"Claude Code Review workflow"

"Update Claude PR Assistant workflow"
chore: bump Claude Code version to 2.0.24
2026-01-23 23:14:13 +08:00 · 2025-10-20 21:12:14 -07:00 · 2025-10-20 21:12:12 -07:00 · 2025-10-20 19:12:24 +00:00 · 2025-10-20 17:58:41 +00:00 · 2025-10-20 09:14:27 -07:00
24 changed files with 123 additions and 40 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: oven-sh/setup-bun@v2
        with:
@@ -24,7 +24,7 @@ jobs:
  prettier:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: oven-sh/setup-bun@v1
        with:
@@ -39,7 +39,7 @@ jobs:
  typecheck:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: oven-sh/setup-bun@v2
        with:
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,57 @@
 name: Claude Code Review
 on:
  pull_request:
    types: [opened, synchronize]
    # Optional: Only run on specific file changes
    # paths:
    #   - "src/**/*.ts"
    #   - "src/**/*.tsx"
    #   - "src/**/*.js"
    #   - "src/**/*.jsx"
 jobs:
  claude-review:
    # Optional: Filter by PR author
    # if: |
    #   github.event.pull_request.user.login == 'external-contributor' ||
    #   github.event.pull_request.user.login == 'new-developer' ||
    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}
            Please review this pull request and provide feedback on:
            - Code quality and best practices
            - Potential bugs or issues
            - Performance considerations
            - Security concerns
            - Test coverage
            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -13,7 +13,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -23,6 +23,7 @@ jobs:
      pull-requests: read
      issues: read
      id-token: write
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@@ -34,6 +35,16 @@ jobs:
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          claude_args: |
+
-            --allowedTools "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
+          # This is an optional setting that allows Claude to read CI results on PRs
-            --model "claude-opus-4-1-20250805"
+          additional_permissions: |
            actions: read
          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
          # prompt: 'Update the pull request description to include a summary of changes.'
          # Optional: Add claude_args to customize behavior and configuration
          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
          # claude_args: '--allowed-tools Bash(gh pr:*)'
--- a/.github/workflows/issue-triage.yml
+++ b/.github/workflows/issue-triage.yml
@@ -14,7 +14,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
      next_version: ${{ steps.next_version.outputs.next_version }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
@@ -91,7 +91,7 @@ jobs:
      contents: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
@@ -116,7 +116,7 @@ jobs:
    environment: production
    steps:
      - name: Checkout base-action repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          repository: anthropics/claude-code-base-action
          token: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}
--- a/.github/workflows/test-settings.yml
+++ b/.github/workflows/test-settings.yml
@@ -67,7 +67,7 @@ jobs:
        uses: ./base-action
        with:
          prompt: |
-            Use Bash to echo "This should not work"
+            Run the command `echo $HOME` to check the home directory path
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          settings: |
            {
@@ -163,7 +163,7 @@ jobs:
        uses: ./base-action
        with:
          prompt: |
-            Use Bash to echo "This should not work from file"
+            Run the command `echo $HOME` to check the home directory path
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          settings: "test-settings.json"
--- a/action.yml
+++ b/action.yml
@@ -177,7 +177,7 @@ runs:
        # Install Claude Code if no custom executable is provided
        if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
          echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 1.0.127
+          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.24
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
        else
          echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
--- a/base-action/README.md
+++ b/base-action/README.md
@@ -336,7 +336,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
--- a/base-action/action.yml
+++ b/base-action/action.yml
@@ -99,7 +99,7 @@ runs:
      run: |
        if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
          echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 1.0.127
+          curl -fsSL https://claude.ai/install.sh | bash -s 2.0.24
        else
          echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
          # Add the directory containing the custom executable to PATH
--- a/base-action/examples/issue-triage.yml
+++ b/base-action/examples/issue-triage.yml
@@ -32,7 +32,7 @@ jobs:
                  "--rm",
                  "-e",
                  "GITHUB_PERSONAL_ACCESS_TOKEN",
-                  "ghcr.io/github/github-mcp-server:sha-7aced2b"
+                  "ghcr.io/github/github-mcp-server:sha-23fa0dd"
                ],
                "env": {
                  "GITHUB_PERSONAL_ACCESS_TOKEN": "${{ secrets.GITHUB_TOKEN }}"
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -127,7 +127,7 @@ For performance, Claude uses shallow clones:
 If you need full history, you can configure this in your workflow before calling Claude in the `actions/checkout` step.
 ```
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  depth: 0 # will fetch full repo history
 ```
--- a/docs/security.md
+++ b/docs/security.md
@@ -13,13 +13,28 @@
 - **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
 - **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions
 ## ⚠️ Prompt Injection Risks
 **Beware of potential hidden markdown when tagging Claude on untrusted content.** External contributors may include hidden instructions through HTML comments, invisible characters, hidden attributes, or other techniques. The action sanitizes content by stripping HTML comments, invisible characters, markdown image alt text, hidden HTML attributes, and HTML entities, but new bypass techniques may emerge. We recommend reviewing the raw content of all input coming from external contributors before allowing Claude to process it.
 ## GitHub App Permissions
-The [Claude Code GitHub app](https://github.com/apps/claude) requires these permissions:
+The [Claude Code GitHub app](https://github.com/apps/claude) requests the following permissions:
- **Pull Requests**: Read and write to create PRs and push changes
+### Currently Used Permissions
- **Issues**: Read and write to respond to issues
+
- **Contents**: Read and write to modify repository files
+- **Contents** (Read & Write): For reading repository files and creating branches
 - **Pull Requests** (Read & Write): For reading PR data and creating/updating pull requests
 - **Issues** (Read & Write): For reading issue data and updating issue comments
 ### Permissions for Future Features
 The following permissions are requested but not yet actively used. These will enable planned features in future releases:
 - **Discussions** (Read & Write): For interaction with GitHub Discussions
 - **Actions** (Read): For accessing workflow run data and logs
 - **Checks** (Read): For reading check run results
 - **Workflows** (Read & Write): For triggering and managing GitHub Actions workflows
 ## Commit Signing
--- a/docs/solutions.md
+++ b/docs/solutions.md
@@ -35,7 +35,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 1
@@ -89,7 +89,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 1
@@ -153,7 +153,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 1
@@ -211,7 +211,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 1
@@ -268,7 +268,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 1
@@ -344,7 +344,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
@@ -456,7 +456,7 @@ jobs:
      pull-requests: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
@@ -513,7 +513,7 @@ jobs:
      security-events: write
      id-token: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/examples/ci-failure-auto-fix.yml
+++ b/examples/ci-failure-auto-fix.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
          fetch-depth: 0
--- a/examples/claude.yml
+++ b/examples/claude.yml
@@ -26,7 +26,7 @@ jobs:
      actions: read # Required for Claude to read CI results on PRs
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/examples/issue-deduplication.yml
+++ b/examples/issue-deduplication.yml
@@ -15,7 +15,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/examples/issue-triage.yml
+++ b/examples/issue-triage.yml
@@ -14,7 +14,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0
--- a/examples/manual-code-analysis.yml
+++ b/examples/manual-code-analysis.yml
@@ -23,7 +23,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 2 # Need at least 2 commits to analyze the latest
--- a/examples/pr-review-comprehensive.yml
+++ b/examples/pr-review-comprehensive.yml
@@ -16,7 +16,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/examples/pr-review-filtered-authors.yml
+++ b/examples/pr-review-filtered-authors.yml
@@ -18,7 +18,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/examples/pr-review-filtered-paths.yml
+++ b/examples/pr-review-filtered-paths.yml
@@ -19,7 +19,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 1
--- a/src/create-prompt/index.ts
+++ b/src/create-prompt/index.ts
@@ -709,7 +709,7 @@ What You CANNOT Do:
 - Modify files in the .github/workflows directory (GitHub App permissions do not allow workflow modifications)
 When users ask you to perform actions you cannot do, politely explain the limitation and, when applicable, direct them to the FAQ for more information and workarounds:
-"I'm unable to [specific action] due to [reason]. You can find more information and potential workarounds in the [FAQ](https://github.com/anthropics/claude-code-action/blob/main/FAQ.md)."
+"I'm unable to [specific action] due to [reason]. You can find more information and potential workarounds in the [FAQ](https://github.com/anthropics/claude-code-action/blob/main/docs/faq.md)."
 If a user asks for something outside these capabilities (and you have no other tools provided), politely explain that you cannot perform that action and suggest an alternative approach if possible.
--- a/src/mcp/install-mcp-server.ts
+++ b/src/mcp/install-mcp-server.ts
@@ -209,7 +209,7 @@ export async function prepareMcpConfig(
          "GITHUB_PERSONAL_ACCESS_TOKEN",
          "-e",
          "GITHUB_HOST",
-          "ghcr.io/github/github-mcp-server:sha-efef8ae", // https://github.com/github/github-mcp-server/releases/tag/v0.9.0
+          "ghcr.io/github/github-mcp-server:sha-23fa0dd", // https://github.com/github/github-mcp-server/releases/tag/v0.17.1
        ],
        env: {
          GITHUB_PERSONAL_ACCESS_TOKEN: githubToken,
Author	SHA1	Message	Date
Wanghong Yuan	721b4c6d2f	"Claude Code Review workflow"	2025-10-20 21:12:14 -07:00
Wanghong Yuan	67caede2ad	"Update Claude PR Assistant workflow"	2025-10-20 21:12:12 -07:00
GitHub Actions	fd20c95358	chore: bump Claude Code version to 2.0.24	2025-10-20 19:12:24 +00:00
GitHub Actions	d808160c26	chore: bump Claude Code version to 2.0.23	2025-10-20 17:58:41 +00:00
Okumura Takahiro	3eacedbeb7	Update github-mcp-server to v0.17.1 (#613 )	2025-10-20 09:14:27 -07:00
Dale Seo	f52f12eba5	chore: upgrade actions/checkout from v4 to v5 (#632 )	2025-10-20 09:11:13 -07:00
GitHub Actions	4a85933f25	chore: bump Claude Code version to 2.0.22	2025-10-17 22:29:52 +00:00
GitHub Actions	ba6edd55ef	chore: bump Claude Code version to 2.0.21	2025-10-17 00:48:29 +00:00
GitHub Actions	06461dddff	chore: bump Claude Code version to 2.0.20	2025-10-16 16:51:26 +00:00
GitHub Actions	c2a94eead0	chore: bump Claude Code version to 2.0.19	2025-10-15 22:29:38 +00:00
Ashwin Bhat	1c0c3eaced	docs: document GitHub App permissions in security guide (#607 ) Clarifies which permissions are currently used (Contents, Pull Requests, Issues) versus those requested for planned future features (Discussions, Actions, Checks, Workflows). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>	2025-10-15 10:12:11 -07:00
GitHub Actions	23d2d6c6b4	chore: bump Claude Code version to 2.0.17	2025-10-15 16:58:01 +00:00
GitHub Actions	e8bad57227	chore: bump Claude Code version to 2.0.15	2025-10-14 17:50:14 +00:00
GitHub Actions	0a6d62601b	chore: bump Claude Code version to 2.0.14	2025-10-10 21:25:16 +00:00
GitHub Actions	777ffcbfc9	chore: bump Claude Code version to 2.0.13	2025-10-09 17:53:02 +00:00
GitHub Actions	dc58efed33	chore: bump Claude Code version to 2.0.12	2025-10-09 16:41:48 +00:00
GitHub Actions	e5437bfbc5	chore: bump Claude Code version to 2.0.11	2025-10-08 20:36:56 +00:00
GitHub Actions	b2dd1006a0	chore: bump Claude Code version to 2.0.10	2025-10-07 21:14:39 +00:00
GitHub Actions	ac1a3207f3	chore: bump Claude Code version to 2.0.9	2025-10-06 21:57:24 +00:00
Ashwin Bhat	521d069da7	docs: add prompt injection security note (#604 ) * docs: add prompt injection security note Add warning about potential hidden markdown in untrusted content from external contributors. Documents existing sanitization measures while acknowledging new bypass techniques may emerge. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Update docs/security.md Co-authored-by: David Dworken <dworken@anthropic.com> * format --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: David Dworken <dworken@anthropic.com>	2025-10-06 09:51:50 -07:00
GitHub Actions	7e4b782d5f	chore: bump Claude Code version to 2.0.8	2025-10-04 23:17:33 +00:00
GitHub Actions	4fb0ef3be0	chore: bump Claude Code version to 2.0.5	2025-10-02 19:29:43 +00:00
GitHub Actions	14ac8aa20e	chore: bump Claude Code version to 2.0.1	2025-10-01 02:30:10 +00:00
Ashwin Bhat	90d189f3ab	fix: update permission test prompts to trigger actual tool usage (#596 ) Changed test prompts from communication-style echo commands to legitimate technical operations. This ensures Claude attempts the Bash tool call (which then gets blocked by permissions) instead of refusing based on communication guidelines. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>	2025-09-30 18:04:13 -07:00
GitHub Actions	9c09b26b2d	chore: bump Claude Code version to 2.0.2	2025-10-01 00:48:36 +00:00
GitHub Actions	2086c977a5	chore: bump Claude Code version to 2.0.1	2025-09-30 02:45:30 +00:00
GitHub Actions	851ef5b84e	chore: bump Claude Code version to 2.0.0	2025-09-29 16:45:58 +00:00
Song Huang	1ce8153c18	docs: fix the faq doc link (#593 )	2025-09-28 10:02:17 -07:00
GitHub Actions	00391ab25e	chore: bump Claude Code version to 1.0.128	2025-09-27 16:44:46 +00:00