Skip to content
Claude PR Review

fix(preview): rewrite Set-Cookie to SameSite=None in the proxy #3511

Sign in to view logs

fix(preview): rewrite Set-Cookie to SameSite=None in the proxy

fix(preview): rewrite Set-Cookie to SameSite=None in the proxy #3511

Workflow file for this run

.github/workflows/claude-pr-review.yml at f39203f
name: Claude PR Review
# https://github.com/anthropics/claude-code-action/blob/main/examples/pr-review-comprehensive.yml
on:
pull_request_target:
types: [opened, synchronize, ready_for_review, reopened]
# Restrict default permissions; each job declares only what it needs.
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
claude-review:
environment: ai-bots
outputs:
context_sha: ${{ steps.context.outputs.context_sha }}
# Only review code from regular contributors since claude code has non-trivial costs.
# It's also a safe-guard for preventing malicious PRs from doing bad things although we restrict
# the permissions and tools allowed in this job.
# https://github.com/anthropics/claude-code-action/blob/main/examples/pr-review-filtered-authors.yml
if: >-
contains(
fromJSON('["wwwillchen","keppo-bot","keppo-bot[bot]","dyad-assistant","azizmejri1","princeaden1","nourzakhama2003","ryangroch"]'),
github.event.pull_request.user.login
)
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
pull-requests: read
env:
REVIEW_CONTEXT_PATH: tmp/pr-review/claude-context.json
REVIEW_PROMPT_PATH: tmp/pr-review/claude-prompt.txt
REVIEW_OUTPUT_PATH: tmp/pr-review/claude-review.md
REVIEW_FINDINGS_PATH: tmp/pr-review/claude-findings.json
REVIEW_SUBAGENT_INSTRUCTIONS: >-
Use exactly 1 review sub-agent total. That single sub-agent must apply
all three personas together: Correctness & Debugging Expert, Code
Health Expert, and UX Wizard. Do not spawn one sub-agent per persona,
and do not spawn any additional review sub-agents.
steps:
- name: Checkout trusted workflow repo
uses: actions/checkout@v5
with:
repository: ${{ github.repository }}
ref: ${{ github.sha }}
fetch-depth: 1
persist-credentials: false
- name: Setup Node
uses: actions/setup-node@v5
with:
node-version: v24.13.1
- name: Build PR review context
id: context
env:
GITHUB_TOKEN: ${{ github.token }}
GITHUB_REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
OUTPUT_PATH: ${{ env.REVIEW_CONTEXT_PATH }}
run: node scripts/pr-review/build-context.mjs
- name: Render Claude review prompt
id: render-prompt
env:
TEMPLATE_PATH: .github/prompts/claude-pr-review.txt
OUTPUT_PATH: ${{ env.REVIEW_PROMPT_PATH }}
OUTPUT_NAME: prompt
CONTEXT_PATH: ${{ env.REVIEW_CONTEXT_PATH }}
OUTPUT_MD_PATH: ${{ env.REVIEW_OUTPUT_PATH }}
OUTPUT_FINDINGS_PATH: ${{ env.REVIEW_FINDINGS_PATH }}
run: node scripts/issue-agent/render-template.mjs
- name: PR Review
uses: anthropics/claude-code-action@v1.0.96
env:
# Default is 32,000 which Claude willl sometimes hit.
# https://code.claude.com/docs/en/settings
CLAUDE_CODE_MAX_OUTPUT_TOKENS: 48000
with:
# anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
# See: https://github.com/anthropics/claude-code-action/blob/v1/docs/security.md
github_token: ${{ github.token }}
allowed_non_write_users: "princeaden1,nourzakhama2003,ryangroch" # remember, we already filter above.
allowed_bots: "keppo-bot[bot]"
# Disable progress tracking (try to save tokens)
track_progress: false
display_report: false
prompt: ${{ steps.render-prompt.outputs.prompt }}
claude_args: |
--model claude-opus-4-6
- name: Upload Claude review artifact
uses: actions/upload-artifact@v6
with:
name: claude-pr-review
path: |
${{ env.REVIEW_CONTEXT_PATH }}
${{ env.REVIEW_OUTPUT_PATH }}
${{ env.REVIEW_FINDINGS_PATH }}
if-no-files-found: error
retention-days: 1
post-claude-review:
environment: ai-bots
needs: claude-review
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
actions: read
contents: read
env:
REVIEW_CONTEXT_PATH: tmp/pr-review/claude-context.json
REVIEW_OUTPUT_PATH: tmp/pr-review/claude-review.md
REVIEW_FINDINGS_PATH: tmp/pr-review/claude-findings.json
steps:
- name: Download Claude review artifact
uses: actions/download-artifact@v7
with:
name: claude-pr-review
path: tmp/pr-review
- name: Refresh trusted post-agent helpers
uses: actions/checkout@v5
with:
repository: ${{ github.repository }}
ref: ${{ github.sha }}
fetch-depth: 1
persist-credentials: false
path: tmp/pr-review/trusted-post-agent
- name: Validate Claude review summary
env:
CONTEXT_PATH: ${{ env.REVIEW_CONTEXT_PATH }}
REVIEW_PATH: ${{ env.REVIEW_OUTPUT_PATH }}
EXPECTED_CONTEXT_SHA: ${{ needs.claude-review.outputs.context_sha }}
run: node tmp/pr-review/trusted-post-agent/scripts/pr-review/validate-review-summary.mjs
- name: Validate Claude findings
id: validate-findings
continue-on-error: true
env:
CONTEXT_PATH: ${{ env.REVIEW_CONTEXT_PATH }}
REVIEW_PATH: ${{ env.REVIEW_OUTPUT_PATH }}
FINDINGS_PATH: ${{ env.REVIEW_FINDINGS_PATH }}
EXPECTED_CONTEXT_SHA: ${{ needs.claude-review.outputs.context_sha }}
run: node tmp/pr-review/trusted-post-agent/scripts/pr-review/validate-review.mjs
- name: Warn when Claude findings validation fails
if: ${{ steps.validate-findings.outcome == 'failure' }}
run: |
echo "::warning::Claude findings validation failed; skipped inline comments."
echo "Claude findings validation failed; skipped inline comments." >> "$GITHUB_STEP_SUMMARY"
- name: Create fresh post-review token
id: post-token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ vars.DYAD_GITHUB_APP_ID }}
private-key: ${{ secrets.DYAD_GITHUB_APP_PRIVATE_KEY }}
permission-pull-requests: write
permission-issues: write
- name: Post Claude inline review comments
id: post-inline
if: ${{ steps.validate-findings.outcome == 'success' }}
continue-on-error: true
env:
GITHUB_TOKEN: ${{ steps.post-token.outputs.token }}
GITHUB_REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
CONTEXT_PATH: ${{ env.REVIEW_CONTEXT_PATH }}
FINDINGS_PATH: ${{ env.REVIEW_FINDINGS_PATH }}
REVIEW_LABEL: Claude
run: node tmp/pr-review/trusted-post-agent/scripts/pr-review/post-inline-review.mjs
- name: Warn when Claude inline posting fails
if: ${{ steps.post-inline.outcome == 'failure' }}
run: |
echo "::warning::Claude inline comment posting failed; summary comment still posted."
echo "Claude inline comment posting failed; summary comment still posted." >> "$GITHUB_STEP_SUMMARY"
- name: Post Claude review comment
if: ${{ always() && steps.post-token.outcome == 'success' }}
uses: actions/github-script@v8
env:
REVIEW_PATH: ${{ env.REVIEW_OUTPUT_PATH }}
with:
github-token: ${{ steps.post-token.outputs.token }}
script: |
const fs = require('node:fs');
const reviewPath = process.env.REVIEW_PATH;
if (!reviewPath) {
throw new Error('REVIEW_PATH is required');
}
const summary = fs.readFileSync(reviewPath, 'utf8').trim();
if (!summary) {
throw new Error('Validated Claude review is missing summary text');
}
const owner = context.repo.owner;
const repo = context.repo.repo;
const issue_number = context.payload.pull_request.number;
const body = [
'<!-- pr-review:claude -->',
'## :mag: Dyadbot Code Review Summary',
'',
summary,
].join('\n');
await github.rest.issues.createComment({
owner,
repo,
issue_number,
body,
});
core.info('Created Claude review comment');