ci: fix Claude Code review workflow context and history

[lklimek]

Summary

• Full git history: Changed fetch-depth: 1 → fetch-depth: 0 so git diff, git log, and git merge-base work correctly during review
• MCP for PR context: Agent now uses MCP GitHub tools (not env vars) to get PR number, branches, and changed files — avoids tool permission blocks on shell parameter substitution
• Sub-agent context passing: Prompt explicitly instructs agent to pass PR context to spawned sub-agents (they have no conversation history)
• Previous commits: tightened git allowedTools, added shell utils, loaded dash-platform skill, added claudash plugin

Test plan

• Trigger claudius-review label on a test PR and verify the review completes without "command requires approval" errors
• Verify git history commands (diff, log, merge-base) succeed in the review log
• Confirm sub-agents receive PR context and can produce review comments

🤖 Generated with Claude Code

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

Summary by CodeRabbit

• Chores
  • Updated code review workflow to retain full git history, expand available review plugins, provide richer PR/context prompts, increase interaction limits, and broaden allowed command/tool access to support deeper, more flexible automated analysis.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated the Claude code-review GitHub Actions workflow to fetch full git history, add an extra plugin contributor, expand the review prompt with Dash Platform and PR metadata instructions, and broaden the allowed Git/shell/tool command list and max-turns.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/claude-code-review.yml	Changed fetch-depth from 1 to 0; added claudash@lklimek to plugins; extended the review prompt with Dash Platform context and PR metadata instructions; expanded allowedTools with additional Git, shell, and filesystem commands and increased max-turns from 30 to 150.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci: add Claude Code review workflow #712: Modifies the same .github/workflows/claude-code-review.yml workflow and earlier introduced the Claude code-review configuration this PR extends.

Poem

🐰 I dug the repo, deep and neat,
Found full history beneath my feet,
Two plugins nibble, prompts now sing,
More tools to hop and do their thing,
Hooray for reviews — a carrot treat! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing the Claude Code review workflow by improving context handling and git history retrieval through fetch-depth and prompt adjustments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/claude-code-review-3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/claude-code-review.yml (1)

81-81: Verify the scope of permissive Bash patterns.

The newly added shell utilities (echo, ls, grep, mkdir, mktemp, pwd) are reasonable for review tasks. However, note that Bash(bash *) and Bash(python3 *) are quite broad and could theoretically allow arbitrary command execution.

Current mitigations appear adequate:

• .claude/settings.json denies editing scripts/** and .github/workflows/**
• Workflow permissions limit write access to issues and pull-requests only

If these permissive patterns were intentional (e.g., for running analysis scripts), the setup looks acceptable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml at line 81, The allowedTools entry
contains overly permissive shell patterns—specifically the tokens Bash(bash *)
and Bash(python3 *)—which permit arbitrary command execution; narrow these by
replacing them with exact commands or constrained argument patterns (e.g.,
Bash(bash -c "specific-script.sh") or Bash(python3 path/to/script.py) or remove
them entirely) and/or add explicit deny rules for editing sensitive paths
referenced in .claude/settings.json; update the allowedTools string (the line
containing allowedTools and the Bash(...) tokens) to the tightened patterns and
rerun the workflow to confirm no needed functionality is broken.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/claude-code-review.yml:
- Line 81: The allowedTools entry contains overly permissive shell
patterns—specifically the tokens Bash(bash *) and Bash(python3 *)—which permit
arbitrary command execution; narrow these by replacing them with exact commands
or constrained argument patterns (e.g., Bash(bash -c "specific-script.sh") or
Bash(python3 path/to/script.py) or remove them entirely) and/or add explicit
deny rules for editing sensitive paths referenced in .claude/settings.json;
update the allowedTools string (the line containing allowedTools and the
Bash(...) tokens) to the tightened patterns and rerun the workflow to confirm no
needed functionality is broken.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fa2be79e-95af-4b3e-8682-f0dd76aec5a4

📥 Commits

Reviewing files that changed from the base of the PR and between 98d5e8a and a229317.

📒 Files selected for processing (1)

• .github/workflows/claude-code-review.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude-code-review.yml:
- Line 81: The allowedTools string currently includes overly broad entries
(notably "Bash(bash *)" and "Bash(python3 *)" and mutable git commands like
"Bash(git checkout *)" and "Bash(git pull *)") which allow arbitrary execution
and repo mutation; edit the allowedTools value to remove or narrowly scope these
entries: remove "Bash(bash *)" and "Bash(python3 *)", replace mutable git
commands ("Bash(git checkout *)", "Bash(git pull *)") with read-only
alternatives (e.g., "Bash(git show *)", "Bash(git diff *)", "Bash(git log *)",
"Bash(git rev-parse *)"), and ensure other Bash(...) entries use explicit,
minimal allowed arguments rather than wildcards in the string assigned to
allowedTools.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aead528a-0fd6-4866-b5ea-2dc2d13c11ed

📥 Commits

Reviewing files that changed from the base of the PR and between a229317 and f3bd9f3.

📒 Files selected for processing (1)

• .github/workflows/claude-code-review.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Tighten allowedTools; this currently collapses the sandbox.

Bash(bash *) and Bash(python3 *) effectively grant arbitrary command execution, and Bash(git checkout *) / Bash(git pull *) let the agent leave or mutate the PR revision it is supposed to review. On untrusted PR content, that defeats the allowlist and can produce comments against a modified tree.

🔒 Suggested narrowing

-            --allowedTools "mcp__*,Read,Write,Edit,Glob,Grep,Agent,Skill,Task,TaskCreate,TaskUpdate,TaskList,TaskGet,TaskOutput,SendMessage,Bash(gh pr *),Bash(gh api *),Bash(git diff *),Bash(git log *),Bash(git fetch *),Bash(git branch *),Bash(git rev-parse *),Bash(git show *),Bash(git pull *),Bash(git checkout *),Bash(cat *),Bash(python3 *),Bash(bash *),Bash(echo *),Bash(ls *),Bash(grep *),Bash(mkdir *),Bash(mktemp *),Bash(pwd *)"
+            --allowedTools "mcp__*,Read,Write,Edit,Glob,Grep,Agent,Skill,Task,TaskCreate,TaskUpdate,TaskList,TaskGet,TaskOutput,SendMessage,Bash(gh pr *),Bash(gh api *),Bash(git diff *),Bash(git log *),Bash(git fetch *),Bash(git branch *),Bash(git rev-parse *),Bash(git show *),Bash(cat *),Bash(echo *),Bash(ls *),Bash(grep *),Bash(mkdir *),Bash(mktemp *),Bash(pwd *)"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml at line 81, The allowedTools string
currently includes overly broad entries (notably "Bash(bash *)" and
"Bash(python3 *)" and mutable git commands like "Bash(git checkout *)" and
"Bash(git pull *)") which allow arbitrary execution and repo mutation; edit the
allowedTools value to remove or narrowly scope these entries: remove "Bash(bash
*)" and "Bash(python3 *)", replace mutable git commands ("Bash(git checkout *)",
"Bash(git pull *)") with read-only alternatives (e.g., "Bash(git show *)",
"Bash(git diff *)", "Bash(git log *)", "Bash(git rev-parse *)"), and ensure
other Bash(...) entries use explicit, minimal allowed arguments rather than
wildcards in the string assigned to allowedTools.