devondragon · devondragon · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Copilot
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -2,7 +2,7 @@ name: Claude Code Review
 
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [opened, synchronize, ready_for_review, reopened]
-    types: [opened, synchronize, ready_for_review, reopened]
+    types: [opened, synchronize, reopened]
-    types: [opened, synchronize, ready_for_review, reopened]
+    types: [opened, synchronize, reopened]
     # Optional: Only run on specific file changes
     # paths:
     #   - "src/**/*.ts"
@@ -36,22 +36,9 @@ jobs:
         uses: anthropics/claude-code-action@v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number }}
-
-            Please review this pull request and provide feedback on:
-            - Code quality and best practices
-            - Potential bugs or issues
-            - Performance considerations
-            - Security concerns
-            - Test coverage
-
-            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
-
-            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
-
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
-          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
-          plugins: 'code-review@claude-code-plugins'
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          # Security note:
+          # - The "code-review@claude-code-plugins" plugin is used only for static code review.
+          # - It operates via the Claude Code backend using the OAuth token above, with read-only
+          #   access to repository contents, pull request metadata, and issues (see the job
+          #   permissions: contents: read, pull-requests: read, issues: read, id-token: write).
+          # - This workflow no longer exposes granular "allowed-tools" bash/gh commands directly.
+          #   Instead, the plugin's capabilities are restricted by the Claude Code service and are
+          #   intended to match or be more restrictive than the previous allowed-tools configuration
+          #   (e.g., viewing PRs/issues and posting review comments), without granting arbitrary
+          #   shell or GitHub CLI execution in this runner.
+          plugins: 'code-review@claude-code-plugins'
+          # The prompt below invokes the code-review plugin on the target pull request.
+          # It does not execute local shell commands; all operations are performed by the
+          # Claude Code service within the permissions described above.
-          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
-          plugins: 'code-review@claude-code-plugins'
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          # Security note:
+          # - The "code-review@claude-code-plugins" plugin is used only for static code review.
+          # - It operates via the Claude Code backend using the OAuth token above, with read-only
+          #   access to repository contents, pull request metadata, and issues (see the job
+          #   permissions: contents: read, pull-requests: read, issues: read, id-token: write).
+          # - This workflow no longer exposes granular "allowed-tools" bash/gh commands directly.
+          #   Instead, the plugin's capabilities are restricted by the Claude Code service and are
+          #   intended to match or be more restrictive than the previous allowed-tools configuration
+          #   (e.g., viewing PRs/issues and posting review comments), without granting arbitrary
+          #   shell or GitHub CLI execution in this runner.
+          plugins: 'code-review@claude-code-plugins'
+          # The prompt below invokes the code-review plugin on the target pull request.
+          # It does not execute local shell commands; all operations are performed by the
+          # Claude Code service within the permissions described above.
+          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
-          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # Instruct Claude (with the code-review plugin) to review the current pull request.
+          prompt: >
+            Please run a code review on the pull request at
+            https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}.
-          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+          # Instruct Claude (with the code-review plugin) to review the current pull request.
+          prompt: >
+            Please run a code review on the pull request at
+            https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}.
           # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
           # or https://code.claude.com/docs/en/cli-reference for available options
-          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'