Skip to content

tools: claude: remove restriction for draft PRs#441

Open
pzmarzly wants to merge 1 commit intofacebook:mainfrom
pzmarzly:push-lxmlysnzsrvq
Open

tools: claude: remove restriction for draft PRs#441
pzmarzly wants to merge 1 commit intofacebook:mainfrom
pzmarzly:push-lxmlysnzsrvq

Conversation

@pzmarzly
Copy link
Contributor

I took this github.event.pull_request.draft check from the AI review workflow we were using before (/code-review:code-review).

But it may be useful to iterate on your PR with the help of Claude review bot, while keeping it hidden from review queue at the same time. AI review can easily add a few iteration loops when making a PR.

Let's remove this one line.

@github-actions
Copy link

Claude: Looks good. Clean one-line change, rationale is sound -- allowing Claude to review draft PRs enables faster iteration without cluttering the human review queue.

One optional consideration: you may want to add ready_for_review to the pull_request_target event types. Currently, if an author opens a draft (Claude reviews), iterates, then marks the PR ready-for-review without pushing a new commit, Claude won't produce a fresh review for the final state. Adding ready_for_review would cover that edge case. Not blocking since this was already the pre-existing behavior for non-draft PRs.

Copy link
Contributor

@qdeslandes qdeslandes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm concerned this could lead to abuse. Open PR with numerous changes to trigger Claude can be found easily, draft PR not so much?

@pzmarzly pzmarzly marked this pull request as draft February 25, 2026 18:04
@pzmarzly
Copy link
Contributor Author

I converted this PR to draft, can you still see it?

@pzmarzly
Copy link
Contributor Author

pzmarzly commented Feb 25, 2026

Claude, can you advise us here?
EDIT: apparently the GH Action cannot :/
EDIT2: I ran the question locally:

A few things to consider:
  1. The concurrency group with cancel-in-progress: true already limits cost — only one review runs per PR at a time. Rapid pushes just cancel previous runs.
  2. The real abuse vector is external contributors, not project members. But the workflow already checks out upstream code (not the PR branch), so the security model is fine. The
  cost is just API credits for Claude reviews on junk PRs.
  3. Practical mitigations if abuse becomes a problem:
    - Add a label-based gate (e.g., only review if a needs-review label is present)
    - Restrict to known collaborators with if: github.event.pull_request.author_association != 'NONE'
    - Rate-limit per author

@pzmarzly pzmarzly marked this pull request as ready for review February 25, 2026 18:36
@github-actions
Copy link

Claude: review of facebook/bpfilter #441 (663b755)

No issues found. Clean single-line removal of the draft PR guard from the Claude review workflow.

  • Commit message follows project conventions (tools: claude: remove restriction for draft PRs)
  • No security regression: the workflow's security model (checking out upstream, not the PR branch) already handles untrusted PRs regardless of draft status
  • Cost of running on draft PRs is mitigated by cancel-in-progress: true on the concurrency group
  • YAML formatting remains consistent after the removal
  • No documentation updates needed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants