[SOURCE-193] Add Claude PR review workflow#36896
Open
xopham wants to merge 3 commits into
Open
Conversation
Brings the read-only Claude review pipeline over from the sandbox repo (DataDog/docs-actions-sandbox-xopham). Comment `/review` on a PR to trigger Claude to produce a JSON review payload that the post job sanitizes and submits via the GitHub API. Three-job security model: - gate (contents: read, pull-requests: read): verifies the commenter has repo write access via the collaborators/.../permission API and resolves head_sha/base_sha once. - review (contents: read, pull-requests: read): runs Claude with --allowedTools "Read,Glob,Grep" only and no write capability on GitHub. The PR head lives in __untrusted/, the pinned PR diff in __untrusted_diff/, and the trusted scripts/schemas/style guide are sparse-checked out from the default branch. - post (contents: read, pull-requests: write): re-validates the JSON against .github/schemas/create-review.json (Ajv with SHA-512 pinned via npm ci), re-scans for GitHub/Anthropic token patterns, and submits a single review through pulls.createReview. Requires the CLAUDE_API_KEY repo secret. Falls back to a failure-shape review comment with a workflow-run link if anything fails. Files added: - .github/workflows/claude_review.yml - .github/scripts/validate_review.js (Ajv shape check) - .github/scripts/scan_secrets.js (GitHub + Anthropic token patterns) - .github/scripts/package.json + package-lock.json (pinned ajv 8.20.0) - .github/scripts/.gitignore (node_modules; overrides repo-level package-lock.json exclude) - .github/schemas/create-review.json (vendored slice of GitHub's pulls.createReview request body) - .claude/pr-review.md (review style guide) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8387723671
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
KSerrania
approved these changes
May 21, 2026
Contributor
KSerrania
left a comment
KSerrania
left a comment
There was a problem hiding this comment.
Codex comments look accurate to me and should be looked at, otherwise LGTM
Four changes from PR review: 1. Narrow `.claude/` sparse-checkout to just `pr-review.md`. The repo's `.claude/settings.json` enables Claude Code plugins from external marketplaces, which can register hooks, MCP servers, and agents that would expand the review job's tool surface beyond Read,Glob,Grep. 2. Lock the read-only tool surface from four angles in `claude_args`: `--tools "Read,Glob,Grep"` (restricts available set), `--allowedTools "Read,Glob,Grep"` (auto-approves them), `--permission-mode dontAsk` (blocks permission prompts), `--disallowedTools "Bash,Edit,Write,MultiEdit,NotebookEdit"` (explicit denial). `--allowedTools` alone only pre-approves; the additional flags make the restriction explicit and survive future Claude Code default changes. 3. Constrain `side` and `start_side` to LEFT/RIGHT in the review schema. Upstream publishes them as plain strings with an example, but the runtime API rejects any other value and fails the whole review. The enum catches typos like `right` at the schema layer. 4. Add CODEOWNERS entries giving @DataDog/sdlc-security sole ownership of the workflow, scripts, and schema. `.claude/pr-review.md` stays on the default ownership since it is review instructions, not part of the security boundary. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pinned to commit 20c8abf165d5f85ab3fc970db9498436377dc9d1 (released 2026-05-21, the current latest). No automated bumper for this in the repo — Dependabot/Renovate aren't configured. Manual bump. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
devindford
approved these changes
May 21, 2026
Contributor
devindford
left a comment
devindford
left a comment
There was a problem hiding this comment.
Looks good from my side of things
hestonhoffman
approved these changes
May 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the read-only Claude review pipeline over from the sandbox repo (
DataDog/docs-actions-sandbox-xopham). Comment/reviewon a PR to have Claude produce a JSON review payload that the post job sanitizes and submits via the GitHub API.Security model — three-job split
gatecontents: read, pull-requests: readcollaborators/.../permission; resolveshead_sha+base_shaonce.reviewcontents: read, pull-requests: read(no write)--allowedTools "Read,Glob,Grep"only. PR head lives in__untrusted/, the pinned diff in__untrusted_diff/. Trusted scripts/schemas/style guide come from the default branch.postcontents: read, pull-requests: write.github/schemas/create-review.json, re-scans for GitHub + Anthropic token patterns, submits a single review throughpulls.createReview.Failure cases (token leaks, malformed JSON, missing artifact) produce a failure-shape review comment with a workflow-run link.
Prerequisites
CLAUDE_API_KEYrepo secret must be set before the workflow can run successfully.Files added
.github/workflows/claude_review.yml.github/scripts/validate_review.js— Ajv shape check.github/scripts/scan_secrets.js— GitHub + Anthropic token-pattern regex list.github/scripts/package.json+package-lock.json— pinnedajv8.20.0, SHA-512 verified vianpm ci.github/scripts/.gitignore—node_modules/plus a negation that overrides the repo-levelpackage-lock.jsonexclude (the lockfile is whatnpm ciuses for integrity).github/schemas/create-review.json— vendored slice of GitHub'spulls.createReviewrequest body.claude/pr-review.md— review style guideTest plan
CLAUDE_API_KEYis configured as a repo secret/reviewon a small docs PR; gate should pass for write-access commentersRead,Glob,Greponly/reviewtriggers🤖 Generated with Claude Code