Modify CLAUDE code review workflow settings#1261

Merged
sbryngelson merged 1 commit into master from max-turnovers on Feb 24, 2026


@sbryngelson sbryngelson commented Feb 24, 2026

User description

Updated CLAUDE code review workflow to modify max turns and refine prompt instructions.


CodeAnt-AI Description

Limit Claude review scope, tighten tool access, and extend max turns to 60

What Changed

  • Automated Claude code reviews can run up to 60 interaction turns (was 30), allowing longer review sessions.
  • Review agent is explicitly forbidden from executing or inspecting code from forked PRs and must only use GitHub API/gh commands and a small, whitelisted set of local files for guidance.
  • Allowed local file reads narrowed to CLAUDE.md (root) and files in .claude/rules; general cat and other broad file commands removed.
  • The review flow is constrained to a short, ordered sequence of tool calls (list rules, read guidance files if present, fetch PR metadata and diff) and must post a single top-level "Claude Code Review" comment, then stop.
  • Output format tightened: include head SHA, files changed count and up to 10 file paths, a 3–6 bullet summary, findings with file+line numbers when possible, and 0–3 improvement suggestions only if no issues found.

Impact

✅ Fewer accidental reads of forked PR code
✅ Clearer, single-comment review summaries
✅ Longer, more thorough automated review sessions

Summary by CodeRabbit

  • Chores
    • Enhanced the code review workflow to increase agent capability and improve review output formatting with structured, comprehensive feedback.
    • Updated review guidance sources to prioritize local configuration files for better code review consistency.

Updated CLAUDE code review workflow to modify max turns and refine prompt instructions.
Copilot AI review requested due to automatic review settings February 24, 2026 21:02

codeant-ai bot commented Feb 24, 2026

CodeAnt AI is reviewing your PR.


@sbryngelson sbryngelson merged commit c89a491 into master Feb 24, 2026
23 of 24 checks passed
@sbryngelson sbryngelson deleted the max-turnovers branch February 24, 2026 21:03

coderabbitai bot commented Feb 24, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d5123c3 and 4509d53.

📒 Files selected for processing (1)
  • .github/workflows/claude-code-review.yml

Walkthrough

The Claude code review workflow is updated to increase agent turns from 30 to 60, refine allowed tools by removing PR commands, prioritize reading local guidance files (CLAUDE.md and .claude/rules/), restructure output format requirements, and simplify comment posting to a single top-level summary.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow Configuration: .github/workflows/claude-code-review.yml | Increases max agent turns to 60, removes pr list, pr status, and issue comment tools, shifts to reading local guidance files instead of inspecting forks, replaces JSON parsing with explicit step-based workflow, redefines output format to include head SHA, changed files, summary bullets, and optional improvement opportunities, and finalizes with single top-level PR comment posting. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

size:S

Poem

🐰 Agent turns now doubled, from thirty to sixty—
Rules read locally, no forks gettin' tricky!
One comment to rule them, with clarity bright,
Workflow streamlined smooth, code review done right! ✨

@codeant-ai codeant-ai bot added the size:S This PR changes 10-29 lines, ignoring generated files label Feb 24, 2026

codeant-ai bot commented Feb 24, 2026

CodeAnt AI finished reviewing your PR.

Copilot AI left a comment

Pull request overview

This PR refines the CLAUDE code review workflow configuration to optimize tool usage and improve prompt clarity. The changes aim to reduce tool call overhead while maintaining security by restricting file access to only necessary documentation files.

Changes:

  • Increased max-turns from 30 to 60 to allow more comprehensive reviews
  • Restricted tool allowlist by removing gh pr list, gh pr status, gh issue comment, and limiting cat to specific documentation paths
  • Refined prompt instructions with explicit step-by-step guidance and modified output format requirements

--allowedTools
"Bash(gh pr view:*)"
"Bash(gh pr diff:*)"
"Bash(gh pr comment:*)"
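
Review bot: The `:*` suffix on the last entry, "Bash(gh pr comment:*)", accepts any arguments after `gh pr comment`, so the tool permission does not hold the agent to the pull request under review. The prompt's "Post ONE top-level PR comment" rule is an instruction to the model, not an enforced limit; if the allowlist syntax permits it, pin the PR number in this pattern so the permission carries the same scope as the prompt.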

Copilot AI Feb 24, 2026

The removal of gh pr list, gh pr status, and gh issue comment from the allowed tools reduces flexibility. If the Claude reviewer needs to list PRs for context or check PR status, it will be unable to do so. Consider whether these capabilities are genuinely unnecessary or if they might be useful for comprehensive reviews.

Suggested change
"Bash(gh pr comment:*)"
"Bash(gh pr comment:*)"
"Bash(gh pr list:*)"
"Bash(gh pr status:*)"
"Bash(gh issue comment:*)"

Copilot uses AI. Check for mistakes.
Comment on lines +40 to +41
"Bash(cat CLAUDE.md:*)"
"Bash(cat .claude/rules/*:*)"
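
Review bot: Both entries end in `:*`, which matches anything that follows the path, so a `cat` command that names CLAUDE.md first and further paths after it would still pass the allowlist. If only these files should be readable, drop the trailing `:*` from "Bash(cat CLAUDE.md:*)" so it matches the exact command, and confirm how the matcher treats the `*` inside `.claude/rules/*`, or grant a path-scoped read permission instead of `cat`.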

Copilot AI Feb 24, 2026

The restricted cat tool permissions (from "Bash(cat:*)" to "Bash(cat CLAUDE.md:*)" and "Bash(cat .claude/rules/*:*)") improve security by preventing arbitrary file reads. However, this might be too restrictive if the reviewer needs to examine other documentation files or configuration files (like .github/workflows/*.yml for context). Verify that these restrictions won't hinder the reviewer's ability to gather necessary context.

Copilot uses AI. Check for mistakes.
Comment on lines 81 to +82
Post ONE top-level PR comment titled "Claude Code Review".
If posting a PR comment is blocked, write the full review to the GitHub Actions job summary instead.
Then stop.

Copilot AI Feb 24, 2026

The removal of the fallback instruction "If posting a PR comment is blocked, write the full review to the GitHub Actions job summary instead" eliminates a useful error handling mechanism. If the gh pr comment command fails due to permissions issues or API errors, the review results will be lost. Consider keeping this fallback to ensure review feedback is always captured somewhere.

Copilot uses AI. Check for mistakes.
- If issues: include file + line numbers when possible
- If no issues: at least 3 concrete improvement opportunities with file paths
- Findings with file + line numbers when possible
- If no issues: 0–3 improvement opportunities (only if confident)

Copilot AI Feb 24, 2026

The instruction "If no issues: 0–3 improvement opportunities (only if confident)" is ambiguous. The range "0–3" suggests the reviewer can choose to provide zero improvement opportunities, but the parenthetical "(only if confident)" could be interpreted as applying only when providing opportunities or as a general qualifier. Consider clarifying this to "If no issues: provide 0–3 improvement opportunities (only suggest if confident they would be valuable)" or similar wording.

Suggested change
- If no issues: 0–3 improvement opportunities (only if confident)
- If no issues: provide 0–3 improvement opportunities (only suggest if confident they would be valuable)

Copilot uses AI. Check for mistakes.
@@ -15,7 +15,6 @@ jobs:
id-token: write

steps:

Copilot AI Feb 24, 2026

The removed comment "# IMPORTANT: checkout BASE repo only (safe on forks)" provided valuable security context for why this step is safe in pull_request_target workflows. Removing it makes the workflow less self-documenting. Consider keeping this comment as it explains a critical security consideration.

Suggested change
steps:
steps:
# IMPORTANT: checkout BASE repo only (safe on forks)

Copilot uses AI. Check for mistakes.
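
The point raised in the last review comment, that a pull_request_target job is safe on forks only while it checks out the base repository, can be checked mechanically rather than left to a code comment. The following is an added example, not code from this PR or the project's workflow; the `audit_workflow` helper and both sample workflows are constructed for illustration, and the comment stripping is a naive regex rather than a YAML parser.

```python
import re

# Expressions that resolve to content chosen by the PR author (the fork side).
FORK_CONTROLLED = re.compile(
    r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/"
)

def audit_workflow(text):
    """Return one finding per checkout of fork code under pull_request_target."""
    # Naive comment stripping; a sketch, not a YAML parser.
    body = re.sub(r"#.*", "", text)
    if not re.search(r"\bpull_request_target\b", body):
        return []  # only the privileged trigger is in scope here
    findings = []
    # Every "- " at the start of a line opens a list item; a step is one item.
    for item in re.split(r"(?m)^[ \t]*-[ \t]", body):
        if "actions/checkout" not in item:
            continue
        pairs = re.findall(r"(?m)^[ \t]*(ref|repository):[ \t]*(.+)$", item)
        for key, value in pairs:
            if FORK_CONTROLLED.search(value):
                findings.append(f"checkout {key} is fork-controlled: {value.strip()}")
    return findings

# Constructed sample: default checkout, which stays on the base repository.
SAFE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      # IMPORTANT: checkout BASE repo only (safe on forks)
      - uses: actions/checkout@v4
"""

# Constructed sample: same step, but pointed at the PR head commit.
UNSAFE = SAFE + """\
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    for name, wf in (("SAFE", SAFE), ("UNSAFE", UNSAFE)):
        print(name, audit_workflow(wf) or "no findings")
```

The UNSAFE sample still carries the "safe on forks" comment, which shows why the check reads the `ref` value and ignores comments.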
This was referenced Feb 25, 2026