Add Claude Code Review workflow #205

Merged: justin808 merged 1 commit into master from jg/add-review-workflow, Feb 9, 2026

@justin808 justin808 commented Feb 9, 2026

Summary

  • Adds automated Claude Code PR reviews using the shared reusable workflow from shakacode/.github
  • Uses Claude Code's default model (currently Opus 4.6)
  • Requires CLAUDE_CODE_OAUTH_TOKEN secret (org-level or repo-level)

Test plan

  • Ensure CLAUDE_CODE_OAUTH_TOKEN secret is available (org or repo level)
  • Merge and verify review triggers on next PR

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enabled automated code review for pull requests through GitHub Actions integration.

Enable automated PR reviews using the centralized reusable workflow.
Uses Claude Code's default model (currently Opus 4.6).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai bot commented Feb 9, 2026

Walkthrough

A new GitHub Actions workflow file is introduced that automatically triggers on pull request events (opened and synchronized) and delegates code review execution to an external workflow from shakacode/.github, passing the required OAuth token secret.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow: .github/workflows/claude-code-review.yml | New workflow configuration that triggers on PR open/sync events and invokes external Claude code review workflow with CLAUDE_CODE_OAUTH_TOKEN secret.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops with glee
A workflow so sleek, now dancing with ease,
Pull requests reviewed by magic and keys,
The token flows free like carrots on spree,
Claude joins the team—hooray, hooray! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Add Claude Code Review workflow' directly and clearly summarizes the main change—adding a new GitHub Actions workflow for Claude Code review.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/claude-code-review.yml:
- Around line 7-11: The claude-review job currently calls the reusable workflow
via the uses: shakacode/... line but lacks the explicit permissions required by
that external workflow; update the claude-review job to include a permissions
block with contents: read, pull-requests: write, issues: write, and id-token:
write so the caller grants least-privilege access expected by the external
workflow.
🧹 Nitpick comments (2)
.github/workflows/claude-code-review.yml (2)

3-5: Consider adding the reopened event type.

The workflow currently triggers on opened and synchronize events. Adding reopened ensures that when a closed PR is reopened, it will also trigger the Claude Code review, providing consistent coverage.

♻️ Proposed enhancement
 on:
   pull_request:
-    types: [opened, synchronize]
+    types: [opened, synchronize, reopened]
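
Review bot: the list in `types: [opened, synchronize, reopened]` is exactly the default activity-type set GitHub applies to `pull_request` when no `types` key is given, so the `types:` line can be dropped instead of extended. That leaves one less list to keep in sync if the trigger set is revisited later.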

9-9: Consider pinning to a specific version or tag for reliability.

The workflow references @main, which is mutable and could introduce unexpected breaking changes if the external workflow is updated. Pinning to a specific version or tag (e.g., @v1.0.0) provides better stability and predictability.

If your organization prefers using @main for easier centralized updates across repositories, that's a valid strategy—just be aware of the reliability trade-off. You might also consider using @main initially and switching to pinned versions once the workflow is stable.

Comment on lines +7 to +11
jobs:
claude-review:
uses: shakacode/.github/.github/workflows/claude-code-review.yml@main
secrets:
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
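
Review bot: on the `uses: shakacode/.github/.github/workflows/claude-code-review.yml@main` line, the job hands `CLAUDE_CODE_OAUTH_TOKEN` to whatever is on `main` of the other repository at run time. Pin the reference to a full commit SHA (a tag can be moved as well) and bump it deliberately, so that a change in shakacode/.github only starts receiving this repository's secret after a reviewed edit here. No job-level `permissions:` key appears in these lines either, so the token scope the called workflow gets is not stated in this file.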

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch the external workflow file to check its permission requirements
curl -s https://raw.githubusercontent.com/shakacode/.github/main/.github/workflows/claude-code-review.yml | head -200

Repository: shakacode/sass-resources-loader

Length of output: 911


Add explicit permissions to match the external workflow's requirements.

The external reusable workflow at shakacode/.github/.github/workflows/claude-code-review.yml explicitly requires:

  • contents: read (to checkout and read repository code)
  • pull-requests: write (to post code review comments on PRs)
  • issues: write (to post code review comments on issues)
  • id-token: write (for token exchange with external services)

Add these permissions explicitly to the calling workflow to follow the principle of least privilege and ensure clarity of intent:

Suggested fix
jobs:
  claude-review:
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write
    uses: shakacode/.github/.github/workflows/claude-code-review.yml@main
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
🤖 Prompt for AI Agents
In @.github/workflows/claude-code-review.yml around lines 7 - 11, The
claude-review job currently calls the reusable workflow via the uses:
shakacode/... line but lacks the explicit permissions required by that external
workflow; update the claude-review job to include a permissions block with
contents: read, pull-requests: write, issues: write, and id-token: write so the
caller grants least-privilege access expected by the external workflow.
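
A check for the two caller-side points raised in this review (the `@main` reference and the missing job-level `permissions`), as an added example that is not part of the PR or of shakacode's workflows. The helper names, the sample workflow text and the all-zero SHA are constructed for illustration, and the reader is a minimal indentation-based one, not a full YAML parser.

```python
import re

SHA_REF = re.compile(r"@[0-9a-f]{40}$")  # ref pinned to a full commit SHA

# Constructed sample: the caller workflow lines quoted in this PR's review.
SAMPLE = """\
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  claude-review:
    uses: shakacode/.github/.github/workflows/claude-code-review.yml@main
    secrets:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""
PLACEHOLDER_SHA = "0" * 40  # placeholder, not a real commit of shakacode/.github
FIXED = SAMPLE.replace("@main", "@" + PLACEHOLDER_SHA).replace(
    "    uses:",
    "    permissions:\n      contents: read\n      pull-requests: write\n"
    "      issues: write\n      id-token: write\n    uses:")

def split_jobs(text):
    """Map each job under `jobs:` to its direct keys (indentation-based)."""
    jobs, current, in_jobs, job_indent, key_indent = {}, None, False, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                      # top-level key: inside `jobs:`?
            in_jobs, current = key == "jobs", None
        elif in_jobs and indent == (job_indent := job_indent or indent):
            current, key_indent = jobs.setdefault(key, {}), None
        elif in_jobs and current is not None:
            key_indent = key_indent or indent
            if indent == key_indent:         # direct key of the job, e.g. `uses`
                current[key] = value.strip()
    return jobs

def audit(text):
    """Return (job, finding) pairs for jobs that call a workflow in another repo."""
    findings = []
    for name, keys in split_jobs(text).items():
        uses = keys.get("uses", "")
        if not uses or uses.startswith("./"):
            continue                         # normal job or same-repo workflow
        if not SHA_REF.search(uses):
            findings.append((name, "mutable-ref"))
        if "permissions" not in keys:
            findings.append((name, "no-permissions"))
    return findings
```
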

@justin808 justin808 merged commit c2880f5 into master Feb 9, 2026
4 of 5 checks passed
@justin808 justin808 deleted the jg/add-review-workflow branch February 9, 2026 03:08