@@ -10,68 +10,74 @@ jobs:
1010 permissions :
1111 contents : read
1212 pull-requests : write
13- issues : read
13+ issues : write
1414 actions : read
1515 id-token : write
1616
1717 steps :
18- - name : Checkout PR head (fork)
18+ # IMPORTANT: checkout BASE repo only (safe on forks)
19+ - name : Checkout base repo (safe)
1920 uses : actions/checkout@v4
2021 with :
21- ref : ${{ github.event.pull_request.head.sha }}
2222 fetch-depth : 1
2323
2424 - name : Run Claude Code Review
25- id : claude-review
2625 uses : anthropics/claude-code-action@v1
2726 with :
2827 claude_code_oauth_token : ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
2928 github_token : ${{ github.token }}
3029
31- plugin_marketplaces : ' https://github.com/anthropics/claude-code.git'
32- plugins : ' code-review@claude-code-plugins'
30+ plugin_marketplaces : " https://github.com/anthropics/claude-code.git"
31+ plugins : " code-review@claude-code-plugins"
3332
3433 claude_args : >
35- --dangerouslyDisableSandbox
34+ --dangerously-skip-permissions
3635 --max-turns 10
3736 --allowedTools
3837 "Bash(gh pr view:*)"
3938 "Bash(gh pr diff:*)"
4039 "Bash(gh pr comment:*)"
41- "Bash(gh api repos/*/pulls/*:*)"
42- "Bash(gh api repos/*/issues/*/comments:*)"
40+ "Bash(gh pr list:*)"
41+ "Bash(gh pr status:*)"
42+ "Bash(gh issue comment:*)"
43+ "Bash(gh api:*)"
4344 "Bash(cat:*)"
4445 "Bash(ls:*)"
4546 "Bash(grep:*)"
4647 "Bash(find:*)"
48+ "Bash(sed:*)"
49+ "Bash(awk:*)"
50+ "Bash(head:*)"
51+ "Bash(tail:*)"
52+ "Bash(wc:*)"
53+ "Bash(sort:*)"
54+ "Bash(uniq:*)"
55+ "Bash(cut:*)"
56+ "Bash(xargs:*)"
57+ "Bash(jq:*)"
58+ "Bash(python3:*)"
4759
4860 prompt : |
49- /code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}
61+ You are running in pull_request_target. DO NOT execute or inspect the fork's checked-out code.
62+ Review ONLY via GitHub API/gh commands.
5063
51- Always use the numeric PR form with --repo, e.g.:
52- - gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} ...
53- - gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }} ...
54- - gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} ...
64+ Always use numeric PR form with --repo:
65+ - gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json files,title,body
66+ - gh pr diff ${{ github.event.pull_request.number }} --repo ${{ github.repository }}
67+
68+ If CLAUDE.md exists in the base repo checkout, read it with:
69+ - cat CLAUDE.md
70+ Prefer jq/python3 for JSON parsing instead of shell loops.
5571
5672 Output requirements (even if no issues):
57- - Start with: files changed count + list up to 15 changed file paths
58- - Then: a short summary of what the PR changes (3–6 bullets)
59- - Then: findings :
60- - If issues: list them with file path + line numbers when possible
61- - If no issues: list at least 3 concrete " improvement opportunities" with file paths
73+ - Files changed count + list up to 15 file paths
74+ - Summary (3–6 bullets)
75+ - Findings :
76+ - If issues: include file + line numbers when possible
77+ - If no issues: at least 3 concrete improvement opportunities with file paths
6278
63- Post the results as ONE top-level PR comment titled "Claude Code Review".
64- If you cannot access the diff/files, say exactly what is blocked.
79+ Post ONE top-level PR comment titled "Claude Code Review".
6580 If posting a PR comment is blocked, write the full review to the GitHub Actions job summary instead.
6681
67- IMPORTANT:
68- - Do NOT stop just because a previous "Claude Code Review" comment exists.
69- - If a prior Claude review exists, post a NEW comment titled "Claude Code Review (updated)" that includes:
70- - current head SHA: ${{ github.event.pull_request.head.sha }}
71- - files changed count + up to 15 file paths
72- - 3–6 bullet summary of changes
73- - findings or at least 3 improvement opportunities with file paths
74- Post as ONE top-level PR comment.
75-
7682 additional_permissions : |
7783 actions: read
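Review bot: The enlarged `--allowedTools` list at the `"Bash(python3:*)"`, `"Bash(xargs:*)"` and `"Bash(gh api:*)"` lines, paired with the switch to `--dangerously-skip-permissions`, leaves no technical boundary on what the agent can execute; the only thing keeping it off fork-controlled content is the prompt sentence "DO NOT execute or inspect the fork's checked-out code", which is guidance, not enforcement. Per the prompt text the job runs under pull_request_target, so it holds `CLAUDE_CODE_OAUTH_TOKEN`, a token with `pull-requests: write`, `issues: write` and `id-token: write`, and the PR title, body and diff it reads via `gh pr view --json files,title,body` and `gh pr diff` are authored by the fork — that is the classic prompt-injection-to-write-scope path, and a general-purpose interpreter plus a `gh api` wildcard in the allowlist is what makes it reachable. The list should be cut back to what the prompt actually needs, `"Bash(gh pr view:*)" "Bash(gh pr diff:*)" "Bash(gh pr comment:*)"` plus the existing `"Bash(cat:*)"` for CLAUDE.md, dropping the text-processing tools, `python3`, `xargs` and `gh api:*`; the narrower `repos/*/pulls/*:*` patterns this commit deletes were the better shape if raw API access is really required. The `issues: read` → `write` bump and the `id-token: write` grant also deserve a comment naming the step that needs each, since nothing in the hunk uses OIDC and `gh pr comment` is the only write the prompt asks for. The workflow's `on:` trigger and the rest of the job definition are outside the hunk, so the pull_request_target claim is taken from the prompt text rather than the trigger itself.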