ci(github-actions): @claude Notion MCP 연동 + 코드리뷰 인라인 코멘트 게시#713
Merged
Conversation
… + 코드리뷰 --comment 게시 활성화 - claude.yml: 런타임 .mcp.json 생성 step + NOTION_TOKEN/OPENAPI_MCP_HEADERS env + allowedTools에 mcp__notion__* 추가 (backend 검증 설정 미러링, 프론트 패키지매니저 권한 보존) - claude-code-review.yml: /code-review prompt에 --comment 추가 (automation 모드에서 결과가 PR에 안 올라오던 문제 수정) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
📝 WalkthroughWalkthrough두 GitHub Actions 워크플로우가 Claude 도구 통합을 확장합니다. Code Review 워크플로우는 인라인 PR 코멘트 기능을 추가하고, Claude 워크플로우는 Notion MCP 서버 통합(설정 생성, 인증, 도구 권한)을 추가합니다. ChangesClaude GitHub Actions 워크플로우 향상
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/claude.yml:
- Around line 51-58: Replace movable tags for third-party GitHub Actions with
commit SHAs: update the anthropics/claude-code-action@v1 reference to its
specific commit SHA and do the same for slackapi/slack-github-action@v2.1.0;
keep the same env variables (OPENAPI_MCP_HEADERS and NOTION_TOKEN) and any
claude_args settings but point the actions to immutable SHAs to prevent tag
movement or takeover.
- Around line 42-43: Pin the external MCP invocation and action to immutable
versions and add a trust gate: replace the open npx call "npx -y
`@notionhq/notion-mcp-server`" with an exact pin (e.g., use
"`@notionhq/notion-mcp-server`@vX.Y.Z" or a specific commit SHA) and pin
"anthropics/claude-code-action@v1" to its commit SHA instead of the tag;
restrict secrets/permission exposure by gating use of NOTION_TOKEN and write
permissions (mcp__notion__*, contents/pull-requests/issues: write) behind an
approval/allowlist check (use github.actor allowlist, required
reviewers/approval, branch/PR state or a conditional that only runs the MCP step
for trusted actors/branches) so those steps never run on untrusted triggers.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 4dd3578b-2318-4433-8096-675cb485ec0f
📒 Files selected for processing (2)
.github/workflows/claude-code-review.yml.github/workflows/claude.yml
Comment on lines
+42
to
+43
| "command": "npx", | ||
| "args": ["-y", "@notionhq/notion-mcp-server"] |
There was a problem hiding this comment.
MCP 서버/외부 액션은 exact pin(버전·커밋)하고, 비신뢰 트리거에 대한 시크릿/쓰기 도구 노출을 차단하세요.
.github/workflows/claude.yml의npx -y@notionhq/notion-mcp-server``는 버전이 고정되어 있지 않아 업스트림 변경 시 워크플로우 재현성과 공급망 안전성이 떨어집니다. exact 버전으로 pin 하세요.anthropics/claude-code-action@v1는 태그로만 고정되어 있고, 해당 실행 경로는 secrets 및contents/pull-requests/issues: write권한을 사용합니다. commit SHA로 pin 하세요.- 트리거가
@claude문자열 포함 여부에만 의존해NOTION_TOKEN같은 시크릿과mcp__notion__*,Bash(npx *)등 강력 툴이 노출됩니다.github.actor/승인자/브랜치/PR 상태 등으로 신뢰 게이트를 추가하세요.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 42 - 43, Pin the external MCP
invocation and action to immutable versions and add a trust gate: replace the
open npx call "npx -y `@notionhq/notion-mcp-server`" with an exact pin (e.g., use
"`@notionhq/notion-mcp-server`@vX.Y.Z" or a specific commit SHA) and pin
"anthropics/claude-code-action@v1" to its commit SHA instead of the tag;
restrict secrets/permission exposure by gating use of NOTION_TOKEN and write
permissions (mcp__notion__*, contents/pull-requests/issues: write) behind an
approval/allowlist check (use github.actor allowlist, required
reviewers/approval, branch/PR state or a conditional that only runs the MCP step
for trusted actors/branches) so those steps never run on untrusted triggers.
Comment on lines
51
to
+58
| uses: anthropics/claude-code-action@v1 | ||
| env: | ||
| # Notion MCP 서버(@notionhq/notion-mcp-server)가 OpenAPI 호출 시 사용할 인증 헤더. | ||
| # npx 자식 프로세스가 step env를 자동 상속하므로 MCP config 파일에는 별도로 명시하지 않음. | ||
| # 토큰은 "스터디 플랫폼 : 코드 제로투원" 페이지에 connection된 integration의 권한 범위 내에서만 동작. | ||
| OPENAPI_MCP_HEADERS: '{"Authorization":"Bearer ${{ secrets.NOTION_TOKEN }}","Notion-Version":"2022-06-28"}' | ||
| # @notionhq/notion-mcp-server가 NOTION_TOKEN을 직접 읽는 케이스 fallback. | ||
| NOTION_TOKEN: ${{ secrets.NOTION_TOKEN }} |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the referenced workflow and the area around the reported lines
echo "=== .github/workflows/claude.yml (around lines 40-80) ==="
nl -ba .github/workflows/claude.yml | sed -n '40,90p'
# Check for any other third-party action refs in the workflow
echo
echo "=== action@ refs in .github/workflows/claude.yml ==="
rg -n "uses:\s*[^/\s]+/[^@\s]+@([^\s]+)" .github/workflows/claude.yml || true
# Check whether anthropics/claude-code-action is pinned elsewhere in the repo
echo
echo "=== anthropics/claude-code-action@ occurrences (repo-wide) ==="
rg -n "anthropics/claude-code-action@" . || trueRepository: code-zero-to-one/study-platform-client
Length of output: 201
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# 1) Print the reported region with line numbers (using cat -n)
echo "=== .github/workflows/claude.yml (around lines 40-80) ==="
cat -n .github/workflows/claude.yml | sed -n '40,90p'
# 2) Find any action refs of the form owner/name@ref in this workflow
echo
echo "=== action@ refs in .github/workflows/claude.yml ==="
rg -n "uses:\s*[^/\s]+/[^@\s]+@([^\s]+)" .github/workflows/claude.yml || true
# 3) Check if anthropics/claude-code-action is referenced elsewhere
echo
echo "=== anthropics/claude-code-action@ occurrences (repo-wide) ==="
rg -n "anthropics/claude-code-action@" . || trueRepository: code-zero-to-one/study-platform-client
Length of output: 2676
써드파티 GitHub Actions는 커밋 SHA로 pin 하세요 (moving tag 금지)
.github/workflows/claude.yml에서anthropics/claude-code-action@v1를 사용 중이며, 해당 step이NOTION_TOKEN을 받고(env)claude_args에Write도구 허용이 포함되어 있어(--allowedTools ...Write...) tag 이동/탈취 시 즉시 영향이 큽니다.- 같은 이유로
slackapi/slack-github-action@v2.1.0도 SHA로 고정하는 것을 권장합니다(SLACK_BOT_TOKEN사용).
🧰 Tools
🪛 zizmor (1.25.2)
[error] 51-51: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude.yml around lines 51 - 58, Replace movable tags for
third-party GitHub Actions with commit SHAs: update the
anthropics/claude-code-action@v1 reference to its specific commit SHA and do the
same for slackapi/slack-github-action@v2.1.0; keep the same env variables
(OPENAPI_MCP_HEADERS and NOTION_TOKEN) and any claude_args settings but point
the actions to immutable SHAs to prevent tag movement or takeover.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
배경
@claude멘션 시 client 레포에서만 Notion MCP 조회가 안 됨 → 원인: clientclaude.yml이 애초에 MCP 미설정 (backend에만 설정돼 있었음)./code-review가--comment없이 실행돼 결과가 모델 출력에만 남고 PR엔 게시 안 됨.변경
.mcp.json생성 step 추가 (Notion MCP 서버 자동 로드)Run Claude Codestep에OPENAPI_MCP_HEADERS/NOTION_TOKENenv 추가claude_argsallowedTools에mcp__notion__*추가 (프론트 패키지매니저 권한은 보존)/code-reviewprompt에--comment추가 → findings가 PR 인라인 코멘트로 게시됨사전 조건
NOTION_TOKEN시크릿 client 레포에 등록 완료적용 시점
@claude멘션(issue_comment 트리거)은 기본 브랜치(develop) 머지 후 동작.관련: 백엔드(mvp) PR #1133 (코드리뷰 --comment 동일 수정)
🤖 Generated with Claude Code
Summary by CodeRabbit
릴리스 노트
새 기능
개선사항