actions/checkout@v4 → @v5
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -1,20 +1,99 @@
 name: Claude Code Review
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, ready_for_review, reopened]
     # Optional: Only run on specific file changes
     # paths:
     #   - "src/**/*.ts"
     #   - "src/**/*.tsx"
     #   - "src/**/*.js"
     #   - "src/**/*.jsx"
+  pull_request_target:
+    types: [opened, synchronize, ready_for_review, reopened]
+
+env:
+  # Shared action configuration
+  TRACK_PROGRESS: 'true'
+  USE_STICKY_COMMENT: 'true'
+  ADDITIONAL_PERMISSIONS: |
+    actions: read
+
+  REVIEW_PROMPT: |
+    REPO: ${{ github.repository }}
+    PR NUMBER: ${{ github.event.pull_request.number }}
+    TITLE: ${{ github.event.pull_request.title }}
+    BODY: ${{ github.event.pull_request.body }}
+    AUTHOR: ${{ github.event.pull_request.user.login }}
+    COMMIT: ${{ github.event.pull_request.head.sha }}
+    Note: The PR branch is already checked out in the current working directory.
+
+    Gather Context (complete these steps FIRST, silently - don't report on this process):
+    1. Check CI status: Use mcp__github_ci__get_ci_status to see if tests passed/failed
+    2. Get previous reviews: Run gh pr view ${{ github.event.pull_request.number }} --comments
+    3. Identify previous bot reviews and track which issues were raised before
+    4. If CI failed: Use mcp__github_ci__get_workflow_run_details for failure details
+
+    Review Approach:
+    - If first review: Comprehensive analysis of all changes
+    - If previous reviews exist: Focus on changes since last review, track issue status, understand how changes impact pr
+    - Incorporate CI/test failure context into your feedback if relevant
+    - Use inline comments (mcp__github_inline_comment__create_inline_comment) for specific code issues
+
+    Do not include in your review:
+    - Task completion statements ("I completed the review", "Review finished")
+    - Process descriptions ("First I checked X, then I analyzed Y")
+    - Generic meta-commentary about reviewing
+    - Progress tracking
+
+    Review this pull request by individually analysing each of these thoroughly:
+    - Code quality and best practices
+    - Potential bugs or issues
+    - Security implications
+    - Performance considerations
+    - Test coverage
+    - assistant-ui specific requirements:
+      - The PR has a changeset if updating source code of published packages (packages/*)
+      - The PR includes documentation if API surface changes
+
+    Provide a comprehensive review build on previous reviews including:
+    - Summary of changes since last review
+    - Critical issues found (be thorough)
+    - Suggested improvements (be thorough)
+    - Good practices observed (be concise - list only the most notable items without elaboration)
+    - Leverage collapsible <details> sections where appropriate for lengthy explanations or code snippets to enhance human readability
+
+    When reviewing subsequent commits:
+    - Track status of previously identified issues
+    - Identify new problems introduced since last review
+    - Note if fixes introduced new issues
+
+    IMPORTANT: Be comprehensive about issues and improvements. For good practices, be brief - just note what was done well without explaining why or praising excessively. NO meta-commentary about the review process itself.
+
+    Use `mcp__github_inline_comment__create_inline_comment` only for critical code issues or relevant suggestions. Check existing inline comments first to avoid duplicates. Do NOT use inline comments for good practices or positive observations. Each inline comment must be well thought out, precise, and actionable.
+
+    You have been provided with the mcp__github_comment__update_claude_comment tool to update your comment. This tool automatically handles PR comments. Only the body parameter is required - the tool automatically knows which comment to update.
+
+    IMPORTANT: Submit your review feedback by updating the Claude comment using mcp__github_comment__update_claude_comment. This will be displayed as your PR review.
+
+  # Allowed tools:
+  # - mcp__github_inline_comment__create_inline_comment: Create inline code comments
+  # - Bash(gh ...): Read-only GitHub CLI commands for PR/issue info
+  # Note: gh pr comment is NOT allowed - Claude must use update_claude_comment only
+  CLAUDE_ARGS: '--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
 
 jobs:
   claude-review:
-    # Skip draft PRs
-    if: github.event.pull_request.draft == false
+    # Only run if at least one review scenario matches
+    if: |
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.head.repo != null &&
+      (
+        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
+        (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
+      )
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       pull-requests: write
@@ -24,52 +103,110 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: refs/pull/${{ github.event.pull_request.number }}/head
           fetch-depth: 1
 
-      - name: Run Claude Code Review
-        id: claude-review
-        uses: anthropics/claude-code-action@v1
+      # Minimize previous bot comments on fork PRs to keep discussion clean
+      # NOTE: Temporary workaround until https://github.com/anthropics/claude-code-action/pull/411 is merged
+      # PR #411 adds sticky_comment_app_bot_id/name config to make sticky comments work with github-actions[bot]
+      # Uses GraphQL script instead of int128/hide-comment-action or step-security fork for no external dependencies
+      - name: Minimize previous fork PR comments
+        if: |
+          github.event_name == 'pull_request_target' &&
+          github.event.pull_request.head.repo.full_name != github.repository
+        uses: actions/github-script@v8
         with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          allowed_non_write_users: '*'
+          script: |
+            try {
+              const owner = context.repo.owner;
+              const repo = context.repo.repo;
+              const prNumber = context.issue.number;
+              let hasNextPage = true;
+              let afterCursor = null;
+              let minimizedCount = 0;
 
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number }}
+              core.info(`Checking for previous github-actions comments on PR #${prNumber}...`);
 
-            Please review this pull request against our checklist:
+              while (hasNextPage) {
+                const { repository } = await github.graphql(`
+                  query($owner: String!, $repo: String!, $prNumber: Int!, $after: String) {
+                    repository(owner: $owner, name: $repo) {
+                      pullRequest(number: $prNumber) {
+                        comments(first: 100, after: $after) {
+                          nodes {
+                            id
+                            author { login }
+                            isMinimized
+                          }
+                          pageInfo {
+                            hasNextPage
+                            endCursor
+                          }
+                        }
+                      }
+                    }
+                  }
+                `, { owner, repo, prNumber, after: afterCursor });
 
-            ## Code Quality
-            - [ ] Code follows our style guide
-            - [ ] No commented-out code
-            - [ ] Meaningful variable names
-            - [ ] DRY principle followed
+                const comments = repository.pullRequest.comments.nodes;
+                const pageInfo = repository.pullRequest.comments.pageInfo;
 
-            ## Requirements
-            - [ ] The PR has a changeset when updating source code of published packages (packages/*)
-            - [ ] The PR includes documentation if API surface changes
+                // Filter for non-minimized github-actions comments
+                const botComments = comments.filter(c =>
+                  c.author?.login === 'github-actions' && !c.isMinimized
+                );
 
-            ## Review Areas
-            - [ ] Code quality and best practices
-            - [ ] Potential bugs or issues
-            - [ ] Performance considerations
-            - [ ] Security concerns
-            - [ ] Test coverage
+                core.info(`Found ${botComments.length} non-minimized bot comment(s) in this batch`);
 
-            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
+                // Minimize each bot comment
+                for (const comment of botComments) {
+                  await github.graphql(`
+                    mutation($commentId: ID!) {
+                      minimizeComment(input: { subjectId: $commentId, classifier: OUTDATED }) {
+                        minimizedComment { isMinimized }
+                      }
+                    }
+                  `, { commentId: comment.id });
+                  minimizedCount++;
+                }
 
-            Use `mcp__github_inline_comment__create_inline_comment` to comment on specific code lines.
-            Use your Bash tool to run `gh pr comment ${{ github.event.pull_request.number }}` to post your review.
+                hasNextPage = pageInfo.hasNextPage;
+                afterCursor = pageInfo.endCursor;
+              }
 
-          # Optional: Use sticky comments to make Claude reuse the same comment on subsequent pushes to the same PR
-          use_sticky_comment: true
+              core.info(`✓ Successfully minimized ${minimizedCount} previous comment(s)`);
+            } catch (error) {
+              core.setFailed(`Failed to minimize comments: ${error.message}`);
+            }
 
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
-          claude_args: '--allowed-tools "mcp__github_inline_comment__create_inline_comment,Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment ${{ github.event.pull_request.number }}:*),Bash(gh pr comment --edit-last:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+      # Same-repo PRs: Use pull_request trigger + OIDC → claude[bot]
+      - name: Internal Review
+        if: |
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          prompt: ${{ env.REVIEW_PROMPT }}
+          use_sticky_comment: ${{ fromJSON(env.USE_STICKY_COMMENT) }}
+          track_progress: ${{ fromJSON(env.TRACK_PROGRESS) }}
+          claude_args: ${{ env.CLAUDE_ARGS }}
+          additional_permissions: ${{ env.ADDITIONAL_PERMISSIONS }}
 
+      # Fork PRs: Use pull_request_target trigger + github_token → github-actions[bot]
+      - name: Fork Review
+        if: |
+          github.event_name == 'pull_request_target' &&
+          github.event.pull_request.head.repo.full_name != github.repository
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          allowed_non_write_users: '*'
+          prompt: ${{ env.REVIEW_PROMPT }}
+          use_sticky_comment: ${{ fromJSON(env.USE_STICKY_COMMENT) }}
+          track_progress: ${{ fromJSON(env.TRACK_PROGRESS) }}
+          claude_args: ${{ env.CLAUDE_ARGS }}
+          additional_permissions: ${{ env.ADDITIONAL_PERMISSIONS }}
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -7,17 +7,14 @@ on:
     types: [created]
   issues:
     types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
 
 jobs:
   check-permissions:
-    # Only run if @claude is mentioned and triggered by a User (not bot)
+    # Only run if @claude is mentioned (bot filtering handled by claude-code-action)
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && github.event.sender.type == 'User') ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && github.event.sender.type == 'User') ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && github.event.sender.type == 'User') ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && github.event.sender.type == 'User')
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -26,7 +23,7 @@ jobs:
     steps:
       - name: Check user has write access
         id: check
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             try {
@@ -57,7 +54,7 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
