.github: add low-risk label trigger for Claude review with approval#1095
Merged
hieblmi merged 1 commit intolightninglabs:masterfrom Mar 13, 2026
Merged
.github: add low-risk label trigger for Claude review with approval#1095hieblmi merged 1 commit intolightninglabs:masterfrom
hieblmi merged 1 commit intolightninglabs:masterfrom
Conversation
|
Note Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported. |
sputn1ck
approved these changes
Mar 12, 2026
starius
approved these changes
Mar 13, 2026
Collaborator
starius
left a comment
starius
left a comment
There was a problem hiding this comment.
LGTM!
Some proposals added.
| - Security concerns | ||
| - Test coverage | ||
|
|
||
| Use the repository's CLAUDE.md for guidance on style and conventions. |
Comment on lines
6
to
7
| pull_request: | ||
| types: [labeled, synchronize] |
Collaborator
There was a problem hiding this comment.
Does it have access to secrets.CLAUDE_CODE_OAUTH_TOKEN?
Codex thinks that we need to add this so it had access to it in PRs from forks:
pull_request:
types: [labeled, synchronize]
+ pull_request_target:
+ types: [labeled, synchronize]
Collaborator
Author
There was a problem hiding this comment.
Yes we have access, the @claude wouldn't work otherwise
|
|
||
| claude-approve: | ||
| if: | | ||
| github.event_name == 'pull_request' && |
Collaborator
There was a problem hiding this comment.
Then we need to replace pull_request with pull_request_target here
Comment on lines
+96
to
+98
| If you find ANY significant issues, do NOT approve. Instead, leave a | ||
| comment explaining the problems using: | ||
| gh pr comment ${{ github.event.pull_request.number }} --body "Your review findings" |
Collaborator
There was a problem hiding this comment.
The bot can request changes to undo its previous approval:
If NOT approving:
gh pr review ${{ github.event.pull_request.number }} --request-changes --body "Claude review: not eligible for low-risk auto-approval. Include intrinsic PR risk and findings w
ith severities."
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| prompt: | |
Collaborator
There was a problem hiding this comment.
I propose to separate intrinsic severity of the PR (e.g. whether it touches any code working with funds) and severity of potential problems found in the PR (where or not PR itself is valid). If any of these is higher than low, do not use auto-approve flow.
Here is the whole prompt:
REPO: ${{ github.repository }}
PR NUMBER: ${{ github.event.pull_request.number }}
Review this pull request thoroughly, checking for:
- Code quality and best practices
- Potential bugs or issues
- Performance considerations
- Security concerns
- Test coverage
Use the repository's AGENTS.md for guidance on style and conventions.
Classify the PR's intrinsic risk severity using one of:
- critical: must block merge
- high: large blast radius or very sensitive code paths
- medium: meaningful production or maintainability risk
- low: constrained blast radius and straightforward rollback
Intrinsic risk is about the impact and sensitivity of changed code,
even when no concrete bug is found.
Any changes touching fund movement, signing/sweeping, swap state
transitions, security/authz/authn logic, secrets handling, or DB
schema/migrations are at least medium risk.
Also classify each finding using one of:
- critical
- high
- medium
- low
- nit
Decision rule:
- Approve ONLY if intrinsic PR risk is low AND highest finding
severity is low or nit.
- If intrinsic PR risk is medium/high/critical, DO NOT approve and
submit a changes-requested review.
- If any finding is medium/high/critical, DO NOT approve and submit
a changes-requested review.
- If uncertain, treat as medium risk.
If approving:
gh pr review ${{ github.event.pull_request.number }} --approve --body "Claude review: intrinsic PR risk low and findings low/nit; safe for low-risk path."
If NOT approving:
gh pr review ${{ github.event.pull_request.number }} --request-changes --body "Claude review: not eligible for low-risk auto-approval. Include intrinsic PR risk and findings with severities."
Collaborator
Author
There was a problem hiding this comment.
Thank you for the great refinement.
hieblmi
force-pushed
the
claude-review-approve
branch
from
3cefdc1 to
9014843
Compare
- Add pull_request_target trigger for fork secret access - Use pull_request_target in claude-approve if-condition - Replace CLAUDE.md references with AGENTS.md - Replace simple approve/comment prompt with comprehensive risk-classification prompt (intrinsic PR risk + finding severity) - Use --request-changes instead of comment when not approving
hieblmi
force-pushed
the
claude-review-approve
branch
from
9014843 to
06d978c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Its up to the PR creator to apply the low-risk label after judging the PR impact.
The first PR reviewer(besides claude) must then assess the severity category.
If they aggree claude's green check counts.
claude-approvejob triggered by thelow-risklabelgh pr review --approveonly if no significant issues are foundpull-requests: writepermission (scoped only to this job)claude-reviewjob (comment-only) remains unchangedTriggers
@claudementionclaude-reviewclaude-reviewlabelclaude-reviewlow-risklabelclaude-approveTest plan
low-risklabel to a clean PR — Claude should review and approvelow-risklabel to a PR with issues — Claude should comment without approving@claudemention andclaude-reviewlabel still work as comment-only