@Alexey-Pavlov
Contributor

No description provided.

Contributor

Copilot AI left a comment

Pull request overview

This PR adds Claude Code workflow integration to enable automated PR reviews. It introduces a GitHub Actions workflow that triggers on pull request events and includes comprehensive review guidelines documentation.

  • Adds automated Claude PR review workflow using Constructor.io's shared workflow resources
  • Includes detailed review command documentation with coding standards, security guidelines, and output formatting
  • Configures workflow to trigger on PR open, ready_for_review, and synchronize events

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/claude-review.yml | Adds GitHub Actions workflow configuration for automated Claude-powered PR reviews |
| .claude/commands/review.md | Adds comprehensive review command documentation including process guidelines, coding standards, security audit criteria, and output formatting requirements |

jobs:
review:
uses: Constructor-io/shared-claude-code-resources-public/.github/workflows/claude-code-review.yml@main
secrets: inherit
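
Review bot: The `uses:` line references the reusable workflow at `@main`, a branch that can move, and the `secrets: inherit` line below it passes that workflow all of the caller's secrets, so any commit pushed to that branch of the shared repository runs with them. Reference the workflow by a full commit SHA and replace `secrets: inherit` with a `secrets:` map that names only what the review job needs.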
Copilot AI Dec 4, 2025

Using secrets: inherit passes all repository secrets to the reusable workflow. Ensure that the shared workflow at Constructor-io/shared-claude-code-resources-public is trusted and that no sensitive secrets should be restricted from this workflow. Consider explicitly passing only required secrets if possible for better security control.

Suggested change
secrets: inherit
secrets:
CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}

1. **Branch Diff Analysis**

- Determine the name of the current branch to review
- Run `git merge-base origin/master [branch]` to find the common ancestor commit
Copilot AI Dec 4, 2025

[nitpick] The instruction references origin/master but line 7 mentions "against master (or main)". For consistency and to handle repositories using main as the default branch, consider using origin/main or adding a note about checking which default branch is used.

Suggested change
- Run `git merge-base origin/master [branch]` to find the common ancestor commit
- Run `git merge-base origin/[default branch] [branch]` to find the common ancestor commit
- Replace `[default branch]` with your repository's default branch name (usually `master` or `main`)

Deliver structured feedback using this format:

```
## Code Review Results
Copilot AI Dec 4, 2025

[nitpick] The output format template shows "## Code Review Results" as a heading followed immediately by another "## ✅ Strengths" heading at the same level. Consider either making "Code Review Results" a higher-level heading (single #) or removing it to avoid having two consecutive same-level headings.

Suggested change
## Code Review Results
# Code Review Results

@constructor-claude-bedrock
Code Review Summary

This PR adds a GitHub Actions workflow to enable automated Claude Code reviews on pull requests. The workflow is simple and well-structured, using a reusable workflow from the shared Constructor.io resources repository.

Detailed Feedback

[File: .github/workflows/claude-review.yml]

Positives:

  • ✅ Clean and minimal workflow configuration
  • ✅ Appropriate trigger events: opened, ready_for_review, and synchronize cover the main PR lifecycle
  • ✅ Uses a reusable workflow from a centralized location, promoting maintainability
  • secrets: inherit correctly passes repository secrets to the reusable workflow
  • ✅ Workflow name is descriptive and follows naming conventions

Observations:

  1. Consistency with existing workflows: Other workflows in this repository (e.g., run-tests.yml, linter.yml) specify branches explicitly:

    on:
      pull_request:
        branches:
          - "**"

    While the current configuration (without branch specification) will trigger on all branches by default, adding explicit branch configuration would make it consistent with other workflows and more explicit about intent.

  2. Draft PRs: The workflow triggers on ready_for_review but not on draft PRs initially, which is good practice as it avoids running reviews on incomplete work. However, it's worth noting that the absence of a draft trigger is intentional behavior.

  3. Permissions: The workflow doesn't specify any permissions block. While secrets: inherit passes secrets, the reusable workflow should handle permissions appropriately. This is fine, but if the reusable workflow needs specific permissions (like pull-requests: write), you may want to verify those are available.

Security Considerations

  • ✅ Uses a pinned reference (@main) to the reusable workflow from a trusted Constructor.io repository
  • ✅ No inline scripts or third-party actions that could introduce security risks
  • ⚠️ Minor suggestion: Consider pinning to a specific commit SHA or version tag instead of @main for better reproducibility and security. This prevents unexpected changes if the reusable workflow is updated.

Recommendations (Optional Improvements)

  1. Add branch specification for consistency (optional):

    on:
      pull_request:
        branches:
          - "**"
        types: [opened, ready_for_review, synchronize]

  2. Consider version pinning (optional but recommended):

    uses: Constructor-io/shared-claude-code-resources-public/.github/workflows/claude-code-review.yml@v1.0.0

    Or use a commit SHA for stronger guarantees.

  3. Add a comment in the workflow file explaining what the reusable workflow does, especially if team members are unfamiliar with it.

Conclusion

This is a solid addition to the repository's CI/CD pipeline. The workflow is correctly configured and follows GitHub Actions best practices. The code is ready to merge as-is, though the optional improvements above could enhance consistency and security if desired.

Status: ✅ Approved - No blocking issues found.

Great work on keeping the workflow simple and maintainable!
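
A check for the combination both reviews in this thread discuss, as an added example that is not part of the PR or of either reviewer's comment: it scans workflow text for jobs that call a cross-repository reusable workflow and reports those that pair a mutable ref with `secrets: inherit`. The sample workflow, the placeholder SHA and the two-space job indentation are assumptions; the secret name is the one from the suggestion earlier in the thread.

```python
import re

# Job-level call to a reusable workflow in another repo: owner/repo/path.yml@ref
USES_RE = re.compile(r"^\s+uses:\s*(?P<target>[\w.-]+/[\w.-]+/\S+?\.ya?ml)@(?P<ref>[^\s#]+)")
INHERIT_RE = re.compile(r"^\s+secrets:\s*inherit\b")
JOB_RE = re.compile(r"^  (?P<job>[\w-]+):\s*$")   # assumes two-space indentation
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # only a full commit SHA is immutable

def audit_workflow(text):
    """Return one record per job that calls a reusable workflow."""
    jobs, current, in_jobs = [], None, False
    for line in text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif not in_jobs:
            continue  # ignore keys under `on:` and other top-level sections
        elif (m := JOB_RE.match(line)):
            current = {"job": m["job"], "target": None, "ref": None,
                       "pinned": False, "inherits_secrets": False}
            jobs.append(current)
        elif current and (m := USES_RE.match(line)):
            current.update(target=m["target"], ref=m["ref"], pinned=bool(FULL_SHA_RE.match(m["ref"])))
        elif current and INHERIT_RE.match(line):
            current["inherits_secrets"] = True
    return [j for j in jobs if j["target"]]


def risky(record):
    """Mutable ref plus inherited secrets: upstream pushes run with every caller secret."""
    return not record["pinned"] and record["inherits_secrets"]


# Constructed sample: first job mirrors the PR, second is a hardened variant (placeholder SHA).
SAMPLE = """\
on:
  pull_request:
jobs:
  review:
    uses: Constructor-io/shared-claude-code-resources-public/.github/workflows/claude-code-review.yml@main
    secrets: inherit
  review-pinned:
    uses: Constructor-io/shared-claude-code-resources-public/.github/workflows/claude-code-review.yml@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
    secrets:
      CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}
"""

if __name__ == "__main__":
    for rec in audit_workflow(SAMPLE):
        print(rec["job"], rec["ref"], "RISKY" if risky(rec) else "ok")
```

The scanner is line-based, so it tolerates `secrets:` appearing before `uses:` within a job but does not handle workflows indented with something other than two spaces.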

@esezen esezen merged commit fe221c5 into master Dec 4, 2025
5 of 6 checks passed
@esezen esezen deleted the cdx-265-set-up-claude-code-for-all-ui-libraries branch December 4, 2025 15:28