From 2c304cd7d3af6c7a82fdfc8c7a21356143a7e04e Mon Sep 17 00:00:00 2001
From: Looking Glass Factory <64664251+TheLookingGlassFactory@users.noreply.github.com>
Date: Tue, 23 Jun 2026 22:10:17 -0400
Subject: [PATCH 1/2] Add Claude PR review workflow
---
 .github/workflows/claude-review.yml | 44 +++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/claude-review.yml
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
new file mode 100644
index 0000000..f93f16e
--- /dev/null
+++ b/.github/workflows/claude-review.yml
@@ -0,0 +1,44 @@
+name: Claude PR Review
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ pull_request_review:
+ types: [submitted]
+
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ actions: read
+ id-token: write
+
+jobs:
+ claude-review:
+ if: >-
+ github.event_name == 'pull_request' ||
+ (
+ github.event_name == 'issue_comment' &&
+ github.event.issue.pull_request &&
+ contains(github.event.comment.body || '', '@claude')
+ ) ||
+ (
+ github.event_name == 'pull_request_review_comment' &&
+ contains(github.event.comment.body || '', '@claude')
+ ) ||
+ (
+ github.event_name == 'pull_request_review' &&
+ contains(github.event.review.body || '', '@claude')
+ )
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ actions: read
+ id-token: write
+ uses: Looking-Glass/ai-ops/.github/workflows/claude-pr-review.yml@main
+ secrets: inherit
From b05e62a18625c59a23fcd0aaaec2b625e7e9d476 Mon Sep 17 00:00:00 2001
From: Looking Glass Factory <64664251+TheLookingGlassFactory@users.noreply.github.com>
Date: Tue, 23 Jun 2026 22:59:09 -0400
Subject: [PATCH 2/2] Harden Claude PR review workflow
---
 .github/workflows/claude-review.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
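Review bot: The workflow-level `permissions` block grants `pull-requests: write`, `issues: write` and `id-token: write` to every job in this file, while the `claude-review` job re-declares exactly the same set, and for a `uses:` job it is the job-level block that determines what the reusable workflow receives, so the top-level grant adds nothing today and would silently hand those write scopes to any job added later. Reduce the top-level block to the minimum, e.g. `permissions:` / `  contents: read`, or drop it and rely on the job-level block alone. Whether `claude-pr-review.yml` actually consumes `id-token: write` (OIDC) cannot be confirmed from here; if it only needs the OAuth token secret, that scope should be removed from the job as well. The second patch in this series already pins the reusable workflow and narrows `secrets:`, so those are not raised here.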
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index f93f16e..ecbca42 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -20,18 +20,25 @@ permissions:
 jobs:
 claude-review:
 if: >-
- github.event_name == 'pull_request' ||
+ (
+ github.event_name == 'pull_request' &&
+ github.event.pull_request.head.repo.full_name == github.repository &&
+ github.actor != 'dependabot[bot]'
+ ) ||
 (
 github.event_name == 'issue_comment' &&
 github.event.issue.pull_request &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
 contains(github.event.comment.body || '', '@claude')
 ) ||
 (
 github.event_name == 'pull_request_review_comment' &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
 contains(github.event.comment.body || '', '@claude')
 ) ||
 (
 github.event_name == 'pull_request_review' &&
+ contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) &&
 contains(github.event.review.body || '', '@claude')
 )
 permissions:
@@ -40,5 +47,6 @@ jobs:
 issues: write
 actions: read
 id-token: write
- uses: Looking-Glass/ai-ops/.github/workflows/claude-pr-review.yml@main
- secrets: inherit
+ uses: Looking-Glass/ai-ops/.github/workflows/claude-pr-review.yml@c76384eabc355c2ea81be0de520b03579a7241a2
+ secrets:
+ CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
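Review bot: The new `head.repo.full_name == github.repository` fork exclusion is applied only to the `pull_request` arm of the `if:`; the three comment/review arms now gate on `author_association` but not on where the PR head lives, so a maintainer's `@claude` on a fork PR still dispatches the reusable workflow with `pull-requests: write`, `id-token: write` and `CLAUDE_CODE_OAUTH_TOKEN` against fork-controlled title, body and, presumably, code if the called workflow checks out the PR head. The `issue_comment`, `pull_request_review_comment` and `pull_request_review` payloads carry no head-repo field, so this cannot be closed inside the expression alone: either confirm that `claude-pr-review.yml` itself refuses fork heads, or add a small gate job that reads `head.repo.full_name` for the PR number via the API and make `claude-review` depend on it with `needs:`. At minimum record the assumption next to the `issue_comment` arm: `# NOTE: the fork check covers only the pull_request path; comment-triggered runs rely on claude-pr-review.yml to refuse fork heads`. The `claude-review` job this hunk edits continues past the hunk (its `permissions`, `uses` and `secrets` keys).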
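Review bot: The new `uses:` pin is a bare 40-character SHA with no trailing comment, so nothing in the file says which tag or revision of `claude-pr-review.yml` it corresponds to; that makes staleness invisible at review time and drops the `# <ref>` convention Dependabot and Renovate rely on to keep SHA pins current. Append the human-readable ref on the same line, e.g. `uses: Looking-Glass/ai-ops/.github/workflows/claude-pr-review.yml@c76384eabc355c2ea81be0de520b03579a7241a2 # <tag or date of that revision>`. Replacing `secrets: inherit` with the single explicit `CLAUDE_CODE_OAUTH_TOKEN` is the right call and needs no further change. The `claude-review` job this hunk edits starts above the hunk.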