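# Claude Code Review Workflow
#
# Triggered by adding the "claude-review" label to a PR.
# Uses stored OAuth credentials on self-hosted runner (no ANTHROPIC_API_KEY needed).
#
# Usage:
#   1. Contributor opens PR
#   2. Collaborator adds "claude-review" label when ready for review
#   3. Workflow triggers, removes the label, runs Claude review
#   4. Want to re-review after changes? Add the label again
#
# Trust model:
#   - pull_request_target runs in the base repository's context with the
#     job-scoped GITHUB_TOKEN, so the label is the gate: only someone who can
#     label the PR can start a review. No step builds, installs or runs
#     anything from the PR checkout; the agent only reads it through its
#     allow-listed tools.
#   - Agent configuration (.claude/) is always taken from the base branch,
#     never from the PR, so a PR cannot rewrite the reviewer's instructions.
#   - GITHUB_TOKEN is limited to contents:read + pull-requests:write, which
#     bounds what the agent (or content that manages to steer it) can do.
#
# ---- Runner One-Time Setup ----
# SSH into tzrec-codereview-runner as the runner user and run:
#
#   # Install bun
#   curl -fsSL https://bun.sh/install | bash
#
#   # Install Claude Code
#   curl -fsSL https://claude.ai/install.sh | sh
#
#   # Clone claude-code-action at pinned version and install deps (for MCP inline comment server)
#   git clone --branch v1 https://github.com/anthropics/claude-code-action.git /opt/claude-code-action
#   cd /opt/claude-code-action && bun install
#
#   # Configure MCP server for inline PR comments (~/.claude/mcp.json)
#   mkdir -p ~/.claude && cat > ~/.claude/mcp.json << 'EOF'
#   {
#     "mcpServers": {
#       "github_inline_comment": {
#         "command": "bun",
#         "args": ["run", "/opt/claude-code-action/src/mcp/github-inline-comment-server.ts"]
#       }
#     }
#   }
#   EOF
#
#   # Login (stores OAuth credentials for headless use)
#   claude /login
#
#   # Verify headless mode works without API key
#   unset ANTHROPIC_API_KEY && unset ANTHROPIC_BASE_URL
#   claude -p "Say hello"
#
# If auth fails after a long period, re-run `claude /login` on the runner.
# Do NOT use --bare flag — it disables OAuth/keychain reads.
# ---- End Setup ----
name: Code Review

on:  # yamllint disable-line rule:truthy
  pull_request_target:
    types: [labeled]

# One review per PR at a time: re-labelling while a review is still running
# cancels the in-flight run instead of producing two sets of comments.
concurrency:
  group: codereview-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    if: github.event.label.name == 'claude-review'
    runs-on: tzrec-codereview-runner
    timeout-minutes: 30
    # Least privilege for GITHUB_TOKEN: read the repo, edit labels / post PR comments.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Remove label to allow re-triggering later
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        # Event values reach the shell via env vars rather than ${{ }} in the
        # script body, so the script text never contains interpolated output.
        run: |
          gh pr edit "$PR_NUMBER" \
            --repo "$REPO" \
            --remove-label claude-review

      # Checkout trusted .claude/ files from base branch (not the PR author's code)
      - name: Checkout trusted agent files
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          sparse-checkout: .claude
          path: trusted-claude
          # No later step talks to git with credentials (gh uses GH_TOKEN from
          # env), so don't leave the token behind in .git/config.
          persist-credentials: false

      # Checkout PR code for review
      - name: Checkout PR code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 1
          path: pr-code
          # The agent reads this tree with Read/Grep/Glob; keep the token out of it.
          persist-credentials: false

      # rm first: cp -r into an existing dir nests instead of replacing (GHSA-f9x3-9rgg-92p7).
      - name: Use trusted agent files
        run: |
          rm -rf pr-code/.claude
          cp -r trusted-claude/.claude pr-code/.claude

      - name: RunCodeReview
        working-directory: pr-code
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          REPO_OWNER: ${{ github.repository_owner }}
          REPO_NAME: ${{ github.event.repository.name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        # No ANTHROPIC_API_KEY — uses stored OAuth from `claude /login` on the runner
        # MCP server inherits env vars (GITHUB_TOKEN, REPO_OWNER, REPO_NAME, PR_NUMBER)
        run: |
          set -euo pipefail
          # Resolve full bun path (bun installed to ~/.bun/bin/ — not in Claude's subprocess PATH)
          BUN_PATH="$(command -v bun 2>/dev/null || echo "$HOME/.bun/bin/bun")"
          echo "bun path: $BUN_PATH ($("$BUN_PATH" --version))"
          MCP_CONFIG="{\"mcpServers\":{\"github_inline_comment\":{\"command\":\"${BUN_PATH}\",\"args\":[\"run\",\"/opt/claude-code-action/src/mcp/github-inline-comment-server.ts\"]}}}"
          # The tool allow-list is the blast-radius control: read-only file tools,
          # the inline-comment MCP tool, and only the gh subcommands needed to
          # read and comment on this PR — no general-purpose shell.
          claude -p \
            --output-format stream-json \
            --verbose \
            --mcp-config "$MCP_CONFIG" \
            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr comment:*),Read,Grep,Glob,Agent" \
            -- "/review-pr REPO: ${REPO} PR_NUMBER: ${PR_NUMBER}"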