feat: add GitHub Actions workflows and PR review template

ducpm2303 · claude · ducpm2303 · commit 9c52312e903d · 2026-04-03T22:34:42.000+07:00
.github/workflows/validate.yml:
- Runs validate-plugins.sh on every push/PR to main
- Validates all JSON files (marketplace, plugin manifests, hooks)
- Checks version consistency across all plugin manifests

.github/workflows/pr-review.yml:
- Reviews PRs to this repo using claude-code-action@v1
- Checks SKILL.md quality, globs specificity, hook safety,
  version consistency, and references/ split recommendations

templates/java-pr-review.yml:
- Copy-paste template for users to add to their Java projects
- Runs security scan (OWASP), performance scan (N+1), and code
  review on every PR touching .java or build files
- Posts structured comment with severity-coded findings table

README: added GitHub Actions section with setup instructions

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
@@ -0,0 +1,51 @@
+name: PR Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - 'plugins/**/*.md'
+      - 'plugins/**/*.json'
+      - 'scripts/**'
+
+concurrency:
+  group: pr-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            Review this pull request to the claude-java-plugins repository.
+
+            Focus specifically on:
+            1. **SKILL.md quality** — does the description start with a verb and include trigger phrases? Is content version-gated where needed (Java 8+, Spring Boot 3.x+)?
+            2. **rules/*.md** — do new rule files have a `globs:` frontmatter that is as specific as possible?
+            3. **commands/*.md** — does the command description clearly state what it does and when to use it?
+            4. **hooks.json** — is the shell command safe? No destructive operations, no data exfiltration?
+            5. **plugin.json** — are name, version, description present? Is the version consistent with marketplace.json?
+            6. **References** — if a SKILL.md is over 80 lines, suggest moving templates to references/
+
+            Format your review as:
+            ## Summary
+            One paragraph overview of what changed.
+
+            ## Issues
+            For each issue: `file:line — [SEVERITY] description and suggestion`
+            Severities: `REQUIRED` (must fix), `SUGGESTED` (quality improvement), `NOTE` (informational)
+
+            ## Looks Good
+            Highlight anything well done.
+
+            Do NOT comment on prose style or subjective wording choices.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -0,0 +1,51 @@
+name: Validate Plugins
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate plugin structure
+        run: |
+          chmod +x scripts/validate-plugins.sh
+          ./scripts/validate-plugins.sh
+
+      - name: Validate JSON files
+        run: |
+          echo "Checking marketplace.json..."
+          jq empty .claude-plugin/marketplace.json
+          echo "Checking all plugin.json files..."
+          for f in plugins/*/.claude-plugin/plugin.json; do
+            echo "  $f"
+            jq empty "$f"
+          done
+          echo "Checking all hooks.json files..."
+          for f in plugins/*/hooks/hooks.json; do
+            echo "  $f"
+            jq empty "$f"
+          done
+          echo "All JSON valid."
+
+      - name: Check version consistency
+        run: |
+          MARKETPLACE_VERSION=$(jq -r '.metadata.version' .claude-plugin/marketplace.json)
+          echo "Marketplace version: $MARKETPLACE_VERSION"
+          FAIL=0
+          for f in plugins/*/.claude-plugin/plugin.json; do
+            PLUGIN_VERSION=$(jq -r '.version' "$f")
+            PLUGIN_NAME=$(jq -r '.name' "$f")
+            if [ "$PLUGIN_VERSION" != "$MARKETPLACE_VERSION" ]; then
+              echo "VERSION MISMATCH: $PLUGIN_NAME is $PLUGIN_VERSION, marketplace is $MARKETPLACE_VERSION"
+              FAIL=1
+            else
+              echo "  OK: $PLUGIN_NAME @ $PLUGIN_VERSION"
+            fi
+          done
+          exit $FAIL
diff --git a/README.md b/README.md
@@ -153,6 +153,31 @@ brew install jdtls        # macOS
 
 ---
 
+## GitHub Actions — Automated PR Review
+
+Use the same skills that run locally to automatically review every Java PR in CI.
+
+### Quick setup
+
+1. Copy [`templates/java-pr-review.yml`](templates/java-pr-review.yml) to `.github/workflows/java-pr-review.yml` in your Java project
+2. Add `ANTHROPIC_API_KEY` to your repo secrets (Settings → Secrets → Actions)
+3. Push — every PR touching `.java` or build files gets an automated review
+
+### What gets reviewed
+
+Every PR automatically checks:
+- **Code quality** — naming, logic errors, null risks, resource leaks
+- **Security** — OWASP Top 10, hardcoded secrets, SQL injection, missing `@Valid`
+- **Performance** — N+1 queries, eager fetch on collections, missing pagination
+
+Results are posted as a single structured comment with severity-coded findings.
+
+### Our own CI
+
+This repo runs `.github/workflows/validate.yml` on every push — it runs `validate-plugins.sh` and verifies version consistency across all plugin manifests.
+
+---
+
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for a full authoring guide covering skills, rules, commands, and agents.
diff --git a/templates/java-pr-review.yml b/templates/java-pr-review.yml
@@ -0,0 +1,130 @@
+# ============================================================
+# Java PR Review — powered by claude-java-plugins
+# ============================================================
+# Copy this file to .github/workflows/java-pr-review.yml
+# in your Java project.
+#
+# Requirements:
+#   1. Add ANTHROPIC_API_KEY to your repo secrets:
+#      Settings → Secrets and variables → Actions → New secret
+#   2. Install claude-java-plugins:
+#      /plugin marketplace add ducpm2303/claude-java-plugins
+#      /plugin install java-core@java-plugins
+#      /plugin install java-spring@java-plugins   # if Spring Boot project
+#      /plugin install java-quality@java-plugins  # for security + perf + test review
+#
+# What it does:
+#   - Reviews every PR that touches Java/build files
+#   - Runs security scan (OWASP Top 10)
+#   - Runs performance scan (N+1, threading, memory)
+#   - Checks test quality and coverage gaps
+#   - Posts a consolidated review comment on the PR
+# ============================================================
+
+name: Java PR Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - '**/*.java'
+      - '**/pom.xml'
+      - '**/build.gradle'
+      - '**/build.gradle.kts'
+
+# Cancel in-progress runs on the same PR to save API costs
+concurrency:
+  group: java-pr-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  java-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0   # full history for better diff context
+
+      - uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # Optional: pin to a specific model for cost control
+          # claude_args: --model claude-sonnet-4-6
+          prompt: |
+            You are reviewing a Java pull request. Analyse only the changed files
+            in this PR (do not review unchanged files).
+
+            Run these three checks in sequence. Complete all three before posting.
+
+            ---
+
+            ## Check 1 — Code Review (java-core)
+
+            For each changed .java file:
+            - Logic errors, null pointer risks, or incorrect control flow
+            - Naming violations: classes should be PascalCase, methods camelCase,
+              constants SCREAMING_SNAKE_CASE
+            - Version-inappropriate patterns (flag Java 8 idioms if project uses Java 17+)
+            - Resource leaks (unclosed streams, connections)
+            - Missing or incorrect exception handling
+
+            ---
+
+            ## Check 2 — Security Scan (java-quality)
+
+            - Hardcoded credentials, API keys, or tokens in source code
+            - SQL string concatenation (SQL injection risk)
+            - Missing @Valid on @RequestBody parameters
+            - Logging of passwords, tokens, or PII
+            - Weak cryptography (MD5, SHA-1, DES)
+            - @CrossOrigin(origins = "*") in non-test code
+
+            ---
+
+            ## Check 3 — Performance Scan (java-quality)
+
+            - @OneToMany or @ManyToMany without FetchType.LAZY
+            - Repository method calls inside loops (N+1 pattern)
+            - findAll() without Pageable on large entity tables
+            - String concatenation inside loops (use StringBuilder)
+            - Creating DateTimeFormatter, Pattern, or ObjectMapper inside methods
+
+            ---
+
+            ## Output Format
+
+            Post a single consolidated comment structured as:
+
+            ### Java PR Review
+
+            **Summary:** [1-2 sentences about the overall change]
+
+            **Security** — [CLEAN / X issue(s) found]
+            **Performance** — [CLEAN / X issue(s) found]
+            **Code Quality** — [CLEAN / X issue(s) found]
+
+            ---
+
+            #### Issues (sorted by severity)
+
+            | Severity | File | Finding |
+            |----------|------|---------|
+            | 🔴 CRITICAL | `path/File.java:42` | SQL injection risk: string concat in query |
+            | 🟠 HIGH | `path/File.java:18` | N+1: repository call inside loop |
+            | 🟡 MEDIUM | `path/File.java:55` | Missing @Valid on request body |
+            | 🔵 NOTE | `path/File.java:10` | Consider using var (Java 10+) |
+
+            #### Positive Notes
+            [Highlight anything done well — good patterns, good test coverage, correct use of version features]
+
+            ---
+
+            Rules:
+            - Only report actual findings, not hypothetical ones
+            - Do NOT comment on formatting, whitespace, or import order (use a linter for that)
+            - Do NOT repeat findings — one entry per issue
+            - If all three checks are clean, post a short "LGTM" comment with a brief summary
