ai integrations #11
cmungall
commented
Dec 13, 2025
- adding AI integrations
Pull request overview
This PR adds comprehensive AI integrations to enable multiple AI coding assistants (Claude Code, Dragon AI Agent, and GitHub Copilot) to work with the repository through GitHub Actions workflows and configuration files.
Key changes:
- Added justfile recipes for setting up AI-related symlinks, GitHub topics, and repository secrets
- Created GitHub Actions workflows for Claude Code, Dragon AI Agent, and automated code review/issue triage
- Added configuration files for Claude (.claude/settings.json, .claude/.mcp.json) and Copilot instructions
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| ai.just | Provides justfile recipes for AI setup tasks including symlink creation, GitHub configuration, and secret management |
| .github/workflows/dragon-ai.yml | Workflow to respond to @dragon-ai-agent mentions in issues/PRs with automated AI assistance |
| .github/workflows/claude.yml | Workflow to handle @claude mentions across issues, PRs, and comments |
| .github/workflows/claude-ontology-review.yml | Automated PR review workflow specifically for ontology file changes |
| .github/workflows/claude-issue-triage.yml | Workflow for automatic issue triage using Claude Code |
| .github/workflows/claude-issue-summarize.yml | Workflow for automatic issue summarization using Claude Code |
| .github/workflows/claude-code-review.yml | General-purpose automated PR code review workflow |
| .github/copilot-instructions.md | Instructions for AI assistants about repository structure and conventions |
| .github/actions/claude-issue-triage-action/action.yml | Updated to support Claude OAuth token authentication as optional |
| .github/actions/claude-issue-summarize-action/action.yml | Updated to support Claude OAuth token authentication as optional |
| .github/actions/claude-code-action/action.yml | Major changes to authentication handling, switching from CBORG to direct Anthropic/OAuth, and removed timeout enforcement |
| .claude/settings.json | Claude Code permissions configuration allowing various file operations |
| .claude/.mcp.json | Model Context Protocol server configuration for OLS and PubMed integrations |
| echo CLAUDE AUTH TOKEN IS NOT SET | ||
| else | ||
| echo CLAUDE AUTH TOKEN IS SET | ||
| export ANTHROPIC_API_KEY= |
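Review bot: `export ANTHROPIC_API_KEY=` on the last line is valid shell and exports the variable with an empty value, so it stays defined for everything started afterwards. If the intent in this branch is that only the OAuth token is used, `unset ANTHROPIC_API_KEY` states that directly and avoids a consumer treating an empty key as a configured one. The two `echo` lines print only a status string and not the token, which is what should stay in the log.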
Copilot
AI
Dec 13, 2025
The logic in this conditional check is inverted. The condition checks if the token is NOT empty (! -z means "not zero length"), but then echoes "IS NOT SET". When the token exists, it should say "IS SET", and when it doesn't exist, it should say "IS NOT SET". Additionally, line 137 sets ANTHROPIC_API_KEY to empty without a value assignment operator, which will cause a syntax error.
| echo CLAUDE AUTH TOKEN IS NOT SET | |
| else | |
| echo CLAUDE AUTH TOKEN IS SET | |
| export ANTHROPIC_API_KEY= | |
| echo CLAUDE AUTH TOKEN IS SET | |
| else | |
| echo CLAUDE AUTH TOKEN IS NOT SET | |
| export ANTHROPIC_API_KEY="" |
| id: claude-response | ||
| env: | ||
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
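Review bot: `GH_TOKEN` on the last line is the credential the agent step acts with, so the token's scope is the agent's scope. Keep it on `secrets.GITHUB_TOKEN` and grant what the step needs through an explicit `permissions:` block on the job that runs this step; if a personal access token turns out to be required, use a fine-grained one limited to this repository rather than a broadly scoped PAT.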
Copilot
AI
Dec 13, 2025
The workflow step uses GITHUB_TOKEN but line 151 sets GH_TOKEN to use PAT_FOR_PR. This inconsistency means the Claude Code execution will use the limited default GITHUB_TOKEN instead of the PAT, which may not have sufficient permissions to create PRs or perform other privileged operations that the PAT was intended to enable.
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_TOKEN: ${{ secrets.PAT_FOR_PR }} |
| @@ -0,0 +1,27 @@ | |||
| name: Claude Issue Triage | |||
| description: "Automatically triage GitHub issues using Claude Code" | |||
Copilot
AI
Dec 13, 2025
The 'description' field is not valid in GitHub Actions workflow syntax at the top level. This field should be removed as it's only valid within action.yml files, not workflow files.
| description: "Automatically triage GitHub issues using Claude Code" |
| # CLAUDE.md for | ||
|
|
||
| This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. |
Copilot
AI
Dec 13, 2025
The file is named "copilot-instructions.md" but the header says "CLAUDE.md for". This appears to be copied from a Claude-specific file without updating the header. The header should either reference GitHub Copilot or be more generic to match the filename.
| # CLAUDE.md for | |
| This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. | |
| # Copilot Instructions | |
| This file provides guidance to GitHub Copilot when working with code in this repository. |
| @@ -0,0 +1,22 @@ | |||
| # CLAUDE.md for | |||
|
|
|||
| This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. | |||
Copilot
AI
Dec 13, 2025
The file provides guidance for "Claude Code" but is placed in a file specifically named for GitHub Copilot instructions. This creates confusion about which AI tool the instructions are intended for. Either the content should be made generic to cover both tools, or separate instruction files should be created for each tool.
| else | ||
| # Run Claude Code and tee output to console and file | ||
| timeout $timeout_seconds claude \ | ||
| claude \ |
Copilot
AI
Dec 13, 2025
The timeout command has been removed from this line. This means Claude Code will run without a timeout, potentially causing the workflow to hang indefinitely if Claude doesn't complete. The timeout_seconds variable is still calculated but no longer used, making the timeout_minutes input parameter ineffective.
| setup-gh: gh-add-topics gh-add-secrets | ||
|
|
||
| gh-add-topics: | ||
| gh repo edit --add-topic "monarchinitiative,ai4curation" |
Copilot
AI
Dec 13, 2025
The command uses hardcoded topic values "monarchinitiative,ai4curation" without considering that this file may be copied to other repositories via the copier template. These topics are specific to the Monarch Initiative and may not be appropriate for all repositories using this template. Consider making these configurable or documenting that users should modify this line.
| gh repo edit --add-topic "monarchinitiative,ai4curation" | |
| # TODO: Set repository topics. Edit the 'topics' variable in your copier template context. | |
| gh repo edit --add-topic "{{ topics }}" |
| // Check if user is allowed and mention exists | ||
| const isAllowed = allowedUsers.includes(userLogin); | ||
| const mentionRegex = /@dragon-ai-agent\s+please\s+(.*)/i; |
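Review bot: `(.*)` in `mentionRegex` does not match line breaks, so only the rest of the line that contains the mention is captured and a multi-line request is cut to its first line with no signal to the user. The captured group is also free text from a comment: use it only when `isAllowed` is true, and hand it to later steps as data (an output read through `env:`), not by interpolating it into a `run:` script.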
Copilot
AI
Dec 13, 2025
The regex pattern uses a case-insensitive flag but requires the exact phrase "please" between the mention and the command. This creates a rigid user experience where users must remember to include "please" in their commands. Consider whether this politeness requirement is necessary, or if it should be made optional in the regex pattern.
| const mentionRegex = /@dragon-ai-agent\s+please\s+(.*)/i; | |
| const mentionRegex = /@dragon-ai-agent\s+(?:please\s+)?(.*)/i; |
| # Run Claude with proper permissions | ||
| claude -p "$(cat /tmp/claude-input/claude_prompt.txt)" \ | ||
| --permission-mode bypassPermissions \ |
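Review bot: `--permission-mode bypassPermissions` on the last line runs the agent with no tool restrictions on a prompt read from `/tmp/claude-input/claude_prompt.txt`, and the comment above it ("proper permissions") does not say so. For a non-interactive run, replace the flag with an explicit `--allowedTools` list limited to what this workflow needs, and correct the comment to describe what is actually granted.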
Copilot
AI
Dec 13, 2025
The Claude CLI is invoked with --permission-mode bypassPermissions, which disables all permission checks. This is a significant security risk as it allows the AI to execute any command without restrictions. This should be documented with clear warnings, and consideration should be given to using a more restrictive permission mode or at least limiting allowed tools.
| # Run Claude with proper permissions | |
| claude -p "$(cat /tmp/claude-input/claude_prompt.txt)" \ | |
| --permission-mode bypassPermissions \ | |
| # Run Claude with default (safer) permissions. | |
| # The --permission-mode bypassPermissions flag has been removed to avoid disabling all permission checks. | |
| claude -p "$(cat /tmp/claude-input/claude_prompt.txt)" \ |
| gh secret set "$secret_name" --body "${!gh_var}" | ||
| elif [ -n "${!plain_var:-}" ]; then | ||
| echo "Setting $secret_name from $plain_var" | ||
| gh secret set "$secret_name" --body "${!plain_var}" |
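Review bot: both `gh secret set` calls pass the value through `--body`, so the secret is part of the `gh` process's argument list for as long as the command runs. `gh secret set` reads the value from standard input when `--body` is omitted, so `printf '%s' "${!gh_var}" | gh secret set "$secret_name"` (and the same for `plain_var`) keeps it out of the arguments; `printf` is a shell builtin, so the value never appears in an exec'd command line.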
Copilot
AI
Dec 13, 2025
Using gh secret set with --body "${!gh_var}" and --body "${!plain_var}" passes secret values on the process command line, which can be read by other users on the same host via tools like ps or /proc/*/cmdline. This risks leaking highly sensitive tokens such as PAT_FOR_PR or API keys to local attackers or in multi-tenant CI environments. To avoid this, feed secret values to gh secret set via stdin or a file (or an environment variable only read internally) instead of including them as command-line arguments.
| gh secret set "$secret_name" --body "${!gh_var}" | |
| elif [ -n "${!plain_var:-}" ]; then | |
| echo "Setting $secret_name from $plain_var" | |
| gh secret set "$secret_name" --body "${!plain_var}" | |
| echo "${!gh_var}" | gh secret set "$secret_name" --body - | |
| elif [ -n "${!plain_var:-}" ]; then | |
| echo "Setting $secret_name from $plain_var" | |
| echo "${!plain_var}" | gh secret set "$secret_name" --body - |
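The argument-list exposure this last review comment describes, reproduced as an added example (not code from the PR or from the reviewer): a hypothetical `some-cli` stand-in receives a constructed placeholder secret once as an argument and once on standard input, and the script reports whether the value can be read back from the child's command line. It assumes a POSIX shell on a host with `/proc` or `ps`.

```shell
#!/bin/sh
# Added example. SECRET is a constructed placeholder, and "some-cli" is a
# hypothetical stand-in (a short sh script) for a tool such as gh.
SECRET='constructed-placeholder-token-123'

# Print a process's argument list as any other local process can read it.
read_cmdline() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# observe argv  -> secret passed as an argument (like --body "$value")
# observe stdin -> secret piped in on standard input
# Prints "exposed" if the secret is readable from the child's arguments.
observe() {
  if [ "$1" = argv ]; then
    sh -c 'sleep 3; :' some-cli --body "$SECRET" >/dev/null 2>&1 &
  else
    printf '%s' "$SECRET" |
      sh -c 'cat >/dev/null; sleep 3; :' some-cli >/dev/null 2>&1 &
  fi
  child=$!
  sleep 1                       # give the child time to exec
  seen=$(read_cmdline "$child" 2>/dev/null || true)
  kill "$child" 2>/dev/null || true
  wait "$child" 2>/dev/null || true
  case "$seen" in
    *"$SECRET"*) echo exposed ;;
    *)           echo hidden ;;
  esac
}

printf 'as argument: %s\n' "$(observe argv)"
printf 'on stdin:    %s\n' "$(observe stdin)"
```
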