ci: switch to plugin-based code review with sticky comment

.github/workflows/claude-code-review.yml

@@ -4,51 +4,49 @@ on:
   pull_request:
     types: [opened, synchronize, ready_for_review, reopened]
 
+concurrency:
+  group: claude-code-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:
   claude-review:
+    if: github.event.pull_request.user.login != 'dependabot[bot]'
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       pull-requests: write
       issues: read
-      actions: write
       id-token: write
+      actions: read
 
     steps:
       - name: Checkout repository
+        timeout-minutes: 60
         uses: actions/checkout@v4
         with:
-          fetch-depth: 1
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
 
       - name: Run Claude Code Review
         id: claude-review
-        uses: anthropics/claude-code-action@v1.0.88
+        timeout-minutes: 60
+        uses: anthropics/claude-code-action@v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           use_sticky_comment: true
           track_progress: true
           allowed_bots: 'claude,claude[bot]'
+          additional_permissions: |
+            actions: read
+          plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+          plugins: 'code-review@claude-code-plugins'
           prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number }}
-
-            Review this pull request. For each changed skill file:
-            - Check that the frontmatter (name, description) is accurate and well-written
-            - Flag any hardcoded secrets, tokens, or personal data that should be env vars
-            - Note any broken references (paths, tool names, commands that don't exist)
-            - Call out anything that contradicts how the skill actually works
-
-            Keep feedback concise and actionable. Skip praise.
-            Use inline comments for specific code issues.
-            Use `gh pr comment` for top-level feedback.
-            If everything looks good and there are no issues, post a comment saying "LGTM" followed by one sentence summarizing what you reviewed.
+            /code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }} --comment
 
-            REVIEW SUBMISSION:
-            After completing your review, submit a formal GitHub review using gh pr review:
-            - If you found issues: `gh pr review ${{ github.event.pull_request.number }} --request-changes --body "Summary of issues found"`
-            - If LGTM: `gh pr review ${{ github.event.pull_request.number }} --approve --body "LGTM - brief summary"`
-            If gh pr review fails (e.g. permissions), fall back to posting a comment with `gh pr comment` instead.
-          claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*)"
-            --model claude-opus-4-6
-            --fallback-model claude-sonnet-4-6
+            Additional checks for this repo (skill files):
+            - Flag hardcoded secrets, tokens, or personal data that should be env vars or placeholders.
+            - Check that frontmatter (name, description) in skill .md files is accurate and well-written.
+            - Flag broken references: paths, tool names, or commands that do not exist.
+            - For every deleted function call or side effect, grep to find what depended on it. A removed side effect with no replacement is a bug.
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options