_private/qwestly-docs/Engineering/automated-pr-review.md

Automated PR Review (Claude Code)

Every PR opened or updated in the candidate repo triggers an automated review by Claude Code. The review posts inline comments on changed files and a summary comment on the PR — all under the qwestly[bot] identity.

Comments appear from qwestly[bot] because the workflow uses the qwestly GitHub App for gh pr comment calls.

Triggers

  • PR opened or synchronized — runs automatically
  • Comment codebot on a PR — re-runs the review (useful after pushing more commits without triggering synchronize)

Workflow file

.github/workflows/claude-code-review.yml — uses anthropics/claude-code-action@beta.

What it does

  1. Checks out the PR branch and the base branch
  2. Initializes the packages/ui submodule (see below)
  3. Computes the diff between the PR branch and its base
  4. Runs Claude Code with a restricted tool set:
    • mcp__github_inline_comment__create_inline_comment — posts inline comments on specific file/line pairs
    • Bash(gh pr comment:*) — posts a single summary comment on the PR
  5. Writes a pipeline summary to $GITHUB_STEP_SUMMARY

Claude Code is instructed to only flag issues with high confidence (bugs, security, performance, test gaps) — it skips nitpicks and style preferences.

Required secrets

CLAUDE_CODE_OAUTH_TOKEN and GH_QWESTLY_UI_TOKEN are organization-level secrets, so every repo in the Qwestly org inherits them automatically. No per-repo setup needed.

| Secret | Scope | Purpose |
| --- | --- | --- |
| CLAUDE_CODE_OAUTH_TOKEN | Org | Authenticates the anthropics/claude-code-action |
| GH_QWESTLY_UI_TOKEN | Org | GitHub fine-grained PAT with read access to qwestly/qwestly-ui |
| GITHUB_TOKEN | Auto | Standard Actions token — always available |

Submodule: packages/ui

Repos with a packages/ui submodule (like candidate) need it checked out for TypeScript paths like @/packages/ui/* to resolve. The workflow runs ./scripts/init-submodule.sh after checkout. This script:

  • Syncs submodule URLs from .gitmodules
  • If GH_QWESTLY_UI_TOKEN is set, overrides the submodule remote URL to an authenticated HTTPS URL (https://enotionz:<token>@github.com/qwestly/qwestly-ui.git)
  • Runs git submodule update --init --recursive

Since GH_QWESTLY_UI_TOKEN is an org secret, the submodule init step works out of the box in any repo that has the script and submodule configured.
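
Because the override embeds the token in the remote URL, a follow-up check can confirm the credential does not stay on disk once the submodule is fetched. The script below is an added example, not the project's init-submodule.sh: it assumes the authenticated URL ends up in git config files under .git/, and its function names and the CONSTRUCTED_TOKEN sample are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's init-submodule.sh. Assumes the token
# override is written into git config files under .git/.

# Matches "url = scheme://user:secret@..." lines in a git config file.
CRED_URL_RE='^([[:space:]]*url[[:space:]]*=[[:space:]]*[a-z+]+://)([^:/@[:space:]]+):[^@[:space:]]+@'

# Print each credential-bearing URL with the secret masked (safe for CI logs).
find_credential_urls() {
  for cfg in "$@"; do
    [ -f "$cfg" ] || continue
    sed -n -E "s#${CRED_URL_RE}#\1\2:***@#p" "$cfg" |
      while IFS= read -r line; do printf '%s:%s\n' "$cfg" "$line"; done
  done
}

# Rewrite the files in place, dropping the user:secret@ part of each URL.
scrub_credential_urls() {
  for cfg in "$@"; do
    [ -f "$cfg" ] || continue
    sed -E "s#${CRED_URL_RE}#\1#" "$cfg" > "$cfg.tmp.$$" && mv "$cfg.tmp.$$" "$cfg"
  done
}

# Succeed only if no config under <repo>/.git holds a credential URL.
repo_is_clean() {
  leaks=$(find "$1/.git" -type f -name config | while IFS= read -r cfg; do
    find_credential_urls "$cfg"
  done)
  [ -z "$leaks" ] || { printf '%s\n' "$leaks" >&2; return 1; }
}

# Build a constructed .git layout with a placeholder token for demonstration.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.git/modules/packages/ui"
  printf '[submodule "packages/ui"]\n\turl = https://enotionz:CONSTRUCTED_TOKEN@github.com/qwestly/qwestly-ui.git\n' > "$dir/.git/config"
  printf '[remote "origin"]\n\turl = https://github.com/qwestly/qwestly-ui.git\n' > "$dir/.git/modules/packages/ui/config"
  printf '%s\n' "$dir"
}
```

Run scrub_credential_urls only after git submodule update has finished, since later fetches of the submodule will no longer authenticate.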

Adding the workflow to another repo

  1. Copy .github/workflows/claude-code-review.yml from candidate to the target repo
  2. If the repo has a packages/ui submodule, make sure ./scripts/init-submodule.sh is present (copy it from candidate too)
  3. Done — no secrets to configure, both tokens are org-level