fix: limit claude code review to PR creation and @claude comments (#393)

* fix: limit claude code review to PR creation and @claude comments Reduces unnecessary action runs and token usage by only triggering the review on initial PR open, and re-running when @claude is mentioned. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: restrict @claude trigger to trusted contributors Only repo owners, org members, and collaborators can invoke the review via @claude comments, preventing external users from consuming token quota. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: consolidate claude workflows and auto-run on PR creation Remove separate claude-code-review.yml and add pull_request trigger to claude.yml so it runs automatically on PR open without needing @claude in the body. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: restore author_association guard on issue_comment trigger The consolidation commit dropped the author_association check from the issue_comment condition. Without it, any external commenter could invoke Claude and consume token quota. Restores the guard to limit triggers to OWNER, MEMBER, and COLLABORATOR. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: apply author_association guard to review comment triggers Extends the OWNER/MEMBER/COLLABORATOR check to pull_request_review_comment and pull_request_review events, preventing external users from triggering Claude via review comments. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-17 02:25:57 +00:00 · 2026-03-04 19:26:12 +05:30
parent 52f9dfb2e4
commit ad4c0af4fe
2 changed files with 6 additions and 47 deletions
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -1,44 +0,0 @@
-name: Claude Code Review
-
-on:
-  pull_request:
-    types: [opened, synchronize, ready_for_review, reopened]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
-
-jobs:
-  claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
-
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code Review
-        id: claude-review
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
-          plugins: 'code-review@claude-code-plugins'
-          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://code.claude.com/docs/en/cli-reference for available options
-
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -1,6 +1,8 @@
 name: Claude Code

 on:
+  pull_request:
+    types: [opened, ready_for_review]
  issue_comment:
    types: [created]
  pull_request_review_comment:
@@ -13,9 +15,10 @@ on:
 jobs:
  claude:
    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
    runs-on: ubuntu-latest
    permissions: