feat(workflows): centralize Claude Code PR review via reusable workflow #1
Merged
brodkin merged 2 commits, May 8, 2026
Conversation
Adds project-scope opt-in for the spice-statusline@spice-labs plugin from the SpiceLabsHQ internal marketplace. The plugin's SessionStart hook deploys .claude/spice-statusline.js (gitignored — auto-regenerated per machine).
Adds a reusable workflow that each SpiceLabsHQ repo can opt into with a ~15-line caller. Maintains one prompt, one action invocation, and one set of design decisions for the whole org; each repo layers in its own review standards via .claude/pr-review-standards.md.

Two modes:
- Auto-review (pull_request opened / ready_for_review): read-only, picks one of approve / request-changes / comment+assign-reviewer.
- On-demand (@claude mention in PR comment): full read/write, scoped to the comment's request.

Approvals use a GitHub App installation token because GITHUB_TOKEN cannot approve PRs. Linear verification via curl/GraphQL when LINEAR_API_KEY is set.

DEV-210
brodkin added a commit that referenced this pull request on May 9, 2026:
…lts repo (#35)

Adds release-please self-management to SpiceLabsHQ/.github so this repo gets versioned point releases (v0.1.0, v0.1.1, etc.) instead of the current rolling-v1-tag manual moves.

What this adds
--------------
- .github/workflows/release-please-self.yml — caller workflow on push:main invoking SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1 with the Rosemary Releaser App secrets. The App identity ensures the release PR is authored by rosemary-releaser[bot] AND that tag pushes from the release PR merge can fire downstream workflows.
- .github/workflows/release-cascade-check.yml — no-op smoke test that fires on tag push and emits a notice with the actor identity. Lets us confirm end-to-end that the tag-cascade auth chain is healthy.
- release-please-config.json — release-type: simple, single package at repo root, bootstrap-sha pinned to bce3abd so the first release window starts after PR #34 (the secret-rename) instead of scanning all history.
- .release-please-manifest.json — initial state {".": "0.0.0"}.
- version.txt — initial 0.0.0 placeholder that release-please will bump on each release (release-type: simple convention).

Smoke-test sequence after merge
-------------------------------
1. push:main fires release-please-self.yml
2. release-please scans commits since bootstrap-sha → finds this feat: commit → proposes a release PR for v0.1.0
3. The release PR is authored by rosemary-releaser[bot] (proof point #1)
4. Merging the release PR creates tag v0.1.0
5. The tag push fires release-cascade-check.yml (proof point #2)
6. Cascade check's notice should show actor=rosemary-releaser[bot]

Refs: DEV-225
This was referenced Jun 6, 2026
brodkin added a commit that referenced this pull request on Jun 6, 2026:
… [DEV-404] (#47)

The reusable workflow declared `security-events: write` at the top level. A reusable workflow that requests a permission scope the caller did not grant fails at startup (zero jobs, before any step runs), so every existing caller granting only `contents: read` + `pull-requests: write` got a startup_failure on the new v1 — including KG-Power-BI PR #1. The `continue-on-error` on the SARIF upload can't help because the run never starts.

Drop the top-level permissions block so the reusable workflow inherits the calling job's permissions instead:
- contents: read — every caller grants it (checkout).
- security-events: write — optional; only opted-in callers get the SARIF upload (public repos), others no-op gracefully.

Backward compatible with all existing callers; no caller changes required.
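An added caller example (not the repository's own examples/caller-claude-pr-review.yml) showing the shape of the ~15-line opt-in described in this PR and the permission model the commit above settles on: the reusable workflow inherits the calling job's grants, so a repo that wants the SARIF upload adds `security-events: write` itself and every other repo stays at the minimum. Assumptions: the reusable workflow takes no required inputs, and secrets are passed explicitly under the names listed in this PR.

```yaml
# Added example caller, not the project's template. Assumes the reusable
# workflow has no required inputs and reads the org secrets by these names.
name: Claude PR Review

on:
  pull_request:
    types: [opened, ready_for_review]   # auto-review mode
  issue_comment:
    types: [created]                    # on-demand mode (@claude mention)

# No top-level permissions block: the reusable workflow inherits whatever
# the calling job grants, so the grants live on the job below.
jobs:
  review:
    # issue_comment also fires for plain issues; only run for PR comments
    # that actually mention @claude, so the on-demand mode is opt-in per comment.
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, '@claude'))
    permissions:
      contents: read            # checkout of the PR head
      pull-requests: write      # review comments, request-changes, reviewer assignment
      # security-events: write  # opt in here (public repos) to enable the SARIF upload;
      #                          # leaving it out makes that step a graceful no-op
    uses: SpiceLabsHQ/.github/.github/workflows/claude-pr-review.yml@v1
    secrets:
      BEDROCK_ROLE_ARN: ${{ secrets.BEDROCK_ROLE_ARN }}
      CLAUDE_REVIEW_APP_ID: ${{ secrets.CLAUDE_REVIEW_APP_ID }}
      CLAUDE_REVIEW_APP_PRIVATE_KEY: ${{ secrets.CLAUDE_REVIEW_APP_PRIVATE_KEY }}
      LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}   # optional; enables Linear verification
```

Requesting a scope the caller never granted fails the run before any job starts, so the check for a new opt-in is simply that the caller's `permissions` lists every scope the reusable workflow actually uses.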
Summary
- `.github/workflows/claude-pr-review.yml` (workflow_call) so every SpiceLabsHQ repo can opt into Claude PR review with a ~15-line caller. One prompt + one action invocation maintained centrally.
- On-demand mode via `@claude` comment mention (full read/write, scoped to the comment's request).
- `.claude/pr-review-standards.md` is substituted into the prompt's `<project_specific_guidelines>` block at workflow build time and overrides org defaults on conflict.
- Linear verification when `LINEAR_API_KEY` is set.

What's included
- `prompts/pr-review-default.md` — XML-tagged prompt; audited by ai-prompt-engineer.
- `examples/caller-claude-pr-review.yml` — drop-in template for callers.
- `scripts/rollout-claude-review.sh` — gh-CLI rollout script (dry-run by default, `--apply` to open PRs).
- `README.md` — full inputs / secrets / mode documentation.

Required org-level secrets (set before merging callers)
- `BEDROCK_ROLE_ARN`
- `CLAUDE_REVIEW_APP_ID`
- `CLAUDE_REVIEW_APP_PRIVATE_KEY`
- `LINEAR_API_KEY` (optional — enables Linear verification when present)

Tracking: DEV-210

Test plan
- […] `.github` and the test repo
- […] `v1` after merge so callers can pin `@v1`
- Comment `@claude do something` on the test PR and verify on-demand mode fires with edit/push capability
- […] `[A-Z]+-\d+`
- Run `scripts/rollout-claude-review.sh` and review the proposed targets before `--apply`