Merge pull request #81 from scality/setup/claude-code-review

nicolas2bert · web-flow · commit 68d98f097ea6 · 2026-02-27T09:19:44.000+01:00
Introduce claude code review workflow
diff --git a/.claude/skills/review-pr/SKILL.md b/.claude/skills/review-pr/SKILL.md
@@ -0,0 +1,135 @@
+---
+name: review-pr
+description: Review a PR on scality/workflows (reusable GitHub Actions workflows for the Scality org)
+argument-hint: <pr-number-or-url>
+disable-model-invocation: true
+allowed-tools: Bash(gh repo view *), Bash(gh pr view *), Bash(gh pr diff *), Bash(gh pr comment *), Bash(gh api *), Bash(git diff *), Bash(git log *), Bash(git show *)
+---
+
+# Review GitHub PR
+
+You are an expert code reviewer. Review this PR:
+
+## Determine PR target
+
+Parse `` to extract the repo and PR number:
+
+- If arguments contain `REPO:` and `PR_NUMBER:` (CI mode), use those values directly.
+- If the argument is a GitHub URL (starts with `https://github.com/`), extract `owner/repo` and the PR number from it.
+- If the argument is just a number, use the current repo from `gh repo view --json nameWithOwner -q .nameWithOwner`.
+
+## Output mode
+
+- **CI mode** (arguments contain `REPO:` and `PR_NUMBER:`): post inline comments and summary to GitHub.
+- **Local mode** (all other cases): output the review as text directly. Do NOT post anything to GitHub.
+
+## Repo context
+
+This is the **Scality reusable GitHub Actions workflows repository**. It provides standardized CI/CD workflow templates consumed by downstream Scality repos. It contains:
+
+- Reusable workflow definitions (`.github/workflows/*.yaml`) — Docker builds, Trivy scanning, LFS warnings, Claude code review
+- MkDocs Material documentation (`docs/`, `mkdocs.yml`)
+- Test fixtures (`tests/docker/`) — Dockerfiles used to validate workflows
+- Dependabot configuration for automated dependency updates
+- Python dependencies only for docs tooling (`requirements.txt`)
+
+PRs typically involve: workflow YAML changes, action version bumps (Dependabot), documentation updates, and test Dockerfile modifications.
+
+## Steps
+
+1. **Fetch PR details:**
+
+```bash
+gh pr view <number> --repo <owner/repo> --json title,body,headRefOid,author,files
+gh pr diff <number> --repo <owner/repo>
+```
+
+2. **Read changed files** to understand the full context around each change (not just the diff hunks).
+
+3. **Analyze the changes** against these criteria:
+
+| Area | What to check |
+|------|---------------|
+| Workflow syntax | Valid GitHub Actions YAML — correct `on` triggers, proper `uses` references, required `inputs`/`secrets` declarations, job dependency chains |
+| Action version pinning | Actions should pin to a specific major version tag (e.g., `@v6`), not `@main` or a full SHA without comment |
+| Secret exposure | No credentials, tokens, or keys in plain text; secrets passed only via `secrets:` blocks |
+| Permissions | Jobs use least-privilege `permissions:` — no unnecessary `write` scopes |
+| Breaking changes | Changes to workflow `inputs`, `secrets`, or `outputs` that would break downstream callers |
+| Backward compatibility | Renamed/removed inputs must have a migration path for consuming repos |
+| Docker best practices | Multi-stage builds, minimal base images, no unnecessary `RUN` layers, proper use of build cache |
+| Trivy/security scanning | Correct SARIF output, proper severity thresholds, rate-limiting mitigations |
+| Documentation sync | Workflow changes reflected in corresponding `docs/*.md` files |
+| MkDocs config | Valid `mkdocs.yml` navigation, no broken internal links |
+| Test coverage | New workflow features have corresponding test scenarios in `tests/` |
+| Security | OWASP-relevant issues — command injection in `run:` steps, untrusted input in expressions |
+
+4. **Deliver your review:**
+
+### If CI mode: post to GitHub
+
+#### Part A: Inline file comments
+
+For each specific issue, post a comment on the exact file and line:
+
+```bash
+gh api -X POST -H "Accept: application/vnd.github+json" "repos/<owner/repo>/pulls/<number>/comments" -f body="Your comment<br><br>— Claude Code" -f path="path/to/file" -F line=<line_number> -f side="RIGHT" -f commit_id="<headRefOid>"
+```
+
+**Never use newlines in bash commands** — use `<br>` for line breaks in comment bodies. The command must stay on a single line.
+
+Each inline comment must:
+- Be short and direct — say what's wrong, why it's wrong, and how to fix it in 1-3 sentences
+- No filler, no complex words, no long explanations
+- When the fix is a concrete line change (not architectural), include a GitHub suggestion block so the author can apply it in one click:
+  ````
+  ```suggestion
+  corrected-line-here
+  ```
+  ````
+  Only suggest when you can show the exact replacement. For architectural or design issues, just describe the problem.
+- Never put `<br>` inside code blocks or suggestion blocks — `<br>` renders as literal text in code. Use `<br>` only in regular comment text.
+- End with: `— Claude Code`
+
+Use the line number from the **new version** of the file (the line number you'd see after the PR is merged), which corresponds to the `line` parameter in the GitHub API.
+
+#### Part B: Summary comment
+
+```bash
+gh pr comment <number> --repo <owner/repo> --body "LGTM<br><br>Review by Claude Code"
+```
+
+**Never use newlines in bash commands** — use `<br>` for line breaks in comment bodies. The command must stay on a single line.
+
+Do not describe or summarize the PR. For each issue, state the problem on one line, then list one or more suggestions below it:
+
+```
+- <issue>
+  - <suggestion>
+  - <suggestion>
+```
+
+If no issues: just say "LGTM". End with: `Review by Claude Code`
+
+### If local mode: output the review as text
+
+Do NOT post anything to GitHub. Instead, output the review directly as text.
+
+For each issue found, output:
+
+```
+**<file_path>:<line_number>** — <what's wrong and how to fix it>
+```
+
+When the fix is a concrete line change, include a fenced code block showing the suggested replacement.
+
+At the end, output a summary section listing all issues. If no issues: just say "LGTM".
+
+End with: `Review by Claude Code`
+
+## What NOT to do
+
+- Do not comment on markdown formatting preferences
+- Do not suggest refactors unrelated to the PR's purpose
+- Do not praise code — only flag problems or stay silent
+- If no issues are found, post only a summary saying "LGTM"
+- Do not flag style issues already covered by the project's linter (eslint, biome, pylint, golangci-lint)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,51 @@
+name: Claude Code Review
+
+on:
+  workflow_call:
+    secrets:
+      GCP_WORKLOAD_IDENTITY_PROVIDER:
+        required: true
+        description: GCP Workload Identity Provider for Vertex AI
+      GCP_SERVICE_ACCOUNT:
+        required: true
+        description: GCP Service Account for Vertex AI
+      ANTHROPIC_VERTEX_PROJECT_ID:
+        required: true
+        description: GCP project ID for Vertex AI
+      CLOUD_ML_REGION:
+        required: true
+        description: GCP region for Vertex AI
+
+jobs:
+  claude-review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15  # adds cost protection
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write  # claude-code-action needs this to authenticate with GitHub
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Run Claude Code Review
+        id: claude-review
+        continue-on-error: true
+        uses: anthropics/claude-code-action@v1
+        with:
+          use_vertex: "true"
+          prompt: "/review-pr REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}"
+          claude_args: |
+            --allowedTools "Bash(git diff *)" "Bash(git log *)" "Bash(git show *)" "Bash(gh repo view *)" "Bash(gh pr view *)" "Bash(gh pr diff *)" "Bash(gh pr comment *)" "Bash(gh api *)"
+            --model "claude-opus-4-6"
+        env:
+          ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }}
+          CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }}
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -0,0 +1,14 @@
+name: Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  review:
+    uses: ./.github/workflows/claude-code-review.yml
+    secrets:
+      GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+      ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }}
+      CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }}
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,42 @@
+# CLAUDE.md
+
+## Project overview
+
+This is **scality/workflows**, a repository of reusable GitHub Actions workflows shared across the Scality organization. Downstream repos call these workflows via `workflow_call`.
+
+## Repository structure
+
+- `.github/workflows/` — Reusable workflow definitions (the core asset)
+- `docs/` — MkDocs Material documentation for each workflow
+- `tests/` — Dockerfiles used as fixtures to validate workflows on PR
+- `mkdocs.yml` — Documentation site configuration
+- `requirements.txt` — Python dependency for docs (`mkdocs-material`)
+
+## Workflows
+
+| File | Purpose |
+|------|---------|
+| `docker-build.yaml` | Build and push Docker images with Buildx, caching, multi-platform support |
+| `trivy.yaml` | Container vulnerability scanning, uploads SARIF to GitHub Security tab |
+| `lfs-warning.yaml` | Validates file sizes in PRs, warns about files not tracked by Git LFS |
+| `claude-code-review.yml` | AI-powered PR review via Vertex AI |
+
+## Conventions
+
+- Workflow files use `.yaml` extension (except `claude-code-review.yml`)
+- All workflows use `workflow_call` trigger with typed `inputs` and `secrets`
+- Secrets have sensible defaults where possible (e.g., `GITHUB_TOKEN` for registry auth)
+- Actions are pinned to major version tags (e.g., `@v6`, `@v3`)
+- `tests.yaml` calls all workflows locally (`./.github/workflows/...`) to validate on PR
+
+## Testing
+
+There is no test framework. Workflows are tested by `tests.yaml` which calls each reusable workflow with test fixtures from `tests/docker/`.
+
+## Documentation
+
+Documentation is built with MkDocs Material (`mkdocs build --strict`). When adding or modifying a workflow, update the corresponding page in `docs/`.
+
+## Downstream impact
+
+Changes to workflow `inputs`, `secrets`, or `outputs` can break consuming repos. Treat these as public API surfaces — avoid removing or renaming parameters without a migration path.
