-
Notifications
You must be signed in to change notification settings - Fork 56
80 lines (73 loc) · 3.35 KB
/
consumer-claude-code.yml
File metadata and controls
80 lines (73 loc) · 3.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
## Copyright (C) 2026 - 2026 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## AI-Assisted
## Managed by pkg_update_consumer_workflows. Byte-identical
## across consumers; this file is `cp`-ed from
## developer-meta-files/consumer-templates/.github/workflows/consumer-claude-code.yml.
## DO NOT hand-edit this file in the consumer repo - changes
## will be overwritten on the next propagation pass.
##
## Reusable docs:
## https://github.com/org-ai-assisted/developer-meta-files/blob/master/.github/workflows/reusable-claude-code-review.yml
name: Claude Code Review
on:
pull_request:
branches: [master]
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
workflow_dispatch:
permissions:
contents: read
## issue_comment / pull_request_review_comment fire with
## github.ref = default branch (NOT the PR head ref). Plain
## ${{ github.ref }} would queue unrelated PRs' comment-triggered
## runs into the same group. The PR/issue-number fallback chain
## isolates per-PR.
##
## Bot-vs-human split via the trailing actor-class suffix: when
## the Claude action posts a review comment, it does so as
## claude[bot], which fires this workflow again. Without the
## split, that bot-triggered run would land in the same
## concurrency group as the in-flight human @claude request, and
## 'cancel-in-progress: true' below would cancel the review
## mid-flight before any output reached the PR. The job-level
## 'if:' filter further down catches the bot run (claude[bot]'s
## own comment body does not contain '@claude'), but by then
## concurrency has already done the damage. GitHub's standard
## '[bot]' suffix on App accounts (claude[bot],
## github-advanced-security[bot], dependabot[bot], ...) lets a
## single endsWith() check isolate all bot-authored events into
## a separate group so they only cancel each other.
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}-${{ endsWith(github.actor, '[bot]') && 'bot' || 'human' }}
cancel-in-progress: true
jobs:
review:
## Pre-filter comment events for the '@claude' substring before
## the runner spins up. The reusable's job-level 'if:' enforces
## the same gate plus the allowed-users roster check, but doing
## the cheap substring test here too prevents a runner from
## starting (and stopping seconds later) for every unrelated
## comment on every issue/PR. pull_request and workflow_dispatch
## events pass through unconditionally.
if: |
github.event_name == 'pull_request' ||
github.event_name == 'workflow_dispatch' ||
(github.event_name == 'issue_comment'
&& contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment'
&& contains(github.event.comment.body, '@claude'))
uses: org-ai-assisted/developer-meta-files/.github/workflows/reusable-claude-code-review.yml@master
## Explicit secret forwarding (NOT 'secrets: inherit'). With
## inherit, every caller-side secret would flow into the
## reusable; the explicit map caps the reusable's secrets
## context to exactly ANTHROPIC_API_KEY.
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
permissions:
contents: read
pull-requests: write
issues: write
id-token: write