Merge branch 'main' into release-please--branches--main

windcbf · web-flow · commit ed403da0a29e · 2026-01-17T15:46:15.000-08:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,6 +1,9 @@
 # Default owners for everything
 * @OpenNHP/maintainers
 
+# Claude bot for automated code review (REQUEST_CHANGES blocks merge)
+* @claude[bot]
+
 # Core protocol
 /nhp/core/ @OpenNHP/core-team
 /nhp/common/ @OpenNHP/core-team
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -0,0 +1,101 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  # Respond to @claude mentions
+  claude-mentions:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Restrict tools to safe GitHub CLI operations
+          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh issue list:*),Bash(gh issue comment:*),Bash(gh search:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh pr diff:*),Bash(gh pr comment:*),Bash(gh pr review:*),Bash(gh pr checks:*)"'
+
+  # Automatic code review on PR open/update
+  claude-pr-review:
+    if: |
+      github.event_name == 'pull_request' &&
+      (github.event.action == 'opened' || github.event.action == 'synchronize') &&
+      github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Restrict tools to safe GitHub CLI operations for PR review
+          claude_args: '--allowed-tools "Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr review:*),Bash(gh pr checks:*),Bash(gh pr comment:*)"'
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            You are a senior code reviewer. Review this PR thoroughly.
+
+            Use the repository's CLAUDE.md for guidance on project conventions, code style, and architecture.
+
+            ## Review Criteria (in order of severity)
+            1. **Security vulnerabilities** - injection, auth bypass, secrets exposure, OWASP top 10
+            2. **Bugs and logic errors** - null refs, race conditions, off-by-one, error handling
+            3. **Breaking changes** - API compatibility, data migrations, config changes
+            4. **Performance issues** - N+1 queries, memory leaks, blocking calls
+            5. **Code quality** - unclear logic, missing validation, poor error messages
+
+            ## Review Instructions
+            Use `gh pr review` to submit a GitHub PR review:
+            - If you find ANY issues in categories 1-3 (security, bugs, breaking changes):
+              `gh pr review ${{ github.event.pull_request.number }} --request-changes --body "your review"`
+            - If you find only minor issues (categories 4-5):
+              `gh pr review ${{ github.event.pull_request.number }} --comment --body "your review"`
+            - If the code looks good:
+              `gh pr review ${{ github.event.pull_request.number }} --approve --body "your review"`
+
+            ## Response Format
+            Start your review with a summary line:
+            - "🚨 **Changes Requested** - Found [N] issue(s) that must be addressed"
+            - "💬 **Comment** - Found [N] suggestion(s) for improvement"
+            - "✅ **Approved** - Code looks good"
+
+            Then list specific issues with file paths and line numbers.
+            Be constructive and actionable. Focus on significant issues, not style nitpicks.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -12,7 +12,19 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - name: Release Please
+        uses: googleapis/release-please-action@v4
         with:
           release-type: go
           token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
