Clean up GitHub Actions workflows #355
Implements complete GitHub Actions workflow for automated development tasks triggered by issue labels.

Features:
- Auto-fix workflow (amber:auto-fix) - formatting, linting, trivial fixes
- Refactoring workflow (amber:refactor) - break large files, extract patterns
- Test coverage workflow (amber:test-coverage) - add missing tests

Components:
- GitHub Actions workflow with security best practices
- Structured issue templates for guided UX
- Comprehensive documentation (quickstart + full guide)
- Configuration file with risk-based automation policies
- Workflow diagrams and architecture documentation

Security:
- No command injection (env var injection prevention)
- Minimal permissions (contents:write, issues:write, pull-requests:write)
- Token redaction in logs
- Branch protection (never pushes to main)

Documentation:
- docs/amber-quickstart.md - 5-minute setup guide
- docs/amber-automation.md - Complete 4,000+ word guide
- docs/diagrams/amber-workflow.md - Mermaid diagrams
- AMBER_SETUP.md - Setup checklist and testing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add pre-commit hook to prevent commits to main/master/production
- Add pre-push hook to prevent pushes to protected branches
- Add installation script with symlink support
- Auto-install hooks on 'make dev-start'
- Add comprehensive documentation
- Update CONTRIBUTING.md with hook setup instructions
This commit streamlines the GitHub Actions workflows by removing stale/broken workflows and adding the Amber issue handler automation.

Changes:
- Added amber-issue-handler.yml with security fixes
  - Uses anthropics/claude-code-action@v1 instead of non-existent CLI
  - Fixed command injection vulnerabilities with proper env vars
  - Removed hardcoded absolute paths
- Removed 4 stale/broken workflows:
  - ai-assessment-comment-labeler.yml (broken - missing Prompts directory)
  - auto-assign-todo.yml (duplicate functionality)
  - project-automation.yml (external org project dependency)
  - outcome-metrics.yml (outdated project structure)
- Updated .github/workflows/README.md with current workflow inventory
- Updated CLAUDE.md GitHub Actions section with reorganized workflow list

Final state: 12 active, well-maintained workflows
- 5 Core CI/CD workflows
- 4 Automation workflows (Claude + Amber)
- 2 Code quality workflows
- 3 Utility workflows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
```bash
# Check if changes were made
if git diff --quiet HEAD; then
  echo "No changes made by Amber"
  echo "has_changes=false" >> $GITHUB_OUTPUT
  exit 0
```
Check commits before skipping PR creation
The PR-creation step treats the run as having no changes because it checks git diff --quiet HEAD, which only compares the working tree to the current commit. After the Amber agent runs with auto_commit: true, any fixes are already committed, leaving the working tree clean and making this diff always empty even when new commits exist. As a result, successful Amber runs will exit here without creating a branch or PR, so the automated fixes never surface. Compare against the previous commit or remote (e.g., origin/main..HEAD) instead of HEAD to detect newly created commits.
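The failure mode Codex describes above can be reproduced in a throwaway repository. The following is an added example, not code from the PR or the Amber workflow: `make_fixture` builds a constructed repo with one base commit, a `base-ref` branch standing in for `origin/main`, and one auto-committed fix on top (what `auto_commit: true` leaves behind); `original_check` is the PR's condition and `change_kind` is a hypothetical replacement that also counts commits not reachable from the base ref.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): why `git diff --quiet HEAD` reports
# "no changes" after the agent has auto-committed, and a check that also
# detects new commits relative to a base ref.
set -eu

# Fixed identity so commits work in a clean environment (constructed).
export GIT_AUTHOR_NAME=amber GIT_AUTHOR_EMAIL=amber@example.invalid
export GIT_COMMITTER_NAME=amber GIT_COMMITTER_EMAIL=amber@example.invalid

# original_check: the PR's condition. Exit 0 means "No changes made by Amber".
# It only compares the working tree and index with HEAD, so once the fix
# has been committed it always succeeds.
original_check() {
  git diff --quiet HEAD --
}

# change_kind BASE: prints one of
#   uncommitted  - tracked or untracked edits not yet committed
#   new-commits  - clean tree, but HEAD has commits BASE does not
#   none         - nothing to turn into a branch/PR
change_kind() {
  local base="$1"
  if [ -n "$(git status --porcelain)" ]; then
    echo uncommitted
  elif [ "$(git rev-list --count "$base..HEAD")" -gt 0 ]; then
    echo new-commits
  else
    echo none
  fi
}

# make_fixture DIR: base commit, a base-ref branch (stand-in for origin/main),
# then one "Amber" commit on top, as auto_commit: true would leave it.
make_fixture() {
  local dir="$1"
  git -c init.defaultBranch=main init -q "$dir"
  cd "$dir"
  git commit -q --allow-empty -m "base"
  git branch base-ref
  echo "fixed" > src.txt
  git add src.txt
  git commit -q -m "Amber: auto-fix"
}

demo() {
  make_fixture "$(mktemp -d)"
  if original_check; then
    echo "original check: no changes (wrong: the fix is already committed)"
  fi
  echo "change_kind base-ref: $(change_kind base-ref)"   # new-commits
}
demo
```

In the workflow the base would be `origin/main` (or `origin/$GITHUB_REF_NAME` after a fetch); `git rev-list --count origin/main..HEAD` is the same comparison Codex suggests, and the `uncommitted` branch covers an agent run with `auto_commit` turned off.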
**Claude Code Review**

**Summary**

This PR introduces the Amber background agent automation system and adds git hooks for branch protection while cleaning up legacy GitHub Actions workflows. The implementation is well-documented and follows security best practices for preventing command injection vulnerabilities. However, there are several critical issues that must be addressed before merging.

Overall Assessment: Requires Changes - The concept and documentation are excellent, but the workflow implementation has fundamental issues that will prevent it from working correctly.

**Issues by Severity**

Blocker Issues

1. Non-Existent GitHub Action Referenced

The workflow references anthropics/claude-code-action@v1 which does not exist in the Anthropic GitHub organization. The workflow will fail immediately when triggered.

Impact: The entire Amber automation system is non-functional.

Required Fix: Replace with an actual implementation using the official anthropics/anthropic-sdk-python package directly or a Docker container with Claude Code CLI.

2. Critical Logic Error in Workflow Trigger

When triggered by issue_comment.created, github.event.label.name will be null. When triggered by issues.labeled, github.event.comment.body will be null.

Required Fix: Use github.event_name to distinguish between event types and check the appropriate fields for each.

3. Environment Variable Substitution Not Working

The heredoc uses single quotes which prevents bash variable expansion. The prompt will contain literal strings like ISSUE_NUMBER instead of actual values.

Required Fix: Use double quotes for heredoc OR properly configure envsubst with exported variables.

Critical Issues

4. Missing Error Handling for No Changes

This exits successfully, but the subsequent gh pr create command will still execute and fail.

Required Fix: Split into separate step with conditional execution.

5. Race Condition in PR Number Retrieval

The PR may not be immediately available due to API propagation delays.

Required Fix: Capture PR number directly from gh pr create output.

Major Issues

6. Git Hooks Use Python Without Validation

Recommendation: Add Python 3 availability check to scripts/install-git-hooks.sh.

7. Amber Config File is Documentation Only

Recommendation: Add comment clarifying this is documentation-only.

8. Missing ANTHROPIC_API_KEY Validation

Recommendation: Add validation step before Claude Code execution.

**Positive Highlights**

✅ Excellent Security Practices: Command injection prevention using environment variables throughout

**Recommendations**

Priority 1 (Must Fix Before Merge)

Priority 2 (Should Fix Before Merge)

**Conclusion**

This PR represents significant value - the Amber automation concept is innovative, the documentation is thorough, and the security practices are exemplary. However, the workflow implementation has fundamental issues that prevent it from functioning.

Recommendation: Request Changes - Fix the blocker issues before merging. The git hooks portion could be split into a separate PR and merged immediately.

Estimated Time to Fix: 4-6 hours for Priority 1 items
This PR streamlines the GitHub Actions workflows by removing stale/broken workflows and adding the Amber issue handler automation.

**Added Workflows (1)**
- `amber-issue-handler.yml` - Amber background agent for automated fixes via issue labels
  - Fixed security vulnerabilities (command injection prevention)
  - Uses official `anthropics/claude-code-action@v1`
  - Removed hardcoded paths
  - Full documentation in `.github/workflows/README.md`

**Removed Workflows (4)**
- `ai-assessment-comment-labeler.yml` - Broken (missing Prompts directory)
- `auto-assign-todo.yml` - Duplicate functionality
- `project-automation.yml` - External org project dependency
- `outcome-metrics.yml` - Outdated project structure

**Documentation Updates**
- Updated `.github/workflows/README.md` with complete workflow inventory
- Updated `CLAUDE.md` GitHub Actions section with categorized workflow list

**12 Active Workflows** (down from 16):
- 4 Automation workflows: Amber (2) + Claude (2)
- 5 Core CI/CD workflows: Build, deploy, test, lint
- 3 Utility workflows: Docs, dependabot, local dev

**Test Plan**
- [x] All remaining workflows have valid YAML syntax
- [x] Documentation updated and accurate
- [x] amber-issue-handler.yml follows security best practices
- [x] No command injection vulnerabilities (all user input via env vars)
- [x] Secrets properly documented in README

**Security Review**

**Command Injection Prevention**: All workflows using user-provided input (issue titles, bodies, comments) now use environment variables instead of direct string interpolation.
**Before (vulnerable)**:
```yaml
run: echo "${{ github.event.issue.title }}"
```
**After (secure)**:
```yaml
env:
ISSUE_TITLE: ${{ github.event.issue.title }}
run: echo "$ISSUE_TITLE"
```
---
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude <noreply@anthropic.com>
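Both the expression-interpolation injection described in the Security Review above and the heredoc quoting problem raised in the Claude Code review (issue 3) can be reproduced in plain bash. The following is an added example, not code from the PR: the issue title is a constructed sample, and `render_vulnerable` / `render_safe` are hypothetical helpers that model how the runner substitutes `${{ ... }}` into the step script as text before bash parses it, versus passing the value through `env:`.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR. Models the two patterns in the PR's
# Security Review and the single-quoted heredoc from the Claude review.
set -eu

# Constructed attacker-controlled issue title. The embedded double quote
# closes the string the template put it in; the rest is parsed as commands.
SAMPLE_TITLE='Fix typo"; echo INJECTED; echo "'

# Vulnerable pattern:  run: echo "${{ github.event.issue.title }}"
# GitHub expands the expression into the script text, so we do the same
# with printf and then hand the result to bash exactly as the runner would.
render_vulnerable() {
  local script
  script=$(printf 'echo "%s"' "$1")
  bash -c "$script"
}

# Hardened pattern:  env: ISSUE_TITLE: ${{ github.event.issue.title }}
#                    run: echo "$ISSUE_TITLE"
# The value reaches bash only as an environment variable; the script text
# is a constant, so quotes or semicolons in the title are just data.
render_safe() {
  ISSUE_TITLE="$1" bash -c 'echo "$ISSUE_TITLE"'
}

# Heredoc quoting (Claude review, issue 3). A quoted delimiter turns off
# parameter expansion, so the prompt carries the literal text $ISSUE_NUMBER.
ISSUE_NUMBER=355
prompt_quoted_delim() {
  cat <<'EOF'
Work on issue #$ISSUE_NUMBER
EOF
}
# Unquoted delimiter: the variable is expanded when the heredoc is read.
prompt_unquoted_delim() {
  cat <<EOF
Work on issue #$ISSUE_NUMBER
EOF
}

demo() {
  echo "vulnerable:";        render_vulnerable "$SAMPLE_TITLE"   # 3 lines, incl. INJECTED
  echo "safe:";              render_safe "$SAMPLE_TITLE"         # the title, unchanged
  echo "quoted heredoc:";    prompt_quoted_delim                 # literal $ISSUE_NUMBER
  echo "unquoted heredoc:";  prompt_unquoted_delim               # 355
}
demo
```

The same rule applies to the prompt: if user-controlled text such as the issue body is needed inside a heredoc, pass it through `env:` and expand a variable with an unquoted delimiter (or use `envsubst` on exported variables, as the review suggests); never interpolate `${{ }}` directly into the heredoc body.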