Modify Claude Code Review workflow settings

[sbryngelson]

Updated Claude Code Review workflow to adjust permissions and commands.

Description

Summarize your changes and the motivation behind them.

Fixes #(issue)

Type of change

• Bug fix
• New feature
• Refactor
• Documentation
• Other: describe

Testing

How did you test your changes?

Checklist

• I added or updated tests for new behavior
• I updated documentation if user-facing behavior changed

See the developer guide for full coding standards.

GPU changes (expand if you modified src/simulation/)

• GPU results match CPU results
• Tested on NVIDIA GPU or AMD GPU

Summary by CodeRabbit

• Chores
  • Updated automated code review workflow configuration for enhanced GitHub integration and reliability.
  • Code review comments are now more concise with minimal summaries and focused findings.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 97a6dac and 8c3eb47.

📒 Files selected for processing (1)

• .github/workflows/claude-code-review.yml

---

📝 Walkthrough

Walkthrough

The Claude Code Review GitHub Actions workflow is updated to refine CLI path handling, expand allowed Bash tools (including gh commands and find), increase max-turns to 80, remove debug output settings, clarify security practices via prompt updates, and adjust PR comment posting behavior to post one summary and stop.

Changes

Cohort / File(s)

Summary

Claude Code Review Workflow Configuration .github/workflows/claude-code-review.yml

Streamlined PATH setup; expanded allowed Bash tools (gh pr view/diff/comment, gh api, find); increased claude_args max-turns from 60 to 80; removed show_full_output flag; clarified prompt guidance on PR/fork code access restrictions; added support for reading local guidance from ./CLAUDE.md and ./.claude/rules/*.md (max 10 files); reorganized tool-call guidance with reduced output; changed PR comment behavior to post one top-level summary then stop; added job-summary fallback if posting is blocked.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Refactor Claude Code Review workflow #1257: Overlaps on claude_args adjustment, allowed tooling expansion, prompt/posting guidance updates, and job-summary fallback behavior.
• Claude fix #1259: Shares modifications to allowed CLI tools, prompt/instruction wording, and PR comment posting behavior adjustments.
• Modify CLAUDE code review workflow settings #1261: Covers max-turns configuration increase and local guidance rules from ./CLAUDE.md and ./.claude/rules/* files.

Suggested labels

size:S

Poem

🐰 A workflow refined, with tools expanded wide,
One comment posted, then aside we glide,
From local guidance files we now may read,
More turns allowed, to review with speed!
The Claude agent hops with grace so keen,
Security strengthened in each code review scene. ✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch claude-new-again

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Claude Code Review

Head SHA: 8c3eb47
Files changed: 1

• .github/workflows/claude-code-review.yml

Summary

• Replaces a separate mkdir -p ~/.local/bin step with an inline env: PATH: injection on the Claude action step — simpler and more idiomatic for GHA.
• Tightens --allowedTools from the broad Bash(gh:*) to specific sub-commands (gh pr view, gh pr diff, gh pr comment, gh api), reducing blast radius from fork-triggered workflows.
• Increases --max-turns from 60 → 80 and removes show_full_output: true (output goes to job summary instead).
• Hardens the prompt by clarifying that the reviewer must use 2>/dev/null || true guards and xargs -I{} for safe local-file reading, and adds a fallback to write output to the job summary if commenting is blocked.
• Prompt wording is tightened ("minimal", "then STOP") to reduce unnecessary tool calls.

Findings

No correctness or security issues found.

Minor observations (improvement opportunities):

1. PATH env var injection (line ~21): ${{ env.PATH }} expands to the PATH at workflow parse time, which on GitHub-hosted runners is evaluated in the env: context before the step runs — this is correct and works as intended. No issue, just worth noting it differs slightly from echo ... >> $GITHUB_PATH (persistent) vs. step-scoped env: (scoped to this step only). Both are fine here since only one step needs it.

2. find ... | xargs -I{} cat (prompt line ~3): The xargs -I{} pattern with cat is fine for up to 10 files, but will silently truncate if any filename contains newlines (unlikely for .md files). A minor note, not a real risk.

3. Bash(find:*) added to allowedTools: This new permission allows find broadly. In a pull_request_target context (where the base repo is checked out), find on the workspace is safe since fork code isn't executed — consistent with the existing cat, ls, grep permissions.

Overall: This is a clean, well-motivated improvement to scope and security of the review workflow. The changes are correct and the tradeoffs are sound.

[github-actions]

Claude Code Review

Head SHA: 8c3eb47
Files changed: 1

• .github/workflows/claude-code-review.yml

Summary

• Replaces the separate "Ensure ~/.local/bin exists" step with an inline env: PATH injection in the Claude Code Review step — simpler and equivalent.
• Increases --max-turns from 60 → 80 to give the reviewer more headroom.
• Narrows the --allowedTools list from the broad Bash(gh:*) to specific sub-commands (gh pr view, gh pr diff, gh pr comment, gh api), tightening the security boundary.
• Adds Bash(find:*) and removes show_full_output: true.
• Improves the prompt instructions: more explicit about not reading fork code, uses shell-safe one-liners for reading local guidance, and adds a fallback path (write review to job summary) if posting the comment is blocked.

Findings

No blocking issues. A few items worth noting:

1. PATH injection style (line ~36): Setting PATH via env: on the step is a valid approach, but ${{ env.PATH }} may expand to an empty string in some runner environments if PATH hasn't been set as an output from a prior step. The equivalent pattern /home/runner/.local/bin:$PATH in a run: step would be more portable. That said, the anthropics/claude-code-action likely sets its own environment, so this is low-risk in practice.

2. Bash(find:*) addition (line ~55): Adding find to the allowed tools could allow traversal of the checked-out (base) repo tree. The prompt already restricts reading to CLAUDE.md and .claude/rules/, but there is no tool-level enforcement of that restriction. The step-3 prompt command already uses find .claude/rules -maxdepth 1 -name "*.md", which is appropriately scoped. Acceptable, but worth noting that the tool permission is broader than the prompt instruction.

3. show_full_output: true removed: This was previously used to surface full Claude output in CI logs. Removing it means debugging review failures will be harder. Consider whether this is intentional.

4. Prompt fallback behavior (last line of prompt): The new fallback (write the full review to the GitHub Actions job summary) is a good addition for observability when comment posting is restricted.

Improvement Opportunities

• The --allowedTools list still includes Bash(grep:*), Bash(sed:*), Bash(awk:*), Bash(python3:*), etc., which could operate on checked-out fork code. If the intent is to restrict the review agent to GitHub API only, consider removing these or adding prompt-level guardrails against using them on workspace files.
• Document the motivation for the --max-turns increase (e.g., in the PR description or a comment) so future maintainers understand why this was bumped.

[Copilot]

Pull request overview

This PR modifies the Claude Code Review workflow configuration to enhance security, improve command specificity, and streamline the review process. The changes focus on refining permissions for bash commands and updating workflow instructions.

Changes:

• Replaced manual PATH setup with environment variable configuration
• Increased max-turns from 60 to 80 and refined allowed bash tool permissions to be more specific
• Updated review instructions with clearer constraints and fallback behavior for comment posting

[Copilot]

Using a hardcoded path /home/runner/.local/bin reduces portability across different runner environments. Consider using $HOME/.local/bin instead to maintain consistency with the previous approach while being more flexible.

Suggested change

	PATH: /home/runner/.local/bin:${{ env.PATH }}
	PATH: $HOME/.local/bin:${{ env.PATH }}