Claude fix #1259

Merged
sbryngelson merged 3 commits into master from claude-fix
Feb 24, 2026
Conversation

@sbryngelson (Member) commented Feb 24, 2026

CodeAnt-AI Description

Improve Claude code review workflow for safer and clearer PR reviews

What Changed

  • The workflow now checks out the base repository only (safe on forks) and runs in pull_request_target with explicit instruction not to execute or inspect checked-out fork code.
  • Review tooling and allowed commands expanded (JSON parsing utilities and many shell helpers) and the action uses a safer skip-permissions flag; this enables reviews that rely on API/gh commands and json parsing instead of running forked code.
  • Workflow permission for issues is elevated to write so the action can post or update review comments; if posting is blocked the review is written to the Actions job summary.
  • Output and posting behavior clarified: post a single top-level PR comment titled "Claude Code Review" (or "Claude Code Review (updated)" when applicable) with file list, concise summary, and findings or improvement opportunities.
  • Removed the .claude/settings.json file that previously declared a smaller set of allowed tools.

Impact

✅ Fewer security exposures from forked PRs
✅ Clearer, consistent PR review comments
✅ Fewer blocked reviews when posting comments (job summary fallback)


Summary by CodeRabbit

  • Chores
    • Enhanced code review workflow configuration for improved security and consistency in automated reviews.
    • Updated automated code review process with standardized output formatting and refined permission settings.
    • Adjusted code review comment posting to use unified format for clearer feedback presentation.

Updated Claude Code Review workflow to modify permissions and arguments.
Updated Claude Code Review workflow with new permissions and improved prompt instructions.
Copilot AI review requested due to automatic review settings February 24, 2026 16:35
codeant-ai bot (Contributor) commented Feb 24, 2026

CodeAnt AI is reviewing your PR.



@sbryngelson sbryngelson merged commit 34c13b7 into master Feb 24, 2026
15 of 17 checks passed
@sbryngelson sbryngelson deleted the claude-fix branch February 24, 2026 16:35
coderabbitai bot (Contributor) commented Feb 24, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c0da7ca and 5bd3c35.

📒 Files selected for processing (2)
  • .claude/settings.json
  • .github/workflows/claude-code-review.yml

Walkthrough

This pull request removes the allowedTools configuration from .claude/settings.json and updates the Claude code-review GitHub Actions workflow with safer fork handling, elevated permissions, expanded allowed commands, revised prompts, standardized output format, and simplified comment-posting behavior.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Settings Configuration: .claude/settings.json | Removed the entire allowedTools array, eliminating all previously defined tool permissions (including Bash commands, Python, and Git operations). |
| Workflow Updates: .github/workflows/claude-code-review.yml | Multiple changes: switched to base-repo checkout for fork safety; elevated issues permission from read to write; updated marketplace plugin configuration with double-quoted URLs; expanded allowed Claude commands to include text utilities (sed, awk, head, tail, wc, sort, uniq, cut, xargs, jq); revised allowed gh commands for broader pr/issue/api access; enhanced prompt guidance with pull_request_target semantics and optional CLAUDE.md reading; standardized output to three-part structure with minimum improvement opportunities; and refactored result posting to use single "Claude Code Review" comment instead of iterative updates. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

size:M

Poem

🐰 With tools set free and workflows refined,
The code review now sees a safer mind,
Expanded commands help the Claude explore,
While fork protection guards the sacred door—
A single comment speaks the truth at last! 🌟


@codeant-ai codeant-ai bot added the size:M This PR changes 30-99 lines, ignoring generated files label Feb 24, 2026
codeant-ai bot (Contributor) commented Feb 24, 2026

Sequence Diagram

The workflow was changed to run in pull_request_target, checkout the base repo only, run the Claude code-review action with a safer skip-permissions flag and expanded allowed gh/json tools, and publish a single top-level PR comment (or fall back to the job summary). This diagram shows the main success path for generating and posting the review.

sequenceDiagram
    participant GitHub as "GitHub PR Event"
    participant Actions as "Actions Runner (pull_request_target)"
    participant Claude as "anthropics/claude-code-action"
    participant GHAPI as "GitHub API / gh CLI"

    GitHub->>Actions: pull_request_target triggers workflow
    Actions->>Actions: Checkout BASE repository only (safe on forks)
    Actions->>Claude: Run Claude action (--dangerously-skip-permissions, allowedTools...)
    Claude->>GHAPI: Fetch PR metadata, files, and diff via gh / API
    GHAPI-->>Claude: PR files and diff
    Claude->>GHAPI: Post single top-level "Claude Code Review" comment (or update) 
    alt Posting blocked
        Claude->>Actions: Write full review to Actions job summary (fallback)
    end

Generated by CodeAnt AI

- cat CLAUDE.md
Prefer jq/python3 for JSON parsing instead of shell loops.

Output requirements (even if no issues):

Suggestion: Update the workflow prompt so that the Claude reviewer explicitly reads and follows MFC's contribution and GPU documentation, and focuses on correctness and the documented PR-pattern triggers rather than style, as required by the project's AI review rules. [custom_rule]

Severity Level: Minor ⚠️

Suggested change
Output requirements (even if no issues):
Before reviewing code, fetch and skim these MFC-specific docs from the base repository:
- docs/documentation/contributing.md (especially "Common Pitfalls", "What to Review", and PR-pattern triggers)
- docs/documentation/gpuParallelization.md (GPU macro API and GPU rules)
Prioritize correctness, numerical and physics issues, MPI/GPU correctness, precision mixing, and memory issues over formatting or lint-only concerns, which are enforced by pre-commit/CI.
Why it matters? ⭐

The project's AI review rules (provided in the prompt for this task) require reviewers to prioritize correctness, numerical/physics/MPI/GPU issues, and to consult the repo's contribution and GPU documentation (docs/documentation/contributing.md and docs/documentation/gpuParallelization.md). The proposed improved prompt explicitly instructs the automated reviewer to read those MFC docs and to emphasize correctness-related checks over style (which is already enforced by pre-commit). This directly enforces a documented custom rule and is therefore a substantive, beneficial change rather than a cosmetic tweak. The improved YAML is syntactically valid and clearly narrows the review focus to the repository's stated priorities.

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** .github/workflows/claude-code-review.yml
**Line:** 72:72
**Comment:**
	*Custom Rule: Update the workflow prompt so that the Claude reviewer explicitly reads and follows MFC's contribution and GPU documentation, and focuses on correctness and the documented PR-pattern triggers rather than style, as required by the project's AI review rules.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

codeant-ai bot (Contributor) commented Feb 24, 2026

CodeAnt AI finished reviewing your PR.

Copilot AI (Contributor) left a comment

Pull request overview

Updates the GitHub Actions workflow that runs Claude-based automated code review on pull_request_target, aiming to make fork PR handling safer and to adjust the Claude tool configuration.

Changes:

  • Switches checkout behavior to only fetch the base repository (not the fork PR head).
  • Updates Claude invocation (plugins, prompt instructions, and the allowed tool list).
  • Removes .claude/settings.json, consolidating tool allowlisting into the workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/claude-code-review.yml | Adjusts permissions, checkout behavior, and Claude tool/prompt configuration for PR reviews. |
| .claude/settings.json | Deleted; previous allowed-tools configuration removed from repo config. |

Comment on lines 36 to +58
--allowedTools
"Bash(gh pr view:*)"
"Bash(gh pr diff:*)"
"Bash(gh pr comment:*)"
"Bash(gh api repos/*/pulls/*:*)"
"Bash(gh api repos/*/issues/*/comments:*)"
"Bash(gh pr list:*)"
"Bash(gh pr status:*)"
"Bash(gh issue comment:*)"
"Bash(gh api:*)"
"Bash(cat:*)"
"Bash(ls:*)"
"Bash(grep:*)"
"Bash(find:*)"
"Bash(sed:*)"
"Bash(awk:*)"
"Bash(head:*)"
"Bash(tail:*)"
"Bash(wc:*)"
"Bash(sort:*)"
"Bash(uniq:*)"
"Bash(cut:*)"
"Bash(xargs:*)"
"Bash(jq:*)"
"Bash(python3:*)"
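Review bot: "Bash(gh api:*)" in the middle of this list already matches everything the two scoped entries "Bash(gh api repos/*/pulls/*:*)" and "Bash(gh api repos/*/issues/*/comments:*)" allow, so the scoped rules no longer constrain anything; keep the scoped pair and drop the bare gh api rule. "Bash(xargs:*)", "Bash(find:*)" and "Bash(awk:*)" can each start other programs, which makes the rest of the allowlist moot in a pull_request_target job; remove them unless a review step needs them, and add a comment in the workflow for each one that stays.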
Copilot AI Feb 24, 2026

The current --allowedTools list is very broad (gh api:* plus python3:* and many shell text utilities). In a pull_request_target job with secrets, a prompt-injected PR can use python3 (or other tooling) to read environment variables and leak tokens via PR comments/logs. Tighten this to only the exact gh commands/endpoints and parsing tools required (prefer jq over python3 here), and avoid wildcard gh api:* if possible.

Copilot uses AI. Check for mistakes.
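A small lint for the concern raised in the comment above, as an added example that is not part of the PR or the project's workflow: it parses Bash(...) allowlist entries and flags interpreters, commands that can launch other programs, an unscoped gh api rule, and scoped rules shadowed by a broader one. The sample list is a constructed subset of the entries quoted above, and the INTERPRETERS and SPAWNERS sets are assumptions.

```python
import re

# Constructed sample: a subset of the --allowedTools entries quoted above.
ALLOWED_TOOLS = """
"Bash(gh pr view:*)"
"Bash(gh pr comment:*)"
"Bash(gh api repos/*/pulls/*:*)"
"Bash(gh api:*)"
"Bash(cat:*)"
"Bash(find:*)"
"Bash(xargs:*)"
"Bash(jq:*)"
"Bash(python3:*)"
"""

# Assumptions (not from the PR): commands treated as general-purpose
# interpreters, and commands able to launch other programs.
INTERPRETERS = {"python3", "python", "bash", "sh", "perl", "node"}
SPAWNERS = {"xargs", "find", "awk", "sed"}

ENTRY = re.compile(r'"Bash\(([^:)\s][^:)]*):\*\)"')


def parse_entries(text):
    """Return the command prefix of every "Bash(<prefix>:*)" entry."""
    return [m.group(1).strip() for m in ENTRY.finditer(text)]


def audit(prefixes):
    """Return (prefix, reason) pairs for entries that defeat the allowlist."""
    findings = []
    for prefix in prefixes:
        words = prefix.split()
        if words[0] in INTERPRETERS:
            findings.append((prefix, "interpreter"))
        elif words[0] in SPAWNERS:
            findings.append((prefix, "can-launch-programs"))
        elif words == ["gh", "api"]:
            findings.append((prefix, "unscoped-api"))
        # A scoped rule constrains nothing once a shorter prefix is also allowed.
        for other in prefixes:
            ow = other.split()
            if len(ow) < len(words) and words[:len(ow)] == ow:
                findings.append((prefix, "shadowed-by:" + other))
    return findings


if __name__ == "__main__":
    for prefix, reason in audit(parse_entries(ALLOWED_TOOLS)):
        print(f"{reason:22} {prefix}")
```

Run against the real workflow file in CI, a non-empty result can fail the job before an over-broad allowlist reaches master.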
Comment on lines 10 to 15
permissions:
contents: read
pull-requests: write
issues: read
issues: write
actions: read
id-token: write
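Review bot: id-token: write on the last line stays in place with no comment saying which step consumes the OIDC token; in a pull_request_target job, add a one-line comment naming the step that needs it, do the same for the new issues: write, and drop whichever of the two the job does not use.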
Copilot AI Feb 24, 2026

issues: write expands the workflow token scope compared to the previous issues: read. If this job only needs to post PR comments, keep this permission read-only (or omit it) and remove gh issue comment:* from the allowed tools; otherwise, please justify why issue write access is required in a pull_request_target workflow that runs with secrets on forked PRs.


claude_args: >
--dangerouslyDisableSandbox
--dangerously-skip-permissions
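Review bot: The claude_args block gives no rationale for a flag whose name begins with "dangerously"; add a comment above it stating what the flag bypasses and whether the --allowedTools list still applies when it is set, so a later editor does not widen the list on the assumption that permission prompts act as a backstop.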
Copilot AI Feb 24, 2026

The --dangerously-skip-permissions flag is risky in a pull_request_target workflow because it can undermine the whole point of restricting capabilities via --allowedTools. Consider removing this flag and relying on a minimal allowedTools set plus least-privilege GitHub token permissions to reduce prompt-injection blast radius.

Suggested change
--dangerously-skip-permissions
