From 06fa7028dd2847061d3289adeca1c0fc5bbbb835 Mon Sep 17 00:00:00 2001
From: Robert Fujara
Date: Fri, 13 Feb 2026 15:11:01 +0100
Subject: [PATCH 1/3] "Claude PR Assistant workflow"
---
.github/workflows/claude.yml | 50 ++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 .github/workflows/claude.yml
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 0000000..79fe056
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,50 @@
+name: Claude Code
+
+on:
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ issues:
+ types: [opened, assigned]
+ pull_request_review:
+ types: [submitted]
+
+jobs:
+ claude:
+ if: |
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ issues: read
+ id-token: write
+ actions: read # Required for Claude to read CI results on PRs
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+ # This is an optional setting that allows Claude to read CI results on PRs
+ additional_permissions: |
+ actions: read
+
+ # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+ # prompt: 'Update the pull request description to include a summary of changes.'
+
+ # Optional: Add claude_args to customize behavior and configuration
+ # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+ # or https://code.claude.com/docs/en/cli-reference for available options
+ # claude_args: '--allowed-tools Bash(gh pr:*)'
+
From 529ce41d46c41c9ef6cd666d7c5f626326004456 Mon Sep 17 00:00:00 2001
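Review bot: The `if:` on the `claude` job matches only on `@claude` appearing in a comment, review or issue body/title, with no condition on who wrote it. On a repository that accepts outside issues and comments, the decision to start a job holding `secrets.ANTHROPIC_API_KEY` and `id-token: write` then rests entirely on whatever access check `anthropics/claude-code-action` performs internally, which this page does not show. I would add an explicit `author_association` gate to each of the four branches so the trust boundary is visible in the workflow itself, as in the block below. A one-line comment on why `id-token: write` is granted, like the one already on `actions: read`, would also help the next reviewer.

```yaml
    if: |
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
    # … unchanged: runs-on, permissions, steps …
```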
From: Robert Fujara
Date: Fri, 13 Feb 2026 15:11:02 +0100
Subject: [PATCH 2/3] "Claude Code Review workflow"
---
.github/workflows/claude-code-review.yml | 44 ++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/claude-code-review.yml
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
new file mode 100644
index 0000000..4f6145b
--- /dev/null
+++ b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,44 @@
+name: Claude Code Review
+
+on:
+ pull_request:
+ types: [opened, synchronize, ready_for_review, reopened]
+ # Optional: Only run on specific file changes
+ # paths:
+ # - "src/**/*.ts"
+ # - "src/**/*.tsx"
+ # - "src/**/*.js"
+ # - "src/**/*.jsx"
+
+jobs:
+ claude-review:
+ # Optional: Filter by PR author
+ # if: |
+ # github.event.pull_request.user.login == 'external-contributor' ||
+ # github.event.pull_request.user.login == 'new-developer' ||
+ # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
+ issues: read
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Run Claude Code Review
+ id: claude-review
+ uses: anthropics/claude-code-action@v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'
+ plugins: 'code-review@claude-code-plugins'
+ prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
+ # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+ # or https://code.claude.com/docs/en/cli-reference for available options
+
From a721b4b6a44f3fe953ce37a578e235c5d1be2427 Mon Sep 17 00:00:00 2001
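Review bot: Every external reference in this workflow is mutable. `actions/checkout@v4` and `anthropics/claude-code-action@v1` are tags that can be moved, and `plugin_marketplaces: 'https://github.com/anthropics/claude-code.git'` names a repository with no ref visible here, so the code that runs alongside `secrets.ANTHROPIC_API_KEY` and `id-token: write` can change without any commit in this repository. Pinning each `uses:` to a full commit SHA with the tag as a trailing comment, e.g. `uses: anthropics/claude-code-action@<full-commit-sha> # v1`, makes upgrades explicit and reviewable; the same applies to both `uses:` lines in `.github/workflows/claude.yml` from patch 1/3. Whether the marketplace URL can carry a pinned ref is not shown on this page and is worth checking in the action's documentation.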
From: Robert Fujara Date: Fri, 13 Feb 2026 15:24:15 +0100 Subject: [PATCH 3/3] Configure Claude Code Review with focused review instructions Updated the Claude Code Review workflow to include specific review guidelines and tool permissions. The workflow now provides clear instructions to focus on critical issues, skip minor formatting concerns, and post a simple LGTM when appropriate. Also added research capability for Workato documentation. Also updated pre-commit hooks to latest versions and configured pip-audit to use pip 26.0+ to fix CVE-2026-1703 vulnerability. Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/claude-code-review.yml | 13 ++++++++++--- .pre-commit-config.yaml | 11 +++++------ 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 4f6145b..0bde998 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -38,7 +38,14 @@ jobs: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' plugins: 'code-review@claude-code-plugins' - prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://code.claude.com/docs/en/cli-reference for available options + claude_args: '--allowedTools WebSearch,WebFetch,Bash,Skill,Read,Glob' + prompt: | + /code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }} --comment + Review instructions: + - Focus on critical issues or best practices violations + - In case no issues or violations are found, post: "✅ LGTM" + - Do NOT comment on what's already good, etc. + - Skip minor style/formatting issues + + NOTE: If appropriate, research Workato's public documentation for core concepts or API details. 
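Review bot: `claude_args: '--allowedTools WebSearch,WebFetch,Bash,Skill,Read,Glob'` grants unrestricted `Bash` together with outbound web tools to an agent whose input is the pull request itself, which the PR author controls. Because the job is handed `secrets.ANTHROPIC_API_KEY` and `id-token: write`, text in a diff or description that steers the agent would have both a shell and a network path available. Scoping Bash to the commands the review needs, using the pattern syntax already shown in the commented example in `claude.yml`, narrows that: `claude_args: '--allowedTools WebSearch,WebFetch,Skill,Read,Glob,Bash(gh pr:*)'` (the exact command set the `code-review` plugin requires should be confirmed before merging). Separately, the prompt now passes `--comment` while the job's `permissions` block, which lies outside this hunk, still says `pull-requests: read`; if comments are posted through a token the action obtains itself, a short comment saying so would avoid confusion.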
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d1bb195..796095c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -14,7 +14,7 @@ repos: - id: debug-statements - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.13.0 + rev: v0.15.1 hooks: - id: ruff exclude: ^(client/|src/workato_platform_cli/client/) @@ -22,7 +22,7 @@ repos: exclude: ^(client/|src/workato_platform_cli/client/) - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.18.1 + rev: v1.19.1 hooks: - id: mypy args: [--explicit-package-bases] @@ -48,12 +48,11 @@ repos: # pip-audit for dependency security auditing - repo: https://github.com/pypa/pip-audit - rev: v2.9.0 + rev: v2.10.0 hooks: - id: pip-audit - # Temporary workaround: ignoring pip vulnerability GHSA-4xh5-x5gv-qwph (pip 25.2). - # Remove this ignore once a patched version of pip is available. - args: [--format=json, --ignore-vuln=GHSA-4xh5-x5gv-qwph] + args: [--format=json] + additional_dependencies: ['pip>=26.0'] # Local hooks for project-specific tasks - repo: local
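Review bot: In the `pip-audit` hunk the removed comment explained the `--ignore-vuln=GHSA-4xh5-x5gv-qwph` workaround, but the new `additional_dependencies: ['pip>=26.0']` line carries no comment, so the reason for the version floor lives only in the commit message. I would add `# pip>=26.0 in the hook environment for CVE-2026-1703; revisit when the floor is no longer needed` above it. The commit message cites CVE-2026-1703 while the dropped ignore named GHSA-4xh5-x5gv-qwph (pip 25.2); the page does not show whether these are the same advisory, so it is worth confirming that `pip-audit` passes cleanly without the ignore. `>=26.0` is also an open-ended range, so the hook environment can differ between machines and over time; an exact pin would be more reproducible if that matters here.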