From a48e7b603946b8a647204d7a1a20c85dad767b5d Mon Sep 17 00:00:00 2001
From: dkayiwa
Date: Mon, 4 May 2026 14:59:03 +0300
Subject: [PATCH 1/2] Add Claude PR review caller workflow (pilot)

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/claude-review.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/claude-review.yml

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
new file mode 100644
index 000000000..edc9e81cb
--- /dev/null
+++ b/.github/workflows/claude-review.yml
@@ -0,0 +1,20 @@
+name: Claude PR Review
+
+on:
+ pull_request:
+ types: [opened, ready_for_review, reopened]
+
+jobs:
+ review:
+ uses: openmrs/openmrs-contrib-gha-workflows/.github/workflows/claude-pr-review.yml@main
+ secrets:
+ ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+ with:
+ extra_instructions: |
+ This is the OpenMRS Reference Application distribution repository. Pay particular attention to:
+
+ - Module version bumps in distribution config: ensure version coherence across modules and that all referenced modules exist in the configured Maven/npm repos.
+ - Docker base-image pinning: pin to specific tags or digests, not :latest.
+ - Migration-path implications: if a module bump includes Liquibase changes, call out whether existing deployments will need data migration.
+ - Configuration files (content packages, frontend configs): flag inconsistencies between backend module versions and frontend ESM versions.
+ - Liquibase changesets, if any, must be append-only — never edit historical changeSet id/author.

From 2b7d894dca2f9289b964d4ad5d52291bcf59ade4 Mon Sep 17 00:00:00 2001
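Review bot: `uses: openmrs/openmrs-contrib-gha-workflows/.github/workflows/claude-pr-review.yml@main` hands this job's secret and token to whatever that branch holds at run time; pin the reusable workflow to a full commit SHA and note the tracked branch in a trailing comment, e.g. `uses: openmrs/openmrs-contrib-gha-workflows/.github/workflows/claude-pr-review.yml@<commit-sha>  # main`, and let Dependabot or Renovate move the pin. The same `uses:` line is unchanged context in the second patch, where the mutable ref matters more because the trigger becomes `pull_request_target`. The `extra_instructions` text asks reviewers to reject `:latest` images, so the workflow should hold itself to the same standard. If the repo runs yamllint on workflows, `on:` trips the `truthy` rule; add `# yamllint disable-line rule:truthy` above it.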
From: dkayiwa
Date: Mon, 4 May 2026 15:27:31 +0300
Subject: [PATCH 2/2] Switch to pull_request_target so fork PRs get reviewed

pull_request doesn't pass org/repo secrets to PRs from forks, so the Anthropic API key would be empty for the bulk of OpenMRS contributions.

pull_request_target runs the workflow YAML from the base branch with secrets available; the reusable workflow now explicitly checks out the PR head SHA. No step executes PR code, so the standard pull_request_target footgun doesn't apply.

Also declare permissions explicitly at the caller level so the reusable workflow's pull-requests:write / issues:write requests succeed regardless of repo default workflow permissions.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/claude-review.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index edc9e81cb..27ef88d1f 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -1,11 +1,15 @@
 name: Claude PR Review
 on:
- pull_request:
+ pull_request_target:
 types: [opened, ready_for_review, reopened]
 jobs:
 review:
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
 uses: openmrs/openmrs-contrib-gha-workflows/.github/workflows/claude-pr-review.yml@main
 secrets:
 ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
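Review bot: The safety argument in the description ("no step executes PR code") is a property of the callee, not of anything in this hunk, yet this file is what grants `ANTHROPIC_API_KEY`, `pull-requests: write` and `issues: write` to fork-authored events; that invariant should be recorded where the next editor of the `uses:` line will see it, e.g. above `uses:`: `# pull_request_target: base-branch YAML runs with secrets on fork PRs. The callee may read the PR head for review but must never build, install or execute it.` PR title, body and diff are attacker-controlled input to the model, so confirm the reusable workflow limits the write token to posting review comments and does not take actions based on instructions found in the PR text. `types` omits `synchronize`, so commits pushed after opening are not re-reviewed; the description does not say whether that is intended. Whether `contents: read` is enough for the callee's checkout of the head SHA can only be confirmed against the callee, which is outside this patch.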