name: Claude Code Review on: pull_request: types: [labeled] # No concurrency group — intentionally omitted. # Previous attempt (#3554, reverted #3599) used cancel-in-progress which # killed in-progress PR runs before they produced useful results. # Future iteration could safely add concurrency for scheduled/push-only # triggers (where head_ref is empty and runs get unique groups). permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions jobs: claude-review: # Only run when 'claude-review' label is added (opt-in) if: github.event.label.name == 'claude-review' runs-on: ubuntu-latest timeout-minutes: 30 environment: ci permissions: contents: read pull-requests: write issues: write id-token: write # Required for OIDC authentication with claude-code-action steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false fetch-depth: 1 - name: Run Claude Code Review id: claude-review uses: anthropics/claude-code-action@558b1d6cab4085c7753fe402c10bef0fbb92ac7a # v1.0.165 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} # CLI arguments for Claude (v1.0+ format) claude_args: | --model claude-opus-4-5-20251101 # Prompt for automated review (no @claude mention needed) prompt: | Please review this pull request and provide feedback on: - Code quality and best practices - Potential bugs or issues - Performance considerations - Security concerns - Test coverage Be constructive and helpful in your feedback.