Add Claude Code GitHub Workflow #15

Conversation

Walkthrough: Three GitHub Actions workflows are added for Claude Code: an automatic PR review workflow with error verification, a
Changes: Claude CI Workflows
Estimated code review effort: 2 (Simple) | ~10 minutes
Pre-merge checks: 5 passed
Deploying shakastack-com with
Latest commit: 7bc2568
Status: ✅ Deploy successful!
Preview URL: https://3aa133ac.shakastack-com.pages.dev
Branch Preview URL: https://add-claude-github-actions-17.shakastack-com.pages.dev
Actionable comments posted: 7
🧹 Nitpick comments (1)
.github/workflows/claude-deep-review.yml (1)
18-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Disable checkout credential persistence.
actions/checkout will otherwise leave the workflow token in the local git config for the downstream Claude action/plugin chain to access. This job does not need authenticated git writes after checkout.
Suggested fix
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
+ persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-deep-review.yml around lines 18 - 21, The Checkout repository step currently leaves the workflow token persisted in git config, which is unnecessary for this job. Update the actions/checkout configuration in the claude-deep-review workflow to disable credential persistence so downstream Claude actions cannot reuse the token. Keep the existing checkout behavior otherwise, and make the change in the Checkout repository step using the checkout action's credential-persistence setting.
Source: Linters/SAST tools
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 57f58621-1128-493f-b8ab-84f908c03390
📒 Files selected for processing (3)
- .github/workflows/claude-code-review.yml
- .github/workflows/claude-deep-review.yml
- .github/workflows/claude.yml
In @.github/workflows/claude-code-review.yml, lines 17-20:
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 1
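Review bot: `uses: actions/checkout@v6` on the second line of this hunk resolves a mutable tag, so the step runs whatever commit the `v6` tag points to at run time; the same applies to `actions/checkout@v4` in claude.yml and claude-deep-review.yml and to `anthropics/claude-code-action@v1` in all three workflows. Pin each `uses:` to a full commit SHA with the tag kept in a trailing comment (for example `uses: actions/checkout@<sha> # v6`, where `<sha>` is the commit you verified) so a retagged or compromised upstream release cannot change what runs with this job's token. This is independent of the persist-credentials finding, which still applies.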
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable credential persistence during checkout.
Line 17 leaves actions/checkout at its default, which writes the workflow token into .git/config. Because the next step runs a third-party action and exposes Bash tooling, that token becomes readable from the workspace with this job’s write scopes. Set persist-credentials: false here.
Suggested fix
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 1
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 17-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 17 - 20, The Checkout
repository step uses actions/checkout with default credential persistence, which
leaves the workflow token in .git/config and available to later steps. Update
the checkout configuration in the workflow to disable credential persistence by
setting persist-credentials to false in the actions/checkout setup so the token
is not written into the workspace.
Source: Linters/SAST tools
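The finding above, and the same one raised against claude.yml and claude-deep-review.yml, says the token ends up in .git/config. The script below is an added example, not code from this PR, from CodeRabbit or from actions/checkout, that shows exactly where it lands and checks a checkout for it. It assumes the layout actions/checkout uses when persist-credentials is left at its default: an `http.<server>/.extraheader` entry holding `AUTHORIZATION: basic` over base64 of `x-access-token:<token>`. It also flags a token embedded as userinfo in a remote URL, which the finding does not mention. The sample config and the token `ghs_EXAMPLEtoken` are constructed.

```python
"""Find a GitHub token that actions/checkout left behind in .git/config.

Added example for this review; not code from the PR, from CodeRabbit or from
actions/checkout. Assumed layout (what checkout writes with persist-credentials
at its default): an `http.<server>/.extraheader` entry whose value is
`AUTHORIZATION: basic base64("x-access-token:" + token)`. A token embedded as
userinfo in a remote URL is flagged as well. Sample config and token are
constructed.
"""
import base64
import re
from pathlib import Path
from typing import List, Optional

SECTION_RE = re.compile(r'^\s*\[(?P<kind>\w+)(?:\s+"(?P<name>[^"]*)")?\]\s*$')
KEYVAL_RE = re.compile(r'^\s*(?P<key>[\w-]+)\s*=\s*(?P<value>.*?)\s*$')
BASIC_RE = re.compile(r'^AUTHORIZATION:\s*basic\s+(?P<b64>\S+)$', re.IGNORECASE)
USERINFO_URL_RE = re.compile(r'^https?://(?P<user>[^:/@]+):(?P<secret>[^@/]+)@.+$')


def _redact(secret: str) -> str:
    """Keep the prefix (enough to tell a ghs_ installation token from a PAT), mask the rest."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def find_persisted_credentials(config_text: str) -> List[dict]:
    """Walk the config section by section and report every recoverable credential."""
    findings: List[dict] = []
    kind: Optional[str] = None
    name: Optional[str] = None
    for line in config_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            kind, name = section.group("kind"), section.group("name")
            continue
        entry = KEYVAL_RE.match(line)
        if not entry:
            continue
        key, value = entry.group("key").lower(), entry.group("value")
        if kind == "http" and key == "extraheader":
            # The artipacked case: the Authorization header is only base64, not encrypted.
            basic = BASIC_RE.match(value)
            if not basic:
                continue
            try:
                decoded = base64.b64decode(basic.group("b64"), validate=True).decode()
            except ValueError:
                continue
            user, _, secret = decoded.partition(":")
            findings.append({"where": f"http.{name}.extraheader", "user": user, "redacted": _redact(secret)})
        elif kind == "remote" and key == "url":
            userinfo = USERINFO_URL_RE.match(value)
            if userinfo:
                findings.append({"where": f"remote.{name}.url", "user": userinfo.group("user"),
                                 "redacted": _redact(userinfo.group("secret"))})
    return findings


def scan_workspace(workspace: str = ".") -> List[dict]:
    """Check a real checkout; an empty list is the state persist-credentials: false gives you."""
    config = Path(workspace) / ".git" / "config"
    return find_persisted_credentials(config.read_text()) if config.is_file() else []


def build_sample_config(token: str, embed_in_remote: bool = False) -> str:
    """Constructed .git/config in the shape a default actions/checkout leaves behind."""
    header = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    remote = f"https://x-access-token:{token}@github.com/org/repo" if embed_in_remote else "https://github.com/org/repo"
    return "\n".join([
        "[core]",
        "\trepositoryformatversion = 0",
        '[remote "origin"]',
        f"\turl = {remote}",
        "\tfetch = +refs/heads/*:refs/remotes/origin/*",
        '[http "https://github.com/"]',
        f"\textraheader = AUTHORIZATION: basic {header}",
        "",
    ])


if __name__ == "__main__":
    # Offline demonstration on the constructed config; use scan_workspace() on a real checkout.
    for finding in find_persisted_credentials(build_sample_config("ghs_EXAMPLEtoken", embed_in_remote=True)):
        print(finding)
```

Run `scan_workspace(".")` in a step after checkout; a non-empty result means `persist-credentials: false` is missing or something re-wrote the credential. Redaction keeps only the prefix so the check itself does not echo the token into the job log.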
In @.github/workflows/claude-deep-review.yml, lines 11-15:
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
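Review bot: the write scopes proposed for `pull-requests` and `issues` are what posting a review needs, but they also set the blast radius of anything injected through the PR content the model reads, so land them together with an author gate on the trigger rather than on their own. Keep `id-token: write` on the last line only because claude-code-action uses the OIDC token to obtain its GitHub App credential; nothing else in this job needs it, so do not carry it into jobs that do not run the action.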
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Grant comment write scopes to this job.
Line 13 and Line 14 only allow reads, so the deep-review run cannot post PR feedback even though that is the workflow’s purpose. The repo’s other Claude review workflow already uses write scopes for the same action.
Suggested fix
permissions:
contents: read
- pull-requests: read
- issues: read
+ pull-requests: write
+ issues: write
id-token: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-deep-review.yml around lines 11 - 15, The
`permissions` block for the Claude deep review job is too restrictive, so the
workflow cannot post PR feedback. Update the permissions in
`claude-deep-review.yml` to grant the same comment/write scopes used by the
other Claude review workflow, especially for `pull-requests` and any needed
issue/comment access, while keeping `contents: read` and `id-token: write` as
appropriate.
In @.github/workflows/claude-deep-review.yml, lines 23-30:
- name: Run Claude Code deep review
id: claude-deep-review
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
plugin_marketplaces: "https://github.com/anthropics/claude-code.git"
plugins: "code-review@claude-code-plugins"
prompt: "/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}"
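Review bot: `plugin_marketplaces` names a git repository URL with no ref and `plugins: "code-review@claude-code-plugins"` names the plugin only, so the review instructions that run with this job's token are whatever that repository serves at run time, with no version or commit pin. Treat it like any other unpinned dependency: pin the marketplace to a commit if the input accepts a ref, or vendor the plugin's command into this repository so an upstream change cannot alter what the action executes. The `prompt` line itself only interpolates `github.repository` and the PR number, neither of which is an attacker-controlled string.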
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf 'Files of interest:\n'
git ls-files '.github/workflows/*claude*.yml' '.github/workflows/*claude*.yaml'
printf '\nOutline of .github/workflows/claude-deep-review.yml:\n'
ast-grep outline .github/workflows/claude-deep-review.yml --view expanded || true
printf '\nOutline of .github/workflows/claude-code-review.yml:\n'
ast-grep outline .github/workflows/claude-code-review.yml --view expanded || true
printf '\nRelevant lines from claude-deep-review.yml:\n'
sed -n '1,120p' .github/workflows/claude-deep-review.yml
printf '\nRelevant lines from claude-code-review.yml:\n'
sed -n '1,180p' .github/workflows/claude-code-review.yml
Repository: shakacode/shakastack-com
Length of output: 5663
🌐 Web query:
anthropics/claude-code-action v1 execution_file output exit success review failed silent no-op
💡 Result:
The anthropics/claude-code-action v1 is a GitHub Action designed to integrate Claude Code into CI/CD workflows for tasks such as automated PR reviews, code changes, and issue management [1][2]. Regarding the specific execution and output mechanics:

Execution File and Output: The action generates a JSON file containing the execution log of the Claude Code session [3][4]. This path is exposed as a GitHub Action output named execution_file [3][5]. Users can access this path within subsequent steps of their workflow using ${{ steps..outputs.execution_file }} [5]. The action also provides an output named conclusion, which indicates whether the execution was a success or failure [3][4].

Success and Failure States: The conclusion output is explicitly set to 'success' if the Claude Code session completes successfully, and 'failure' otherwise [3][6][4]. If an error occurs during execution, the action catches the exception, may attempt to set the execution_file output if available, and calls core.setFailed to mark the step as failed in the GitHub Actions runner [3].

Silent/No-op Behavior: The action differentiates between modes based on the presence of a prompt input [7]. When a prompt is provided (Automation Mode), the action executes immediately [7]. Without a prompt (Interactive Mode), it waits for @claude mentions in PRs or issues [7]. Regarding silent operation or "no-ops," while there is no specific silent flag, the action is designed to be configurable; for instance, users can control comment behavior or disable specific features like inline comment classification using inputs such as classify_inline_comments: 'false' [8]. If the action triggers but finds no work to do or is misconfigured, it may complete without performing changes, but it will generally still produce an execution result [7][3].

For detailed usage, developers typically access the execution file to generate job summaries or custom reports by cat-ing the file content into $GITHUB_STEP_SUMMARY [3][5].
Citations:
- 1: https://github.com/anthropics/claude-code-action
- 2: https://code.claude.com/docs/en/github-actions
- 3: https://github.com/anthropics/claude-code-action/blob/main/src/entrypoints/run.ts
- 4: https://github.com/anthropics/claude-code-action/blob/eb99fb38/base-action/action.yml
- 5: https://github.com/anthropics/claude-code-action/blob/bdd0c925cb06995712d4dbd690e8b8bc513a08eb/action.yml
- 6: https://github.com/anthropics/claude-code-action/blob/eb99fb38/base-action/src/run-claude-sdk.ts
- 7: https://github.com/anthropics/claude-code-action/blob/main/docs/custom-automations.md
- 8: https://github.com/anthropics/claude-code-action/blob/main/docs/solutions.md
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf 'Search for execution_file and claude-code-action references:\n'
rg -n --hidden --glob '!**/.git/**' 'execution_file|claude-code-action@v1|claude_code_oauth_token|code-review@claude-code-plugins' .
printf '\nWorkflow files mentioning verification:\n'
rg -n --hidden --glob '.github/workflows/*' 'execution_file|jq -s|claude-deep-review|claude-code-review|is_error' .github/workflows
Repository: shakacode/shakastack-com
Length of output: 2702
Add the same execution-file guard here
This workflow can still go green if anthropics/claude-code-action@v1 returns without posting a review, because it skips the execution_file check already used in .github/workflows/claude-code-review.yml. Mirror that step so an invalid or expired CLAUDE_CODE_OAUTH_TOKEN fails the job instead of silently doing nothing.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-deep-review.yml around lines 23 - 30, The Claude
deep review workflow is missing the same post-action execution-file guard used
in the other Claude review workflow, so the job can pass even when no review is
actually posted. Update the `Run Claude Code deep review` job to mirror the
`execution_file` check from `.github/workflows/claude-code-review.yml` after
`anthropics/claude-code-action@v1` runs, and fail the job when the file is
absent so an invalid or expired `CLAUDE_CODE_OAUTH_TOKEN` does not silently
succeed.
In @.github/workflows/claude.yml, lines 8-16:
issues:
types: [opened, assigned]
jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
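Review bot: the `contains(github.event.comment.body, '@claude')` tests on the last three lines of this hunk are evaluated by the Actions expression engine inside `if:`, not by a shell, so a crafted comment body cannot inject commands at this point; the exposure is who can satisfy the condition at all, since `issue_comment` also fires for comments on pull requests and `issues: [opened, assigned]` fires for anyone who can open an issue. Note also that `contains` is case-insensitive, so `@Claude` and `@CLAUDE` trigger as well, which is fine once the trigger is gated on the author.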
🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
Avoid retriggering Claude on unrelated issue assignments.
With issues: [opened, assigned], any later assignment of an issue whose title/body already contains @claude reruns Claude. Remove assigned unless there is a specific assignee-based flow.
Proposed fix
issues:
- types: [opened, assigned]
+ types: [opened]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 8 - 16, The GitHub Actions trigger
in claude.yml is too broad because the issues event currently includes assigned,
which causes the claude job to rerun on unrelated assignee changes whenever the
issue already contains `@claude`. Update the issues trigger in the workflow so it
only runs for the intended issue creation flow, and keep the existing claude job
condition logic unchanged unless you need to support a specific assignee-based
path. Use the workflow job named claude and the issues.types configuration to
locate the fix.
In @.github/workflows/claude.yml, lines 13-16:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
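Review bot: an `author_association` gate on these three branches is a sensible cheap pre-filter, but it is not a write-permission check: `COLLABORATOR` matches any invited collaborator, including one granted read-only access, and `MEMBER` matches any organization member regardless of what they can do in this repository. If the PR objective is strictly "write-access users", confirm the actor's permission with the collaborator permission API in a preceding step, or confirm that claude-code-action itself verifies the actor's write permission before relying on the expression alone, and keep the `if:` only to avoid spending a runner on drive-by mentions.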
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Gate @claude triggers to trusted authors.
The PR objective says write-access users should trigger Claude, but this condition accepts any issue/PR comment containing @claude while passing CLAUDE_CODE_OAUTH_TOKEN to the action.
Proposed minimum gate
if: |
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ (github.event_name == 'issue_comment' &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+ contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+ contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'issues' &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association) &&
+ (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 13 - 16, The workflow trigger in
the GitHub Actions condition currently lets any `@claude` mention start the job,
even though it passes `CLAUDE_CODE_OAUTH_TOKEN`. Update the `if` expression in
`.github/workflows/claude.yml` to gate `issue_comment`,
`pull_request_review_comment`, and `issues` events to trusted authors only,
using the existing event payload fields for author association or write-access
status. Keep the `@claude` text check, but combine it with an author trust check
so only write-access users can invoke Claude.
In @.github/workflows/claude.yml, lines 25-28:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable checkout credential persistence.
actions/checkout persists the GitHub token by default, leaving it in the workspace before the Claude action runs. This workflow only needs a read checkout.
Proposed fix
with:
fetch-depth: 1
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 25-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 25 - 28, The Checkout repository
step is leaving the GitHub token persisted by default, but this workflow only
needs read-only source access. Update the actions/checkout usage in the workflow
to disable credential persistence so the token is not written into the workspace
before the Claude action runs, while keeping the existing checkout behavior
otherwise unchanged.
Source: Linters/SAST tools
In @.github/workflows/claude.yml, lines 30-34:
- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
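Review bot: this step passes no `prompt`, so per the web query result above the action runs in the mode where the triggering comment becomes Claude's instruction. Combined with the ungated `if:` in the same file, anyone who can comment on an issue or pull request chooses what the model does with this job's permissions and with `CLAUDE_CODE_OAUTH_TOKEN`. Gate the trigger on the author before this lands; the result-verification point raised for the other workflows applies here too.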
🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Claude workflows consistently check the action execution_file result.
rg -n -C3 'execution_file|is_error|claude-code-action@v1' .github/workflows
Repository: shakacode/shakastack-com
Length of output: 4223
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== claude.yml ==\n'
cat -n .github/workflows/claude.yml
printf '\n== claude-deep-review.yml ==\n'
cat -n .github/workflows/claude-deep-review.yml
printf '\n== claude-code-review.yml (relevant section) ==\n'
sed -n '20,95p' .github/workflows/claude-code-review.yml
Repository: shakacode/shakastack-com
Length of output: 7231
Add Claude result verification to this workflow .github/workflows/claude.yml:30-34 — mirror the execution_file/is_error check from .github/workflows/claude-code-review.yml so an invalid or expired token doesn’t leave the job green with no Claude output.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 30 - 34, The Claude action step in
claude.yml currently reports success even when no valid Claude output is
produced. Update the workflow to mirror the result verification used in
claude-code-review.yml by checking the generated execution file and its is_error
status after the Run Claude Code step, and fail the job if the token is
invalid/expired or if Claude did not produce a successful result.
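The two findings about a job going green with no Claude output (this one and the one on claude-deep-review.yml) refer to an execution_file check in claude-code-review.yml that is not shown on this page. The script below is an added example of such a guard; it is not that step and not code from anthropics/claude-code-action. It assumes the execution file is a JSON array of Claude Code stream messages whose final entry has `"type": "result"` and an `is_error` flag; that shape, the sample messages, and the step id `claude` in the usage line are assumptions.

```python
"""Fail the job unless the Claude Code action produced a successful result.

Added example for this review; not the verification step from
claude-code-review.yml and not code from anthropics/claude-code-action.
Assumed input format: a JSON array of Claude Code stream messages whose last
entry is {"type": "result", "subtype": ..., "is_error": bool}.
Intended workflow usage (step id `claude` is assumed):
    python3 verify_claude_result.py "${{ steps.claude.outputs.execution_file }}"
"""
import json
import sys
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample sessions: one successful review and one that errored.
SAMPLE_OK = [
    {"type": "system", "subtype": "init", "model": "example-model"},
    {"type": "assistant", "message": {"content": [{"type": "text", "text": "Reviewed the PR."}]}},
    {"type": "result", "subtype": "success", "is_error": False, "num_turns": 2},
]
SAMPLE_ERROR = [
    {"type": "system", "subtype": "init", "model": "example-model"},
    {"type": "result", "subtype": "error_during_execution", "is_error": True, "num_turns": 0},
]


def verify_execution_file(path: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason); every failure mode gets its own reason for the job log."""
    if not path:
        # An empty output means the action produced no log at all; with this action
        # that is what a rejected OAuth token looks like (assumption, see lead-in).
        return False, "no execution_file output: Claude never ran (check CLAUDE_CODE_OAUTH_TOKEN)"
    file = Path(path)
    if not file.is_file():
        return False, f"execution file not found: {path}"
    try:
        messages = json.loads(file.read_text())
    except (OSError, ValueError) as exc:
        return False, f"execution file unreadable: {exc}"
    if not isinstance(messages, list) or not messages:
        return False, "execution file is empty: Claude produced no output"
    results = [m for m in messages if isinstance(m, dict) and m.get("type") == "result"]
    if not results:
        return False, "no result message: the session ended before Claude finished"
    final = results[-1]
    if final.get("is_error"):
        return False, f"Claude reported an error: {final.get('subtype', 'unknown')}"
    return True, f"Claude finished: {final.get('subtype', 'success')}"


def run_self_check() -> dict:
    """Exercise every branch on constructed files; maps case name to (ok, reason)."""
    cases = {
        "success": SAMPLE_OK,
        "is_error": SAMPLE_ERROR,
        "empty": [],
        "no_result": SAMPLE_OK[:2],
    }
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, messages in cases.items():
            target = Path(tmp, f"{name}.json")
            target.write_text(json.dumps(messages))
            outcome[name] = verify_execution_file(str(target))
        outcome["missing"] = verify_execution_file(str(Path(tmp, "absent.json")))
    outcome["no_output"] = verify_execution_file(None)
    return outcome


if __name__ == "__main__":
    ok, reason = verify_execution_file(sys.argv[1] if len(sys.argv) > 1 else None)
    print(reason)
    sys.exit(0 if ok else 1)
```

Exit status 1 on any failure case turns the job red, and each case prints a distinct reason, so an expired token (no output at all) is distinguishable in the log from a session that errored mid-run (`is_error` true) or one that was cut off before a result message.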
♻️ Duplicate comments (2)
.github/workflows/claude-deep-review.yml (2)
23-30: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift
Missing execution-file guard against silent-success on invalid token.
This step lacks the execution_file-based verification step present in claude-code-review.yml, so an invalid/expired CLAUDE_CODE_OAUTH_TOKEN can make the job pass without ever posting a review. Previously flagged and still unresolved.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-deep-review.yml around lines 23 - 30, The Claude deep review workflow step can silently succeed with an invalid or expired OAuth token because it does not verify that the review actually ran. Update the claude-deep-review job in the workflow to include the same execution_file-based guard used in claude-code-review.yml, tying the check to the claude-code-action step so the job fails if no review output is produced. Use the existing step id claude-deep-review and the claude_code_oauth_token configuration as the anchor points when adding the verification.
11-15: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Grant comment write scopes to this job.
Job only has read permissions, so the deep-review action cannot post PR feedback despite that being the workflow's purpose. This was previously flagged and remains unaddressed.
Suggested fix
permissions:
contents: read
- pull-requests: read
- issues: read
+ pull-requests: write
+ issues: write
id-token: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-deep-review.yml around lines 11 - 15, The workflow job's permissions are read-only, so the deep-review action cannot leave PR feedback. Update the permissions block for the claude-deep-review job to grant comment-writing access, using the existing permissions section in the workflow so the action can post review comments and feedback.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: c8cee271-4dc0-483e-aa8e-6625020660a6
📒 Files selected for processing (1)
- .github/workflows/claude-deep-review.yml
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!
Summary by CodeRabbit