From fd11d1b9a00543d54414b74f993e0623dcdd82e9 Mon Sep 17 00:00:00 2001
From: claude
Date: Thu, 9 Apr 2026 23:23:20 -0400
Subject: [PATCH 1/2] =?UTF-8?q?ci:=20upgrade=20code=20review=20=E2=80=94?= =?UTF-8?q?=20plugin=20approach,=20sticky=20comment,=20concurrency,=20full?= =?UTF-8?q?=20permissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/claude-code-review.yml | 51 ++++++++++++------------
1 file changed, 25 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 7898434..403b567 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -2,53 +2,52 @@ name: Claude Code Review on: pull_request: - types: [opened, synchronize, ready_for_review, reopened] + types: [opened, synchronize] + +concurrency: + group: claude-code-review-${{ github.event.pull_request.number }} + cancel-in-progress: true jobs: claude-review: + if: github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest permissions: - contents: read + contents: write pull-requests: write issues: read - actions: write id-token: write + actions: read steps: - name: Checkout repository + timeout-minutes: 60 uses: actions/checkout@v4 with: - fetch-depth: 1 + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 - name: Run Claude Code Review id: claude-review - uses: anthropics/claude-code-action@v1.0.88 + timeout-minutes: 60 + uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} use_sticky_comment: true track_progress: true allowed_bots: 'claude,claude[bot]' + additional_permissions: | + actions: read + plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' + plugins: 'code-review@claude-code-plugins' prompt: | - REPO: ${{ github.repository }} - PR NUMBER: ${{ github.event.pull_request.number }} - - Review this pull request. For each changed skill file: - - Check that the frontmatter (name, description) is accurate and well-written - - Flag any hardcoded secrets, tokens, or personal data that should be env vars - - Note any broken references (paths, tool names, commands that don't exist) - - Call out anything that contradicts how the skill actually works + /code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }} --comment - Keep feedback concise and actionable. Skip praise. - Use inline comments for specific code issues. - Use `gh pr comment` for top-level feedback. - If everything looks good and there are no issues, post a comment saying "LGTM" followed by one sentence summarizing what you reviewed. 
+ Additional checks for this repo (skill files): + - Flag hardcoded secrets, tokens, or personal data that should be env vars or placeholders. + - Check that frontmatter (name, description) in skill .md files is accurate and well-written. + - Flag broken references: paths, tool names, or commands that do not exist. + - For every deleted function call or side effect, grep to find what depended on it. A removed side effect with no replacement is a bug. + # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md + # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options - REVIEW SUBMISSION: - After completing your review, submit a formal GitHub review using gh pr review: - - If you found issues: `gh pr review ${{ github.event.pull_request.number }} --request-changes --body "Summary of issues found"` - - If LGTM: `gh pr review ${{ github.event.pull_request.number }} --approve --body "LGTM - brief summary"` - If gh pr review fails (e.g. permissions), fall back to posting a comment with `gh pr comment` instead. - claude_args: | - --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*)" - --model claude-opus-4-6 - --fallback-model claude-sonnet-4-6 From e8e575e0a24faf8edf7b58c2ca922cb6e5869366 Mon Sep 17 00:00:00 2001 From: testuser Date: Sat, 11 Apr 2026 01:08:29 -0400 Subject: [PATCH 2/2] fix: add ready_for_review and reopened triggers back to claude-code-review workflow Codex review flagged that dropping ready_for_review causes draft PRs to miss review entirely when marked ready without a new commit. --- .github/workflows/claude-code-review.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 403b567..bfd92a6 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml 
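Review bot: The new `permissions:` block raises `contents: read` to `contents: write` while keeping `id-token: write`, and the checkout step now fetches the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) without `persist-credentials: false`, so for same-repository PRs actions/checkout's default leaves the write-scoped token in the workspace git config, within reach of a review agent that reads untrusted PR content. Nothing visible in this hunk pushes commits, so `contents: read` plus `persist-credentials: false` under the checkout `with:` looks sufficient for posting a sticky comment. The same change drops the `claude_args` `--allowedTools` list that confined the agent to `gh pr comment/diff/view/review`; unless the `code-review` plugin enforces its own tool restrictions (not visible here), the agent's reach grows at the same time as the token's. The action reference also moves from the exact tag `v1.0.88` to the floating `v1`, and `plugin_marketplaces` points at a git URL with no ref, so pinning `uses: anthropics/claude-code-action@<full-commit-sha>` would keep the code that receives `CLAUDE_CODE_OAUTH_TOKEN` reviewable.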
@@ -2,7 +2,7 @@ name: Claude Code Review on: pull_request: - types: [opened, synchronize] + types: [opened, synchronize, ready_for_review, reopened] concurrency: group: claude-code-review-${{ github.event.pull_request.number }} @@ -50,4 +50,3 @@ jobs: - For every deleted function call or side effect, grep to find what depended on it. A removed side effect with no replacement is a bug. # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options -