cli/.github/workflows/claude-code.yml at b640037f9280ec013c3c4b60acb5504bbdb8ed71 · databricks/cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
name: Claude Code

# AI-assisted PR reviews and interactive @claude mentions.
#
# The actual Claude Code execution runs in eng-dev-ecosystem on
# protected runners whose IPs are allowlisted by the Databricks
# account IP ACL. This workflow is a thin trigger that dispatches
# to eng-dev-ecosystem via the DECO workflow trigger GitHub App.

on:
  # Triggers automatic review when a PR is first opened.
  pull_request:
    types: [opened]

  # Enables @claude mentions in PR conversation comments.
  # (GitHub fires issue_comment for top-level PR comments.)
  issue_comment:
    types: [created]

  # Enables @claude mentions in inline review comments.
  pull_request_review_comment:
    types: [created]

jobs:
  # Automatic review on PR open. For re-reviews, comment "@claude review".
  # Restrict to org members/owners to prevent untrusted users (e.g. external
  # fork PRs) from consuming model serving resources. See:
  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
  review:
    if: |
      github.event_name == 'pull_request' &&
      !github.event.pull_request.head.repo.fork &&
      contains(fromJson('["MEMBER","OWNER"]'), github.event.pull_request.author_association)
    concurrency:
      group: claude-review-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco
    timeout-minutes: 30
    environment: test-trigger-is
    permissions:
      contents: read

    steps:
      - name: Generate GitHub App token
        id: token
        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
        with:
          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
          owner: databricks-eng
          repositories: eng-dev-ecosystem

      - name: Trigger Claude Code review
        run: |
          gh workflow run cli-claude-code.yml \
            -R databricks-eng/eng-dev-ecosystem \
            --ref main \
            -F pull_request_number=${{ github.event.pull_request.number }} \
            -F event_type=review
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}

      - name: Track remote run
        run: |
          sleep 10
          RUN_ID=$(gh run list -R databricks-eng/eng-dev-ecosystem \
            --workflow cli-claude-code.yml --limit 1 \
            --json databaseId -q '.[0].databaseId')
          echo "## Claude Code Review" >> "$GITHUB_STEP_SUMMARY"
          echo "[View run](https://github.com/databricks-eng/eng-dev-ecosystem/actions/runs/$RUN_ID)" >> "$GITHUB_STEP_SUMMARY"
          gh run watch "$RUN_ID" -R databricks-eng/eng-dev-ecosystem --exit-status
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}

  # Interactive @claude mentions (PRs only, trusted authors only).
  # Restrict to org members/owners to prevent untrusted users from triggering
  # Claude with write access to the repo. See:
  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
  assist:
    if: |
      github.event.comment.user.type != 'Bot' &&
      contains(fromJson('["MEMBER","OWNER"]'), github.event.comment.author_association) &&
      (
        (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
      )
    concurrency:
      group: claude-assist-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: true
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco
    timeout-minutes: 30
    environment: test-trigger-is
    permissions:
      contents: read

    steps:
      - name: Generate GitHub App token
        id: token
        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
        with:
          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
          owner: databricks-eng
          repositories: eng-dev-ecosystem

      - name: Determine PR number
        id: pr
        run: |
          if [ -n "$ISSUE_NUMBER" ]; then
            echo "number=$ISSUE_NUMBER" >> "$GITHUB_OUTPUT"
          else
            echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
          fi
        env:
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          PR_NUMBER: ${{ github.event.pull_request.number }}

      # Skip fork PRs to avoid running Claude against untrusted code.
      # Comment events don't expose fork info in the `if` condition,
      # so we check via API.
      - name: Check if fork PR
        id: fork-check
        run: |
          IS_FORK=$(gh pr view "$PR_NUMBER" --json isCrossRepository --jq '.isCrossRepository')
          echo "is_fork=$IS_FORK" >> "$GITHUB_OUTPUT"
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
          GH_TOKEN: ${{ github.token }}

      - name: Trigger Claude Code assist
        if: steps.fork-check.outputs.is_fork != 'true'
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'databricks-eng',
              repo: 'eng-dev-ecosystem',
              workflow_id: 'cli-claude-code.yml',
              ref: 'main',
              inputs: {
                pull_request_number: process.env.PR_NUMBER,
                event_type: 'assist',
                comment_body: process.env.COMMENT_BODY
              }
            });
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
          PR_NUMBER: ${{ steps.pr.outputs.number }}

      - name: Track remote run
        if: steps.fork-check.outputs.is_fork != 'true'
        run: |
          sleep 10
          RUN_ID=$(gh run list -R databricks-eng/eng-dev-ecosystem \
            --workflow cli-claude-code.yml --limit 1 \
            --json databaseId -q '.[0].databaseId')
          echo "## Claude Code Assist" >> "$GITHUB_STEP_SUMMARY"
          echo "[View run](https://github.com/databricks-eng/eng-dev-ecosystem/actions/runs/$RUN_ID)" >> "$GITHUB_STEP_SUMMARY"
          gh run watch "$RUN_ID" -R databricks-eng/eng-dev-ecosystem --exit-status
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}