feat(workflows): centralize Claude Code PR review via reusable workflow#1

Merged
brodkin merged 2 commits into main from ryan/dev-210-centralize-claude-code-pr-review-action-via-github-reusable on May 8, 2026
Conversation

@brodkin brodkin commented May 8, 2026


Summary

  • Adds reusable workflow at .github/workflows/claude-pr-review.yml (workflow_call) so every SpiceLabsHQ repo can opt into Claude PR review with a ~15-line caller. One prompt + one action invocation maintained centrally.
  • Two operating modes: auto-review on PR open / ready_for_review (read-only, picks one of approve / request-changes / comment+assign-reviewer) and on-demand via @claude comment mention (full read/write, scoped to the comment's request).
  • Per-repo .claude/pr-review-standards.md is substituted into the prompt's <project_specific_guidelines> block at workflow build time and overrides org defaults on conflict.
  • Approvals work because the workflow mints a GitHub App installation token (GITHUB_TOKEN cannot approve PRs). Linear issue verification via curl/GraphQL when LINEAR_API_KEY is set.

What's included

  • prompts/pr-review-default.md — XML-tagged prompt; audited by ai-prompt-engineer.
  • examples/caller-claude-pr-review.yml — drop-in template for callers.
  • scripts/rollout-claude-review.sh — gh-CLI rollout script (dry-run by default, --apply to open PRs).
  • README.md — full inputs / secrets / mode documentation.

Required org-level secrets (set before merging callers)

  • BEDROCK_ROLE_ARN
  • CLAUDE_REVIEW_APP_ID
  • CLAUDE_REVIEW_APP_PRIVATE_KEY
  • LINEAR_API_KEY (optional — enables Linear verification when present)

Tracking: DEV-210

Test plan

  • Provision GitHub App for org (scopes: contents:read, pull-requests:write, issues:read, actions:read), install on .github and the test repo
  • Set the four org-level secrets above
  • Tag this repo v1 after merge so callers can pin @v1
  • Replace the existing test repo's bespoke workflow with the caller skeleton; open a test PR and verify auto-review fires, picks an outcome, and applies a label
  • Comment @claude do something on the test PR and verify on-demand mode fires with edit/push capability
  • Verify Linear issue verification surfaces in the review for a PR whose branch matches [A-Z]+-\d+
  • Dry-run scripts/rollout-claude-review.sh and review the proposed targets before --apply
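The caller skeleton the description refers to, written out as an added example (this is not the repo's examples/caller-claude-pr-review.yml, which is not reproduced on this page). The reusable workflow's location in SpiceLabsHQ/.github and its secret names are assumed from the four org-level secrets listed above; the author-association gate on the on-demand path is an added hardening, not something the page says the project does.

```yaml
# Caller workflow placed in a SpiceLabsHQ repo as .github/workflows/claude-pr-review.yml.
# Added illustration; the called workflow's exact secret/input names are assumed.
name: Claude PR review

on:
  pull_request:
    types: [opened, ready_for_review]   # auto-review mode (read-only)
  issue_comment:
    types: [created]                    # on-demand mode via "@claude ..." comment

# A reusable workflow can only narrow what the calling job grants, never widen
# it. Every scope the called workflow needs must therefore be listed here;
# callers on this page grant exactly these two.
permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    # issue_comment also fires on plain issues and on every comment, so gate
    # the on-demand path: it must be a PR comment that mentions @claude. The
    # author_association check is an added guard: on-demand mode has full
    # read/write and can push, so a drive-by commenter must not trigger it.
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request &&
       contains(github.event.comment.body, '@claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                github.event.comment.author_association))
    uses: SpiceLabsHQ/.github/.github/workflows/claude-pr-review.yml@v1
    # Pass secrets explicitly rather than `secrets: inherit`, so the called
    # workflow sees only what it needs and nothing else the org has set.
    secrets:
      BEDROCK_ROLE_ARN: ${{ secrets.BEDROCK_ROLE_ARN }}
      CLAUDE_REVIEW_APP_ID: ${{ secrets.CLAUDE_REVIEW_APP_ID }}
      CLAUDE_REVIEW_APP_PRIVATE_KEY: ${{ secrets.CLAUDE_REVIEW_APP_PRIVATE_KEY }}
      LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}   # optional; empty if unset
```

Pinning to `@v1` matches the test plan above (tag after merge so callers can pin); a caller that wants a stronger guarantee than a movable tag can pin the full commit SHA instead.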

brodkin and others added 2 commits May 4, 2026 13:50
Adds project-scope opt-in for the spice-statusline@spice-labs plugin
from the SpiceLabsHQ internal marketplace. The plugin's SessionStart
hook deploys .claude/spice-statusline.js (gitignored — auto-regenerated
per machine).

Adds a reusable workflow that each SpiceLabsHQ repo can opt into with a
~15-line caller. Maintains one prompt, one action invocation, and one
set of design decisions for the whole org; each repo layers in its own
review standards via .claude/pr-review-standards.md.

Two modes:
- Auto-review (pull_request opened / ready_for_review): read-only,
  picks one of approve / request-changes / comment+assign-reviewer.
- On-demand (@claude mention in PR comment): full read/write,
  scoped to the comment's request.

Approvals use a GitHub App installation token because GITHUB_TOKEN
cannot approve PRs. Linear verification via curl/GraphQL when
LINEAR_API_KEY is set.

DEV-210
@brodkin brodkin merged commit bd2b023 into main May 8, 2026
brodkin added a commit that referenced this pull request May 9, 2026
…lts repo (#35)

Adds release-please self-management to SpiceLabsHQ/.github so this repo
gets versioned point releases (v0.1.0, v0.1.1, etc.) instead of the
current rolling-v1-tag manual moves.

What this adds
--------------
- .github/workflows/release-please-self.yml — caller workflow on push:main
  invoking SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1 with
  the Rosemary Releaser App secrets. The App identity ensures the release
  PR is authored by rosemary-releaser[bot] AND that tag pushes from the
  release PR merge can fire downstream workflows.
- .github/workflows/release-cascade-check.yml — no-op smoke test that fires
  on tag push and emits a notice with the actor identity. Lets us confirm
  end-to-end that tag-cascade auth chain is healthy.
- release-please-config.json — release-type: simple, single package at
  repo root, bootstrap-sha pinned to bce3abd so the first release window
  starts after PR #34 (the secret-rename) instead of scanning all history.
- .release-please-manifest.json — initial state {".": "0.0.0"}.
- version.txt — initial 0.0.0 placeholder that release-please will bump
  on each release (release-type: simple convention).

Smoke-test sequence after merge
-------------------------------
1. push:main fires release-please-self.yml
2. release-please scans commits since bootstrap-sha → finds this feat:
   commit → proposes a release PR for v0.1.0
3. The release PR is authored by rosemary-releaser[bot] (proof point #1)
4. Merging the release PR creates tag v0.1.0
5. The tag push fires release-cascade-check.yml (proof point #2)
6. Cascade check's notice should show actor=rosemary-releaser[bot]

Refs: DEV-225
brodkin added a commit that referenced this pull request Jun 6, 2026
… [DEV-404] (#47)

The reusable workflow declared `security-events: write` at the top level. A
reusable workflow that requests a permission scope the caller did not grant
fails at startup (zero jobs, before any step runs), so every existing caller
granting only `contents: read` + `pull-requests: write` got a startup_failure
on the new v1 — including KG-Power-BI PR #1. The `continue-on-error` on the
SARIF upload can't help because the run never starts.

Drop the top-level permissions block so the reusable workflow inherits the
calling job's permissions instead:
- contents: read — every caller grants it (checkout).
- security-events: write — optional; only opted-in callers get the SARIF
  upload (public repos), others no-op gracefully.

Backward compatible with all existing callers; no caller changes required.
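A sketch of the called side, added here to illustrate three points made on this page: the PR description's note that approvals need a GitHub App installation token because GITHUB_TOKEN cannot approve, the optional Linear lookup via curl/GraphQL when LINEAR_API_KEY is set, and the #47 fix of dropping the top-level permissions block so the jobs inherit the calling job's grant. This is example code, not the project's .github/workflows/claude-pr-review.yml: the `upload-sarif` input, the step names, the use of actions/create-github-app-token and the Linear query shape are all assumptions, and the Claude invocation itself is left out.

```yaml
# Illustrative reusable workflow (SpiceLabsHQ/.github/.github/workflows/claude-pr-review.yml).
# Added example; inputs, step names and the actions used are assumed.
name: Claude PR review (reusable)

on:
  workflow_call:
    inputs:
      upload-sarif:
        description: Upload review findings as SARIF (caller must grant security-events write)
        type: boolean
        default: false
    secrets:
      BEDROCK_ROLE_ARN:
        required: true
      CLAUDE_REVIEW_APP_ID:
        required: true
      CLAUDE_REVIEW_APP_PRIVATE_KEY:
        required: true
      LINEAR_API_KEY:
        required: false

# Deliberately no top-level `permissions:` block. Declaring a scope here that
# the caller did not grant (security-events: write, in #47) fails the run at
# startup with zero jobs, so no step-level continue-on-error can rescue it.
# With the block gone, each job runs with exactly the calling job's grant.

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Installation token for the review App. Its scopes come from the App
      # installation (pull-requests: write etc.), not from GITHUB_TOKEN, which
      # is why this identity can approve a PR and GITHUB_TOKEN cannot.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.CLAUDE_REVIEW_APP_ID }}
          private-key: ${{ secrets.CLAUDE_REVIEW_APP_PRIVATE_KEY }}

      # Optional Linear check: no-op unless LINEAR_API_KEY was passed and the
      # head branch carries an issue key. The test plan matches [A-Z]+-\d+;
      # matching case-insensitively here also covers lowercase branch names
      # like this PR's own (ryan/dev-210-...). Assumed query shape.
      - name: Look up Linear issue for the branch
        if: github.event_name == 'pull_request'
        env:
          LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
          BRANCH: ${{ github.head_ref }}
        run: |
          set -euo pipefail
          [ -n "${LINEAR_API_KEY}" ] || { echo "LINEAR_API_KEY unset; skipping"; exit 0; }
          key="$(printf '%s' "$BRANCH" | grep -oiE '[a-z]+-[0-9]+' | head -n1 \
                 | tr '[:lower:]' '[:upper:]' || true)"
          [ -n "$key" ] || { echo "no issue key in branch '$BRANCH'"; exit 0; }
          # Linear takes the raw API key in the Authorization header (no Bearer).
          curl -fsS https://api.linear.app/graphql \
            -H "Authorization: ${LINEAR_API_KEY}" \
            -H 'Content-Type: application/json' \
            --data "$(jq -cn --arg k "$key" \
              '{query: "query($id: String!) { issue(id: $id) { identifier title state { name } } }",
                variables: {id: $k}}')" \
            | jq . | tee linear-issue.json

      # ... Claude review step goes here (prompt and model call omitted). It
      # receives steps.app-token.outputs.token so approve / request-changes /
      # comment+assign-reviewer calls are made as the App, not as GITHUB_TOKEN.

      # Opt-in only: a caller that wants SARIF upload grants
      # security-events: write and sets upload-sarif: true; all other callers
      # skip this step and keep running with their existing two scopes.
      - name: Upload SARIF
        if: inputs.upload-sarif
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: review.sarif
```

The practical check when touching either side: run the caller with only `contents: read` and `pull-requests: write` and confirm the run actually starts; a startup_failure with zero jobs is the signature of the called workflow asking for a scope the caller never granted.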