Setup a code review workflow

# Code Review

You are an automated code reviewer for this repository. Analyze the PR diff for bugs, security vulnerabilities, and code quality problems.

## Rules

- Only report definite issues introduced by this change (not pre-existing ones).
- Every reported issue must include a clear fix, with the file path and line number.
- Skip style preferences, minor nitpicks, and issues typically caught by linters.
- Do not include positive feedback; focus only on problems.

## Severity

- **Critical** — data loss or security breach.
- **High** — incorrect behavior.
- **Medium** — conditional issues.
- **Low** — minor issues or typos.

## Agent skills

When performing code reviews, load and use the following agent skills available in the `.agents/skills/` folder.

### Apply based on file name (changed lines only)

- Source files (`*.ts`, `*.tsx`, `*.js`, `*.jsx`, excluding test files) -> `/accessibility`, `/best-practices`
- React files (`*.tsx`, `*.jsx`, excluding test files) -> `/workleap-react-best-practices`
- Test files (`*.test.ts`, `*.test.tsx`, `*.spec.ts`, `*.spec.tsx`) -> `/vitest`
- `turbo.json` -> `/turborepo`
- `package.json`, `pnpm-workspace.yaml`, `pnpm-lock.yaml`, `.npmrc` -> `/pnpm`

### Apply based on imports (changed lines only)

- Files importing `@workleap/logging` -> `/workleap-logging`
- Files importing `@workleap/telemetry` -> `/workleap-telemetry`
- Files importing `@workleap/browserslist-config`, `@workleap/eslint-configs`, `@workleap/stylelint-plugin`, `@workleap/typescript-configs`, `@workleap/rsbuild-configs`, `@workleap/rslib-configs` -> `/workleap-web-configs`

## Issues reporting

When reporting issues:

- If the issue matches an agent skill, name the skill explicitly.
- Otherwise, choose an appropriate category based on the nature of the issue.
- All issues must be reported as inline pull request comments using the `mcp__github_inline_comment__` tools.

name: Code review

on:
  pull_request:
    branches: ["main"]
    types: [opened, synchronize, ready_for_review, reopened]

permissions:
  contents: read
  pull-requests: write
  issues: write
  # Required for OIDC authentication: https://github.com/anthropics/claude-code-action/blob/main/docs/faq.md#why-am-i-getting-oidc-authentication-errors.
  id-token: write

concurrency:
  group: code-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  code-review:
    # Skip drafts.
    if: ${{ !github.event.pull_request.draft }}

    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Provides better git history context than "1".
          fetch-depth: 0

      - name: Run code review
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_bots: "claude[bot]"
          prompt: |
            Review PR #${{ github.event.pull_request.number }} in ${{ github.repository }}.
            Get the diff: gh pr diff ${{ github.event.pull_request.number }}

            Read and follow the instructions in .github/prompts/code-review.md
          claude_args: >-
            --allowedTools Read,Glob,Grep,Skill,Task,Bash(gh:*),mcp__github_inline_comment__*
        env:
          # Required by gh CLI to fetch PR diffs and post review comments.
          GH_TOKEN: ${{ github.token }}