yetanotherco/actions

Reusable GitHub Actions

This repository contains reusable GitHub Actions workflows for AI-powered PR code reviews.

Available Workflows

| Workflow | AI Model | Description |
|---|---|---|
| pr_review_claude.yml | Claude (Anthropic) | Uses Claude Code Action with custom prompts |
| pr_code_review_claude.yml | Claude (Anthropic) | Uses /code-review plugin with 4 parallel agents |
| pr_review_codex.yml | Codex (OpenAI) | Uses OpenAI Codex Action |
| pr_review_kimi.yml | Kimi (Moonshot AI) | Uses Moonshot API directly |

Usage

Claude PR Review

name: Claude Code Review

on:
  pull_request:
    types: [opened, ready_for_review]
  issue_comment:
    types: [created]

jobs:
  claude-review:
    if: |
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       contains(github.event.comment.body, '/claude') &&
       contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association))
    uses: yetanotherco/actions/.github/workflows/pr_review_claude.yml@main
    with:
      custom_prompt: |
        1. **Security vulnerabilities** - Label by criticality (Critical/High/Medium/Low)
           - Solidity: e.g. reentrancy, access control, integer issues
           - Rust: e.g. unsafe blocks, error handling, panics
           - Web/API: e.g. SQL injection, auth bypass, input validation

        2. **Potential bugs** - Logic errors, edge cases, race conditions

        3. **Performance issues** - Only significant (O(n²), N+1 queries, etc.)

        4. **Simplicity** - Prefer simple, readable code

        Guidelines:
        - Be concise and actionable
        - Focus on real issues, not hypothetical improvements
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

Inputs:

| Input | Required | Default | Description |
|---|---|---|---|
| custom_prompt | Yes | - | Custom review instructions (what to focus on) |
| model | No | sonnet | Claude model to use |
| max_turns | No | 30 | Max turns for Claude |

Secrets:

| Secret | Required | Description |
|---|---|---|
| ANTHROPIC_API_KEY | Yes | Anthropic API key |

Claude Code Review (Plugin)

This workflow uses the /code-review plugin which launches 4 parallel agents for comprehensive review:

  • 2x CLAUDE.md compliance agents - Check adherence to repository guidelines
  • 1x Bug detector - Scans for obvious bugs in changes only
  • 1x History analyzer - Uses git blame for context-based issues

Issues are scored 0-100 for confidence, and only issues ≥80 are reported (reducing false positives).

name: Claude Code Review (Plugin)

on:
  pull_request:
    types: [opened, ready_for_review]
  issue_comment:
    types: [created]

jobs:
  code-review:
    if: |
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       contains(github.event.comment.body, '/code-review') &&
       contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association))
    uses: yetanotherco/actions/.github/workflows/pr_code_review_claude.yml@main
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

Inputs:

| Input | Required | Default | Description |
|---|---|---|---|
| model | No | sonnet | Claude model to use |
| max_turns | No | 30 | Max turns for Claude |

Secrets:

| Secret | Required | Description |
|---|---|---|
| ANTHROPIC_API_KEY | Yes | Anthropic API key |

Note: This workflow does not require a custom_prompt input. Instead, it reads CLAUDE.md files from your repository for review guidelines. Create a CLAUDE.md at the root of your repo (or in subdirectories) to define coding standards and review criteria.


Codex PR Review

name: Codex Code Review

on:
  pull_request:
    types: [opened, ready_for_review]
  issue_comment:
    types: [created]

jobs:
  codex-review:
    if: |
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       contains(github.event.comment.body, '/codex') &&
       contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association))
    uses: yetanotherco/actions/.github/workflows/pr_review_codex.yml@main
    with:
      custom_prompt: |
        1. **Security vulnerabilities** - Label by criticality (Critical/High/Medium/Low)

        2. **Potential bugs** - Logic errors, edge cases, race conditions

        3. **Performance issues** - Only significant issues

        4. **Simplicity** - Prefer simple, readable code

        Guidelines:
        - Be concise and actionable
        - Focus on real issues, not hypothetical improvements
    secrets:
      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

Inputs:

| Input | Required | Default | Description |
|---|---|---|---|
| custom_prompt | Yes | - | Custom review instructions (what to focus on) |

Secrets:

| Secret | Required | Description |
|---|---|---|
| OPENAI_API_KEY | Yes | OpenAI API key |

Kimi PR Review

name: Kimi Code Review

on:
  pull_request:
    types: [opened, ready_for_review]
  issue_comment:
    types: [created]

jobs:
  kimi-review:
    if: |
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       contains(github.event.comment.body, '/kimi') &&
       contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association))
    uses: yetanotherco/actions/.github/workflows/pr_review_kimi.yml@main
    with:
      custom_prompt: |
        1. **Security vulnerabilities** - Label by criticality (Critical/High/Medium/Low)

        2. **Potential bugs** - Logic errors, edge cases, race conditions

        3. **Performance issues** - Only significant issues

        4. **Simplicity** - Prefer simple, readable code

        Guidelines:
        - Be concise and actionable
        - Focus on real issues, not hypothetical improvements
    secrets:
      KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}

Inputs:

| Input | Required | Default | Description |
|---|---|---|---|
| custom_prompt | Yes | - | Custom review instructions (what to focus on) |
| max_lines | No | 10000 | Max lines of diff to review (truncates if larger) |

Secrets:

| Secret | Required | Description |
|---|---|---|
| KIMI_API_KEY | Yes | Moonshot AI API key |

Setup

  1. Add the required API key as a secret in your repository settings
  2. Create a workflow file in .github/workflows/ using one of the examples above
  3. Customize the custom_prompt to match your project's review criteria

Triggering Reviews

All workflows support two trigger methods:

  1. Automatic on PR - Runs when a PR is opened or marked ready for review
  2. Manual via comment - Comment on a PR to trigger a review:
    • /claude - Claude PR Review (custom prompt)
    • /code-review - Claude Code Review Plugin (4 parallel agents)
    • /codex - Codex PR Review
    • /kimi - Kimi PR Review

Only repository owners, members, and collaborators can trigger reviews via comments.

Security

Fork PR Protection

All workflows include built-in protection against fork PR secret exposure. When triggered via issue_comment on a fork PR, the workflow will block execution with an error to prevent secrets from being exposed to untrusted code.

Recommended: Add fork protection in your consumer workflow's if condition for pull_request events:

if: |
  (github.event_name == 'pull_request' &&
   github.event.pull_request.head.repo.full_name == github.repository) ||
  ...

This provides defense-in-depth: consumer repos explicitly skip fork PRs, and the shared workflow enforces it as a fail-safe.
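
The trigger rules and fork check described above, modelled as an added JavaScript example (not code from this repository): `gate` mirrors the consumer `if:` expression so the decision can be checked against sample events. The repository name and the event payloads are constructed, and the payloads carry only the fields the expression reads.

```javascript
// Added example: models the consumer `if:` gate; payloads are constructed samples.
const TRUSTED = ["OWNER", "MEMBER", "COLLABORATOR"];
const lower = (v) => String(v ?? "").toLowerCase();
// Returns { run, reason } for one event, mirroring the README expression.
function gate(eventName, event, repository, command) {
  if (eventName === "pull_request") {
    // head.repo is null once a fork is deleted; an empty name never matches.
    const head = event.pull_request?.head?.repo?.full_name;
    // Expression `==` on strings ignores case.
    return lower(head) === lower(repository)
      ? { run: true, reason: "same-repo pull request" }
      : { run: false, reason: "fork pull request skipped" };
  }
  if (eventName === "issue_comment") {
    if (!event.issue?.pull_request)
      return { run: false, reason: "comment is on an issue, not a PR" };
    // contains() on a string is a case-insensitive substring match.
    if (!lower(event.comment?.body).includes(lower(command)))
      return { run: false, reason: "command not present" };
    if (!TRUSTED.includes(event.comment?.author_association))
      return { run: false, reason: "commenter is not owner/member/collaborator" };
    // The comment payload has no head repo, so forks are invisible here;
    // the shared workflow's own fork check has to cover this path.
    return { run: true, reason: "trusted comment, fork check deferred" };
  }
  return { run: false, reason: "event not handled" };
}

const REPO = "example-org/example-repo"; // hypothetical consumer repository
const pr = (fullName) => ({
  pull_request: { head: { repo: fullName ? { full_name: fullName } : null } },
});
const comment = (body, assoc, onPr = true) => ({
  issue: onPr ? { pull_request: { url: "constructed-sample" } } : {},
  comment: { body, author_association: assoc },
});

function demo() {
  return {
    sameRepo: gate("pull_request", pr(REPO), REPO, "/claude"),
    fork: gate("pull_request", pr("outsider/example-repo"), REPO, "/claude"),
    deletedFork: gate("pull_request", pr(null), REPO, "/claude"),
    outsider: gate("issue_comment", comment("/claude", "CONTRIBUTOR"), REPO, "/claude"),
    plainIssue: gate("issue_comment", comment("/claude", "OWNER", false), REPO, "/claude"),
    substring: gate("issue_comment", comment("see docs/claude/setup.md", "MEMBER"), REPO, "/claude"),
  };
}

console.log(demo());
```

The last case runs because `contains()` matches `/claude` anywhere in the comment body. On the comment path the expression has no head repository to compare, which is why the shared workflow's own fork check matters.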
