
feat(ci): enable Claude experimental review mode #780

Closed
yamadashy wants to merge 2 commits into main from chore/claude-experimental-review

Conversation

@yamadashy yamadashy commented Aug 17, 2025

This PR enables Claude's experimental review mode in the GitHub Actions workflow to provide automated code reviews on pull requests.

Changes

  • Updated .github/workflows/claude-review.yml to use experimental review mode
  • Added trigger for @claude review comments on PRs
  • Enhanced permissions for pull request and issue comments
  • Updated Claude Code Action to latest version with experimental review support
  • Updated other GitHub Actions dependencies to latest secure versions via Ratchet

Features

  • Automatic code review on new PRs and synchronize events
  • Manual trigger via @claude review comments
  • Comprehensive code analysis focusing on quality, security, and best practices
  • GitHub suggestion format for proposed code changes

Checklist

  • Run npm run test
  • Run npm run lint

Copilot AI review requested due to automatic review settings August 17, 2025 05:02
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.


coderabbitai bot commented Aug 17, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Workflow updates primarily bump pinned action SHAs across multiple GitHub Actions files. The claude-review workflow is refactored: new triggers, job rename, conditional gating, expanded permissions, full-depth checkout, updated Claude action with mode-based inputs and custom instructions. No changes to scripts or core CI logic beyond action version updates.

Changes

  • actions/checkout pin bumps
    Files: .github/workflows/ci.yml, .github/workflows/claude-review.yml, .github/workflows/claude.yml, .github/workflows/codeql.yml, .github/workflows/docker.yml, .github/workflows/ratchet-verify.yml, .github/workflows/test-action.yml
    Summary: Update actions/checkout SHA to 08eba0b27e820071cde6df949e0beb9ba4906955; no logic changes.
  • Claude code action pin bumps
    Files: .github/workflows/claude.yml, .github/workflows/claude-review.yml
    Summary: Update anthropics/claude-code-action to 78b07473f50218c6494719ef164ed1ebd31da25c; inputs adjusted in claude-review (see refactor cohort).
  • Claude review workflow refactor
    Files: .github/workflows/claude-review.yml
    Summary: Triggers add synchronize and issue_comment:created; job renamed auto-review→code-review; conditional run on PR or "@claude review" comments; permissions add pull-requests: write and issues: write; checkout fetch-depth 0; replace direct_prompt with mode: experimental-review, add timeout_minutes and custom_instructions.
  • CodeQL action pin bumps
    Files: .github/workflows/codeql.yml
    Summary: Update github/codeql-action init/analyze SHAs to df559355d593797519d70b90fc8edd5db049e7a2; no input changes.
  • CI auxiliary action bumps
    Files: .github/workflows/ci.yml
    Summary: Update crate-ci/typos to a67079b4ae32e18c3f53d75368c52ce53b5fb56b; update stefanzweifel/git-auto-commit-action to 3ea6ae190baf489ba007f7c92608f33ce20ef04a.
  • Homebrew actions pin bumps
    Files: .github/workflows/homebrew.yml
    Summary: Update dawidd6/action-setup-homebrew, Homebrew/actions/git-user-config, Homebrew/actions/bump-packages to 87d3af7a72e5ede081b6dafce1798551a74fb366; other settings unchanged.
  • Repomix workflow pins
    Files: .github/workflows/pack-repository.yml
    Summary: Update actions/checkout and Repomix action SHAs; step structure and inputs unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Events
  participant WF as claude-review workflow
  participant JR as code-review job
  participant CO as actions/checkout (fetch-depth: 0)
  participant CC as claude-code-action

  GH->>WF: pull_request (opened/synchronize)
  GH->>WF: issue_comment (created)
  WF->>JR: Evaluate if: PR event OR comment contains "@claude review"
  alt condition true
    JR->>CO: Checkout repository (full history)
    JR->>CC: Run mode=experimental-review with custom_instructions
  else condition false
    WF-->>GH: No-op
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Copilot AI left a comment

Pull Request Overview

This PR updates GitHub Actions dependencies across all workflow files to their latest secure versions, managed automatically by Ratchet for improved supply chain security.

  • Updates actions/checkout to latest commit hash across all workflows
  • Updates CodeQL actions, Homebrew actions, and various third-party actions to latest versions
  • Enhances the Claude review workflow with additional trigger conditions and improved configuration

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/test-action.yml: Updates actions/checkout to latest commit hash
  • .github/workflows/ratchet-verify.yml: Updates actions/checkout to latest commit hash
  • .github/workflows/pack-repository.yml: Updates actions/checkout and repomix action to latest commit hashes
  • .github/workflows/homebrew.yml: Updates all Homebrew actions to latest commit hashes
  • .github/workflows/docker.yml: Updates actions/checkout to latest commit hash
  • .github/workflows/codeql.yml: Updates actions/checkout and CodeQL actions to latest commit hashes
  • .github/workflows/claude.yml: Updates actions/checkout and Claude code action to latest commit hashes
  • .github/workflows/claude-review.yml: Updates actions/checkout and Claude action, plus workflow enhancements
  • .github/workflows/ci.yml: Updates actions/checkout, crate-ci/typos, and git-auto-commit-action to latest commit hashes


cloudflare-workers-and-pages bot commented Aug 17, 2025

Deploying repomix with Cloudflare Pages

Latest commit: 33d44a1
Status: ✅  Deploy successful!
Preview URL: https://33c4f8c4.repomix.pages.dev
Branch Preview URL: https://chore-claude-experimental-re.repomix.pages.dev


timeout-minutes: 10
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v4
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
Contributor comment:

Security Best Practice: Excellent use of commit hash pinning for actions/checkout. This protects against tag manipulation attacks while the Ratchet comment maintains human readability by showing this maps to @v4.

- name: Auto review PR
uses: anthropics/claude-code-action@4f4f43f0444d2d14cf449afc644f13facd71ebc4 # ratchet:anthropics/claude-code-action@main
- name: Code Review with Claude
uses: anthropics/claude-code-action@78b07473f50218c6494719ef164ed1ebd31da25c # ratchet:anthropics/claude-code-action@main
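
Review bot: the Ratchet annotation on both the old and new line tracks anthropics/claude-code-action@main, a moving branch rather than a release tag, so every Ratchet run will propose a fresh SHA whenever main changes and each bump carries whatever landed on main in between. The SHA pin itself is sound (both values are full 40-character commits); pointing the annotation at a released tag instead, if the action publishes one, keeps that guarantee while making each update a reviewable, release-sized step.
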
Contributor comment:

🔄 Updated Claude Integration: Good update to the latest anthropics/claude-code-action commit. This ensures you're getting the latest features and security improvements for the experimental review mode.

Note: The experimental review mode configuration looks solid with appropriate permissions and custom instructions focused on code quality, security, and best practices.

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # ratchet:github/codeql-action/init@v3
uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # ratchet:github/codeql-action/init@v3
Contributor comment:

🛡️ Security Scanning Updates: CodeQL actions properly updated to latest commit hashes, ensuring you're using the most current security scanning capabilities with enhanced rule sets and language detection.

Comment on lines +13 to +21
uses: Homebrew/actions/setup-homebrew@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/setup-homebrew@master
with:
test-bot: false

- name: Configure Git user
uses: Homebrew/actions/git-user-config@b3fb6f7cb1475434d4285b90020c2aa51f1e0b12 # ratchet:Homebrew/actions/git-user-config@master
uses: Homebrew/actions/git-user-config@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/git-user-config@master

- name: Bump packages
uses: Homebrew/actions/bump-packages@b3fb6f7cb1475434d4285b90020c2aa51f1e0b12 # ratchet:Homebrew/actions/bump-packages@master
uses: Homebrew/actions/bump-packages@87d3af7a72e5ede081b6dafce1798551a74fb366 # ratchet:Homebrew/actions/bump-packages@master
Contributor comment:

📦 Homebrew Actions Synchronized: All three Homebrew actions updated to the same commit hash 87d3af7a... ensuring consistency across:

  • setup-homebrew
  • git-user-config
  • bump-packages

This synchronization is excellent for maintaining compatibility and avoiding version mismatches in the Homebrew release pipeline.

@yamadashy changed the title from "ci: update GitHub Actions dependencies via Ratchet" to "feat(ci): enable Claude experimental review mode" on Aug 17, 2025
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v4
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5
Contributor comment:

🔧 Self-Verifying Security: Great to see the Ratchet verification workflow itself getting updated! This creates a self-reinforcing security loop where:

  1. Ratchet updates dependencies
  2. This workflow verifies all pinned SHAs are legitimate
  3. The workflow itself uses pinned, verified actions

This is a perfect example of "eating your own dog food" for security practices.
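The pin check the Ratchet verification workflow performs, as an added example that is neither Ratchet's nor the project's own code: it scans workflow text for `uses:` references and reports any that are not pinned to a full commit SHA, lack a matching `# ratchet:` annotation, or whose annotation tracks a moving branch. The sample workflow is constructed; the first three SHAs are the ones this PR pins and the `0123...4567` value is a placeholder.

```python
"""Checker for the property the Ratchet verification workflow enforces: every
`uses:` in a workflow is pinned to a full commit SHA and carries a matching
`# ratchet:` annotation. Added example, not Ratchet's or the project's code."""
import re
from dataclasses import dataclass

# owner/repo[/path]@ref, optionally followed by `# ratchet:owner/repo[/path]@tag`.
# Local (./path) and docker:// references have no `@ref` in this form and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*ratchet:(?P<ratchet>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    severity: str  # "error" fails the pin check, "warn" is advisory
    problem: str


def check_workflow(text: str) -> list[Finding]:
    """Return a Finding for each `uses:` line that is not SHA-pinned, lacks a
    Ratchet annotation, or whose annotation tracks a moving branch."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, ratchet = m.group("action"), m.group("ref"), m.group("ratchet")
        if not SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref, "error",
                                    "not pinned to a full 40-hex commit SHA"))
        elif ratchet is None:
            findings.append(Finding(line_no, action, ref, "error",
                                    "missing `# ratchet:` annotation"))
        else:
            r_action, _, r_tag = ratchet.partition("@")
            if r_action != action or not r_tag:
                findings.append(Finding(line_no, action, ref, "error",
                                        f"annotation {ratchet} does not match {action}"))
            elif r_tag in ("main", "master"):
                findings.append(Finding(line_no, action, ref, "warn",
                                        f"annotation tracks moving branch @{r_tag}"))
    return findings


# Constructed sample workflow: the first three SHAs are the ones this PR pins;
# the 0123...4567 value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # ratchet:github/codeql-action/init@v3
      - uses: anthropics/claude-code-action@78b07473f50218c6494719ef164ed1ebd31da25c # ratchet:anthropics/claude-code-action@main
      - uses: some-org/unpinned-action@v2
      - uses: some-org/no-annotation@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: [{f.severity}] {f.action}@{f.ref}: {f.problem}")
```

Run against the sample it reports the `@main` annotation as a warning and the tag-pinned and unannotated steps as errors; a CI gate would fail on any "error" finding.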

- Enable experimental review mode in claude-review.yml
- Add trigger for @claude review comments on PRs
- Add synchronize event trigger for updated PRs
- Enhance permissions for pull request and issue comments
- Improve review focus on code quality, security, and best practices
- Use GitHub suggestion format for proposed code changes

Update pinned action versions across workflow files:
- actions/checkout to 08eba0b27e820071cde6df949e0beb9ba4906955
- github/codeql-action to df559355d593797519d70b90fc8edd5db049e7a2
- anthropics/claude-code-action to 78b07473f50218c6494719ef164ed1ebd31da25c
- stefanzweifel/git-auto-commit-action to 3ea6ae190baf489ba007f7c92608f33ce20ef04a
- crate-ci/typos to a67079b4ae32e18c3f53d75368c52ce53b5fb56b
- Various Homebrew and other actions to latest commits

These updates improve security with latest verified action versions.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/claude-review.yml (2)

20-21: Permissions expanded appropriately; consider least-privilege tightening

pull-requests: write and issues: write are justified here. If OIDC isn’t used in this job, you can drop id-token: write to reduce scope.

     permissions:
       contents: read
-      pull-requests: write
-      issues: write
-      id-token: write
+      pull-requests: write
+      issues: write
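
Review bot: dropping id-token: write is the right direction, but check the pinned claude-code-action before applying it: if that action obtains its GitHub credential through an OIDC token exchange, the job will fail at startup with a permissions error rather than degrade gracefully. Either way, these permissions: scopes bind only the job's GITHUB_TOKEN; a personal access token passed in through a secret would not be narrowed by them.
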

12-16: Optional hardening: restrict who can trigger via comments

To avoid abuse from drive-by commenters on public repos, you can additionally require the commenter to be a member/collaborator/owner when using issue_comment.

Apply this diff to the job condition:

     if: |
       github.event_name == 'pull_request' ||
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
-       contains(github.event.comment.body, '@claude review'))
+       contains(github.event.comment.body, '@claude review') &&
+       (
+         github.event.comment.author_association == 'MEMBER' ||
+         github.event.comment.author_association == 'OWNER' ||
+         github.event.comment.author_association == 'COLLABORATOR'
+       ))
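
Review bot: the added author_association allowlist (MEMBER, OWNER, COLLABORATOR) has the right shape; note that it deliberately excludes CONTRIBUTOR, so outside contributors keep the automatic review on pull_request events but cannot re-trigger it by comment, which is the intended tradeoff. The unchanged `github.event.issue.pull_request &&` guard above the change is still needed because issue_comment also fires for comments on plain issues.
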
📥 Commits

Reviewing files that changed from the base of the PR and between 5cd37d6 and f318670.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml (15 hunks)
  • .github/workflows/claude-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)
  • .github/workflows/codeql.yml (2 hunks)
  • .github/workflows/docker.yml (1 hunks)
  • .github/workflows/homebrew.yml (1 hunks)
  • .github/workflows/pack-repository.yml (1 hunks)
  • .github/workflows/ratchet-verify.yml (1 hunks)
  • .github/workflows/test-action.yml (1 hunks)
🔇 Additional comments (15)
.github/workflows/pack-repository.yml (1)

15-15: Good pinning of external actions to immutable SHAs.

actions/checkout and the Repomix composite action are both pinned to specific commits with ratchet annotations. This is aligned with supply-chain best practices.

Also applies to: 18-18

.github/workflows/docker.yml (1)

30-30: Checkout action updated and pinned — looks good.

Pinned to a newer SHA with ratchet annotation; no behavior change expected in this step.

.github/workflows/ratchet-verify.yml (1)

9-9: Checkout SHA bump aligns with Ratchet’s expectations.

Pinned update with ratchet comment; the subsequent lint step should validate all workflow pins as intended.

.github/workflows/claude.yml (2)

28-28: Action SHAs updated and pinned — minimal risk.

Both actions are pinned to specific commits with ratchet annotations. No other logic changes in the job.

Also applies to: 34-34


34-37: No action required: input compatibility confirmed

I’ve checked the pinned action.yml at 78b0747… and the only required input remains anthropic_api_key (all others have defaults, including the new mode: tag). Passing just your existing key will work exactly as before—no updates needed.

.github/workflows/homebrew.yml (1)

13-13: Homebrew actions updated and pinned — looks solid.

All three Homebrew steps now reference the same newer commit with ratchet annotations. No config changes needed.

Also applies to: 18-18, 21-21

.github/workflows/test-action.yml (1)

24-24: Checkout pin bump looks good

Pinned to the latest v4 SHA via Ratchet. No other logic changes introduced.

.github/workflows/codeql.yml (2)

29-29: Checkout action pin updated correctly

Updated to the latest v4 commit and still ratcheted. No issues.


33-33: CodeQL actions updated to a consistent, newer SHA

Both init and analyze now point to the same newer commit (v3). This consistency is good practice. If you rely on query packs or custom config, consider a quick smoke run to ensure there are no breaking rule changes.

Also applies to: 49-49

.github/workflows/ci.yml (3)

16-16: All checkout pins refreshed consistently

Every job now uses the latest pinned v4 SHA. Consistent and supply-chain safe.

Also applies to: 29-29, 42-42, 55-55, 72-72, 89-89, 105-105, 114-114, 125-125, 144-144, 158-158, 183-183, 203-203, 230-230, 253-253


115-115: Typos action updated to a newer commit

Looks good. If you’ve customized typos config, keep an eye on any new default dictionary changes in the new commit.


260-260: git-auto-commit-action pin updated

Update is straightforward. Optional: skim the action’s changelog to confirm no behavior changes around authoring/committing flags that matter to this job.

.github/workflows/claude-review.yml (3)

5-7: Ensure correct PR ref when triggered via issue_comment

Nice gating so it only runs on PR events or when someone comments “@claude review”. When triggered by issue_comment, checkout will default to the repository’s default branch ref. If the action depends on the checked-out code (rather than only GitHub API diffs), it may analyze the wrong ref for comment-triggered runs. Verify the anthropics action behavior on issue_comment; if needed, adjust checkout to the PR’s head/merge ref for that path.

Also applies to: 12-17


25-28: Full history checkout is appropriate for review context

fetch-depth: 0 is useful for better diff analysis. Approved.


30-36: Claude action integration updated; validate new inputs on this SHA

Migration to mode: experimental-review with timeout and custom_instructions looks correct for the pinned commit. Please verify this SHA documents these inputs to avoid runtime failures. If the action posts comments, confirm it won’t re-trigger itself (you already gate on the “@claude review” phrase, which should mitigate).

@yamadashy force-pushed the chore/claude-experimental-review branch from f318670 to 33d44a1 on August 17, 2025 05:08
mode: experimental-review
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
allowed_tools: "mcp__github__create_pending_pull_request_review,mcp__github__add_pull_request_review_comment_to_pending_review,mcp__github__submit_pending_pull_request_review,mcp__github__get_pull_request_diff"
# github_token not needed - uses default GITHUB_TOKEN for GitHub operations
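
Review bot: the allowed_tools list is a good least-privilege choice: it limits the action to creating, populating and submitting a pending pull-request review plus reading the diff, with no general-purpose write tools. The comment on the last line holds only while the job relies on the workflow's permissions: block to scope the default GITHUB_TOKEN; if a github_token: input is later wired to a PAT, those scopes no longer apply, so leave the input unset unless a documented need appears.
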
Contributor comment:

The comment on line 34 states "github_token not needed" but this may not be accurate for the experimental-review mode. The anthropics/claude-code-action action typically requires explicit GitHub token configuration to perform operations like creating review comments and suggestions on PRs.

Consider explicitly providing the token for clarity and to ensure proper functionality:

Suggested change
# github_token not needed - uses default GITHUB_TOKEN for GitHub operations
github_token: ${{ secrets.GITHUB_TOKEN }}

Comment on lines +12 to +16
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(github.event.comment.body, '@claude review'))
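
Review bot: as written this gate lets any account that can comment start the job, and the issue_comment path runs in the base repository with the write permissions declared for the job, unlike pull_request events from forks, where GITHUB_TOKEN is read-only by default. Restrict the comment path to trusted author_association values (as the other review suggestions on this PR propose) so that a comment from an untrusted account cannot start a run holding pull-requests: write and issues: write.
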
Contributor comment:

Security Consideration: The current condition allows any user to trigger the Claude review by commenting "@claude review". For public repositories, consider restricting this to repository collaborators to prevent potential abuse or spam:

Suggested change
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(github.event.comment.body, '@claude review'))
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(github.event.comment.body, '@claude review') &&
(github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'COLLABORATOR'))

This ensures only trusted users can trigger manual reviews.

Comment on lines 24 to +27
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v4
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
with:
fetch-depth: 1
fetch-depth: 0 # Full history for better diff analysis
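
Review bot: the step still has no ref: input, so on the new issue_comment trigger it checks out the default branch rather than the PR head, and fetch-depth: 0 then only yields full history of the wrong ref. The issue_comment payload exposes the PR only as github.event.issue.pull_request (a URL) and github.event.issue.number, so the head SHA has to be resolved through the pulls API in a preceding step and passed to ref:; a github.event.pull_request.head.sha expression evaluates to empty on this event.
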
Contributor comment:

Potential Issue with issue_comment Trigger: When triggered by issue_comment, the checkout action defaults to the repository's default branch, not the PR branch. This means Claude might analyze the wrong code version when manually triggered via comments.

Consider checking out the PR's head ref for comment triggers:

Suggested change
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v4
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
with:
fetch-depth: 1
fetch-depth: 0 # Full history for better diff analysis
- name: Checkout repository
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
with:
fetch-depth: 0 # Full history for better diff analysis
ref: ${{ github.event_name == 'issue_comment' && github.event.pull_request.head.sha || github.sha }}

This ensures the correct code is analyzed regardless of trigger method.
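The trigger gate and checkout-ref questions raised in the two review comments above, modelled in Python as an added example (not the project's workflow or GitHub's code): the job's `if:` condition as submitted is placed beside the author_association-restricted version, and `review_ref` shows why comment-triggered runs need a PR lookup for the ref. The event dictionaries are constructed; their shapes follow the GitHub webhook payloads (an issue_comment payload carries `issue.pull_request`, not a top-level `pull_request`), and the SHAs are placeholders.

```python
"""Model of the claude-review job's comment gate and checkout ref. Added
example; the event payloads below are constructed, with placeholder SHAs."""
from typing import Callable

TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}
TRIGGER_PHRASE = "@claude review"


def should_run(event_name: str, event: dict, restrict_commenters: bool) -> bool:
    """Python equivalent of the job's `if:` expression. With restrict_commenters
    False it mirrors the PR as submitted; True adds the association allowlist."""
    if event_name == "pull_request":
        return True
    if event_name != "issue_comment":
        return False
    issue, comment = event.get("issue", {}), event.get("comment", {})
    if not issue.get("pull_request"):          # issue_comment also fires on plain issues
        return False
    if TRIGGER_PHRASE not in comment.get("body", ""):
        return False
    return (not restrict_commenters) or comment.get("author_association") in TRUSTED


def review_ref(event_name: str, event: dict, default_branch_sha: str,
               pr_head_sha: Callable[[int], str]) -> str:
    """Commit the review should check out. pull_request payloads carry the head
    SHA; issue_comment payloads carry only issue.number and issue.pull_request
    (a URL), so the head must be resolved through a lookup (the pulls API)."""
    if event_name == "pull_request":
        return event["pull_request"]["head"]["sha"]
    if event_name == "issue_comment" and event["issue"].get("pull_request"):
        return pr_head_sha(event["issue"]["number"])
    return default_branch_sha  # what a bare checkout yields: the default branch


# Constructed sample events; shapes follow the GitHub webhook payloads,
# SHAs and the repository URL are placeholders.
PR_HEAD = "a" * 40
DEFAULT_SHA = "b" * 40
PR_URL = "https://api.github.com/repos/example/repo/pulls/780"
PR_EVENT = {"pull_request": {"number": 780, "head": {"sha": PR_HEAD}}}
OWNER_COMMENT = {"issue": {"number": 780, "pull_request": {"url": PR_URL}},
                 "comment": {"body": "@claude review please", "author_association": "OWNER"}}
DRIVE_BY_COMMENT = {"issue": {"number": 780, "pull_request": {"url": PR_URL}},
                    "comment": {"body": "@claude review", "author_association": "NONE"}}
PLAIN_ISSUE_COMMENT = {"issue": {"number": 12},  # no pull_request key: a plain issue
                       "comment": {"body": "@claude review", "author_association": "OWNER"}}
```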

timeout-minutes: 10
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v4
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4
Contributor comment:

Excellent Security Practice: Great use of commit hash pinning for actions/checkout. This protects against tag manipulation attacks while the Ratchet comment maintains human readability by showing this maps to @v4.

The consistent application of this pattern across all workflow files demonstrates strong supply chain security practices.

@yamadashy yamadashy closed this Aug 17, 2025