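---
# Claude-based automated review of every non-release pull request.
#
# Trust model (read before editing):
#   - `pull_request` fires for anyone who can open a PR, so the PR title,
#     body, labels and diff are UNTRUSTED input. Never interpolate
#     `${{ github.event.pull_request.* }}` straight into a `run:` script;
#     hand it over through `env:` so the shell sees data, not code.
#   - The PR diff is also untrusted input to the model (prompt injection),
#     which is why the tools the review may call are pinned to a short
#     allow-list.
#   - The title/label bypass below is a convenience for emergencies, not a
#     control: anyone who can open a PR can add `[SKIP REVIEW]` to the title.
#     Human review requirements belong in branch protection, not here.
#   - PRs from forks do not receive `secrets.CLAUDE_CODE_OAUTH_TOKEN` and get
#     a read-only GITHUB_TOKEN; expect the review step (and possibly the
#     comment steps) to fail for them.
name: Claude Code Review
'on':
  pull_request:
    types: [opened, synchronize]

# Prevent multiple review runs on rapid PR updates
concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  claude-review:
    # Auto-review ALL pull requests with Claude
    # BYPASS: Add [EMERGENCY], [SKIP REVIEW], or [HOTFIX] to PR title
    # BYPASS: Or add 'emergency', 'skip-review' or 'hotfix' label to PR
    # SKIP: Release PRs (dev → main) - already reviewed in dev
    if: github.event.pull_request.base.ref != 'main'
    runs-on: ubuntu-latest
    timeout-minutes: 10  # Prevent hung runs (Claude API timeout)
    permissions:
      contents: read
      # The github-script steps below call issues.createComment on the PR;
      # that needs write access on pull requests. With `read` they fail with
      # "Resource not accessible by integration".
      pull-requests: write
      issues: read
      id-token: write  # Required by Claude Code action for OIDC authentication
    steps:
      # Checkout comes first: the kill-switch file lives in the repository and
      # is only present on the runner once the tree has been checked out.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          # Do not leave the job token in .git/config for later steps; the
          # review step runs `gh` commands through a Bash tool.
          persist-credentials: false

      - name: Check Workflow Kill Switch
        id: killswitch
        run: |
          # `exit 0` only ends this step, not the job, so the decision is
          # exported as a step output and every later step is gated on it.
          # NOTE: the file is read from the checked-out PR merge commit, so a
          # PR can at most disable its own review (the bypass markers already
          # allow that).
          if [ -f ".github/WORKFLOW_KILLSWITCH" ]; then
            STATUS=$(grep "STATUS:" .github/WORKFLOW_KILLSWITCH | awk '{print $2}')
            if [ "$STATUS" = "DISABLED" ]; then
              echo "🛑 Workflows disabled by kill switch"
              echo "disabled=true" >> "$GITHUB_OUTPUT"
              exit 0
            fi
          fi
          echo "disabled=false" >> "$GITHUB_OUTPUT"

      - name: Check for Review Bypass
        id: bypass
        if: steps.killswitch.outputs.disabled != 'true'
        # Attacker-controlled values are passed as environment variables, so a
        # title such as `"; curl ... | sh; "` cannot break out of the script.
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        run: |
          # Check for bypass markers in PR title (printf, not echo: a title
          # beginning with "-n"/"-e" must not be treated as an echo option)
          if printf '%s' "$PR_TITLE" | grep -qE '\[EMERGENCY\]|\[SKIP REVIEW\]|\[HOTFIX\]'; then
            echo "bypass=true" >> "$GITHUB_OUTPUT"
            echo "reason=PR title contains bypass marker" >> "$GITHUB_OUTPUT"
            echo "⏭️ BYPASS: PR title contains bypass marker"
            exit 0
          fi
          # Check for bypass labels. PR_LABELS is a JSON array of label names,
          # so match whole quoted elements; a bare `emergency` pattern would
          # also match e.g. "not-an-emergency".
          if printf '%s' "$PR_LABELS" | grep -qE '"(emergency|skip-review|hotfix)"'; then
            echo "bypass=true" >> "$GITHUB_OUTPUT"
            echo "reason=PR has bypass label" >> "$GITHUB_OUTPUT"
            echo "⏭️ BYPASS: PR has bypass label"
            exit 0
          fi
          echo "bypass=false" >> "$GITHUB_OUTPUT"
          echo "✅ No bypass detected - review will proceed"

      - name: Post Bypass Notice
        if: steps.bypass.outputs.bypass == 'true'
        uses: actions/github-script@v7
        env:
          BYPASS_REASON: ${{ steps.bypass.outputs.reason }}
        with:
          script: |
            // The reason is read from the environment instead of being
            // spliced into the script source; `await` so an API error fails
            // the step instead of being dropped.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## ⏭️ Code Review Bypassed
            **Reason**: ${process.env.BYPASS_REASON}
            ⚠️ **Manual review recommended** - This PR did not receive automated code review.
            ---
            *Bypass triggered by emergency procedures*`
            })

      - name: Run Claude Code Review
        if: steps.killswitch.outputs.disabled != 'true' && steps.bypass.outputs.bypass != 'true'
        id: claude-review
        uses: anthropics/claude-code-action@v1
        # Quota/timeout must not fail the job; the fallback step reports it.
        continue-on-error: true
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}
            Please review this pull request for Claude Code Tresor - a professional development utilities toolkit.
            Focus on:
            - Code quality and best practices
            - Skill/Agent/Command YAML frontmatter validity
            - Documentation completeness
            - Security concerns (especially in hooks and commands)
            - Breaking changes to v2.0.0 compatibility
            - Integration patterns (Skills → Agents → Commands)
            Use the repository's CLAUDE.md for guidance on project structure and conventions.
            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
          # Allow-list of tools the model may invoke. The PR content it reads
          # is untrusted, so keep this to read-only `gh` queries plus the one
          # write (`gh pr comment`) needed to deliver the review. Do not add
          # `gh pr merge`, `gh api`, or unrestricted Bash here.
          claude_args: >-
            --allowed-tools "Bash(gh issue view:*),Bash(gh search:*),
            Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),
            Bash(gh pr view:*),Bash(gh pr list:*)"

      - name: Post fallback review note (quota/timeout)
        # `== 'failure'` rather than `!= 'success'`: a skipped review step
        # (kill switch or bypass) has outcome `skipped`, which must not post
        # this note on top of the bypass notice.
        if: steps.claude-review.outcome == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## ⚠️ Automated Review Skipped
            The automated Claude review could not complete (likely quota or a transient error).
            - You can retry this workflow from the Actions tab
            - Proceed with manual review to unblock
            `
            })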