ci: add claude-code-review reusable workflow#54

Open
sydorovdmytro wants to merge 1 commit into main from claude-code-review

Conversation

@sydorovdmytro
Collaborator

@sydorovdmytro sydorovdmytro commented Mar 30, 2026

Summary

  • Extracts the Claude Code Review workflow as a reusable workflow_call workflow
  • Source: identical workflow in loft-enterprise, vcluster, and vcluster-pro (automatic PR review on pull_request_target)
  • SHA-pinned actions/checkout@v6.0.2 and anthropics/claude-code-action@v1
  • Added persist-credentials: false on checkout
  • Parameterized ANTHROPIC_API_KEY as a workflow_call secret (anthropic-api-key)
  • Standardized ${VAR} quoting
  • Preserves fork handling (loft-sh owner guard + remote setup for fork PRs)

Security hardening

  • Replaced gh CLI tools with local-only tools (Read,Glob,Grep,LS,Bash(git diff:*),Bash(git log:*)) — prevents secret exfiltration via shell expansion in gh pr comment
  • Restore CLAUDE.md from base branch before review — prevents prompt injection from PR head
  • Added concurrency group — cancels stale review runs on rapid pushes
  • Added timeout-minutes: 15 — prevents runaway runner usage
  • Removed unused issues: read permission — least privilege

Caller example

name: Claude Code Review

on:
  pull_request_target:
    types: [opened, synchronize, ready_for_review, reopened]

jobs:
  claude-code-review:
    uses: loft-sh/github-actions/.github/workflows/claude-code-review.yaml@claude-code-review/v1
    secrets:
      anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

Test plan

  • actionlint passes
  • zizmor passes
  • CI green
  • Tag claude-code-review/v1 after merge
  • Migration PRs in loft-enterprise, vcluster, and vcluster-pro

Part of the Phase 3 GitHub Actions centralization effort.

Extracts the Claude Code Review workflow (automatic PR review triggered
on pull_request_target) as a reusable workflow_call workflow.

Source: identical workflow in loft-enterprise, vcluster, and vcluster-pro.

Changes from source:
- SHA-pinned actions/checkout and anthropics/claude-code-action
- Added persist-credentials: false on checkout
- Parameterized ANTHROPIC_API_KEY as a workflow_call secret
- Standardized variable quoting to ${VAR} style

Security hardening:
- Replaced gh CLI tools with local-only Read/Glob/Grep/LS and git diff/log
  to prevent secret exfiltration via shell expansion
- Restore CLAUDE.md from base branch to prevent prompt injection from PRs
- Added concurrency group to cancel stale review runs
- Added timeout-minutes: 15
- Removed unused issues:read permission (least privilege)
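As an added example (not the PR's own workflow file, which is not shown on this page), here is a reusable workflow that applies the hardening items listed in the description. The `<CHECKOUT_SHA>` and `<CLAUDE_ACTION_SHA>` pins are placeholders for the real commit SHAs, the `prompt` text is made up, and passing the allowed-tools list via the v1 action's `claude_args` input with `--allowedTools` is an assumption about the action's interface.

```yaml
# Hypothetical reusable workflow illustrating the hardening described in the PR.
# <CHECKOUT_SHA> / <CLAUDE_ACTION_SHA> are placeholders for the pinned commit SHAs.
name: Claude Code Review (reusable)

on:
  workflow_call:
    secrets:
      anthropic-api-key:
        required: true

# Cancel a stale review when the same PR receives another push.
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# Least privilege: no issues permission, read-only everywhere else.
permissions:
  contents: read
  pull-requests: read

jobs:
  review:
    # Owner guard: only run inside loft-sh repositories.
    if: github.repository_owner == 'loft-sh'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@<CHECKOUT_SHA> # v6.0.2
        with:
          # Review the PR head, pinned to its SHA so a later push cannot swap the tree.
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          # Do not leave the GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false

      - name: Restore CLAUDE.md from base branch
        # The PR head may carry a modified CLAUDE.md; the reviewer must read the base one.
        # The ref goes through env, not inline ${{ }} in the script, to avoid shell injection.
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git fetch origin "${BASE_REF}"
          git checkout "origin/${BASE_REF}" -- CLAUDE.md

      - uses: anthropics/claude-code-action@<CLAUDE_ACTION_SHA> # v1
        with:
          anthropic_api_key: ${{ secrets.anthropic-api-key }}
          prompt: "Review this pull request for correctness and security issues."
          # Assumed v1 input: local-only tools, no gh CLI, so no shell path from the model to the API key.
          claude_args: '--allowedTools "Read,Glob,Grep,LS,Bash(git diff:*),Bash(git log:*)"'
```

Running zizmor and actionlint against the file, as the test plan does, is the quickest way to confirm the pins, permissions and `persist-credentials` setting survived any later edits.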
