ci: privilege-separate Claude review workflow

daandemeyer · daandemeyer · commit f660aa63d52d · 2026-03-06T20:47:40.000+01:00
Split the workflow into two jobs for least-privilege:

1. 'review' job — runs Claude with read-only permissions (contents: read,
   id-token: write for AWS OIDC, actions: read). Claude produces a structured
   JSON review via --json-schema. Its tools are restricted to read-only
   operations (no Write, Edit, or MCP comment tools).

2. 'post' job — only has pull-requests: write. Reads the structured JSON
   output from the review job and posts it as a single PR review using
   Octokit via actions/github-script. Deduplicates against existing inline
   comments before posting.

Also fix:
- Missing closing parenthesis in the if condition
- issue_comment events not resolving PR number (github.event.pull_request
  is unavailable, fall back to github.event.issue.number)
- Concurrency group using the same fallback
- Drop tracking comment support

Co-developed-by: Claude &lt;claude@anthropic.com&gt;
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
@@ -1,6 +1,10 @@
 # Integrates Claude Code as an AI assistant for reviewing pull requests.
-# Mention @claude in any PR review to request a review. Claude authenticates
+# Mention @claude in any PR comment to request a review. Claude authenticates
 # via AWS Bedrock using OIDC — no long-lived API keys required.
+#
+# Architecture: The workflow is split into two jobs for least-privilege:
+#   1. "review" — runs Claude with read-only permissions, produces structured JSON
+#   2. "post"   — reads the JSON and posts comments to the PR with write permissions
 
 name: Claude Review
 
@@ -13,11 +17,13 @@ on:
     types: [created]
   pull_request_review:
     types: [submitted]
+
 concurrency:
-    group: claude-review-${{ github.event.pull_request.number || github.event.issue.number }}
-    cancel-in-progress: true
+  group: claude-review-${{ github.event.pull_request.number || github.event.issue.number }}
+  cancel-in-progress: true
+
 jobs:
-  claude-review:
+  review:
     runs-on: ubuntu-latest
     env:
       PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
@@ -35,10 +41,14 @@ jobs:
         contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.review.author_association)))
 
     permissions:
-      contents: read       # Read repository contents
-      pull-requests: write # Post comments and reviews on PRs
+      contents: read
       id-token: write      # Authenticate with AWS via OIDC
-      actions: read        # Access workflow run metadata
+      actions: read
+
+    outputs:
+      structured_output: ${{ steps.claude.outputs.structured_output }}
+      pr_number: ${{ steps.pr.outputs.number }}
+      head_sha: ${{ steps.pr.outputs.head_sha }}
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -60,28 +70,72 @@ jobs:
           aws-region: us-east-1
 
       - name: Run Claude Code
+        id: claude
         uses: anthropics/claude-code-action@1fc90f3ed982521116d8ff6d85b948c9b12cae3e
+        env:
+          REVIEW_SCHEMA: >-
+            {
+              "type": "object",
+              "required": ["comments", "summary"],
+              "properties": {
+                "summary": {
+                  "type": "string",
+                  "description": "A markdown summary of the review to post as a top-level tracking comment"
+                },
+                "comments": {
+                  "type": "array",
+                  "items": {
+                    "type": "object",
+                    "required": ["file", "line", "severity", "body"],
+                    "properties": {
+                      "file": {
+                        "type": "string",
+                        "description": "Path to the file relative to the repo root"
+                      },
+                      "line": {
+                        "type": "integer",
+                        "description": "Line number in the diff (new file side) to attach the comment to"
+                      },
+                      "severity": {
+                        "type": "string",
+                        "enum": ["must-fix", "suggestion", "nit"]
+                      },
+                      "body": {
+                        "type": "string",
+                        "description": "The review comment body in markdown"
+                      }
+                    }
+                  }
+                }
+              }
+            }
         with:
           use_bedrock: "true"
+          # We still have to pass GITHUB_TOKEN here because claude-code-action
+          # requires it, but we restrict Claude's tools to read-only operations
+          # so it cannot post comments or modify the PR.
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          # This requires "tag mode", which is currently bugged:
-          # https://github.com/anthropics/claude-code-action/issues/939
           track_progress: false
+          show_full_output: true
           claude_args: |
             --model us.anthropic.claude-opus-4-6-v1
             --max-turns 100
             --allowedTools "
-                Read,Write,Edit,MultiEdit,LS,Grep,Glob,Task,
-                Bash(cat:*),Bash(test:*),Bash(printf:*),Bash(jq:*),Bash(head:*),Bash(git:*),Bash(gh:*),
-                mcp__github_inline_comment__create_inline_comment,
+                Read,LS,Grep,Glob,Task,
+                Bash(cat:*),Bash(test:*),Bash(printf:*),Bash(jq:*),Bash(head:*),Bash(tail:*),
+                Bash(git:*),Bash(gh:*),Bash(grep:*),Bash(find:*),Bash(ls:*),Bash(wc:*),
+                Bash(diff:*),Bash(sed:*),Bash(awk:*),Bash(sort:*),Bash(uniq:*),
                 "
+            --json-schema '${{ env.REVIEW_SCHEMA }}'
           prompt: |
               REPO: ${{ github.repository }}
               PR NUMBER: ${{ steps.pr.outputs.number }}
               HEAD SHA: ${{ steps.pr.outputs.head_sha }}
 
-              Review this pull request.
-              You are in the upstream repo without the patch applied. Do not apply it.
+              You are a code reviewer for the systemd project. Review this pull request and
+              produce a structured JSON result containing your review comments. Do NOT attempt
+              to post comments yourself — just return the JSON. You are in the upstream repo
+              without the patch applied. Do not apply it.
 
               ## Phase 1: Gather context
 
@@ -92,81 +146,183 @@ jobs:
               - `gh api --paginate repos/${{ github.repository }}/pulls/${{ steps.pr.outputs.number }}/comments`
               - `gh api --paginate repos/${{ github.repository }}/pulls/${{ steps.pr.outputs.number }}/reviews`
 
+              Also look for an existing tracking comment (containing `<!-- claude-pr-review -->`)
+              in the top-level issue comments. If one exists, you will use it as the basis for
+              your `summary` in Phase 3.
+
               ## Phase 2: Parallel review subagents
 
               Review:
               - Code quality, style, and best practices
               - Potential bugs, issues, incorrect logic
               - Security implications
-              - CLAUDE.md - compliance
+              - CLAUDE.md compliance
 
               For every category, launch subagents to review them in parallel. Group related sections
               as needed — use 2-4 subagents based on PR size and scope.
 
               Give each subagent the PR title, description, full patch, and the list of changed files.
 
               Each subagent must return a JSON array of issues:
-              `[{"file": "path", "line": <number or null>, "severity": "must-fix|suggestion|nit", "title": "...", "body": "..."}]`
+              `[{"file": "path", "line": <number>, "severity": "must-fix|suggestion|nit", "body": "..."}]`
 
-              Subagents must ONLY return the JSON array — they must NOT post comments,
-              call `gh`, or use `mcp__github_inline_comment__create_inline_comment`.
-              All posting happens in Phase 3.
+              `line` must be a line number from the NEW side of the diff (i.e. where the comment
+              should appear in the changed file after the patch is applied).
 
               Each subagent MUST verify its findings before returning them:
               - For style/convention claims, check at least 3 existing examples in the codebase to confirm
                 the pattern actually exists before flagging a violation.
               - For "use X instead of Y" suggestions, confirm X actually exists and works for this case.
               - If unsure, don't include the issue.
 
-              ## Phase 3: Collect and post
+              ## Phase 3: Collect, deduplicate, and summarize
 
               After ALL subagents complete:
               1. Collect all issues. Merge duplicates (same file, lines within 3 of each other, same problem).
               2. Drop low-confidence findings.
-              3. For CLAUDE.md violations that appear in 3+ existing places in the codebase, do NOT post inline comments.
-                  Instead, add them to the 'CLAUDE.md improvements' section of the tracking comment
-              4. Check existing inline review comments (fetched in Phase 1). Do NOT post an inline comment if
-                  one already exists on the same file+line about the same problem.
-              5. Check for author replies that dismiss or reject a previous comment. Do NOT re-raise an issue
-                  the PR author has already responded to disagreeing with.
-              6. Post new inline comments with `mcp__github_inline_comment__create_inline_comment`.
-
-              Prefix ALL comments with "Claude: ".
-              Link format: https://github.com/${{ github.repository }}/blob/${{ steps.pr.outputs.head_sha }}/README.md#L10-L15
-
-              Then maintain a single top-level "tracking comment" listing ALL issues as checkboxes.
-              Use a hidden HTML marker to find it: `<!-- claude-pr-review -->`.
-              Look through the top-level comments fetched in Phase 1 for one containing that marker.
-
-              **If no tracking comment exists (first run):**
-              Create one with `gh pr comment ${{ steps.pr.outputs.number }} --body "..."` using this format:
-              ```
-              Claude: review of <REPO> #<PR NUMBER> (<HEAD SHA>)
-
-              <!-- claude-pr-review -->
-
-              ### Must fix
-              - [ ] **title** — `file:line` — short explanation
-
-              ### Suggestions
-              - [ ] **title** — `file:line` — short explanation
-
-              ### Nits
-              - [ ] **title** — `file:line` — short explanation
-
-              ### CLAUDE.md improvements
-              - improvement suggestion
-              ```
-              Omit empty sections.
-
-              **If a tracking comment already exists (subsequent run):**
-              1. Parse the existing checkboxes. For each old issue, check if the current patch still has
-                  that problem (re-check the relevant lines in the new diff). If fixed, mark it `- [x]`.
-                  If the author dismissed it, mark it `- [x] ~~title~~ (dismissed)`.
-              2. Append any NEW issues found in this run that aren't already listed.
-              3. Update the HEAD SHA in the header line.
-              4. Edit the comment in-place.
-                  ```
-                  printf '%s' "$BODY" > pr-review-body.txt
-                  gh api --method PATCH repos/${{ github.repository }}/issues/comments/<comment-id> -F body=@pr-review-body.txt
-                  ```
+              3. Check the existing inline review comments fetched in Phase 1. Do NOT include a
+                 comment if one already exists on the same file and line about the same problem.
+                 Also check for author replies that dismiss or reject a previous comment — do NOT
+                 re-raise an issue the PR author has already responded to disagreeing with.
+              4. Prefix ALL comment bodies with a severity tag: `**must-fix**: `, `**suggestion**: `,
+                 or `**nit**: `.
+              5. Write a `summary` field in markdown for a top-level tracking comment.
+
+                 **If no existing tracking comment was found (first run):**
+                 Use this format:
+
+                 ```
+                 ## Claude review of PR #<number> (<HEAD SHA>)
+
+                 <!-- claude-pr-review -->
+
+                 ### Must fix
+                 - [ ] **short title** — `file:line` — brief explanation
+
+                 ### Suggestions
+                 - [ ] **short title** — `file:line` — brief explanation
+
+                 ### Nits
+                 - [ ] **short title** — `file:line` — brief explanation
+                 ```
+
+                 Omit empty sections. Each checkbox item must correspond to an entry in `comments`.
+                 If there are no issues at all, write a short message saying the PR looks good.
+
+                 **If an existing tracking comment was found (subsequent run):**
+                 Use the existing comment as the starting point. Preserve the order and wording
+                 of all existing items. Then apply these updates:
+                 - Update the HEAD SHA in the header line.
+                 - For each existing item, re-check whether the issue is still present in the
+                   current diff. If it has been fixed, mark it checked: `- [x]`.
+                 - If the PR author replied dismissing an item, mark it:
+                   `- [x] ~~short title~~ (dismissed)`.
+                 - Preserve checkbox state that was already set by previous runs or by hand.
+                 - Append any NEW issues found in this run that aren't already listed,
+                   in the appropriate severity section, after the existing items.
+                 - Do NOT reorder, reword, or remove existing items.
+
+              Return the final JSON object with your `comments` array and `summary` string.
+              Do NOT attempt to post comments, call `gh`, or use any MCP tools to interact with the PR.
+
+  post:
+    runs-on: ubuntu-latest
+    needs: review
+    if: always() && needs.review.result == 'success'
+
+    permissions:
+      pull-requests: write
+
+    steps:
+      - name: Post review comments
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        env:
+          STRUCTURED_OUTPUT: ${{ needs.review.outputs.structured_output }}
+          PR_NUMBER: ${{ needs.review.outputs.pr_number }}
+          HEAD_SHA: ${{ needs.review.outputs.head_sha }}
+        with:
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
+            const headSha = process.env.HEAD_SHA;
+
+            /* Parse Claude's structured output. */
+            const raw = process.env.STRUCTURED_OUTPUT;
+            console.log("Structured output from Claude:");
+            console.log(raw || "(empty)");
+
+            let comments = [];
+            let summary = "";
+            if (raw) {
+              try {
+                const review = JSON.parse(raw);
+                if (Array.isArray(review.comments))
+                  comments = review.comments;
+                if (typeof review.summary === "string")
+                  summary = review.summary;
+              } catch (e) {
+                console.log(`Failed to parse structured output: ${e.message}`);
+              }
+            }
+
+            console.log(`Claude produced ${comments.length} review comment(s).`);
+
+            /* Post each inline comment individually. Deduplication against existing
+             * comments is handled by Claude in the prompt, so we just post whatever
+             * it returns. Using individual comments (rather than a review) means
+             * re-runs only add new comments instead of creating a whole new review. */
+            for (const c of comments) {
+              console.log(`  Posting comment on ${c.file}:${c.line}`);
+              await github.rest.pulls.createReviewComment({
+                owner,
+                repo,
+                pull_number: prNumber,
+                commit_id: headSha,
+                path: c.file,
+                line: c.line,
+                body: `Claude: ${c.body}`,
+              });
+            }
+
+            if (comments.length > 0)
+              console.log(`Posted ${comments.length} inline comment(s).`);
+            else
+              console.log("No inline comments to post.");
+
+            /* Create or update the tracking comment. */
+            const MARKER = "<!-- claude-pr-review -->";
+            if (!summary)
+              summary = "Claude review: no issues found :tada:\n\n" + MARKER;
+            else if (!summary.includes(MARKER))
+              summary = summary.replace(/\n/, `\n${MARKER}\n`);
+
+            /* Find an existing tracking comment. */
+            const {data: issueComments} = await github.rest.issues.listComments({
+              owner,
+              repo,
+              issue_number: prNumber,
+              per_page: 100,
+            });
+
+            const existing = issueComments.find((c) => c.body && c.body.includes(MARKER));
+
+            if (existing) {
+              console.log(`Updating existing tracking comment ${existing.id}.`);
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: existing.id,
+                body: summary,
+              });
+            } else {
+              console.log("Creating new tracking comment.");
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number: prNumber,
+                body: summary,
+              });
+            }
+
+            console.log("Tracking comment posted successfully.");
