feat: Add Claude Code Action automated PR review workflow

[mkczarkowski]

This PR introduces automated code review using Claude Code Action on all pull
requests.

Changes

• New workflow: .github/workflows/cca-review.yml
  • Triggers on PR opened, synchronize, ready_for_review, and reopened events
  • Runs Claude Code Action to review PRs with focus on:
    • Code quality and best practices
    • Potential bugs or issues
    • Security implications
    • Performance considerations
  • Takes project context documents (@.ai/project-prd, @.ai/tech-stack) into
    account
  • Provides feedback via inline PR comments

Fork-friendly implementation

• Conditional execution: Skips workflow for forked PRs to prevent secret access
  failures
• Uses if: github.event.pull_request.head.repo.full_name == github.repository
  condition
• External contributors see "skipped" status instead of cryptic failures

Configuration

• Runs in integration environment
• Requires ANTHROPIC_API_KEY secret
• Uses minimal permissions (read contents, write PR comments)
• Enabled tools: inline comments, gh pr commands
• Tracks progress during review

This automation will help maintain code quality and catch potential issues early
while remaining friendly to community contributions.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Guard Claude review job when secrets are unavailable

This workflow executes on every pull_request, but it unconditionally passes secrets.ANTHROPIC_API_KEY into anthropics/claude-code-action@v1. For PRs that originate from forks (the default case for external contributors), GitHub does not expose repository secrets to the workflow, so this step will fail at startup and mark the whole check as failed even though the PR author cannot fix it. Consider skipping the job for forked PRs or conditionally running the step only when the secret is set, otherwise community submissions will always see a broken required check.

Useful? React with 👍 / 👎.

[github-actions]

✅ All checks have passed successfully!

• Lint: ✅
• Unit Tests: ✅
• E2E Tests: ✅

Coverage reports have been uploaded as artifacts.

[github-actions]

✅ All checks have passed successfully!

• Lint: ✅
• Unit Tests: ✅
• E2E Tests: ✅

Coverage reports have been uploaded as artifacts.

[github-actions]

✅ All checks have passed successfully!

• Lint: ✅
• Unit Tests: ✅
• E2E Tests: ✅

Coverage reports have been uploaded as artifacts.