Skip to content

ci: add Claude Code PR review workflow (OAuth auth)#9

Closed
rohansx wants to merge 11 commits into
mainfrom
ci/claude-pr-review
Closed

ci: add Claude Code PR review workflow (OAuth auth)#9
rohansx wants to merge 11 commits into
mainfrom
ci/claude-pr-review

Conversation

@rohansx

@rohansx rohansx commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

Adds .github/workflows/claude-code-review.yml — automated PR review via anthropics/claude-code-action@v1, authenticated with a Claude subscription OAuth token (CLAUDE_CODE_OAUTH_TOKEN) instead of an API key.

Behavior

  • Triggers on pull_request: opened, synchronize, ready_for_review, reopened. Draft PRs are skipped.
  • concurrency + cancel-in-progress: a new push cancels the in-flight review, so only the latest commit is reviewed.
  • track_progress: true: posts a live checklist comment and inline line comments.
  • Prompt tailored to CloakPipe: PII leak-safety, cryptographic ledger/verifier integrity (chain/sigs/anchors/proofs not failing open), Rust correctness, the <5ms hot path, and the cloakleak/verifier gates.
  • Least privilege: contents: read, pull-requests: write, id-token: write.

Required before it runs

Repo secret CLAUDE_CODE_OAUTH_TOKEN must be set (claude setup-token, then gh secret set CLAUDE_CODE_OAUTH_TOKEN).

Test plan

  • Add the CLAUDE_CODE_OAUTH_TOKEN secret
  • Confirm the Claude Code Review job runs on this PR and posts a review

🤖 Generated with Claude Code

Runs anthropics/claude-code-action@v1 on non-draft PRs, authenticated
with a Claude subscription OAuth token (CLAUDE_CODE_OAUTH_TOKEN) rather
than an API key. Review prompt is tailored to CloakPipe: PII leak-safety,
cryptographic ledger/verifier integrity, Rust correctness, hot-path
performance, and the cloakleak/verifier gates. Uses track_progress for a
live checklist, concurrency cancellation to review only the latest push,
and least-privilege permissions.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

Defines what Important means for CloakPipe (PII leakage, fail-open crypto
verification, panics on untrusted input, concurrency hazards), caps nits,
skips CI-enforced and intentionally-insecure baseline code, and lists
always-check rules for the privacy and verifier invariants.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

rohansx added 2 commits July 3, 2026 22:18
Avoids the 'Claude Code GitHub App not installed' 401 by passing the
Actions token instead of falling back to app-token exchange.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 2s —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

1 similar comment
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 2s —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 2s —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

Responds to @claude mentions on issues and PRs via the same OAuth token.
Note: comment-triggered workflows only run from the default branch, so
this takes effect once merged to main.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 2s —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 3s —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 2s —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 2m 54s —— View job


Claude Code Review

1 important, 1 nit.

  • Gather context (diff, CLAUDE.md, changed files)
  • Review .github/workflows/claude-code-review.yml
  • Review .github/workflows/claude.yml
  • Review REVIEW.md
  • Post final review

This PR only adds CI workflow files and a reviewer-instructions doc — no Rust/PII/crypto code is touched, so the review focuses on the workflow security/behavior itself rather than the CloakPipe-specific checklist in REVIEW.md.

🔴 Important

  • .github/workflows/claude.yml:24-34 — write-privileged agent can be triggered by anyone commenting @claude. The job condition only checks that a comment/issue/review body contains the string @claude; it never checks author_association. Combined with contents: write / pull-requests: write / issues: write and no claude_args/--allowedTools restriction, any GitHub user (including non-collaborators on a public repo) can get a broadly-privileged agent to run arbitrary instructions with push access. Recommend gating each branch of the if: on author_association being OWNER/MEMBER/COLLABORATOR (details and suggested snippet in the inline comment).

🟡 Nit

  • .github/workflows/claude-code-review.yml:92--allowedTools includes Bash(gh pr comment:*) in addition to mcp__github_inline_comment__create_inline_comment and track_progress: true. That lets Claude post extra freeform comments outside the single tracked comment this design otherwise relies on, risking duplicate/orphaned comments across re-runs. Consider dropping it.

Other observations (no action needed)

  • claude-code-review.yml correctly skips drafts, scopes concurrency per PR number, and uses least-privilege permissions (contents: read, pull-requests: write, id-token: write) for the review-only job — good defaults.
  • I checked whether fetch-depth: 1 in the checkout step (both workflows) would break git diff origin/main...HEAD-based review, since earlier runs on this PR returned empty/placeholder review text. In this very execution, origin/main was resolvable locally despite the shallow checkout, so the action appears to fetch what it needs internally — this isn't the cause of the earlier empty runs, and I couldn't find another concrete cause in the diff, so I'm not flagging it as a bug.
  • claude.yml's comment correctly notes that issue_comment/pull_request_review_comment/issues triggers only execute the copy of the workflow on the default branch — worth remembering that the author-association fix above only takes effect once merged to main.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

Comment on lines +24 to +34
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: write # allow @claude to apply and push fixes when asked
pull-requests: write
issues: write
id-token: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Important — anyone can trigger a write-privileged agent by commenting "@claude"

The job's if: only checks that the comment/issue/review body contains the string @claude (lines 25-28). It never checks github.event.comment.author_association (or the issue/review equivalents), and the job runs with contents: write, pull-requests: write, and issues: write (lines 31-34).

On a public repo this means any GitHub account — not just maintainers or collaborators — can open an issue or comment on any PR (including one they opened from a fork) with @claude <arbitrary instructions> and get an agent to run with push access to the repo and issue/PR write access. Since claude.yml doesn't set claude_args/--allowedTools at all, the action's default (fairly broad) tool access applies, so the blast radius of an untrusted instruction here is large — pushing unreviewed commits, editing issues/PRs, etc.

Suggest gating the condition on author association, e.g.:

if: |
  (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') &&
   contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
  ...

and the same for the pull_request_review_comment, pull_request_review, and issues branches.

Fix this →


# Read-only repo access plus the ability to post review comments.
claude_args: |
--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Nit: --allowedTools includes Bash(gh pr comment:*) alongside mcp__github_inline_comment__create_inline_comment and track_progress: true. This lets Claude post extra freeform top-level PR comments outside the single tracked/managed comment the rest of this setup relies on, which can lead to duplicate/orphaned comments on re-runs instead of one comment being updated. Consider dropping gh pr comment from the allowlist so all output goes through track_progress + inline comments.

…tools

- claude.yml: require OWNER/MEMBER/COLLABORATOR to trigger the
  write-privileged @claude agent (was: anyone could trigger it).
- claude-code-review.yml: drop Bash(gh pr comment:*) so track_progress
  keeps a single tracked comment instead of duplicate freeform ones.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Claude finished @rohansx's task in 48s —— View job


Claude Code Review

No blocking issues.

  • Gather context (diff, CLAUDE.md, changed files)
  • Review .github/workflows/claude-code-review.yml
  • Review .github/workflows/claude.yml
  • Review REVIEW.md
  • Post final review

This push (f2d9165) addresses both findings from the prior review:

  • .github/workflows/claude.yml — the job condition now requires author_association to be OWNER/MEMBER/COLLABORATOR on every branch (issue_comment, pull_request_review_comment, pull_request_review, issues), closing the previous gap where any GitHub user could trigger a write-privileged (contents: write, pull-requests: write, issues: write) agent by commenting @claude. ✅ Fixed.
  • .github/workflows/claude-code-review.yml:90-94Bash(gh pr comment:*) has been dropped from --allowedTools, so all output now goes through track_progress + inline comments instead of risking duplicate/orphaned freeform comments. ✅ Fixed.

No new issues found in this diff (only these two workflow files and REVIEW.md, which is unchanged in this push, were touched — no Rust/PII/crypto code is affected).

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

v2 gate results

  • build + test + clippy
  • cloakleak zero-leak gate (prose + tool_json)
  • cloakpipe-verify end-to-end (chain + sigs + anchors + proofs + all)

See PR artifacts for the scoreboards.

@rohansx

rohansx commented Jul 3, 2026

Copy link
Copy Markdown
Owner Author

Superseded by #10 (clean, squashed version, merged to main). Closing.

@rohansx rohansx closed this Jul 3, 2026
@rohansx rohansx deleted the ci/claude-pr-review branch July 3, 2026 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant