diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 0000000..18382f5
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,60 @@
+# Claude Code Assistant Workflow
+#
+# Responds to @claude mentions in issues, pull requests, and review comments.
+#
+# Documentation:
+# - Setup and configuration:
+# - Automation patterns:
+# - Custom automations:
+# - FAQ and troubleshooting:
+#
+# Examples of Claude in action:
+# -
+# -
+
+name: Claude Code
+
+on:
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ issues:
+ types: [opened, assigned]
+ pull_request_review:
+ types: [submitted]
+
+jobs:
+ claude:
+ if: |
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # Needed for Claude to commit code changes and documentation updates
+ pull-requests: write # Needed for Claude to create and update pull requests
+ issues: write # Needed for Claude to create and update issues
+ id-token: write
+ actions: read # Required for Claude to read CI results on PRs
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Run Claude Code
+ id: claude
+ uses: anthropics/claude-code-action@v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+ # This is an optional setting that allows Claude to read CI results on PRs
+ additional_permissions: |
+ actions: read
+
+ # Enable web research tools for documentation and best practices
+ # Go tooling allows Claude to run tests, build, format, and analyze Go code
+ # See https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+ claude_args: |
+ --allowedTools "Bash(go:*)"
+ --allowedTools "WebSearch,WebFetch"
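Review bot: The job's `if:` condition gates only on the literal `@claude` appearing in a comment, review or issue body, while the job carries `contents: write`, `pull-requests: write`, `issues: write` and `id-token: write`, so on a public repository any account able to comment can start a write-capable run unless claude-code-action enforces its own author check, which is not visible here. Each of these event payloads carries an `author_association` field, and the rewritten condition below requires it to be OWNER, MEMBER or COLLABORATOR before the existing mention test is evaluated. `id-token: write` is also the only permission without a why-comment; `# Needed for claude-code-action to obtain a GitHub app token (see dependabot-automerge.yml)` would match the style of the others. Because `WebFetch` and `WebSearch` are enabled alongside those write scopes, content fetched from the web during a run becomes part of the model's instruction stream, which is worth recording in the header comment as a known risk.
```yaml
  claude:
    if: |
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association || github.event.review.author_association || github.event.issue.author_association) &&
      ((github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))))
    # … unchanged: runs-on, permissions, steps …
```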
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index fd66959..dc8a8c4 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -1,19 +1,35 @@ # Dependabot Auto-merge Workflow # -# Patch updates auto-merge after CI passes. Minor and major updates -# require human review until LLM-assisted review is available (#5). +# Patch and minor updates enable auto-merge; major updates require human merge: +# - Patch: auto-approved (low-risk) +# - Minor: Claude reviews, approves if acceptable +# - Major: Claude advises, human must approve and merge # -# Squash commits default to using the PR description as body, but -# Dependabot PRs include lengthy changelogs and compatibility notes. -# The merge step overrides the body to keep commit messages clean. +# ┌────────────────────────────────────────────────────────────────────┐ +# │ Review & Merge │ +# ├────────────────────────────────────────────────────────────────────┤ +# │ 1. Fetch metadata │ +# │ 2. Auto-approve patch ──────────────────────> 5. Auto-merge patch │ +# │ 3. Claude review minor ─────────────────────> 6. Auto-merge minor │ +# │ 4. Claude review major ─────────────────────> (human merge) │ +# └────────────────────────────────────────────────────────────────────┘ +# +# Squash commits default to using the PR description as body, but Dependabot +# PRs include lengthy changelogs and compatibility notes. Each step overrides +# the body to keep commit messages clean. -name: "🤖 Dependabot" +name: "🤖 ClauDependabot" on: + # Using pull_request (not pull_request_target) because the OIDC approach for + # GitHub app impersonation does not appear to work with Dependabot PRs. + # See: https://github.com/anthropics/claude-code-action/issues/713 + # + # This means Claude jobs will fail if Dependabot updates this file itself, + # but we've minimized actions here to reduce that risk. pull_request: - branches: [main] - # Path filter avoids creating workflow runs for unrelated PRs while - # still catching all Dependabot updates (Go modules and Actions). 
+ # Path filter avoids creating workflow runs for unrelated PRs while still + # catching all Dependabot updates (Go modules and GitHub Actions). paths: - "go.mod" - "go.sum" @@ -22,9 +38,10 @@ on: permissions: contents: write # Required by: gh pr merge --auto pull-requests: write # Required by: gh pr review --approve + id-token: write # Required for Claude to generate GitHub app tokens jobs: - automerge: + mergeview: name: Review & Merge runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' 
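Review bot: The `branches: [main]` filter is dropped from the `pull_request` trigger with no comment explaining why, so the review-and-merge job now runs for Dependabot PRs against any base branch, and the `--auto` merge steps further down will enable merge on them too. If that is intended (for example because Dependabot is configured with a non-default `target-branch`), a one-line comment next to `pull_request:` such as `# No branch filter: Dependabot may target branches other than main` would record it; otherwise the line should be restored. The new trigger comment also states that the OIDC app-token approach does not work for Dependabot PRs, while the next hunk adds `id-token: write` described as required for exactly that purpose; the two comments should agree on which token mechanism the Claude steps actually rely on.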
@@ -43,16 +60,75 @@ jobs: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # TODO(#5): Review minor updates with Claude before auto-merging. - # Once the Claude Code workflow lands, add a step here that uses - # claude-code-action to review the diff and approve if acceptable, - # followed by an auto-merge step gated on the same condition. + - name: Checkout for review + uses: actions/checkout@v6 + + - name: Review minor + if: steps.metadata.outputs.update-type == 'version-update:semver-minor' + uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + allowed_bots: dependabot + prompt: | + This is a Dependabot PR for a minor version update. + + Package ecosystem: ${{ steps.metadata.outputs.package-ecosystem }} + Dependency: ${{ steps.metadata.outputs.dependency-names }} + Update: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }} + PR: ${{ github.event.pull_request.html_url }} + + Use `gh pr diff` and `gh pr view` to review the changes. + + Minor updates should be backwards-compatible. However, for v0.x + dependencies, minor bumps may contain breaking changes per semver. + Review those with extra caution. + + If the changes look reasonable, approve the PR with a message that + includes your model identifier (e.g. "Reviewed by claude-sonnet-4-20250514"). 
+ + Use: gh pr review --approve --body "your message" + claude_args: | + --allowedTools "Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*)" + --allowedTools "Bash(gh issue:*),Bash(gh search:*),Bash(gh run:*),Bash(gh workflow:*),Bash(gh release:*)" + --allowedTools "Bash(go:*),WebFetch,WebSearch" + --max-turns 25 + + - name: Review major + if: steps.metadata.outputs.update-type == 'version-update:semver-major' + uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + allowed_bots: dependabot + prompt: | + This is a Dependabot PR for a MAJOR version update. + + Package ecosystem: ${{ steps.metadata.outputs.package-ecosystem }} + Dependency: ${{ steps.metadata.outputs.dependency-names }} + Update: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }} + PR: ${{ github.event.pull_request.html_url }} + + Use `gh pr diff` and `gh pr view` to review the changes. - # TODO(#5): Analyze major updates with Claude, require human merge. - # Major updates may contain breaking changes. The planned step uses - # claude-code-action to post a review comment with migration notes - # and risk analysis, but does not approve or merge. A human reads - # the analysis and decides whether to proceed. + Major updates may have breaking changes. Please: + + 1. Fetch the dependency's release page and CHANGELOG to understand what changed + 2. Check the README for migration guides + 3. Review the codebase for usages of this dependency + 4. If changes are needed, comment on the PR with suggested fixes + + For github_actions ecosystem specifically: + - Review the workflow files in .github/workflows/ that use this action + - Check for deprecated inputs, outputs, or runner requirements + + Do NOT approve, merge, or push commits to this PR. + Use `gh pr review --comment` to post your analysis and any suggested code changes. 
+ IMPORTANT: Place all parameters AFTER --comment (e.g., `gh pr review --comment --body "..." `). + claude_args: | + --allowedTools "Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review --comment:*),Bash(gh pr review -c:*)" + --allowedTools "Bash(gh issue:*),Bash(gh search:*),Bash(gh run:*),Bash(gh workflow:*),Bash(gh release:*)" + --allowedTools "Bash(go:*),WebFetch,WebSearch" + --disallowedTools "Bash(gh pr review --approve:*),Bash(gh pr review -a:*)" + --max-turns 50 - name: Auto-merge patch if: steps.metadata.outputs.update-type == 'version-update:semver-patch' @@ -65,3 +141,14 @@ jobs: changes carry minimal risk of breaking existing functionality. Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}% + + - name: Auto-merge minor + if: steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: gh pr merge --auto --squash "$PR_URL" --body "$BODY" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BODY: | + This minor update was reviewed by Claude before merging. + + Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}%
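Review bot: Both the `Review minor` and `Review major` steps allow `Bash(gh issue:*)`, `Bash(gh run:*)`, `Bash(gh workflow:*)` and `Bash(gh release:*)`, which admit write subcommands such as `gh release create`, `gh run rerun` and `gh workflow run`, although the prompts only ask Claude to read issues, runs, workflows and releases; narrowing both `claude_args` lines to `--allowedTools "Bash(gh issue view:*),Bash(gh issue list:*),Bash(gh run view:*),Bash(gh run list:*),Bash(gh workflow view:*),Bash(gh workflow list:*),Bash(gh release view:*),Bash(gh release list:*)"` keeps the allow-list at least-privilege regardless of what scope the token given to `gh` turns out to have. The release pages, changelogs and diffs Claude is told to fetch are third-party text entering the context of a step that, in the minor case, is permitted to run `gh pr review --approve`, which is why the tool list and the downstream merge gating both matter. Separately, since this job runs on `pull_request` for `dependabot[bot]`, GitHub's rules for Dependabot-triggered runs (as I understand them) resolve `secrets.ANTHROPIC_API_KEY` from the repository's Dependabot secrets rather than its Actions secrets, so a comment on the `anthropic_api_key:` lines like `# Must be stored as a Dependabot secret, not an Actions secret` would prevent a confusing empty-key failure. The `mergeview` job and the `metadata` step these conditions reference begin before this hunk.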
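Review bot: The new `Auto-merge minor` step enables auto-merge whenever `update-type` is `semver-minor` and the job has not failed, but nothing visible ties it to the outcome of `Review minor`: a review run that completes without approving (the prompt only says to approve "if the changes look reasonable") still leaves this step green, and auto-merge then proceeds as soon as required checks pass unless branch protection independently requires an approving review. Checking the PR's reviews before enabling merge closes that gap, as in the rewritten `run:` below, which exits non-zero when no APPROVED review exists. The `env:` block and `BODY` text are unchanged.
```yaml
      - name: Auto-merge minor
        if: steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: |
          # Only enable auto-merge when the review step actually approved;
          # a review that finished without approving must not merge.
          approved=$(gh pr view "$PR_URL" --json reviews \
            -q '[.reviews[] | select(.state == "APPROVED")] | length')
          if [ "${approved:-0}" -eq 0 ]; then
            echo "No approving review found on $PR_URL; not enabling auto-merge"
            exit 1
          fi
          gh pr merge --auto --squash "$PR_URL" --body "$BODY"
        # … unchanged: env (PR_URL, GH_TOKEN, BODY) …
```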