diff --git a/.github/workflows/claude-mentions.yml b/.github/workflows/claude-mentions.yml
index 55a389782..912409c61 100644
--- a/.github/workflows/claude-mentions.yml
+++ b/.github/workflows/claude-mentions.yml
@@ -1,6 +1,6 @@
 name: Claude Mentions
-# Scenario 1: @claude mentions on issues and PR comments
+# @claude mentions on issues and PR comments
 # See: https://github.com/anthropics/claude-code-action/pull/614
 on:
@@ -78,10 +78,37 @@ jobs:
 - name: Run Claude Code Action
 if: steps.check.outputs.is_member == 'true'
 timeout-minutes: 15
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@v1.0.52
 with:
 github_token: ${{ steps.app-token.outputs.token }}
 use_bedrock: "true"
+ prompt: |
+ REPO: ${{ github.repository }}
+
+ Be precise and concise. No praise. Focus on actionable issues only.
+ Review ONLY the PR diff. Do not flag pre-existing issues.
+ If no significant issues are found, say so briefly and move on.
+
+ When reviewing PRs, focus on these areas in priority order:
+
+ 1. **Security** — vulnerabilities, unsafe code, input validation, auth logic
+ 2. **Correctness** — logic errors, race conditions, edge cases, off-by-one errors
+ 3. **Performance** — bottlenecks, unnecessary allocations, resource leaks
+ 4. **Error Handling** — missing error paths, unwrap/expect in non-test code, silent failures
+ 5. **Rust Idioms** — non-idiomatic patterns, unnecessary clones, misuse of ownership/borrowing
+ 6. **Design** — incorrect abstractions, module boundary violations, missing trait bounds
+ 7. **Testing** — missing coverage for new code paths, untested edge cases
+
+ Do NOT comment on:
+ - Style or formatting (handled by rustfmt/clippy)
+ - Minor naming preferences
+ - TODOs, FIXMEs, or documentation formatting
+ - Code with lint suppression comments (already acknowledged)
+ - Pre-existing issues not introduced by this PR
+ - Suggestions that are nice-to-have but not required for correctness
+
+ Use inline comments for specific issues with concrete suggestions.
+ Use a single top-level comment for summary only if there are findings.
 claude_args: |
 --max-turns 50
- --model us.anthropic.claude-sonnet-4-5-20250929-v1:0
+ --model us.anthropic.claude-opus-4-6-v1
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
index 7eaa658a1..eebd1ebc2 100644
--- a/.github/workflows/claude-pr-review.yml
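Review bot: `uses: anthropics/claude-code-action@v1.0.52` pins to a tag, which the upstream repository can move or delete; for a step that receives a GitHub App token and Bedrock credentials, pin to the full commit SHA of that release and keep the version as a trailing comment, e.g. `uses: anthropics/claude-code-action@<commit-sha-of-v1.0.52>  # v1.0.52`. The same applies to the `actions/checkout@v4` step added in claude-pr-review.yml and to the `@v1.0.52` line in its review step. Separately, the new `prompt:` says `Review ONLY the PR diff.` unconditionally although this workflow also fires on issue mentions where there is no diff; a first line such as `If this is an issue rather than a PR, answer what was asked; the review rules below apply to PRs.` would avoid the model refusing or inventing a diff. If I remember the action's mode detection correctly, supplying `prompt` switches it from mention-triggered mode to run-on-every-event mode, so the @claude gating must be done by the job-level `if:`, which lies outside this hunk along with the rest of the `jobs:` block — worth confirming.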
+++ b/.github/workflows/claude-pr-review.yml
@@ -1,7 +1,7 @@
 name: Claude PR Review
-# Scenario 2: Automated reviews on PR open/update
-# See: https://github.com/anthropics/claude-code-action/pull/614
+# Automated review on PR open, a silent watchdog that only comments when
+# it finds actionable issues. On-demand help lives in claude-mentions.yml.
 on:
 pull_request_target:
@@ -60,14 +60,12 @@ jobs:
 exit 0
 fi
- - name: Checkout repository
- if: steps.check.outputs.is_member == 'true'
- uses: actions/checkout@v4
- with:
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- ref: ${{ github.event.pull_request.head.ref }}
- fetch-depth: 0
-
+ # Generate the app token before checkout so it can be used for
+ # git operations. claude-code-action calls setupBranch() (which
+ # fetches PR refs via `git fetch origin pull/N/head:...`) before
+ # configureGitAuth(), so the token embedded in origin by
+ # actions/checkout must already have permission to fetch fork
+ # PR refs.
 - name: Generate GitHub App token
 if: steps.check.outputs.is_member == 'true'
 id: app-token
@@ -76,6 +74,12 @@ jobs:
 app-id: ${{ vars.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Checkout repository
+ if: steps.check.outputs.is_member == 'true'
+ uses: actions/checkout@v4
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+
 - name: Configure AWS Credentials (OIDC)
 if: steps.check.outputs.is_member == 'true'
 uses: aws-actions/configure-aws-credentials@v4
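Review bot: The new comment explains the step order but not the mechanism it depends on: `actions/checkout` only embeds the token in `origin` because its `persist-credentials` input defaults to true, and that token then stays in `.git/config` for every later step of the job, not just for the action's fetch. Suggest extending the comment with `# actions/checkout keeps the token in .git/config (persist-credentials defaults to true); anything run later in this job can read it.` The comment also cites `setupBranch()` and `configureGitAuth()` ordering, which is a property of one action version; since the review step now pins `@v1.0.52`, name that version here so a future bump re-checks the assumption. The `jobs:` block this comment sits in starts before the hunk.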
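Review bot: The re-added checkout has no `ref:`, so under `pull_request_target` it checks out the base branch rather than the fork head and leaves fetching `pull/N/head` to the action; that removes the unsafe fork checkout, and the step should say so, e.g. `# Deliberately checks out the base ref; the PR head is fetched later by claude-code-action, not by this step.` With the App token persisted into the workspace here and AWS OIDC credentials configured in the next step, the `is_member` condition is the only control keeping this privileged job away from untrusted fork PRs; the step that sets `steps.check.outputs.is_member` is outside this hunk, so confirm it evaluates the PR author (`github.event.pull_request.user.login`) rather than the event actor, which can differ on label or re-run triggers. `actions/checkout@v4` is a moving tag; see the pinning note on the claude-mentions.yml hunk.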
@@ -88,50 +92,47 @@ jobs:
 timeout-minutes: 15
 env:
 ACTIONS_STEP_DEBUG: true
- uses: anthropics/claude-code-action@v1
+ uses: anthropics/claude-code-action@v1.0.52
 with:
 github_token: ${{ steps.app-token.outputs.token }}
 use_bedrock: "true"
- track_progress: true
 prompt: |
 REPO: ${{ github.repository }}
 PR NUMBER: ${{ github.event.pull_request.number }}
- Be precise and concise in your language. Avoid overly praising the PR.
- Focus on actionable feedback and specific issues.
-
- Perform a comprehensive code review with the following focus areas:
-
- 1. **Code Quality**
- - Clean code principles and best practices
- - Proper error handling and edge cases
- - Code readability and maintainability
-
- 2. **Security**
- - Check for potential security vulnerabilities
- - Validate input sanitization
- - Review authentication/authorization logic
-
- 3. **Performance**
- - Identify potential performance bottlenecks
- - Review for efficiency issues
- - Check for memory leaks or resource issues
-
- 4. **Testing**
- - Verify adequate test coverage
- - Review test quality and edge cases
- - Check for missing test scenarios
-
- 5. **Documentation**
- - Ensure code is properly documented
- - Verify README updates for new features
- - Check for clear comments on complex logic
-
- Provide detailed feedback using inline comments for specific issues.
- Use top-level comments for general observations or praise.
+ You are an automated silent watchdog reviewer. Your job is to catch
+ real problems — NOT to provide a comprehensive review or commentary.
+
+ CRITICAL RULE: If you find NO actionable issues, do NOT post any
+ PR comments or inline comments. Simply respond with:
+ "No actionable issues found."
+ and stop. Do not elaborate, summarize, or praise.
+
+ Only comment on issues you are CONFIDENT are real problems:
+
+ 1. **Security** — vulnerabilities, unsafe code, input validation, auth logic
+ 2. **Correctness** — logic errors, race conditions, edge cases, off-by-one errors
+ 3. **Performance** — bottlenecks, unnecessary allocations, resource leaks
+ 4. **Error Handling** — missing error paths, unwrap/expect in non-test code, silent failures
+ 5. **Rust Idioms** — non-idiomatic patterns, unnecessary clones, misuse of ownership/borrowing
+ 6. **Design** — incorrect abstractions, module boundary violations, missing trait bounds
+ 7. **Testing** — missing coverage for new code paths, untested edge cases
+
+ Do NOT comment on:
+ - Style, formatting, naming (handled by rustfmt/clippy)
+ - Documentation, TODOs, FIXMEs
+ - Pre-existing issues not introduced by this PR
+ - Nice-to-have suggestions or minor improvements
+ - Rust idiom preferences that don't affect correctness
+ - Code with lint suppression comments (already acknowledged)
+
+ When you DO find issues:
+ - Use inline comments with concrete fix suggestions
+ - Post a brief summary comment ONLY listing the issues found
+ - No preamble, no praise, no filler
 claude_args: |
- --model us.anthropic.claude-sonnet-4-5-20250929-v1:0
 --max-turns 50
+ --model us.anthropic.claude-opus-4-6-v1
 --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Read,Grep"
 - name: Remove claude-recheck label if present
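Review bot: The seven-item focus list and the `Do NOT comment on` block are now duplicated between this prompt and the one added to claude-mentions.yml, and the two copies already differ (`Style, formatting, naming` here versus `Style or formatting` plus `Minor naming preferences` there; `Documentation, TODOs, FIXMEs` versus `TODOs, FIXMEs, or documentation formatting`), so the reviewers will drift further with every edit. If the action offers no way to load the prompt from a shared file, at least mark both copies with `# Keep in sync with claude-mentions.yml`. The `CRITICAL RULE` about posting nothing is a prompt instruction only: the `--allowedTools` line below still grants `Bash(gh pr comment:*)` and the inline-comment tool, so the silent behaviour is best-effort, and a comment saying so would stop a later reader assuming the tool list enforces it. Dropping `track_progress: true` fits the silent design, though if I read that option correctly it also means a failed or timed-out run leaves no tracking comment on the PR; the `jobs:` block continues outside the hunk on both sides.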