chore(deps): bump next from 15.3.3 to 15.4.8 #40
````yaml
name: Claude Code Review

on:
  pull_request:
    types: [opened] # Only run when PR is first created, not on every commit
    # Optional: Only run on specific file changes
    # paths:
    #   - "src/**/*.ts"
    #   - "src/**/*.tsx"
    #   - "src/**/*.js"
    #   - "src/**/*.jsx"
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to review'
        required: true
        type: number

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.inputs.pr_number }}
  cancel-in-progress: true

jobs:
  claude-review:
    # For automatic runs: only allow members/collaborators/owners
    # For manual runs: always allow (since only repo members can trigger workflows)
    if: |
      github.event_name == 'workflow_dispatch' ||
      github.event.pull_request.author_association == 'OWNER' ||
      github.event.pull_request.author_association == 'MEMBER' ||
      github.event.pull_request.author_association == 'COLLABORATOR'
    runs-on:
      group: neondatabase-protected-runner-group
      labels: linux-ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: read
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/pull/{0}/head', github.event.inputs.pr_number) || '' }}

      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            # Code Review Task

            **REPO:** ${{ github.repository }}
            **PR:** ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
            **COMMIT:** ${{ github.event.pull_request.head.sha }}

            ## Context

            This is the **Neon MCP Server** - a Model Context Protocol server bridging LLMs to Neon Postgres API.

            Review this PR with understanding of:
            - MCP tool/handler architecture (see CLAUDE.md lines 83-122)
            - TypeScript ES2022 + Node16 ESM requirements
            - Tool registration pattern: definitions.ts → toolsSchema.ts → handlers/ → tools.ts
            - Multi-call state management for migrations/tuning tools

            ## What's Already Automated (Don't Review)

            - ❌ Lint errors → `bun run lint` (automated by pr.yml)
            - ❌ Build failures → `bun run build` (automated by pr.yml)
            - ❌ Formatting issues → Automated

            ## Focus Your Review On (Significant Issues Only)

            1. **Architecture & Design**
               - Does new tool follow the tool registration pattern?
               - Is handler properly typed in NEON_HANDLERS?
               - Are Zod schemas correctly defined in toolsSchema.ts?

            2. **Security Vulnerabilities**
               - SQL injection risks (tool handlers using raw SQL)
               - Secrets exposure (API keys, tokens logged or returned)
               - Input validation gaps (Zod schema completeness)
               - Command injection in bash tool uses

            3. **Logic Bugs**
               - Error handling gaps (unhandled promise rejections)
               - State management issues (branch ID tracking for multi-call tools)
               - Edge cases not covered (null/undefined handling)

            4. **Performance Issues**
               - N+1 API call patterns
               - Inefficient Neon API usage
               - Missing pagination handling
               - Unnecessary data fetching

            5. **Testing Gaps**
               - Missing Braintrust evaluations for new tools
               - Uncovered edge cases in existing tests
               - Integration test scenarios missing

            6. **MCP-Specific Issues**
               - Tool descriptions not clear for LLMs
               - Missing analytics tracking (trackEvent calls)
               - Error handling doesn't use ToolError pattern
               - Missing Sentry error capture

            ## Review Instructions

            ### Step 1: Analyze the PR

            Use `gh pr view` and `gh pr diff` to understand the changes.

            ### Step 2: Identify Significant Issues

            - Read the full diff and changed files
            - For each significant issue, note: file path, line number, severity, description
            - Only flag issues a human reviewer would care about (not lint/format)

            ### Step 3: Post Inline Comments

            For each significant issue (max 5 per file), post an inline comment using:

            ```bash
            gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number || github.event.inputs.pr_number }}/comments -f body="COMMENT_BODY" -f path="relative/path/to/file.ts" -F line=42 -f side="RIGHT" -f commit_id="${{ github.event.pull_request.head.sha || github.sha }}"
            ```

            **IMPORTANT:**
            - Use a SINGLE LINE command (no backslashes or line continuations)
            - For this PR, use: `gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number || github.event.inputs.pr_number }}/comments`
            - Commit SHA: `${{ github.event.pull_request.head.sha || github.sha }}`
            - Post comments for EVERY significant issue you find (not just a summary)
            - Keep the body text concise and use \n for line breaks within the body parameter

            **Inline Comment Format:**
            - Use emoji severity: 🔴 Critical | 🟡 Important | 🔵 Consider
            - Start with **[Category]** (Security/Logic/Performance/Architecture/Testing)
            - Explain the issue clearly
            - Provide actionable fix or suggestion
            - Reference CLAUDE.md patterns when applicable

            **Example:**
            ```
            🔴 **[Security]**: Potential SQL injection vulnerability. User input is concatenated directly into SQL query.\n\n**Fix:** Use parameterized queries:\n\`\`\`typescript\nconst result = await query('SELECT * FROM users WHERE name = $1', [userName]);\n\`\`\`
            ```

            Note: In the actual gh command, newlines are represented as \n within the body parameter.

            ### Step 4: Post Summary Comment

            After posting inline comments, create a summary with:
            - Review statistics (files, lines, issues)
            - Severity breakdown (🔴, 🟡, 🔵 counts)
            - Key findings (2-3 most critical issues)
            - What looks good (2-3 positive aspects)
            - Note that lint/build are automated

            Use `gh pr comment` to post the summary.

            ## Guidelines

            - **Be selective**: Only comment on significant issues worth a human's attention
            - **Be specific**: Reference exact lines, provide clear fixes
            - **Be constructive**: Explain the "why" behind suggestions
            - **Be project-aware**: Use CLAUDE.md patterns and terminology
            - **Don't duplicate**: Skip issues automated tools will catch

          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
          claude_args: '--allowed-tools "Bash(gh:*)"'
````
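Step 3 of the prompt has the reviewer type a single-line `gh api` command whose body is free text; this added Python helper (not part of the workflow or of the claude-code-action project) builds that same call as an argv list, so quotes and backticks in the finding never reach a shell, and first checks that the path and line exist on the RIGHT side of the diff, which is what the GitHub API requires. The repository name, commit SHA and diff below are constructed placeholders, not values from this PR.

```python
import re
import shlex

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff (not from this PR), with the kind of SQL string
# concatenation the prompt's example comment describes.
SAMPLE_DIFF = """\
diff --git a/src/tools/handlers.ts b/src/tools/handlers.ts
--- a/src/tools/handlers.ts
+++ b/src/tools/handlers.ts
@@ -40,3 +40,4 @@ export async function findUser(name: string) {
   const client = getClient();
-  const sql = 'SELECT * FROM users';
+  const sql = "SELECT * FROM users WHERE name = '" + name + "'";
+  log.debug(sql);
   return client.query(sql);
"""

def commentable_lines(diff_text: str) -> dict[str, set[int]]:
    """Map each file in a unified diff to the RIGHT-side line numbers it touches;
    GitHub rejects inline comments on lines outside the diff, so check first."""
    lines: dict[str, set[int]] = {}
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            lines.setdefault(path, set())
        elif m := HUNK_RE.match(raw):
            new_line = int(m.group(1))  # first line number on the new-file side
        elif path is not None and raw[:1] in ("+", " "):
            lines[path].add(new_line)  # added/context line exists on the RIGHT
            new_line += 1              # "-" lines are LEFT-only: no advance
    return lines

def inline_comment_argv(repo: str, pr: int, sha: str, path: str, line: int,
                        body: str, diff_text: str) -> list[str]:
    """Build the Step 3 `gh api .../pulls/N/comments` call as an argv list: each
    field is its own argument, so quotes, backticks or `$` in the finding text
    never reach a shell, and -F sends `line` as an integer."""
    if line not in commentable_lines(diff_text).get(path, set()):
        raise ValueError(f"{path}:{line} is not part of the diff")
    return ["gh", "api", f"repos/{repo}/pulls/{pr}/comments",
            "-f", f"body={body}", "-f", f"path={path}", "-F", f"line={line}",
            "-f", "side=RIGHT", "-f", f"commit_id={sha}"]

def single_line_command(argv: list[str]) -> str:
    """The single-line form the prompt asks for, quoted safely for a shell."""
    return shlex.join(argv)
```

Run the argv directly with `subprocess.run(argv)` in practice; `single_line_command` exists only to produce the one-line string form the prompt insists on without hand-escaping the body.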