📝 Walkthrough
Two GitHub Actions workflows are added to enable Claude-powered code review. The first workflow runs automatically when pull requests are created or updated. The second workflow responds to
Changes
Claude Code Review Integration
🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks | ✅ Passed checks (5 passed)
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)
8-10: ⚡ Quick win: Remove issues.assigned to prevent duplicate Claude runs.
With the current condition, re-assigning an issue that already contains @claude retriggers the workflow even without a new request.
♻️ Suggested simplification
issues: - types: [opened, assigned] + types: [opened]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/claude.yml around lines 8 - 10, The workflow is being retriggered by the issues.assigned event; remove the 'assigned' entry from the issues.types list so the workflow only runs on new issue opens (e.g., keep types: [opened]) or replace the issues trigger with a single event that excludes reassignment; update the .github/workflows/claude.yml file to delete 'assigned' (reference: the issues.types array in the workflow) to prevent duplicate Claude runs.
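Review bot: agree with dropping `assigned` from `issues.types`; with `opened` alone the workflow fires once per new issue, the existing `@claude` check in the condition still gates that run, and later mentions in comments remain the way to re-engage Claude on an issue that already exists, so nothing is lost by removing the reassignment trigger.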
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 6f5d402c-ed9a-4d6d-8746-25eded9bbd25
📒 Files selected for processing (2)
.github/workflows/claude-code-review.yml
.github/workflows/claude.yml
| claude-review: | ||
| # Optional: Filter by PR author | ||
| # if: | | ||
| # github.event.pull_request.user.login == 'external-contributor' || | ||
| # github.event.pull_request.user.login == 'new-developer' || | ||
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | ||
|
|
||
| runs-on: ubuntu-latest |
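Review bot: the `claude-review` job has no job-level `if:`, so on `pull_request` runs that originate from a fork the step that reads `secrets.CLAUDE_CODE_OAUTH_TOKEN` executes with no secret available and fails; add `if: ${{ !github.event.pull_request.head.repo.fork }}` on the job so fork PRs are skipped rather than failing. The commented-out author filter directly below is dead configuration; if it is meant to be kept, fold it into that same `if:` expression instead of leaving a second, commented `if:` key in place.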
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/claude-code-review.yml
Repository: wangdiues/layguel360-v0
Length of output: 1808
Skip this job for forked PRs to avoid secret-missing failures.
This workflow uses secrets.CLAUDE_CODE_OAUTH_TOKEN on pull_request; fork-origin PR runs will not have that secret and will fail noisily.
🛡️ Suggested guard
jobs:
claude-review:
+ if: ${{ !github.event.pull_request.head.repo.fork }}
📝 Committable suggestion
| claude-review: | |
| # Optional: Filter by PR author | |
| # if: | | |
| # github.event.pull_request.user.login == 'external-contributor' || | |
| # github.event.pull_request.user.login == 'new-developer' || | |
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | |
| runs-on: ubuntu-latest | |
| claude-review: | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| # Optional: Filter by PR author | |
| # if: | | |
| # github.event.pull_request.user.login == 'external-contributor' || | |
| # github.event.pull_request.user.login == 'new-developer' || | |
| # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' | |
| runs-on: ubuntu-latest |
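Review bot: in the committed form, the new `if:` sits immediately above the commented-out `# if:` block; if that filter is ever uncommented the job carries two `if` keys, which a YAML mapping does not allow, so either delete the commented block or merge both conditions into the single expression (`!github.event.pull_request.head.repo.fork && ( ... )`). The fork guard itself is the right shape for a `pull_request`-triggered job that reads `secrets.CLAUDE_CODE_OAUTH_TOKEN`.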
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 14 - 21, The
claude-review job can fail on forked PRs because secrets.CLAUDE_CODE_OAUTH_TOKEN
aren’t available; update the claude-review job to skip runs for forked PRs by
adding a job-level conditional that ensures the PR’s head repo matches the base
repository (or that the PR is not from a fork) before using secrets. Modify the
claude-review job (refer to the claude-review job name and the use of
secrets.CLAUDE_CODE_OAUTH_TOKEN) to include an if condition that only runs when
github.event.pull_request.head.repo.full_name == github.repository (or an
equivalent check for non-fork PRs) so the job is skipped for forked pull
requests.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Run Claude Code Review | ||
| id: claude-review | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: |
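Review bot: both `uses:` lines in this hunk (`actions/checkout@v4` and `anthropics/claude-code-action@v1`) reference mutable tags; pin each to the full 40-character commit SHA of the release you tested, keep the tag in a trailing comment (`# v4`, `# v1`) so reviewers can see what it corresponds to, and confirm each SHA resolves in the action's upstream repository rather than a fork. The same change is needed in `.github/workflows/claude.yml`, which uses the same two actions.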
🧩 Analysis chain
🏁 Script executed:
# Check if the workflow files exist
fd -t f "claude.*\.yml" .github/workflows/
Repository: wangdiues/layguel360-v0
Length of output: 137
🏁 Script executed:
# Read the claude-code-review.yml file around lines 29-37
if [ -f .github/workflows/claude-code-review.yml ]; then
echo "=== claude-code-review.yml (lines 20-45) ==="
sed -n '20,45p' .github/workflows/claude-code-review.yml
fi
Repository: wangdiues/layguel360-v0
Length of output: 983
🏁 Script executed:
# Check all workflow files for these actions
if [ -f .github/workflows/claude.yml ]; then
echo "=== claude.yml (all) ==="
cat -n .github/workflows/claude.yml
fi
Repository: wangdiues/layguel360-v0
Length of output: 2328
🌐 Web query:
GitHub Actions best practices pin to commit SHA security
💡 Result:
Best practice: pin third-party GitHub Actions to a full-length (40-character) commit SHA in your workflow (e.g., actions/checkout@) rather than to tags like @v4, and use GitHub policies to enforce SHA pinning so unpinned actions fail.
Why pin to commit SHA
- GitHub's "secure use" guidance states that pinning an action to a full-length commit SHA is "currently the only way to use an action as an immutable release," and that it helps mitigate backdoor risk because an attacker would need to generate a SHA-1 collision for a valid Git object payload. It also instructs you to verify the SHA comes from the action's repository and not a fork.[1]
- GitHub also notes that tag pinning is convenient but less secure because a tag can be moved or deleted if a bad actor gains access to the action's repository.[1]
How to do it in practice
1) Replace tag references with full SHA in the workflow YAML. Example pattern: uses: actions/checkout@ [1]
2) Add a short comment next to the SHA showing which tag/version it corresponds to (this keeps reviews maintainable). (This is commonly recommended; GitHub's docs emphasize full SHA pinning and verification.) [2][1]
3) Verify the SHA is from the action's upstream repository, not a fork.[1]
Enforce it org/repo-wide (recommended)
- GitHub added an "allowed actions policy" feature to enforce SHA pinning: it recommends workflows pin dependency versions to a specific commit SHA to prevent malicious code in updated branches/tags from being used automatically, and administrators can enforce SHA pinning through an "allowed actions policy." The policy checks for a full commit SHA, and workflows that use an action that isn't pinned will fail.[3]
Net answer to your query
- "Pin to commit SHA" is the correct security best practice; use full-length commit SHAs (not shortened SHAs, not tags) and enforce SHA pinning with GitHub's allowed-actions policy.[1][3]
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://dev.to/ciberconscientes/github-actions-why-you-should-pin-your-actions-to-a-specific-version-1513
- 3: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
🌐 Web query:
actions/checkout v4 pinning commit SHA recommendations
💡 Result:
Recommendation (secure + actionable): pin actions/checkout v4 to an immutable full-length commit SHA (not a mutable tag like v4).
Example:
- uses: actions/checkout@<FULL_COMMIT_SHA> # v4.x.y (pin to the commit that implements the v4.x.y tag you tested)
Why:
1) Pinning to a full-length commit SHA is the only way to make a GitHub Action reference immutable, mitigating the risk that the tag could move to different code later [1].
2) Using tags like @v4 is mutable because a tag is effectively a pointer to a specific SHA that can change [1].
How to find the exact SHA for the v4 release you want:
- Go to the actions/checkout repo and open the tag you're targeting (e.g., the v4.x.y release tag), then copy the commit SHA the tag points to; the changelog/release pages show the specific v4.x.y release you can pin [2][3].
Notes specific to actions/checkout v4:
- By default it checks out only a single commit: the ref/SHA that triggered the workflow (set fetch-depth: 0 if you need full history) [4].
- The action outputs include the checked-out commit SHA (useful for auditing/pinning checks) [5].
What commit SHA should you pin to "right now"?
- This requires choosing a specific v4.x.y release (e.g., v4.2.0 vs another v4 patch), then pinning to the SHA that tag resolves to; the sources retrieved here confirm the correct method but don't provide the exact SHA value for a chosen v4.x.y in the query results. If you tell me which v4 patch you want (or whether "latest v4.x.y" is acceptable), I can look up the corresponding tag's commit SHA and give you the exact one-line YAML.
Citations:
- 1: https://stackoverflow.com/questions/78903499/how-do-i-pin-an-action-to-a-specific-sha
- 2: https://github.com/actions/checkout/releases/tag/v4.0.0
- 3: https://github.com/actions/checkout/releases/tag/v4.2.0
- 4: https://github.com/actions/checkout/blob/v4/README.md
- 5: https://github.com/actions/checkout/blob/v4/action.yml
🌐 Web query:
anthropic claude-code-action v1 pinning SHA support
💡 Result:
Yes, Anthropic's claude-code-action v1 supports pinning to a commit SHA for secure usage in GitHub workflows. Users commonly pin it like uses: anthropics/claude-code-action@a3ff61d47aa5118a43b33ae44c4087d9eb51111a # v1 to meet organization requirements for immutable references and prevent supply chain attacks [1][2]. This is a standard GitHub Actions best practice, and the repository has implemented internal pinning of its nested actions (e.g., PR #1293 to pin to commit SHAs [3], issue #15 resolved by pinning dependencies [4]). Official docs show usage with @v1 but do not prohibit or restrict SHA pinning, and community examples confirm it works [5][6][7]. Specific SHAs like 01e756b34ef7a1447e9508f674143b07d20c2631 have been used as workarounds for bugs [2]. The repo has 174 releases under v1.x (latest v1.0.110 as of 2026-04-29 [5]), allowing precise pinning to tested commits.
Citations:
- 1: [Bug] /install-github-app: GitHub Action Workflow Files Missing Dependency SHA Pinning (anthropics/claude-code#7437)
- 2: Claude Code Action failing with SDK crash (Feb 23, 2026) - pinned SHA workaround no longer works (anthropics/claude-code-action#965)
- 3: Pin GitHub Actions to commit SHAs anthropics/claude-code-action#1293
- 4: Pin nested actions anthropics/claude-code-action#15
- 5: https://github.com/anthropics/claude-code-action
- 6: https://code.claude.com/docs/en/github-actions
- 7: https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
Pin GitHub Actions to immutable commit SHAs.
Both actions/checkout@v4 and anthropics/claude-code-action@v1 use mutable tags. GitHub's security guidance states that pinning to full-length commit SHAs is the only way to use actions as immutable releases and mitigates supply-chain drift risk. Apply the same fix to .github/workflows/claude.yml.
🔒 Suggested hardening diff
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@<full-length-checkout-sha> # v4 release commit
with:
fetch-depth: 1
- name: Run Claude Code Review
id: claude-review
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@<full-length-claude-action-sha> # v1 release commit
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-review.yml around lines 29 - 37, Replace
mutable action tags with pinned full commit SHAs: find the uses lines "uses:
actions/checkout@v4" and "uses: anthropics/claude-code-action@v1" in the
workflow and substitute each tag with the corresponding full-length commit SHA
for the released commit you want to pin (do the same change in the other
workflow that uses these actions). Ensure you update both occurrences (checkout
and anthropics action) and verify the SHAs correspond to the exact release
commit you intend to lock to before committing.
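As an added example that is not part of this review or of the repository, here is a small Python checker covering both findings above (the missing fork guard and the mutable action tags): it lists every `uses:` reference that is not a full 40-character commit SHA and reports a `pull_request` workflow that reads `secrets.` without a fork guard. The sample workflow text is constructed to resemble the reviewed file, and the regex-based matching is an assumption-laden heuristic rather than a YAML parser.

```python
import re

# Constructed sample modelled on the reviewed claude-code-review.yml (not the
# repository's own file): pull_request trigger, a secret, mutable action tags,
# and no fork guard.
SAMPLE_WORKFLOW = """\
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Run Claude Code Review
        uses: anthropics/claude-code-action@v1
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")      # `uses: owner/repo@ref`
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # immutable pin
FORK_GUARD_RE = re.compile(                              # either guard form from the review
    r"if:.*(head\.repo\.fork|head\.repo\.full_name\s*==\s*github\.repository)"
)

def unpinned_actions(text):
    """Return (line_no, ref) for every `uses:` whose ref is not a full commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container refs have no tag to pin
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((no, ref))
    return findings

def needs_fork_guard(text):
    """True when a pull_request-triggered workflow reads secrets but has no fork guard."""
    on_pull_request = re.search(r"^\s*pull_request:", text, re.M) is not None
    uses_secrets = "secrets." in text
    guarded = FORK_GUARD_RE.search(text) is not None
    return on_pull_request and uses_secrets and not guarded
```

Run it over every file under `.github/workflows/` and treat a non-empty `unpinned_actions` result or a `True` from `needs_fork_guard` as a finding to fix before merge.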
🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code integration in our repository.
What is Claude Code?
Claude Code is an AI coding agent that can help with:
How it works
Once this PR is merged, we'll be able to interact with Claude by mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and surrounding context, and execute on the request in a GitHub action.
Important Notes
Security
There's more information in the Claude Code action repo.
After merging this PR, let's try mentioning @claude in a comment on any PR to get started!