Org-wide GitHub defaults and shared reusable workflows.
.github/workflows/biggiepockets-review.yml is a reusable workflow that runs a
two-stage AI code review on a pull request:
- Codex first pass — reviews the diff against the PR's JIRA ticket and writes findings.
- Claude verify & synthesize — validates Codex's findings, reviews the diff independently (grepping for callers/tests, factoring in the existing PR discussion), checks the change against the ticket's acceptance criteria, and decides a single verdict.
The BiggiePockets service account then submits the resulting approve /
request_changes review on the PR. If the PR has no BIG-XXXXX key in its title (or the
ticket can't be fetched), the review degrades gracefully to a diff-based review instead of
failing.
The review logic lives centrally in this repo. Each consuming repo only adds a thin caller workflow that owns the triggers and gating and delegates to this one.
Do this once per repo you want BiggiePockets to review.
The Claude verification stage uses anthropics/claude-code-action,
which needs two things: the official Claude GitHub app
installed, and a CLAUDE_CODE_OAUTH_TOKEN secret it can authenticate with. From a clone of
the target repo, run the slash command in Claude Code:
/install-github-app
It walks you through both — but the two halves have very different scopes:
- App install — once for the whole org. If the Claude app is already installed org-wide, skip the app-installation step; you do not need to reinstall it per repo.
- Auth token — per repo. /install-github-app writes CLAUDE_CODE_OAUTH_TOKEN as a repo secret, not an org secret, so this is the part you actually need on each new repo. If you'd rather set it once, add CLAUDE_CODE_OAUTH_TOKEN as an organization secret by hand and skip this command entirely.
You need admin access on the repo and an authenticated gh CLI. (If the command fails,
install the app manually from https://github.com/apps/claude and add the token by hand.)
Create .github/workflows/biggiepockets-review.yml in the target repo:
```yaml
name: BiggiePockets Code Review
# Thin caller for the org-wide reusable review workflow in BiggerPockets/.github.
# This file owns the triggers and gating; the review logic lives centrally.
on:
  pull_request:
    types: [review_requested]
  workflow_dispatch:
    inputs:
      pr:
        description: 'PR number to review'
        required: true
        type: string
jobs:
  review:
    # React to a manual dispatch, or to BiggiePockets specifically being requested.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.requested_reviewer.login == 'BiggiePockets'
    uses: BiggerPockets/.github/.github/workflows/biggiepockets-review.yml@main
    with:
      pr: ${{ github.event.pull_request.number || inputs.pr }}
    secrets: inherit
```
The reusable workflow consumes several secrets via secrets: inherit: credentials for the
two AI review providers, an Atlassian email + API token to fetch the PR's JIRA ticket for
intent, and a personal access token for the BiggiePockets service account that submits the
review. (The Claude auth secret is set by /install-github-app in step 1; the rest you add
yourself.) Configure them as organization secrets (recommended — set once, available to
every repo) or as per-repo secrets if you prefer to scope them.
The exact secret names each step expects are visible in the env: and with: blocks of
.github/workflows/biggiepockets-review.yml.
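An added example, not part of this repo's own tooling: a stdlib-only Python check a reviewer could run on a caller workflow before merging it. Because secrets: inherit passes every secret the caller can see to the reusable workflow, it verifies the trigger, the uses: target and the reviewer gate. The audit_caller helper and the embedded sample are constructed for illustration.

```python
import re

EXPECTED = "BiggerPockets/.github/.github/workflows/biggiepockets-review.yml"
GATE = "github.event.requested_reviewer.login == 'BiggiePockets'"

# Constructed sample: the caller workflow from this README.
CALLER = """\
name: BiggiePockets Code Review
on:
  pull_request:
    types: [review_requested]
  workflow_dispatch:
    inputs:
      pr:
        description: 'PR number to review'
        required: true
        type: string
jobs:
  review:
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.requested_reviewer.login == 'BiggiePockets'
    uses: BiggerPockets/.github/.github/workflows/biggiepockets-review.yml@main
    with:
      pr: ${{ github.event.pull_request.number || inputs.pr }}
    secrets: inherit
"""

def audit_caller(text):
    """Line-based audit of a caller workflow (hypothetical helper, no YAML parser)."""
    # Ignore full-line comments so commented-out keys never satisfy a check.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    if re.search(r"^\s*pull_request_target\s*:", body, re.M):
        findings.append("fail: pull_request_target exposes secrets to fork PRs")
    m = re.search(r"^\s*uses:\s*(\S+)@(\S+)\s*$", body, re.M)
    if not m or m.group(1) != EXPECTED:
        findings.append("fail: job does not call the central reusable workflow")
    elif not re.fullmatch(r"[0-9a-f]{40}", m.group(2)):
        findings.append(f"note: ref '{m.group(2)}' is a branch or tag, not a pinned commit SHA")
    if re.search(r"^\s*secrets:\s*inherit\s*$", body, re.M) and GATE not in body:
        findings.append("fail: secrets are inherited but the reviewer gate is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_caller(CALLER):
        print(finding)
```

The only finding on the caller as written is the note about @main. A "fail" line means the file has drifted from the gating this README describes.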
The BiggiePockets service account must have access to the repo so it can be requested as a reviewer and post the review. Add it as a collaborator (or via a team) with at least write access.
Once installed, trigger a review either way:
- Request a review — add BiggiePockets as a reviewer on the PR. The workflow fires on review_requested and only runs when BiggiePockets specifically is the requested reviewer.
- On demand — run the BiggiePockets Code Review workflow via Actions → workflow_dispatch and pass the PR number. (Available once the caller file is on the repo's default branch.)