This workflow uses Claude Code to provide automated code reviews with false-positive filtering, posting feedback directly on pull requests.
- False-Positive Filtering - Multi-angle review with confidence scoring (only 75+ reported)
- Drupal Coding Standards - Checks for common violations
- Zivtech Git Conventions - Validates commit message format
- Security Checks - Flags XSS, SQL injection, access issues
- Interactive Mode - Mention `@claude` in PR comments for follow-ups
Inspired by Claude Code's code-review skill, the workflow:
- Reviews from 5 angles:
  - CLAUDE.md / Drupal standards compliance
  - Obvious bugs (shallow scan)
  - Git history context
  - Commit conventions
  - Security issues
- Scores each issue 0-100:
  - 0: False positive
  - 25: Can't verify
  - 50: Real but nitpicky
  - 75: Verified, impacts functionality
  - 100: Definitely real
- Filters out issues under 75
- Ignores known false positives:
  - Pre-existing issues
  - Linter/typechecker catches
  - Intentional changes
  - Lines not modified in PR
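
The score-and-filter steps above, sketched in Python as an added example (not the workflow's own code): it drops findings scoring under 75 and findings on lines the PR did not modify. The finding dictionaries, function names and sample diff are constructed for illustration.

```python
import re

THRESHOLD = 75  # the page's cut-off: issues scoring under 75 are not reported
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def changed_lines(diff_text):
    """Map each file in a unified diff to the new-side line numbers the PR adds."""
    changed, path = {}, None
    old_left = new_left = new_no = 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:      # inside a hunk body
            if line.startswith("+"):
                changed[path].add(new_no)
                new_no, new_left = new_no + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):   # context line (skip "\ No newline")
                new_no, old_left, new_left = new_no + 1, old_left - 1, new_left - 1
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            changed.setdefault(path, set())
        elif path and (m := HUNK.match(line)):
            old_left, new_no, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
    return changed

def reportable(findings, diff_text, threshold=THRESHOLD):
    """Keep findings scored at or above the threshold that touch modified lines."""
    changed = changed_lines(diff_text)
    kept = []
    for f in findings:
        if f["score"] < threshold:
            continue                          # 0 / 25 / 50 bands are filtered out
        if f["line"] is not None and f["line"] not in changed.get(f["file"], set()):
            continue                          # line not modified in the PR
        kept.append(f)
    return kept

# Constructed sample input (not from a real repository).
FILE = "web/modules/custom/demo/demo.module"
SAMPLE_DIFF = f"--- a/{FILE}\n+++ b/{FILE}\n" + """@@ -10,3 +10,4 @@ function demo_help() {
   $output = '';
-  $name = 'guest';
+  $name = Drupal::currentUser()->getDisplayName();
+  $output .= '<p>' . $name . '</p>';
   return $output;
"""
SAMPLE_FINDINGS = [
    {"file": FILE, "line": 11, "score": 75, "title": "Missing leading backslash on Drupal:: call"},
    {"file": FILE, "line": 12, "score": 100, "title": "Unescaped display name in markup (XSS)"},
    {"file": FILE, "line": 12, "score": 50, "title": "Prefer a render array"},
    {"file": FILE, "line": 40, "score": 100, "title": "Query built by concatenation"},  # unmodified line
    {"file": None, "line": None, "score": 75, "title": "Commit message missing ticket number"},
]
```

Findings without a file or line, such as commit-convention issues, are judged on score alone.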
1. Copy the workflow to `.github/workflows/ai-code-quality-check.yml`
2. Add secrets as repository or org secrets:
   - `ANTHROPIC_API_KEY` - Your Anthropic API key
   - `ZIVTECH_SKILLS_DEPLOY_KEY` - SSH deploy key for `zivtech/zivtech-claude-skills` (read access)
3. Create the deploy key (one-time setup):

   ```bash
   # Generate a new SSH key pair
   ssh-keygen -t ed25519 -f zivtech-skills-deploy -N "" -C "zivtech-skills-deploy-key"

   # Add the PUBLIC key to zivtech/zivtech-claude-skills as a deploy key
   # (leave "Allow write access" unchecked; read access is all the workflow needs)
   # GitHub → zivtech-claude-skills → Settings → Deploy keys → Add

   # Add the PRIVATE key as a secret to your org/repo
   # GitHub → Your Repo → Settings → Secrets → ZIVTECH_SKILLS_DEPLOY_KEY
   cat zivtech-skills-deploy  # Copy this as the secret value
   ```
4. Test - Open a PR targeting `master` or `main`
The workflow automatically installs these Claude skills:
| Skill | Source | Purpose |
|---|---|---|
| drupal-coding-standards | zivtech/zivtech-claude-skills | Drupal PHP, Twig, JS, CSS standards |
| zivtech-development-workflow | zivtech/zivtech-claude-skills | Git branch/commit conventions |
| drupal-security | madsnorgaard/agent-resources | Security vulnerability checks |
Skills are read from ~/.claude/skills/ during each review.
By default reviews files in:
- `web/modules/custom/`
- `web/themes/custom/`
Edit the prompt in the workflow to customize paths.
Mention @claude in PR comments for follow-ups:
```
@claude Can you explain this issue in more detail?
```
If issues found:

```
### Code Review
Found 2 issues:
1. Missing leading backslash on Drupal:: call (Drupal standards)
https://github.com/org/repo/blob/abc123/file.php#L42
2. Commit message missing ticket number (Zivtech conventions)
---
🤖 Generated with Claude Code
```

If no issues:

```
### Code Review
No issues found. Checked for bugs, Drupal standards, and commit conventions.
🤖 Generated with Claude Code
```

| Category | Checks |
|---|---|
| Drupal Standards | 2-space indent, elseif, \Drupal::, $this->t(), Html::escape() |
| Zivtech Conventions | TICKET-123: Description format, imperative mood |
| Security | XSS, SQL injection, access controls |
| Bugs | Logic errors, null checks, edge cases |
- Replace `OPENAI_API_KEY` with `ANTHROPIC_API_KEY`
- Remove `OPENAI_CODE_REVIEW_PROMPT` and `OPENAI_CODE_REVIEW_MODEL`