Use shared claude-review reusable workflow #1874
Pull request overview
This PR migrates the repository’s Claude PR review automation from an inlined workflow definition to a shared reusable workflow in stellar/actions, aiming to centralize maintenance and standardize the security model across Stellar repos.
Changes:
- Replaced the inlined `claude-review.yml` job steps with a call to `stellar/actions/.github/workflows/claude-review.yml@main`.
- Narrowed the `pull_request` trigger types to only `ready_for_review` and `synchronize`.
- Passed the Anthropic API key secret through to the reusable workflow.
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| types: [ready_for_review, synchronize] |
| permissions: {} | ||
|
|
||
| jobs: | ||
| review: |
| cancel-in-progress: true | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| review: | ||
| if: github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| track_progress: true | ||
| prompt: | | ||
| REPO: ${{ github.repository }} | ||
| PR NUMBER: ${{ github.event.pull_request.number }} | ||
|
|
||
| Please review this pull request with a focus on: | ||
| - Code quality and best practices | ||
| - Potential bugs or issues | ||
| - Security implications | ||
| - Performance considerations | ||
|
|
||
| Provide detailed feedback using inline comments for specific issues. | ||
|
|
||
| # --max-turns caps how many tool-use cycles Claude can run, which | ||
| # bounds token spend per invocation. The allowed `gh pr` commands are | ||
| # scoped to this PR's number so a misfire can't reach into another PR. | ||
| claude_args: | | ||
| --max-turns 30 | ||
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment ${{ github.event.pull_request.number }}:*),Bash(gh pr diff ${{ github.event.pull_request.number }}:*),Bash(gh pr view ${{ github.event.pull_request.number }}:*)" | ||
| uses: stellar/actions/.github/workflows/claude-review.yml@main | ||
| secrets: |
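Review bot: the job-level permissions block (contents: read, pull-requests: write, id-token: write) leaves this file together with the inline steps, but the workflow-level `permissions: {}` stays, so the `uses:` job now hands the reusable workflow a GITHUB_TOKEN with no scopes; a called workflow can only downgrade, never raise, the permissions of the calling job, so re-add `permissions:` on the `review` job with at least `contents: read` and `pull-requests: write` (and `id-token: write` if the callee still needs OIDC). On the same hunk, the removed `if: github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false` guard has no replacement; on the `pull_request` trigger a fork PR cannot read repository secrets, so ANTHROPIC_API_KEY would be empty and the job would start and fail rather than be skipped. `if:` is accepted on a reusable-workflow job, so keep the fork check here. Two smaller points: `@main` is a mutable ref for a workflow that receives the API key secret and writes to PRs, so pin to a full commit SHA (or a reviewed tag) to keep a change in stellar/actions from silently altering this repo's review run; and since `--max-turns 30` and the `--allowedTools` list scoped to this PR's number are deleted here, confirm the reusable workflow carries equivalent bounds.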
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| types: [ready_for_review, synchronize] |
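Review bot: dropping `opened` and `reopened` from `types` means a PR that is created (or reopened) already non-draft never emits `ready_for_review`, so it gets no review until the next push. If the intent is to skip drafts, keep `opened` (and `reopened`) in the list and gate on `github.event.pull_request.draft == false` as the removed job-level `if:` did, rather than relying on the event type alone.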
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 80f17e0320
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| claude_args: | | ||
| --max-turns 30 | ||
| --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment ${{ github.event.pull_request.number }}:*),Bash(gh pr diff ${{ github.event.pull_request.number }}:*),Bash(gh pr view ${{ github.event.pull_request.number }}:*)" | ||
| uses: stellar/actions/.github/workflows/claude-review.yml@main |
Re-add token permissions on the reusable workflow call
This change removes the job-level permissions block while keeping workflow-level permissions: {}, which leaves the called reusable workflow with a GITHUB_TOKEN that has no scopes. In that state, the review workflow cannot perform core actions like reading contents or writing PR comments/reviews, so Claude review runs will fail or become non-functional for all PRs.
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| types: [ready_for_review, synchronize] |
Trigger on PR open so ready PRs get an initial review
Restricting pull_request.types to ready_for_review and synchronize skips the initial run for PRs that are created already non-draft, because those PRs emit opened (not ready_for_review). As a result, many PRs will not receive any Claude review until another commit is pushed, which is a functional regression from the previous workflow behavior.
What

Replace the inlined `claude-review.yml` workflow with a call to the shared reusable workflow at `stellar/actions/.github/workflows/claude-review.yml@main`. Keep the existing `pull_request` trigger (the safer default; fork PRs can't access secrets on this event so they cannot be reviewed) and narrow the trigger types to `[ready_for_review, synchronize]` so Claude only reviews PRs that are marked ready and re-reviews on new commits.

Why

The same claude-review workflow is maintained across four stellar repos. Moving to `stellar/actions` lets all repos share one implementation, so the security model and prompt updates live in one place. The reusable workflow also adopts the harder `pull_request_target` flow with an author-association gate, enabling reviews of fork PRs from org members while still keeping secrets out of attacker-controlled code paths.

Example

Before — fully inlined workflow with `pull_request` trigger.

After:

Note

Requires the corresponding PR in `stellar/actions` to be merged first so that `stellar/actions/.github/workflows/claude-review.yml@main` resolves:
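A caller workflow that addresses both Codex threads above (the no-scope GITHUB_TOKEN on the `uses:` job, and the missing initial review for PRs opened non-draft) while keeping the fork guard from the removed inline job. This is an added example, not the PR's own "After" file and not code from stellar/actions; the secret name `anthropic_api_key` on the reusable workflow and the `concurrency` group name are assumptions, and the ref is left as `@main` where a real deployment would pin a commit SHA:

```yaml
name: Claude review

on:
  pull_request:
    # Keep `opened` and `reopened`: a PR created non-draft never emits
    # `ready_for_review`, so without them it gets no initial review.
    # Drafts are filtered by the job-level `if:` below instead.
    types: [opened, reopened, ready_for_review, synchronize]

# Deny everything by default at the workflow level ...
permissions: {}

concurrency:
  # Assumed group name: one run per PR, a newer push cancels the older run.
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    # On `pull_request`, forks cannot read repository secrets, so the API
    # key would be empty; skip forks (and drafts) rather than start and fail.
    if: github.event.pull_request.draft == false && github.event.pull_request.head.repo.fork == false
    # ... and grant scopes on the calling job. A called reusable workflow can
    # only downgrade the caller's permissions, so with `permissions: {}` above
    # and nothing here, posting a PR comment inside the callee would be denied.
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    # Prefer a full commit SHA over `@main` so a change in stellar/actions
    # cannot silently alter what runs with this secret in this repo.
    uses: stellar/actions/.github/workflows/claude-review.yml@main
    secrets:
      # Assumed name of the secret declared under the callee's
      # `on.workflow_call.secrets`.
      anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
```

The draft and fork filtering lives in the job-level `if:`, so `types` can stay broad; the two review threads only disagree about where that filtering should sit, not about the result.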