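name: AI Code Review

# NOTE(review): every `uses:` below is pinned to a mutable tag (@v1 … @v8).
# For supply-chain safety pin each action to a full commit SHA
# (uses: owner/repo@<commit-sha>  # vN) — the SHAs are not available here.
permissions:
  contents: read
  id-token: write  # required for the AWS OIDC federation in ai-review
  issues: write
  pull-requests: write

on:
  pull_request:
    types: [opened, review_requested]

jobs:
  get-commits:
    # This condition is an indicator that we are running in the context of a PR
    # owned by the kernel-patches org; vars.AWS_REGION doubles as an opt-in switch.
    if: ${{ github.repository == 'kernel-patches/bpf' && vars.AWS_REGION }}
    # This job only reads the PR tree, so it does not inherit the write scopes
    # granted at workflow level (least privilege).
    permissions:
      contents: read
    runs-on: [self-hosted, x86_64]
    continue-on-error: true
    outputs:
      commits: ${{ steps.get-commits.outputs.commits }}
    steps:
      - name: Download Linux source tree
        uses: libbpf/ci/get-linux-source@v3
        with:
          repo: ${{ github.event.pull_request.head.repo.clone_url }}
          rev: ${{ github.event.pull_request.head.sha }}
          dest: .kernel
        env:
          REFERENCE_REPO_PATH: /libbpfci/mirrors/linux
          FETCH_DEPTH: "100"
      # Get the list of commits and trigger a review job for each separate commit.
      # As a safeguard, check no more than the first 50 commits.
      # Deliberately no `shell: bash` here: that would enable pipefail, and
      # `head` closing the pipe early could then turn a long rev-list into a
      # failed step.
      - name: Get PR commits
        id: get-commits
        run: |
          cd .kernel
          # base/head SHAs come from the event payload as hex digests, so they are
          # safe to interpolate into the command line.
          git rev-list ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | head -n 50 > pr_commits.txt
          # Emit the SHAs as a JSON array (trailing empty element dropped) for the
          # ai-review matrix.
          echo "commits=$(jq -R -s -c 'split("\n")[:-1]' pr_commits.txt)" >> "$GITHUB_OUTPUT"

  ai-review:
    needs: get-commits
    runs-on: [self-hosted, x86_64]
    strategy:
      matrix:
        # One entry per commit SHA produced by get-commits.
        commit: ${{ fromJson(needs.get-commits.outputs.commits) }}
      fail-fast: false
    env:
      AWS_REGION: us-west-2
    steps:
      - name: Checkout CI code
        uses: actions/checkout@v5
        with:
          sparse-checkout: |
            .github
            ci
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.KP_REVIEW_BOT_APP_ID }}
          private-key: ${{ secrets.KP_REVIEW_BOT_APP_PRIVATE_KEY }}
      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_BEDROCK_ROLE }}
          # Single source of truth for the region: the job-level env above.
          aws-region: ${{ env.AWS_REGION }}
      - name: Set up .claude/settings.json
        shell: bash
        run: |
          mkdir -p ~/.claude
          cp ci/claude/settings.json ~/.claude/settings.json
      - name: Download Linux source tree
        uses: libbpf/ci/get-linux-source@v3
        with:
          repo: ${{ github.event.pull_request.head.repo.clone_url }}
          rev: ${{ github.event.pull_request.head.sha }}
          dest: .kernel
        env:
          REFERENCE_REPO_PATH: /libbpfci/mirrors/linux
          FETCH_DEPTH: "100"
      # This manipulation is necessary to make sure that
      # ${{ github.workspace }} is the root of the Linux git repo.
      # Note that it removes the CI checkout (.github, ci) made in the first step;
      # any ci/ path used after this point resolves inside the kernel tree.
      - name: Move linux source in place
        shell: bash
        run: |
          rm -rf .git .github ci
          cd .kernel
          mv -t .. $(ls -A)
          cd ..
          rmdir .kernel
      - name: Checkout target commit
        shell: bash
        run: |
          git checkout -b patch-series.local
          git checkout ${{ matrix.commit }}
      - name: Get patch subject
        id: get-patch-subject
        shell: bash
        run: |
          # %s folds the subject onto one line, so it cannot add extra key=value
          # lines to GITHUB_OUTPUT; downstream it is only ever passed via env.
          subject=$(git log -1 --pretty=format:"%s" ${{ matrix.commit }})
          echo "subject=$subject" >> "$GITHUB_OUTPUT"
      - name: Checkout prompts repo
        uses: actions/checkout@v5
        with:
          repository: 'masoncl/review-prompts'
          path: 'review'
      # The tree under review is PR-controlled content, so the agent runs on
      # untrusted input; its tool permissions come from the ci/claude/settings.json
      # copied above — confirm that file is restrictive.
      - uses: anthropics/claude-code-action@v1
        with:
          show_full_output: "true"
          github_token: ${{ steps.app-token.outputs.token }}
          use_bedrock: "true"
          claude_args: '--max-turns 100 --model us.anthropic.claude-opus-4-5-20251101-v1:0'
          prompt: |
            Current directory is the root of a Linux Kernel git repository.
            Read the prompt review/review-core.md
            Using the prompt, do a deep dive regression analysis of the HEAD commit.
            Use commit range ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} for the false-positive-guide.md section.
      # If Claude produced review-inline.txt then it found something:
      # post a comment on the PR and fail the job.
      - name: Check review-inline.txt
        id: check_review
        shell: bash
        run: |
          # The workspace is the PR's own tree, so a review-inline.txt that git
          # tracks came from the submitted patches, not from the reviewer. Only an
          # untracked, non-empty file counts as a finding, and only one path is
          # ever written to GITHUB_OUTPUT (a multi-line find result would not be
          # a valid single output value).
          review_file=""
          while IFS= read -r -d '' candidate; do
            if git ls-files --error-unmatch -- "$candidate" >/dev/null 2>&1; then
              echo "Ignoring tracked file: $candidate"
              continue
            fi
            if [ -s "$candidate" ]; then
              review_file="$candidate"
              break
            fi
          done < <(find "${{ github.workspace }}" -path '*/.git' -prune -o -type f -name review-inline.txt -print0)
          if [ -n "$review_file" ]; then
            cat "$review_file" || true
            echo "review_file=$review_file" >> "$GITHUB_OUTPUT"
          fi
      - name: Comment on PR
        if: steps.check_review.outputs.review_file != ''
        uses: actions/github-script@v8
        env:
          # Passed via env rather than interpolated into the script so the
          # PR-controlled subject and path cannot alter the JS source.
          REVIEW_FILE: ${{ steps.check_review.outputs.review_file }}
          PATCH_SUBJECT: ${{ steps.get-patch-subject.outputs.subject }}
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          # NOTE(review): ci/ here is the kernel tree's copy at matrix.commit (the
          # CI checkout was removed by "Move linux source in place") — confirm
          # that is intended.
          script: |
            const commentScript = require('./ci/claude/post-pr-comment.js');
            await commentScript({github, context});
      - name: Fail CI job if review file exists
        if: steps.check_review.outputs.review_file != ''
        run: |
          echo "Review file found - failing the CI job"
          exit 42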