Add Claude Code GitHub Actions workflows#41
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughAdded two GitHub Actions workflows: one automatically invokes Claude Code for selected pull request events, and another responds to Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/claude-code-review.yml:
- Around line 21-27: Add a timeout-minutes setting to the workflow job
containing the runs-on and permissions configuration, using an appropriate
finite duration to prevent stuck Claude runs from consuming the runner’s full
default timeout.
- Around line 3-11: Add workflow-level concurrency control to the pull_request
workflow in claude-code-review.yml, using a group keyed to the pull request or
workflow identity and cancel-in-progress enabled so rapid synchronize events do
not overlap. Align the configuration with the existing claude.yml concurrency
behavior.
- Around line 29-41: Update the workflow’s actions/checkout and
anthropics/claude-code-action references to immutable commit SHAs instead of
mutable version tags, and configure checkout with persist-credentials disabled.
Apply the same changes to the corresponding identical workflow pattern
referenced in the review.
- Around line 4-5: Update the pull_request trigger configuration in the Claude
review workflow to skip draft pull requests, including pushes while a PR remains
draft, while preserving reviews for ready-for-review and subsequent non-draft
updates.
- Around line 39-40: Update the claude-code-action configuration around
plugin_marketplaces and plugins so the code-review plugin resolves from a forked
or vendored marketplace with a stable pinned revision instead of the upstream
default branch. Preserve the existing review plugin selection while replacing
the unpinnable upstream marketplace reference.
In @.github/workflows/claude.yml:
- Around line 28-38: Update the workflow steps around Checkout repository and
Run Claude Code to pin both actions to immutable commit SHAs instead of mutable
tags, and configure actions/checkout with persist-credentials: false. Preserve
the existing checkout depth and Claude Code OAuth token configuration.
- Around line 20-26: Add a timeout-minutes setting to the workflow job in
claude.yml, matching the timeout configuration used by claude-code-review.yml.
Place it at the job level alongside runs-on and permissions, using the
established timeout value.
- Around line 3-11: Add a concurrency configuration to the workflow triggered by
issue comments, pull request review comments, issues, and pull request reviews.
Use a stable workflow- and ref-scoped concurrency group, and configure
cancellation behavior consistently with claude-code-review.yml while preserving
these existing triggers.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 5b527f90-b8e6-4118-9784-0ad05fed134f
📒 Files selected for processing (2)
.github/workflows/claude-code-review.yml.github/workflows/claude.yml
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] | ||
| # Optional: Only run on specific file changes | ||
| # paths: | ||
| # - "src/**/*.ts" | ||
| # - "src/**/*.tsx" | ||
| # - "src/**/*.js" | ||
| # - "src/**/*.jsx" |
There was a problem hiding this comment.
🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win
No concurrency control (see consolidated comment).
This workflow re-runs on every synchronize; without a concurrency group, rapid pushes can pile up overlapping review runs. Consolidated below with claude.yml.
🧰 Tools
🪛 YAMLlint (1.37.1)
[warning] 3-3: truthy value should be one of [false, true]
(truthy)
🪛 zizmor (1.26.1)
[warning] 3-11: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 3 - 11, Add
workflow-level concurrency control to the pull_request workflow in
claude-code-review.yml, using a group keyed to the pull request or workflow
identity and cancel-in-progress enabled so rapid synchronize events do not
overlap. Align the configuration with the existing claude.yml concurrency
behavior.
Source: Linters/SAST tools
| pull_request: | ||
| types: [opened, synchronize, ready_for_review, reopened] |
There was a problem hiding this comment.
🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win
Consider skipping draft PRs.
opened/synchronize fire even while the PR is still a draft, so Claude re-reviews on every push before the author is ready — wasted API/CI spend.
♻️ Suggested guard
jobs:
claude-review:
+ if: github.event.pull_request.draft == false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| pull_request: | |
| types: [opened, synchronize, ready_for_review, reopened] | |
| jobs: | |
| claude-review: | |
| if: github.event.pull_request.draft == false |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 4 - 5, Update the
pull_request trigger configuration in the Claude review workflow to skip draft
pull requests, including pushes while a PR remains draft, while preserving
reviews for ready-for-review and subsequent non-draft updates.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
|
|
There was a problem hiding this comment.
🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win
Add a job timeout.
No timeout-minutes is set, so a stuck or looping Claude run can consume the full default runner timeout on every PR push.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 24-24: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 21 - 27, Add a
timeout-minutes setting to the workflow job containing the runs-on and
permissions configuration, using an appropriate finite duration to prevent stuck
Claude runs from consuming the runner’s full default timeout.
Source: Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' | ||
| plugins: 'code-review@claude-code-plugins' | ||
| prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Unpinned action refs and default credential persistence (see consolidated comment).
actions/checkout@v4 and anthropics/claude-code-action@v1 are pinned to mutable tags, and checkout leaves persist-credentials at its default (true). Details and fix consolidated below since claude.yml has the identical pattern.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 29-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 29 - 41, Update the
workflow’s actions/checkout and anthropics/claude-code-action references to
immutable commit SHAs instead of mutable version tags, and configure checkout
with persist-credentials disabled. Apply the same changes to the corresponding
identical workflow pattern referenced in the review.
Source: Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
|
|
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Unpinned action refs and default credential persistence (see consolidated comment).
Same pattern as claude-code-review.yml: actions/checkout@v4 and anthropics/claude-code-action@v1 pinned to mutable tags, checkout without persist-credentials: false. Consolidated below.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 28-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 28 - 38, Update the workflow steps
around Checkout repository and Run Claude Code to pin both actions to immutable
commit SHAs instead of mutable tags, and configure actions/checkout with
persist-credentials: false. Preserve the existing checkout depth and Claude Code
OAuth token configuration.
Source: Linters/SAST tools
`claude-code-review.yml` used `on: pull_request`, which gets no secrets on fork PRs, so CLAUDE_CODE_OAUTH_TOKEN was empty and review never ran for our fork-based PRs. Switch to `pull_request_target` (runs in the base repo with the secret available) and gate the job to PRs from the jnasbyupgrade fork only, so external forks can't trigger the secret-bearing job. Check out the PR head read-only (persist-credentials: false); no PR code is built or executed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
) - Add concurrency groups (cancel stale review runs; serialize @claude without cancelling in-progress responses). - Add timeout-minutes: 30 to both jobs. - Skip draft PRs in the auto-review. - Pin actions/checkout and anthropics/claude-code-action to immutable SHAs. - persist-credentials: false on all checkouts. (plugin_marketplaces can't be pinned — it tracks the marketplace default branch.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Revert the SHA pins on actions/checkout and anthropics/claude-code-action back to @v4/@v1. For these first-party actions we want upstream fixes to flow in automatically rather than freezing at a SHA. (CodeRabbit/zizmor will flag the unpinned refs; that's an accepted trade-off here.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@claude mentions are independent, read-only requests; serializing only delays responses and cancelling would drop them. Concurrency stays on claude-code-review.yml (cancel stale review runs), where it's useful. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
git subtree copies pgxntool's entire tree into embedding projects, including dev-only dirs (.github/, .claude/) that are export-ignored from `make dist` and don't belong in a consumer. subtree doesn't honor export-ignore, so update-setup-files.sh (run by pgxntool-sync) now prunes them via a new prune_pgxntool_dev_dirs helper in lib.sh. GitHub only runs root-level workflows, so a consumer's pgxntool/.github never executed anyway — this just keeps the embedded copy clean. Related changes in pgxntool-test: - Test that update-setup-files.sh prunes pgxntool/.github Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
64d6708
into
Postgres-Extensions:master
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to `@claude` mentions in issues/PRs) and `claude-code-review.yml` (automated review on new PRs). Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription token from `claude setup-token`) and the Claude GitHub App granted access to this repo. Paired pgxntool PR: Postgres-Extensions/pgxntool#41 Replaces the `/install-github-app` auto-generated PR, which targeted the fork and had a verbose boilerplate description. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to `@claude` mentions in issues/PRs) and `claude-code-review.yml` (automated review on new PRs). Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription token from `claude setup-token`) and the Claude GitHub App granted access to this repo. Paired pgxntool PR: Postgres-Extensions/pgxntool#41 Replaces the `/install-github-app` auto-generated PR, which targeted the fork and had a verbose boilerplate description. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to `@claude` mentions in issues/PRs) and `claude-code-review.yml` (automated review on new PRs). Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription token from `claude setup-token`) and the Claude GitHub App granted access to this repo. Paired pgxntool PR: Postgres-Extensions/pgxntool#41 Replaces the `/install-github-app` auto-generated PR, which targeted the fork and had a verbose boilerplate description. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the Claude Code GitHub Actions workflows: `claude.yml` (responds to `@claude` mentions in issues/PRs) and `claude-code-review.yml` (automated review on new PRs). Requires the `CLAUDE_CODE_OAUTH_TOKEN` secret (a Claude subscription token from `claude setup-token`) and the Claude GitHub App granted access to this repo. Paired pgxntool-test PR: Postgres-Extensions/pgxntool-test#26 Replaces the `/install-github-app` auto-generated PR, which targeted the fork and had a verbose boilerplate description. --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the Claude Code GitHub Actions workflows:
claude.yml(responds to@claudementions in issues/PRs) andclaude-code-review.yml(automated review on new PRs).Requires the
CLAUDE_CODE_OAUTH_TOKENsecret (a Claude subscription token fromclaude setup-token) and the Claude GitHub App granted access to this repo.Paired pgxntool-test PR: Postgres-Extensions/pgxntool-test#26
Replaces the
/install-github-appauto-generated PR, which targeted the fork and had a verbose boilerplate description.