Enhance Claude CI: incremental reviews, full file context, skip-permissions

[sbryngelson]

Summary

• claude-code-review.yml: Add incremental review mode (only reviews new changes on synchronize), full file context fetching via GitHub API, @claude full review comment trigger, and claude-full-review label trigger
• claude.yml: Add --dangerously-skip-permissions so Claude doesn't hang waiting for approval prompts in CI
• PR template: Add Claude review trigger instructions alongside existing Qodo/CodeRabbit entries
• m_ib_patches.fpp: Replace misleading TODO comments on airfoil leading edge initialization with accurate comment

Test plan

• Open a test PR and verify Claude code review triggers on PR open (full mode)
• Push a commit to the test PR and verify incremental review mode
• Comment @claude full review and verify re-review triggers
• Verify @claude interactive assistant still works in claude.yml

🤖 Generated with Claude Code

[github-actions]

Claude Code Review

Head SHA: 70f90e8

Files changed: 4

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml
• .github/pull_request_template.md
• src/simulation/m_ib_patches.fpp

---

Summary

• Adds incremental review mode to claude-code-review.yml (skips re-reviewing unchanged commits)
• Adds issue_comment trigger so @claude full review comment kicks off a review
• Adds claude-full-review label trigger
• Expands prompt with full-file-context fetching via GitHub API and hidden SHA markers
• Adds --dangerously-skip-permissions to the interactive claude.yml assistant workflow
• Fixes a misleading TODO comment in m_ib_patches.fpp

---

Findings

1. issue_comment trigger has no actor authorization check — medium severity

File: .github/workflows/claude-code-review.yml, job if: condition (~line 8–22)

Any GitHub user (including external contributors, bots, or anonymous accounts) can trigger a full Claude API review by posting a comment containing @claude full review on any open PR. There is no check on github.event.comment.author_association.

Recommendation: Gate on commenter permissions:

github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR'

2. --dangerously-skip-permissions added to the interactive assistant workflow — medium severity

File: .github/workflows/claude.yml, line ~35

claude.yml is the @claude-responds-to-comments interactive assistant, not a read-only review workflow. Adding --dangerously-skip-permissions here means Claude will execute any tool call (write files, run arbitrary bash, etc.) without approval prompts when responding to issue/PR comments. The original workflow likely omitted this flag intentionally to keep the interactive assistant in a supervised mode. The review workflow already had this flag; this PR extends it to the assistant.

Recommendation: Confirm this is intentional. If the goal is only to avoid CLI approval prompts in the review workflow, limit the flag to claude-code-review.yml only.

3. REVIEW_MODE can remain unset for synchronize → labeled edge (minor / cosmetic)

File: .github/workflows/claude-code-review.yml, step Determine PR number and review mode (~line 55–72)

If the job if: condition passes for synchronize, the shell script sets REVIEW_MODE="incremental" — correct. If it passes for labeled, it sets REVIEW_MODE="full" — correct. However the shell elif for labeled duplicates the job-level if: condition. This is harmless redundancy but if the job-level condition ever diverges from the shell conditions, REVIEW_MODE could be unset and output an empty string.

Recommendation: Add a fallback else echo "REVIEW_MODE unset, defaulting to full"; REVIEW_MODE="full" or a set -u guard.

---

Non-issue observations

• The m_ib_patches.fpp comment fix is accurate and non-functional — looks good.
• Phase 3 full-file-context fetch (up to 15 files via GitHub API) is a nice improvement for catching context the diff hides.
• The hidden <!-- claude-review: reviewed_sha=...; mode=... --> marker pattern for incremental reviews is clean.

[github-actions]

Claude Code Review

Head SHA: 06973505cc6a1bf06fef14a4573dd118a4b0a90b

Files changed: 4

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml
• .github/pull_request_template.md
• src/simulation/m_ib_patches.fpp

---

Summary

• Adds incremental review mode (synchronize → diff-only) vs full mode (open/reopen/label/comment)
• Adds issue_comment trigger to allow @claude full review to kick off re-review
• Adds labeled trigger for claude-full-review label
• Adds Phase 3 full-file-context fetching via GitHub API (safe — no local checkout)
• Adds hidden SHA marker in review comments to detect what's already been reviewed
• Removes misleading TODO comments in m_ib_patches.fpp

---

Findings

1. No actor check on @claude full review trigger — cost/abuse risk
File: .github/workflows/claude-code-review.yml, lines 14–20

The issue_comment trigger fires for any commenter. Any GitHub user (including non-collaborators) can post @claude full review on any PR to consume API quota. Consider adding a collaborator or org-member check:

github.event.comment.author_association == 'COLLABORATOR' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'OWNER'

2. --dangerously-skip-permissions added to the interactive assistant workflow (claude.yml)
File: .github/workflows/claude.yml, line 34

The PR description says this prevents hanging on approval prompts in CI. However, claude.yml is the interactive assistant that responds to PR comments and can take arbitrary actions (file edits, shell commands, etc.). Bypassing permission prompts for that workflow is a broader change than the review-only workflow. Confirm this is intentional — the removed comment in claude-code-review.yml explained the flag's purpose clearly, but that context no longer accompanies the flag in claude.yml.

3. PR_NUMBER unset in fallback branch (minor)
File: .github/workflows/claude-code-review.yml, lines 58–79

The final else branch sets REVIEW_MODE=full but never sets PR_NUMBER. The if: guard makes this unreachable in practice, but an explicit PR_NUMBER=""" or a hard error (exit 1) would make the intent clearer and prevent silent failures if the condition logic ever changes.

---

Non-issue observations

• The labeled + synchronize events are distinct and won't conflict: pushing a commit while labeling fires two separate jobs, each posting their own comment. This is acceptable behavior.
• Fetching file contents via gh api .../contents/{path}?ref={head_sha} is the correct safe pattern for pull_request_target — no fork code reaches the runner filesystem.
• The m_ib_patches.fpp comment fix is correct: airfoil_grid_u(1)/airfoil_grid_l(1) are the leading-edge origin points explicitly set before the loop, which starts at i=1 and fills positions via chord-parameterized coordinates — the old TODO was wrong.

[Copilot]

Pull request overview

Enhances the Claude CI workflows with incremental review support, full file context fetching via GitHub API, label/comment triggers for re-reviews, and adds --dangerously-skip-permissions to the interactive Claude workflow.

Changes:

• Add incremental review mode to claude-code-review.yml (only reviews new changes on synchronize events) with full file context fetching and multiple trigger mechanisms
• Add --dangerously-skip-permissions to claude.yml for non-interactive CI runs
• Update PR template with Claude review trigger instructions

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/claude-code-review.yml	Add review mode detection, full file context phase, incremental/full review policies, label and comment triggers
.github/workflows/claude.yml	Add --dangerously-skip-permissions flag
.github/pull_request_template.md	Document Claude review triggers

[github-actions]

Claude Code Review

Head SHA: a57f17a

Files changed: 3

• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml
• .github/pull_request_template.md

Summary:

• Adds incremental review mode triggered on synchronize events (reviews only new changes since last Claude-reviewed SHA)
• Adds issue_comment trigger for @claude full review and labeled trigger for claude-full-review label
• Extends prompt with Phase 3 full-file context fetching via GitHub API (up to 15 files at head SHA)
• Adds --dangerously-skip-permissions to the interactive claude.yml assistant workflow
• PR body mentions a m_ib_patches.fpp comment fix, but that file is not in the diff — likely dropped before merging

---

Findings:

1. PR_NUMBER left unset in fallback branch — .github/workflows/claude-code-review.yml, mode-detection step

else
  REVIEW_MODE="full"
fi

The else branch sets REVIEW_MODE but never sets PR_NUMBER. If a new github.event_name is ever added to the trigger list, downstream steps receive an empty pr_number output and the gh pr view / gh pr diff calls silently fail or error. Add PR_NUMBER=""" echo 'ERROR: unknown event'; exit 1 or at minimum set a safe sentinel.

2. No permission check on @claude full review comments — .github/workflows/claude-code-review.yml, condition block

contains(github.event.comment.body, '@claude full review')

Any GitHub user (including unauthenticated drive-bys on public repos) can post this comment and trigger a full review with Phase 3 file fetches (up to 15 API calls per invocation). Consider adding an author-association guard:

github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'COLLABORATOR'

Without this, the workflow is trivially abusable for API quota exhaustion.

3. synchronize unconditionally triggers incremental reviews on every push
Every git push to any open PR (including WIP / draft commits) fires Phase 3 fetches. This can be expensive at scale. Consider adding a github.event.pull_request.draft == false guard to skip draft PRs, or a minimum-lines-changed threshold.

4. --dangerously-skip-permissions added to interactive assistant — .github/workflows/claude.yml, line ~35
The interactive claude.yml workflow responds to arbitrary @claude commands from PR participants. Adding --dangerously-skip-permissions means Claude will execute any tool call (file writes, shell commands, etc.) without prompting. The previous claude-code-review.yml note explicitly warned against using the sandbox-disabling flag for good reason. This change should be carefully scoped — at minimum, document why this is safe in this context, or restrict it to the review workflow only where the prompt is controlled.

5. Incremental SHA-marker parsing is fragile
The hidden marker <!-- claude-review: reviewed_sha=<sha>; mode=<mode> --> is produced and consumed by the same Claude prompt. If Claude truncates the comment, reformats it, or the marker is embedded mid-comment rather than at the end, incremental mode silently falls back to a full review (or misidentifies the base SHA). Consider using a structured GitHub Actions cache or a dedicated PR label (e.g., reviewed-sha:<sha>) as the authoritative state store instead.

---

Improvement opportunities (low priority):

• The synchronize path in the mode-detection step has an unreachable else — all pull_request_target actions are already covered by the preceding if/elif arms. The final else REVIEW_MODE="full" is dead code; removing it reduces confusion.
• The new Phase 3 instructions in the prompt are quite long (~40 lines). Consider moving them to a dedicated .claude/rules/review-instructions.md file and using cat in the prompt, keeping the YAML more maintainable.

[github-actions]

Claude Code Review

Head SHA: a57f17a

Files changed: 3

• .github/pull_request_template.md
• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml

Summary:

• Adds incremental review mode (only new findings on synchronize pushes) with hidden SHA marker tracking
• Adds issue_comment trigger for @claude full review in PR comments
• Adds labeled trigger for claude-full-review label
• Adds Phase 3 full file context fetching via GitHub API (up to 15 files)
• Adds --dangerously-skip-permissions to both the review workflow and the interactive claude.yml assistant

---

Findings

1. --dangerously-skip-permissions in interactive claude.yml — moderate concern
.github/workflows/claude.yml +35

The interactive assistant workflow (claude.yml) allows anyone with comment access to trigger Claude for general assistance tasks. Adding --dangerously-skip-permissions means Claude will execute shell commands, write files, and perform other sensitive operations without pausing for approval. In the code-review workflow this is safe (Claude only calls read-only gh commands), but in the general assistant context this lowers the barrier to unintended or malicious action. Consider scoping this flag to the review workflow only, or auditing what additional_permissions the assistant workflow grants.

2. PR_NUMBER may be empty in edge cases
.github/workflows/claude-code-review.yml +53–71 (the mode step)

If github.event_name is neither pull_request_target nor issue_comment (e.g., future event type added to on:), PR_NUMBER is never set. The step then outputs pr_number= (empty), and the subsequent gh pr view / gh pr diff calls will fail with an unhelpful error. Add a fallback or exit 1 at the bottom of the else path:

else
  echo "Unexpected event: ${{ github.event_name }}" >&2
  exit 1
fi

3. PR description references m_ib_patches.fpp but the file is absent from the diff
The PR body states: "m_ib_patches.fpp: Replace misleading TODO comments…" but changedFiles is 3 and only the two workflow files and the PR template are listed. Either the change was dropped before the PR was opened or the summary is stale. If this was intentional, the description should be updated.

4. synchronize behavior change (intentional, but worth flagging)
Previously every push triggered a full review. Now pushes run incremental mode and may post no comment at all if no new issues are found. Reviewers accustomed to seeing a fresh full review on each push should be aware of this change. The @claude full review trigger and claude-full-review label provide a manual escape hatch, which is good.

---

Minor / no action required

• The if: guard on the job correctly gates issue_comment events to PRs only (github.event.issue.pull_request != null). This is the standard safe pattern.
• Phase 3 file fetching limits (15 files, skip >500 lines) are reasonable to avoid runaway token usage.
• The hidden marker approach (<!-- claude-review: reviewed_sha=...; mode=... -->) is simple and workable.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e7b9859e-b64d-444b-b6ca-df769dfe59f9

📥 Commits

Reviewing files that changed from the base of the PR and between 93e3d09 and a57f17a.

📒 Files selected for processing (3)

• .github/pull_request_template.md
• .github/workflows/claude-code-review.yml
• .github/workflows/claude.yml

---

📝 Walkthrough

Walkthrough

This pull request modifies the GitHub Actions workflows and pull request template to expand Claude-based code review capabilities. The changes add new trigger mechanisms for Claude reviews via annotations (@claude full review) and labels (claude-full-review), update the code review workflow to support multiple activation paths including labeled PR events and issue comments, introduce a multi-phase review process with local guidance and file context fetching via the GitHub API, add new job permissions, and include a mode computation step to differentiate between full and incremental review types. Additionally, a new workflow input parameter is introduced to support permission skipping in the Claude Code GitHub Action.

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}