
feat: add automated Renovate PR review workflow #2172


Merged
merged 2 commits into from
Jun 26, 2025

Conversation

MH4GF
Member

@MH4GF MH4GF commented Jun 24, 2025

Summary

  • Added GitHub Actions workflow to automatically review Renovate PRs using Claude AI
  • Workflow triggers on PR creation/update and posts AI-generated code reviews
  • Helps streamline the review process for dependency updates

Test plan

  • Workflow will be tested when Renovate creates PRs for dependency updates
  • Can be manually tested by triggering the workflow on a test PR

🤖 Generated with Claude Code

Added a GitHub Actions workflow that automatically reviews Renovate PRs using Claude API. The workflow triggers on PR creation/update and comments with AI-generated code reviews to streamline dependency update reviews.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

changeset-bot bot commented Jun 24, 2025

⚠️ No Changeset found

Latest commit: 2a77c92

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


vercel bot commented Jun 24, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
liam-app ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 25, 2025 6:13am
liam-erd-sample ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 25, 2025 6:13am
liam-storybook ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 25, 2025 6:13am
1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
liam-docs ⬜️ Ignored (Inspect) Visit Preview Jun 25, 2025 6:13am


supabase bot commented Jun 24, 2025

Updates to Preview Branch (claude-renovate-review) ↗︎

Deployments Status Updated
Database Wed, 25 Jun 2025 06:08:16 UTC
Services Wed, 25 Jun 2025 06:08:16 UTC
APIs Wed, 25 Jun 2025 06:08:16 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks Status Updated
Configurations Wed, 25 Jun 2025 06:08:22 UTC
Migrations Wed, 25 Jun 2025 06:08:22 UTC
Seeding Wed, 25 Jun 2025 06:08:22 UTC
Edge Functions Wed, 25 Jun 2025 06:08:22 UTC

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The workflow uses ANTHROPIC_API_KEY secret which could be exposed in logs if the action fails. Additionally, using @main for the third-party action instead of a pinned version creates supply chain security risks. The broad permissions (pull-requests: write, id-token: write) combined with external action usage could potentially be exploited if the action is compromised.

⚡ Recommended focus areas for review

Security Risk

The workflow uses a third-party action anthropics/claude-code-action@main which could pose security risks. Using @main instead of a pinned version means the action could change unexpectedly. The action also has broad permissions including pull-requests: write and id-token: write.

uses: anthropics/claude-code-action@main
with:
Missing Validation

The workflow condition only checks for specific bot usernames but doesn't validate that the PR is actually from Renovate or contains dependency updates. A malicious actor could potentially trigger this workflow by creating a PR with a similar username.

if: github.actor == 'renovate[bot]' || github.actor == 'renovate-bot'
permissions:
API Key Exposure

The workflow references ANTHROPIC_API_KEY secret but there's no validation that this secret exists or is properly configured. If the secret is missing, the workflow may fail or expose error messages containing sensitive information.

anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
allowed_tools: "mcp__github__create_pending_pull_request_review,mcp__github__add_pull_request_review_comment_to_pending_review,mcp__github__submit_pending_pull_request_review,mcp__github__get_pull_request_diff,mcp__github__get_pull_request"

Contributor

qodo-merge-for-open-source bot commented Jun 25, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Security
Pin action to specific version
Suggestion Impact: The suggestion influenced the commit to change from @main to a pinned version, though @beta was used instead of the suggested @v1.0.0

code diff:

-        uses: anthropics/claude-code-action@main
+        uses: anthropics/claude-code-action@beta
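Review bot: @beta is a mutable tag just like @main, so this change narrows the window but does not remove the supply-chain risk the review flagged; the upstream repo can re-point or delete the tag at any time. Pin to the full 40-character commit SHA and keep the tag as a trailing comment (`uses: anthropics/claude-code-action@<sha> # beta`) so Renovate can still track updates to the action.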

Using @main for the action version creates instability and security risks as it
points to the latest commit. Pin to a specific version or tag to ensure
reproducible builds and prevent potential breaking changes or malicious code
injection.

.github/workflows/renovate-review.yml [23-24]

 - name: Auto review Renovate PR
-  uses: anthropics/claude-code-action@main
+  uses: anthropics/[email protected]

[Suggestion processed]

Suggestion importance[1-10]: 9


Why: The suggestion correctly points out a security and stability risk. Using @main for a GitHub Action can introduce breaking changes or malicious code unexpectedly. Pinning to a specific, trusted version tag (e.g., @v1.0.0) is a critical best practice for creating reproducible and secure CI/CD workflows.

High
General
Add error handling and timeout

The workflow lacks error handling and timeout configuration for the AI review
step. Add timeout and continue-on-error settings to prevent workflow failures
from blocking Renovate PRs indefinitely.

.github/workflows/renovate-review.yml [66-67]

 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 allowed_tools: "mcp__github__create_pending_pull_request_review,mcp__github__add_pull_request_review_comment_to_pending_review,mcp__github__submit_pending_pull_request_review,mcp__github__get_pull_request_diff,mcp__github__get_pull_request"
+timeout-minutes: 10
+continue-on-error: true
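Review bot: `continue-on-error: true` turns a failed review step (for example the missing ANTHROPIC_API_KEY case the reviewer guide raises) into a green check, which hides exactly the failures a maintainer needs to see; keep `timeout-minutes: 10`, drop `continue-on-error`, and if the job must never hold up merges, leave it out of the required checks instead. Also confirm both keys land as step-level keys beside `uses:` and `with:`, not as entries under `with:`, where they would be passed to the action as inputs rather than read by the runner.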
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies a potential issue where the AI review step could hang or fail, blocking the workflow. Adding timeout-minutes and continue-on-error to the step is a good practice for improving the workflow's resilience and preventing it from becoming a bottleneck.

Medium
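As an added example serving both the reviewer guide above (mutable @main ref, id-token: write, actor-only gate) and the pin-to-a-version suggestion in this comment: a small Python linter, not part of this PR or the repository, that flags those patterns in workflow text. The two workflow excerpts are constructed for the example and only echo the lines quoted in the review; the SHAs in the hardened variant are placeholders, not real commits, and the set of write scopes treated as legitimate (`pull-requests` only) is an assumption.

```python
"""Lint GitHub Actions workflow text for mutable action refs, broad write
permissions and actor-only gating. Added example, not the project's code;
plain regexes are used so it runs with no third-party packages."""
import re
from typing import FrozenSet, List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, message)

# Assumption: posting a review only needs pull-requests: write.
ALLOWED_WRITE: FrozenSet[str] = frozenset({"pull-requests"})

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERM_ENTRY_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")
IF_RE = re.compile(r"^\s*if:\s*(.+)$")


def lint_workflow(text: str, allowed_write: FrozenSet[str] = ALLOWED_WRITE) -> List[Finding]:
    """Return findings in line order for one workflow file's text."""
    findings: List[Finding] = []
    in_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()

        # `permissions:` either opens a block or carries a shorthand value.
        if stripped.startswith("permissions:"):
            value = stripped[len("permissions:"):].strip()
            if value == "write-all":
                findings.append((lineno, "broad-permission", "permissions: write-all grants every scope"))
            in_permissions = value == ""
            continue
        if in_permissions:
            m = PERM_ENTRY_RE.match(line)
            if m:
                scope, level = m.groups()
                if level == "write" and scope not in allowed_write:
                    findings.append((lineno, "broad-permission", f"{scope}: write is not needed to post a review"))
                continue
            in_permissions = False  # first non-entry line closes the block

        # Remote actions must be pinned to a full commit SHA; branches and
        # tags (main, beta, v4) can be moved or deleted upstream.
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).partition("@")
            if not FULL_SHA_RE.match(ref):
                findings.append((lineno, "unpinned-action", f"{action} uses mutable ref '{ref or '<none>'}'; pin a 40-char SHA"))

        # github.actor is whoever triggered the run; the PR author field is
        # what "is this a Renovate PR" should be decided on.
        m = IF_RE.match(line)
        if m and "github.actor" in m.group(1) and "pull_request.user.login" not in m.group(1):
            findings.append((lineno, "actor-gate", "gate on github.event.pull_request.user.login, not github.actor"))
    return findings


# Constructed excerpt mirroring the lines quoted in the review (not the real file).
WEAK_WORKFLOW = """\
name: Renovate review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
  id-token: write
jobs:
  review:
    if: github.actor == 'renovate[bot]' || github.actor == 'renovate-bot'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Auto review Renovate PR
        uses: anthropics/claude-code-action@main
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""

# Hardened variant. The SHAs are placeholders for the example; resolve the
# real ones with `git ls-remote` against each action repo before committing.
HARDENED_WORKFLOW = """\
name: Renovate review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    if: github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - name: Auto review Renovate PR
        uses: anthropics/claude-code-action@89abcdef0123456789abcdef0123456789abcdef # beta
        timeout-minutes: 10
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, lint_workflow(text) or "clean")
```

Run over the weak excerpt the linter reports the `id-token: write` scope, the `github.actor` gate, and both unpinned `uses:` lines; the hardened excerpt comes back clean. The pin check deliberately treats a tag as mutable even though Renovate can bump a SHA-pinned action just as well as a tagged one, which is why the tag is kept in a trailing comment.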
  • Update

Co-authored-by: hoshino tsuyoshi <[email protected]>
Member

@hoshinotsuyoshi hoshinotsuyoshi left a comment


LGTM!

@FunamaYukina FunamaYukina added this pull request to the merge queue Jun 26, 2025
Merged via the queue into main with commit 226f008 Jun 26, 2025
26 checks passed
@FunamaYukina FunamaYukina deleted the claude-renovate-review branch June 26, 2025 02:40