From 545f5754e05688e261804e2c7c265b17172e589d Mon Sep 17 00:00:00 2001 From: Maple Gao Date: Fri, 8 May 2026 02:12:31 +0800 Subject: [PATCH 1/5] ci: use official Claude PR review comments --- .github/workflows/claude-code-review.yml | 76 +++++++++--------------- 1 file changed, 27 insertions(+), 49 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index a8ce24b..d820748 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -2,9 +2,8 @@ name: Claude Code Review on: pull_request: - types: [opened, synchronize, ready_for_review] + types: [opened, synchronize, reopened, ready_for_review] branches: [main] - workflow_dispatch: permissions: contents: read @@ -18,11 +17,8 @@ jobs: runs-on: ubuntu-latest if: >- ${{ - github.event_name == 'workflow_dispatch' || - ( - github.event.pull_request.draft == false && - contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association) - ) + github.event.pull_request.draft == false && + contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association) }} env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} 
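Review bot: The job-level `if` now admits any OWNER/MEMBER/COLLABORATOR pull request, but a member's PR opened from a fork still arrives with empty secrets (GitHub withholds repository secrets from fork-triggered `pull_request` runs, if I have that right), so it passes this gate only to hit the "secrets are not configured" skip further down with a misleading message. Consider making the same-repository requirement explicit in the condition, e.g. adding `github.event.pull_request.head.repo.full_name == github.repository`, so fork PRs are skipped for the stated reason. Dropping `workflow_dispatch` also removes the one trigger that ran without a `pull_request` payload, so the remaining `github.event.pull_request.*` references in this condition are now always populated.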
@@ -33,61 +29,43 @@ jobs: - name: Skip when Claude secrets are not configured if: ${{ env.ANTHROPIC_API_KEY == '' || env.ANTHROPIC_BASE_URL == '' || env.GH_TOKEN_VALUE == '' }} run: echo "Claude Code review secrets are not configured; skipping Claude Code review." + - name: Checkout repository if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && env.GH_TOKEN_VALUE != '' }} - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 1 persist-credentials: false + - name: Run Claude Code review - id: claude-review if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && env.GH_TOKEN_VALUE != '' }} - continue-on-error: true uses: anthropics/claude-code-action@v1 + env: + ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }} with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ secrets.GH_TOKEN }} + track_progress: true prompt: | + REPO: ${{ github.repository }} + PR NUMBER: ${{ github.event.pull_request.number }} + Review this pull request using REVIEW.md as the review-only guide. - Focus on actionable VoScript risks: privacy/security leaks, model lifecycle races, - GPU/CPU fallback behavior, HTTP API compatibility, regression-test coverage, and - synchronized English/Chinese documentation. Avoid formatting-only comments. + Focus on actionable VoScript risks: + - Privacy and security leaks + - Model lifecycle races and GPU/CPU fallback behavior + - HTTP API compatibility + - Regression-test coverage + - Synchronized English/Chinese documentation + + The PR branch is already checked out in the current working directory. + Always post one top-level review summary with `gh pr comment`, even when there are no actionable findings. + If there are no actionable findings, say that explicitly in the top-level comment. + Use `mcp__github_inline_comment__create_inline_comment` with `confirmed: true` for specific changed-line issues. + Avoid formatting-only comments. 
+ Only post GitHub comments; do not leave review text only in the action transcript. + claude_args: | --model ${{ env.CLAUDE_MODEL }} --max-turns 30 - env: - ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }} - - - name: Post Claude Code review summary - if: ${{ always() && github.event_name == 'pull_request' && env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && env.GH_TOKEN_VALUE != '' }} - env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} - PR_NUMBER: ${{ github.event.pull_request.number }} - HEAD_SHA: ${{ github.event.pull_request.head.sha }} - CLAUDE_OUTCOME: ${{ steps.claude-review.outcome }} - RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} - MARKER: "" - run: | - set -euo pipefail - short_sha="${HEAD_SHA:0:7}" - if [ "$CLAUDE_OUTCOME" = "success" ]; then - body="$(printf '%s\n### Claude Code Review\n\nClaude Code Review completed for `%s`.\n\nThis summary is posted even when Claude has no line-level findings. If no separate Claude inline comments are visible, there were no actionable line-level findings for this run.\n\nRun: %s' "$MARKER" "$short_sha" "$RUN_URL")" - else - body="$(printf '%s\n### Claude Code Review\n\nClaude Code Review did not complete successfully for `%s`.\n\nCheck the workflow run before merging. 
The check will remain failed so this cannot be missed.\n\nRun: %s' "$MARKER" "$short_sha" "$RUN_URL")" - fi - - comment_id="$( - gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --paginate \ - --jq ".[] | select(.body | contains(\"$MARKER\")) | .id" | tail -n 1 - )" - if [ -n "$comment_id" ]; then - jq -n --arg body "$body" '{body: $body}' \ - | gh api -X PATCH "repos/$GITHUB_REPOSITORY/issues/comments/$comment_id" --input - - else - jq -n --arg body "$body" '{body: $body}' \ - | gh api -X POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" --input - - fi - - - name: Fail when Claude Code review failed - if: ${{ steps.claude-review.outcome == 'failure' }} - run: exit 1 + --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(git diff:*),Bash(rg:*)" From 5233c95e3cb5325097a3e1ac8836424a26132dfb Mon Sep 17 00:00:00 2001 From: Maple Gao Date: Fri, 8 May 2026 02:28:01 +0800 Subject: [PATCH 2/5] ci: expose token to claude gh tools --- .github/workflows/claude-code-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index d820748..116a830 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -41,7 +41,7 @@ jobs: if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && env.GH_TOKEN_VALUE != '' }} uses: anthropics/claude-code-action@v1 env: - ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }} + GH_TOKEN: ${{ secrets.GH_TOKEN }} with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ secrets.GH_TOKEN }} From 11947ba42ce659dabf377b53a22ca238d7705ac7 Mon Sep 17 00:00:00 2001 From: Maple Gao Date: Fri, 8 May 2026 02:33:53 +0800 Subject: [PATCH 3/5] ci: prevent stale claude review context --- .github/workflows/claude-code-review.yml | 4 ++++ 1 file changed, 4 insertions(+) 
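Review bot: The new `--allowedTools` line at the end of the hunk is the only enforcement behind the prompt's posting rules, and `Bash(gh pr comment:*)` is a prefix match: whatever the model is induced to append after `gh pr comment` runs with whichever GitHub token the `gh` CLI finds in its environment, and the PR diff plus `REVIEW.md` are read from the checked-out head, so they are a prompt-injection surface for exactly that. The removed "Post Claude Code review summary" step posted a summary unconditionally, including on failure; that guarantee now rests on the model obeying "Always post one top-level review summary", and a run that exhausts `--max-turns 30` before commenting leaves no visible trace on the PR. If the summary matters, keep a small unconditional step that posts the run outcome, and prefer the action's own comment tool over `Bash(gh pr comment:*)` so the model never holds a shell together with a GitHub token.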
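Review bot: Exporting `GH_TOKEN: ${{ secrets.GH_TOKEN }}` as a step-level `env` puts a user-owned token into the environment of every Bash command the model runs, not only the `gh` calls the allowlist intends; with `Bash(rg:*)` also allowed, a prompt-injected `rg` over `/proc/self/environ` or a crafted `gh pr comment --body "$(...)"` could echo it into a PR comment, depending on how strictly the action filters compound commands. If the CLI route is kept, make this a fine-grained token scoped to this repository with only `pull-requests: write`, and document that comments will be attributed to that user rather than to the workflow. The step-level `ANTHROPIC_BASE_URL` this replaces is still supplied by the job-level `env`, so that part of the change is a no-op.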
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 116a830..907a523 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -46,6 +46,8 @@ jobs: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} github_token: ${{ secrets.GH_TOKEN }} track_progress: true + use_sticky_comment: true + exclude_comments_by_actor: MapleEve,github-actions,codecov,sourcery-ai,copilot-pull-request-reviewer prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} @@ -59,6 +61,8 @@ jobs: - Synchronized English/Chinese documentation The PR branch is already checked out in the current working directory. + This workflow intentionally passes `github_token: secrets.GH_TOKEN` and exports `GH_TOKEN` because the official Claude GitHub App is not installed for this repository yet. + Do not treat `GH_TOKEN_VALUE`, `github_token: secrets.GH_TOKEN`, or `GH_TOKEN` as a migration bug unless the official Claude GitHub App has been installed and verified. Always post one top-level review summary with `gh pr comment`, even when there are no actionable findings. If there are no actionable findings, say that explicitly in the top-level comment. Use `mcp__github_inline_comment__create_inline_comment` with `confirmed: true` for specific changed-line issues. From 6f79ed05e2137abe3e1687f9964afce9479e562b Mon Sep 17 00:00:00 2001 From: Maple Gao Date: Fri, 8 May 2026 02:39:12 +0800 Subject: [PATCH 4/5] ci: require official claude app comments --- .github/workflows/claude-code-review.yml | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 907a523..ab05628 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml 
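Review bot: `exclude_comments_by_actor` lists `MapleEve`, which (presumably because the PAT-posted review comments are attributed to that user) also hides every human review comment the repository owner leaves on the PR from the model's context, so follow-up runs cannot see owner decisions or corrections. Filtering on a marker in the bot's own comments, or moving to the app identity so the bot gets its own actor, would avoid that side effect. The added prompt lines telling the model not to report `GH_TOKEN` as a migration bug suppress a finding rather than fix it; if the token setup is intentional, say so in a YAML comment next to the `env:` lines where a human reviewer also sees it, e.g. `# GH_TOKEN: user PAT until the Claude GitHub App is installed for this repo`.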
@@ -23,28 +23,24 @@ jobs: env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }} - GH_TOKEN_VALUE: ${{ secrets.GH_TOKEN }} CLAUDE_MODEL: claude-sonnet-4-6 steps: - name: Skip when Claude secrets are not configured - if: ${{ env.ANTHROPIC_API_KEY == '' || env.ANTHROPIC_BASE_URL == '' || env.GH_TOKEN_VALUE == '' }} + if: ${{ env.ANTHROPIC_API_KEY == '' || env.ANTHROPIC_BASE_URL == '' }} run: echo "Claude Code review secrets are not configured; skipping Claude Code review." - name: Checkout repository - if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && env.GH_TOKEN_VALUE != '' }} + if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' }} uses: actions/checkout@v6 with: fetch-depth: 1 persist-credentials: false - name: Run Claude Code review - if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && env.GH_TOKEN_VALUE != '' }} + if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' }} uses: anthropics/claude-code-action@v1 - env: - GH_TOKEN: ${{ secrets.GH_TOKEN }} with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} - github_token: ${{ secrets.GH_TOKEN }} track_progress: true use_sticky_comment: true exclude_comments_by_actor: MapleEve,github-actions,codecov,sourcery-ai,copilot-pull-request-reviewer 
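Review bot: With `github_token` and the `GH_TOKEN` env removed, nothing in the workflow now verifies that the official Claude GitHub App is actually installed; the prompt's "fail instead of posting as the repository owner" cannot be honoured by the model, because the identity it posts under is fixed by the action's inputs, not by its instructions. If the action obtains its token through the app's OIDC exchange it will presumably need `id-token: write`, and posting comments needs `pull-requests: write` (and `issues: write` for top-level comments); only `contents: read` is visible in the `permissions:` block above this hunk, so confirm the rest of that block before relying on it. The gating on the two remaining secrets is otherwise consistent across the three steps.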
@@ -61,15 +57,12 @@ jobs: - Synchronized English/Chinese documentation The PR branch is already checked out in the current working directory. - This workflow intentionally passes `github_token: secrets.GH_TOKEN` and exports `GH_TOKEN` because the official Claude GitHub App is not installed for this repository yet. - Do not treat `GH_TOKEN_VALUE`, `github_token: secrets.GH_TOKEN`, or `GH_TOKEN` as a migration bug unless the official Claude GitHub App has been installed and verified. - Always post one top-level review summary with `gh pr comment`, even when there are no actionable findings. - If there are no actionable findings, say that explicitly in the top-level comment. - Use `mcp__github_inline_comment__create_inline_comment` with `confirmed: true` for specific changed-line issues. + Post feedback only through the official Claude Code Action GitHub integration. + Do not use the GitHub CLI and do not use a user-owned GitHub token. + If the official Claude GitHub App integration is unavailable, fail instead of posting as the repository owner. + If there are no actionable findings, post the standard no-findings confirmation through the action integration. Avoid formatting-only comments. - Only post GitHub comments; do not leave review text only in the action transcript. claude_args: | --model ${{ env.CLAUDE_MODEL }} --max-turns 30 - --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(git diff:*),Bash(rg:*)" From 3434f84856d6f625f077631fb70637d566d9559f Mon Sep 17 00:00:00 2001 From: Maple Gao Date: Fri, 8 May 2026 02:45:39 +0800 Subject: [PATCH 5/5] ci: skip claude review workflow self changes --- .github/workflows/claude-code-review.yml | 25 ++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index ab05628..d3c37ba 100644 --- a/.github/workflows/claude-code-review.yml 
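Review bot: Removing `--allowedTools` replaces an enforced tool allowlist with a prose instruction ("Do not use the GitHub CLI"), so the model's tool set is now whatever the action's default happens to be and the rule against `gh` is only as strong as the model's compliance when the diff it reads contains injected instructions. Keep an explicit allowlist that contains the action's comment tool and the read-only tools but no `gh` entry, e.g. `--allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(git diff:*),Bash(rg:*)"`, so the intent is enforced rather than requested. The dropped line "Only post GitHub comments; do not leave review text only in the action transcript" was also the one sentence that demanded a visible outcome on the PR; the replacement wording should keep that requirement.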
+++ b/.github/workflows/claude-code-review.yml @@ -29,15 +29,36 @@ jobs: if: ${{ env.ANTHROPIC_API_KEY == '' || env.ANTHROPIC_BASE_URL == '' }} run: echo "Claude Code review secrets are not configured; skipping Claude Code review." - - name: Checkout repository + - name: Detect Claude review workflow changes + id: claude-workflow-change if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' }} + uses: actions/github-script@v8 + with: + script: | + const files = await github.paginate(github.rest.pulls.listFiles, { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.payload.pull_request.number, + per_page: 100, + }); + const selfChanged = files.some( + (file) => file.filename === ".github/workflows/claude-code-review.yml", + ); + core.setOutput("self_changed", selfChanged ? "true" : "false"); + + - name: Skip Claude review for workflow self-change + if: ${{ steps.claude-workflow-change.outputs.self_changed == 'true' }} + run: echo "Skipping Claude Code Review because this PR changes the review workflow itself." + + - name: Checkout repository + if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && steps.claude-workflow-change.outputs.self_changed != 'true' }} uses: actions/checkout@v6 with: fetch-depth: 1 persist-credentials: false - name: Run Claude Code review - if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' }} + if: ${{ env.ANTHROPIC_API_KEY != '' && env.ANTHROPIC_BASE_URL != '' && steps.claude-workflow-change.outputs.self_changed != 'true' }} uses: anthropics/claude-code-action@v1 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
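Review bot: The self-change detection in the new `github-script` step runs from the PR's own copy of this workflow, because `pull_request` runs take the workflow file from the PR merge ref; a PR that edits the workflow can therefore also edit this check out, so it prevents reviewing the review pipeline with stale instructions but is not a protection of the secrets, and a comment on the step should say so. Within that scope it misses two cases: `REVIEW.md`, which the prompt reads from the checked-out head as the review guide, and a rename of the workflow file, which `listFiles` reports under `previous_filename`. Comparing against a small watched set covers both.

```yaml
        script: |
          // … unchanged: github.paginate(listFiles) call …
          const watched = new Set([
            ".github/workflows/claude-code-review.yml",
            "REVIEW.md",
          ]);
          const selfChanged = files.some(
            (file) =>
              watched.has(file.filename) ||
              (file.previous_filename !== undefined && watched.has(file.previous_filename)),
          );
          core.setOutput("self_changed", selfChanged ? "true" : "false");
```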