|
| 1 | +name: PR Commands |
| 2 | + |
| 3 | +on: |
| 4 | + issue_comment: |
| 5 | + types: [created] |
| 6 | + pull_request_review_comment: |
| 7 | + types: [created] |
| 8 | + pull_request_review: |
| 9 | + types: [submitted] |
| 10 | + issues: |
| 11 | + types: [opened, assigned] |
| 12 | + |
| 13 | +jobs: |
| 14 | + # ============================================================================= |
| 15 | + # Job: Claude Interactive (/claude) |
| 16 | + # ============================================================================= |
| 17 | + claude-interactive: |
| 18 | + name: Claude Interactive |
| 19 | + if: | |
| 20 | + github.actor == '0x666c6f' && ( |
| 21 | + (github.event_name == 'issue_comment' && (github.event.comment.body == '/claude' || startsWith(github.event.comment.body, '/claude ') || startsWith(github.event.comment.body, '/claude\n'))) || |
| 22 | + (github.event_name == 'pull_request_review_comment' && (github.event.comment.body == '/claude' || startsWith(github.event.comment.body, '/claude ') || startsWith(github.event.comment.body, '/claude\n'))) || |
| 23 | + (github.event_name == 'pull_request_review' && github.event.review.body && (github.event.review.body == '/claude' || startsWith(github.event.review.body, '/claude ') || startsWith(github.event.review.body, '/claude\n'))) || |
| 24 | + (github.event_name == 'issues' && ( |
| 25 | + github.event.issue.title == '/claude' || |
| 26 | + startsWith(github.event.issue.title, '/claude ') || |
| 27 | + startsWith(github.event.issue.title, '/claude\n') || |
| 28 | + (github.event.issue.body && ( |
| 29 | + github.event.issue.body == '/claude' || |
| 30 | + startsWith(github.event.issue.body, '/claude ') || |
| 31 | + startsWith(github.event.issue.body, '/claude\n') |
| 32 | + )) |
| 33 | + )) |
| 34 | + ) |
| 35 | + runs-on: ubuntu-latest |
| 36 | + concurrency: |
| 37 | + group: claude-interactive-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }} |
| 38 | + cancel-in-progress: false |
| 39 | + permissions: |
| 40 | + contents: write |
| 41 | + pull-requests: write |
| 42 | + issues: write |
| 43 | + id-token: write |
| 44 | + actions: read |
| 45 | + |
| 46 | + steps: |
| 47 | + - name: Checkout repository |
| 48 | + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
| 49 | + with: |
| 50 | + fetch-depth: 0 |
| 51 | + |
| 52 | + - name: Run Claude Code |
| 53 | + id: claude |
| 54 | + uses: anthropics/claude-code-action@905d4eb99ab3d43143d74fb0dcae537f29ac330a # v1 |
| 55 | + with: |
| 56 | + claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
| 57 | + trigger_phrase: "/claude" |
| 58 | + |
| 59 | + additional_permissions: | |
| 60 | + actions: read |
| 61 | +
|
| 62 | + claude_args: | |
| 63 | + --model claude-opus-4-5-20251101 |
| 64 | + --max-turns 200 |
| 65 | + --system-prompt "You are an expert DevOps engineer working on a Helm charts repository for Kubernetes infrastructure. |
| 66 | +
|
| 67 | + ## Your Expertise |
| 68 | + - Helm chart best practices (templates, helpers, values, dependencies) |
| 69 | + - Kubernetes resources (Deployments, Services, ConfigMaps, Secrets, RBAC) |
| 70 | + - Security best practices (securityContext, NetworkPolicy, RBAC) |
| 71 | + - Observability (Prometheus, metrics, logging) |
| 72 | +
|
| 73 | + ## When Making Code Changes |
| 74 | + - Follow existing patterns in the repository |
| 75 | + - Use proper Helm templating syntax |
| 76 | + - Ensure backward compatibility |
| 77 | + - Add comments for complex logic" |
| 78 | + --allowed-tools "Bash(gh:*),Bash(helm:*),Bash(kubectl:*),Bash(git:*),Read,Glob,Grep,Write,Edit" |
| 79 | +
|
| 80 | + # ============================================================================= |
| 81 | + # Job: Claude Code Review (/claude-review) |
| 82 | + # ============================================================================= |
| 83 | + claude-review: |
| 84 | + name: Claude Code Review |
| 85 | + if: | |
| 86 | + github.actor == '0x666c6f' && ( |
| 87 | + (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '/claude-review')) || |
| 88 | + (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '/claude-review')) || |
| 89 | + (github.event_name == 'pull_request_review' && contains(github.event.review.body, '/claude-review')) |
| 90 | + ) |
| 91 | + runs-on: ubuntu-latest |
| 92 | + concurrency: |
| 93 | + group: claude-review-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }} |
| 94 | + cancel-in-progress: true |
| 95 | + permissions: |
| 96 | + contents: read |
| 97 | + pull-requests: write |
| 98 | + issues: write |
| 99 | + id-token: write |
| 100 | + actions: read |
| 101 | + |
| 102 | + env: |
| 103 | + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} |
| 104 | + HEAD_REPO: ${{ github.repository }} |
| 105 | + HEAD_SHA: ${{ github.sha }} |
| 106 | + |
| 107 | + steps: |
| 108 | + - name: Fetch PR metadata |
| 109 | + env: |
| 110 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 111 | + run: | |
| 112 | + pr_number="${PR_NUMBER}" |
| 113 | + pr_json="$(gh api repos/${{ github.repository }}/pulls/${pr_number})" |
| 114 | + head_repo="$(echo "$pr_json" | jq -r .head.repo.full_name)" |
| 115 | + head_sha="$(echo "$pr_json" | jq -r .head.sha)" |
| 116 | +
|
| 117 | + if [ "$head_repo" != "${{ github.repository }}" ]; then |
| 118 | + echo "PR from fork; skipping." |
| 119 | + echo "SKIP_WORKFLOW=true" >> "$GITHUB_ENV" |
| 120 | + exit 0 |
| 121 | + fi |
| 122 | +
|
| 123 | + echo "HEAD_REPO=$head_repo" >> "$GITHUB_ENV" |
| 124 | + echo "HEAD_SHA=$head_sha" >> "$GITHUB_ENV" |
| 125 | +
|
| 126 | + - name: Checkout PR head |
| 127 | + if: env.SKIP_WORKFLOW != 'true' |
| 128 | + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 |
| 129 | + with: |
| 130 | + repository: ${{ env.HEAD_REPO }} |
| 131 | + ref: ${{ env.HEAD_SHA }} |
| 132 | + fetch-depth: 0 |
| 133 | + |
| 134 | + - name: Setup Helm |
| 135 | + if: env.SKIP_WORKFLOW != 'true' |
| 136 | + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 |
| 137 | + with: |
| 138 | + version: v3.16.4 |
| 139 | + |
| 140 | + - name: Install kubeconform |
| 141 | + if: env.SKIP_WORKFLOW != 'true' |
| 142 | + run: | |
| 143 | + KUBECONFORM_VERSION=v0.6.1 |
| 144 | + KUBECONFORM_SHA256=7f84c1e4109fb72f151da41bdffea05e1e37591f179de51adc048c83533ad215 |
| 145 | + curl -fsSLo /tmp/kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" |
| 146 | + echo "${KUBECONFORM_SHA256} /tmp/kubeconform.tar.gz" | sha256sum -c - |
| 147 | + tar xzf /tmp/kubeconform.tar.gz |
| 148 | + sudo mv kubeconform /usr/local/bin/ |
| 149 | +
|
| 150 | + - name: Cache Helm dependencies |
| 151 | + if: env.SKIP_WORKFLOW != 'true' |
| 152 | + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 |
| 153 | + with: |
| 154 | + path: | |
| 155 | + ~/.cache/helm |
| 156 | + **/charts/*.tgz |
| 157 | + key: helm-deps-${{ hashFiles('**/Chart.lock') }} |
| 158 | + restore-keys: | |
| 159 | + helm-deps- |
| 160 | +
|
| 161 | + - name: Run Claude Code Review |
| 162 | + if: env.SKIP_WORKFLOW != 'true' |
| 163 | + id: claude-review |
| 164 | + uses: anthropics/claude-code-action@905d4eb99ab3d43143d74fb0dcae537f29ac330a # v1 |
| 165 | + with: |
| 166 | + claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
| 167 | + prompt: | |
| 168 | + ## Review Task |
| 169 | + Perform a code review on PR #${{ github.event.issue.number || github.event.pull_request.number }}. |
| 170 | +
|
| 171 | + Use `gh pr diff ${{ github.event.issue.number || github.event.pull_request.number }}` to see the changes, then use `gh pr view ${{ github.event.issue.number || github.event.pull_request.number }}` to get PR details. |
| 172 | +
|
| 173 | + ## Helm Charts Repository - Specialized Review Guidelines |
| 174 | +
|
| 175 | + This is a **Helm charts repository** for Kubernetes infrastructure. Apply these domain-specific checks: |
| 176 | +
|
| 177 | + ### Helm Chart Quality |
| 178 | + - **Chart.yaml**: Verify version bumps follow semver, dependencies are correct, apiVersion is v2 |
| 179 | + - **values.yaml**: Check for sensible defaults, proper structure, documented options |
| 180 | + - **templates/**: Validate helper usage, proper indentation, correct YAML generation |
| 181 | + - **Chart.lock**: Ensure dependencies are locked and up-to-date |
| 182 | +
|
| 183 | + ### Kubernetes Best Practices |
| 184 | + - **Resources**: Verify requests/limits are set appropriately |
| 185 | + - **Probes**: Check liveness/readiness probes are configured |
| 186 | + - **Security**: Ensure securityContext, runAsNonRoot, readOnlyRootFilesystem |
| 187 | + - **Labels**: Validate app.kubernetes.io/* standard labels |
| 188 | + - **PDB**: Check PodDisruptionBudget for HA deployments |
| 189 | +
|
| 190 | + ### Security Focus |
| 191 | + - **Secrets**: NO hardcoded credentials (use ExternalSecrets/Vault) |
| 192 | + - **Images**: No :latest tags, prefer digest pinning |
| 193 | + - **RBAC**: Minimal required permissions |
| 194 | + - **NetworkPolicy**: Proper network segmentation where needed |
| 195 | + - **ServiceAccount**: Dedicated accounts with minimal privileges |
| 196 | +
|
| 197 | + ### Review Output Format |
| 198 | + Categorize findings by severity prefix in your comments: |
| 199 | + - `[CRITICAL]`: Must fix before merge (security vulnerabilities, breaking changes) |
| 200 | + - `[HIGH]`: Should fix (best practice violations, potential issues) |
| 201 | + - `[MEDIUM]`: Consider fixing (improvements, minor issues) |
| 202 | + - `[LOW]`: Nice to have (style, documentation) |
| 203 | +
|
| 204 | + ### How to Post Your Review |
| 205 | + - Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues on specific lines |
| 206 | + - Use `gh pr comment` for top-level summary feedback |
| 207 | + - Only post GitHub comments - don't submit review text as messages |
| 208 | +
|
| 209 | + ### Validation Commands Available |
| 210 | + - `helm lint helm/charts/<name>` - Lint a chart |
| 211 | + - `helm template helm/charts/<name>` - Render templates |
| 212 | + - `helm template helm/charts/<name> | kubeconform --ignore-missing-schemas` - Validate rendered YAML |
| 213 | +
|
| 214 | + claude_args: | |
| 215 | + --model claude-opus-4-5-20251101 |
| 216 | + --max-turns 200 |
| 217 | + --allowed-tools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(helm lint:*),Bash(helm template:*),Bash(helm dependency:*),Bash(kubeconform:*),Read,Glob,Grep" |
0 commit comments