[PM-26935] Create a workflow for Claude code reviews (#456)

* Create an org workflow for Claude code reviews

.claude/CLAUDE.md

@@ -1,10 +1,11 @@
-# GitHub Copilot Instructions for Bitwarden GitHub Actions
+# Bitwarden GitHub Actions - Claude Code Configuration
 
 ## Repository Overview
 
 This repository contains a collection of custom GitHub Actions used by Bitwarden to simplify and standardize CI/CD pipelines across their projects. The repository follows a modular structure where each action is self-contained in its own directory with its own `action.yml` file.
 
 **Repository Details:**
+
 - **Type**: GitHub Actions collection
 - **Size**: Medium-sized repository with ~20 custom actions
 - **Languages**: TypeScript, Python, JavaScript, Shell scripts, YAML
@@ -13,14 +14,17 @@ This repository contains a collection of custom GitHub Actions used by Bitwarden
 ## Build and Validation Instructions
 
 ### Prerequisites
+
 - Node.js (version 22+ for TypeScript actions)
 - Python 3.13+ (for Python-based actions)
 - Docker (for containerized actions)
 
 ### Initial Setup
+
 1. **Always run `npm install` first** in the repository root to install development dependencies including Prettier, Husky, and lint-staged.
 
 ### Code Formatting and Linting
+
 - **Code formatting**: This repository uses Prettier for all file types
 - **Pre-commit hooks**: Husky is configured to run lint-staged on commit
 - **Command**: `npx prettier --cache --write --ignore-unknown .` (formats all files)
@@ -51,9 +55,11 @@ Refer to the [rules directory](https://github.com/bitwarden/workflow-linter/tree
 **Python requirement**: Python 3.13+ with `pip install bitwarden_workflow_linter`
 
 ### Testing Individual Actions
+
 Each action has its own test workflow in `.github/workflows/test-*.yml`:
+
 - `test-version-bump.yml` - Tests version bumping functionality
-- `test-get-secrets.yml` - Tests Azure Key Vault integration  
+- `test-get-secrets.yml` - Tests Azure Key Vault integration
 - `test-download-artifacts.yml` - Tests artifact downloading
 - `test-release-version-check.yml` - Tests release version validation
 - And others...
@@ -61,7 +67,9 @@ Each action has its own test workflow in `.github/workflows/test-*.yml`:
 **Test execution**: Tests run automatically on PRs affecting specific action directories.
 
 ### TypeScript Actions Build Process
+
 For TypeScript-based actions (e.g., `get-keyvault-secrets`):
+
 1. Source files are in `src/` directory
 2. **Always run `npm run build`** or `tsc` to compile TypeScript to JavaScript
 3. Compiled output goes to `lib/` directory
@@ -69,7 +77,9 @@ For TypeScript-based actions (e.g., `get-keyvault-secrets`):
 5. **Critical**: Always commit both source AND compiled files
 
 ### Docker-based Actions
+
 For containerized actions (e.g., `version-bump`, `get-checksum`):
+
 - Use `Dockerfile` in action directory
 - Python scripts use `main.py` as entry point
 - **No local build required** - Docker builds during action execution
@@ -77,6 +87,7 @@ For containerized actions (e.g., `version-bump`, `get-checksum`):
 ## Project Layout and Architecture
 
 ### Repository Structure
+
 ```
 /
 ├── package.json                    # Root dependencies (Prettier, Husky, lint-staged)
@@ -101,15 +112,18 @@ For containerized actions (e.g., `version-bump`, `get-checksum`):
 ### Key Actions by Type
 
 **TypeScript/Node.js Actions:**
+
 - `get-keyvault-secrets/` - Azure Key Vault integration
 - `download-artifacts/` - Artifact management
 
 **Python/Docker Actions:**
+
 - `version-bump/` - File version updating (JSON, XML, PLIST, YAML)
 - `get-checksum/` - SHA256 checksum generation
 - `crowdin/` - Translation management
 
 **Shell/YAML Actions:**
+
 - `azure-login/`, `azure-logout/` - Azure authentication
 - `setup-docker-trust/` - Docker configuration
 - Various reporting and utility actions
@@ -117,15 +131,18 @@ For containerized actions (e.g., `version-bump`, `get-checksum`):
 ### CI/CD Validation Pipeline
 
 **Pre-commit Checks:**
+
 1. Prettier formatting (automatic via Husky)
 2. Lint-staged validation
 
 **Pull Request Checks:**
+
 1. Workflow linting (if `.github/workflows/` changed)
 2. Action-specific tests (if action directory changed)
 3. Various security and quality scans
 
 **Critical Validation Steps:**
+
 - **Workflow files**: Must pass `bitwarden_workflow_linter` validation
 - **TypeScript actions**: Must have compiled `lib/` output committed
 - **All files**: Must pass Prettier formatting
@@ -134,32 +151,38 @@ For containerized actions (e.g., `version-bump`, `get-checksum`):
 ### Dependencies and Requirements
 
 **Development Dependencies (root):**
+
 - `prettier` - Code formatting
 - `husky` - Git hooks
 - `lint-staged` - Staged file processing
 
 **Action-specific Dependencies:**
+
 - TypeScript actions: `@actions/core`, `@actions/exec`, type definitions
 - Python actions: Standard library primarily, some use external packages
 
 ### File Patterns and Conventions
 
 **Action Definition Files:**
+
 - Every action directory MUST have an `action.yml` file
 - Branding should include `icon` and `color` properties
 - Input/output definitions follow GitHub Actions schema
 
 **TypeScript Actions:**
+
 - Source in `src/`, compiled output in `lib/`
 - Use `@actions/core` for GitHub Actions integration
 - `tsconfig.json` for TypeScript configuration
 
 **Python Actions:**
+
 - Main script typically named `main.py`
 - Use environment variables for input (`os.getenv("INPUT_*")`)
 - Docker-based execution via `Dockerfile`
 
 **Testing:**
+
 - Test workflows named `test-[action-name].yml`
 - Test fixtures in `tests/fixtures/` subdirectories
 - Tests validate action outputs and side effects
@@ -169,6 +192,7 @@ For containerized actions (e.g., `version-bump`, `get-checksum`):
 All code changes and action development must follow security best practices relevant to GitHub Actions and Bitwarden's standards:
 
 **GitHub Actions Security:**
+
 - **No hard-coded secrets or credentials** - Use secure parameter passing
 - **Validate all action inputs** - Sanitize and validate user-provided inputs to prevent injection attacks
 - **Use pinned action versions** - All external actions must be pinned to specific commit hashes (enforced by workflow linter)
@@ -176,16 +200,19 @@ All code changes and action development must follow security best practices rele
 - **Secure output handling** - Avoid exposing sensitive data in action outputs or logs
 
 **Secret and Credential Management:**
+
 - Use Azure Key Vault integration properly via `get-keyvault-secrets` action
 - Never log or expose secret values in action outputs
 - Use GitHub's secret masking capabilities (`core.setSecret()` in TypeScript actions)
 
 **Supply Chain Security:**
+
 - Only use approved actions listed in the workflow linter's approved actions list
 - Pin all dependencies to specific versions in `package.json` and `requirements.txt`
 - Validate Docker base images and use official, minimal images when possible
 
 **Input Validation:**
+
 - Validate file paths to prevent directory traversal attacks
 - Sanitize version strings and other user inputs
 - Use proper escaping when constructing shell commands
@@ -195,6 +222,7 @@ All code changes and action development must follow security best practices rele
 **Trust these instructions** and only perform additional searching if the information provided is incomplete or found to be incorrect. The repository follows consistent patterns, and the validation processes are well-established.
 
 **When making changes:**
+
 1. Always format code with Prettier before committing
 2. For TypeScript actions, always compile and commit the `lib/` output
 3. Test changes using the existing test workflows when possible
@@ -203,6 +231,7 @@ All code changes and action development must follow security best practices rele
 6. Apply security best practices and validate all inputs
 
 **Common pitfalls to avoid:**
+
 - Forgetting to compile TypeScript actions
 - Not running Prettier formatting
 - Missing required properties in `action.yml` files

.claude/README.md

@@ -0,0 +1,62 @@
+# Claude Code Configuration
+
+This directory contains Claude Code configuration files for the gh-actions repository.
+
+## Directory Structure
+
+```
+.claude/
+├── CLAUDE.md              # General project context and guidelines
+├── commands/              # Custom slash commands
+│   └── review-pr.md      # /review-pr command for PR reviews
+└── prompts/               # Workflow-specific prompts
+    └── review-code.md    # Used by review-code.yml workflow
+```
+
+## Custom Commands
+
+### `/review-pr` - Pull Request Review
+
+Triggers a comprehensive PR code review in your current Claude Code session.
+
+**Usage:**
+
+1. Open Claude Code in this repository
+2. Check out the PR branch you want to review
+3. Tag @claude and type `/review-pr`
+
+**What it does:**
+
+- Analyzes code quality and best practices
+- Checks for security vulnerabilities
+- Validates workflow linter compliance
+- Reviews performance and efficiency
+- Provides structured feedback with action items
+
+**Example:**
+
+```
+@claude /review-pr
+```
+
+## Automated Workflow Reviews
+
+The `review-code.yml` workflow uses the `.claude/prompts/review-code.md` to automatically review PRs via GitHub Actions in each Bitwarden repo. The `review-code.md` is used as a gate to execute the `review-code.yml` workflow. Repos without this file will not see Claude code reviews performed on each pull request.
+
+**How it works:**
+
+1. Workflow triggers on non-draft PRs
+2. Reads `.claude/prompts/review-code.md` from the PR's branch
+3. Posts review as a sticky comment
+4. Updates comment on new commits
+
+**To enable in our repos:**
+
+1. Create `.claude/prompts/review-code.md` with review criteria
+2. Workflow runs automatically on subsequent pull requests
+
+## Best Practices
+
+- **Commands** (`.claude/commands/`): For interactive Claude Code sessions
+- **Prompts** (`.claude/prompts/`): For automated GitHub Actions workflows
+- **CLAUDE.md**: General project context available in all Claude interactions

.claude/commands/review-pr.md

@@ -0,0 +1,78 @@
+---
+description: Review the current pull request with comprehensive code analysis
+---
+
+You are conducting a thorough pull request code review for the Bitwarden gh-actions repository.
+
+## Current Context
+- Repository: bitwarden/gh-actions
+- This is a collection of reusable GitHub Actions workflows and custom actions
+- The code must follow Bitwarden's workflow linter rules
+- Security and reliability are paramount
+
+## Review Instructions
+
+Perform a comprehensive review of the current PR with focus on:
+
+### 1. **Code Quality & Best Practices**
+- Adherence to GitHub Actions best practices
+- Proper error handling and validation
+- Code maintainability and clarity
+- Appropriate use of GitHub Actions syntax
+
+### 2. **Security Implications**
+- No hardcoded secrets or credentials
+- Proper permission scoping
+- Input validation and sanitization
+- Protection against command injection
+- Safe handling of user-provided data
+
+### 3. **Workflow Linter Compliance**
+Verify compliance with Bitwarden workflow linter rules:
+- Actions pinned to commit SHA with version comment
+- Permissions explicitly defined
+- Runner versions pinned (e.g., ubuntu-24.04)
+- Proper naming conventions (capitalized)
+- Only approved actions are used
+
+### 4. **Performance & Efficiency**
+- Appropriate caching strategies
+- Parallel job execution where possible
+- Minimal redundant operations
+- Efficient use of GitHub Actions resources
+
+### 5. **Testing & Validation**
+- Adequate test coverage for new features
+- Test workflows follow established patterns
+- Integration with existing test infrastructure
+
+## Output Format
+
+Provide a structured review with:
+
+1. **Summary of Changes**
+   - High-level overview of what this PR accomplishes
+   - Key files modified and their impact
+
+2. **Critical Issues** (if any)
+   - Security vulnerabilities
+   - Breaking changes
+   - Non-compliant code that must be fixed
+
+3. **Suggested Improvements**
+   - Optimization opportunities
+   - Better patterns or approaches
+   - Documentation enhancements
+
+4. **Good Practices Observed**
+   - Notable positive aspects (be concise)
+   - Correct security implementations
+   - Well-structured code
+
+5. **Action Items**
+   - Specific tasks for the author
+   - Priority level (Critical/High/Medium/Low)
+
+Use collapsible `<details>` sections for lengthy explanations to keep the review readable.
+
+**Important**: Focus on being thorough about issues and improvements. For good practices, be brief and just note what was done well.

.claude/prompts/review-code.md

@@ -0,0 +1,22 @@
+Please review this pull request with a focus on:
+- Code quality and best practices
+- Potential bugs or issues
+- Security implications
+- Performance considerations
+
+Note: The PR branch is already checked out in the current working directory.
+
+Provide a comprehensive review including:
+- Summary of changes since last review
+- Critical issues found (be thorough)
+- Suggested improvements (be thorough)
+- Good practices observed (be concise - list only the most notable items without elaboration)
+- Action items for the author
+- Leverage collapsible <details> sections where appropriate for lengthy explanations or code snippets to enhance human readability
+
+When reviewing subsequent commits:
+- Track status of previously identified issues (fixed/unfixed/reopened)
+- Identify NEW problems introduced since last review
+- Note if fixes introduced new issues
+
+IMPORTANT: Be comprehensive about issues and improvements. For good practices, be brief - just note what was done well without explaining why or praising excessively.

.github/workflows/review-code.yml

@@ -0,0 +1,155 @@
+name: Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validation:
+    name: Validation
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    outputs:
+      should_review: ${{ steps.validate.outputs.should_review }}
+
+    steps:
+      - name: Check PR requirements
+        id: check-pr
+        run: |
+          if [ "${{ github.event.pull_request.draft }}" == "true" ]; then
+            echo "⚠️  Validation: PR is a draft - skipping review"
+            echo "pr_valid=false" >> $GITHUB_OUTPUT
+          else
+            echo "✅ Validation: PR is ready for review"
+            echo "pr_valid=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for Azure credentials
+        id: check-azure-secret
+        env:
+          _AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          _AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          _AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        run: |
+          if [ -n "$_AZURE_SUBSCRIPTION_ID" ] && [ -n "$_AZURE_TENANT_ID" ] && [ -n "$_AZURE_CLIENT_ID" ]; then
+            echo "credentials_valid=true" >> $GITHUB_OUTPUT
+            echo "✅ Validation: Azure credentials available"
+          else
+            echo "credentials_valid=false" >> $GITHUB_OUTPUT
+            echo "⚠️  Validation: Azure credentials not available"
+            echo "This is expected for external contributors or forks"
+          fi
+
+      - name: Check if prompt file exists
+        id: check-prompt
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Use GitHub API to check file existence WITHOUT checkout
+          FILE_PATH=".claude/prompts/review-code.md"
+          REPO="${{ github.repository }}"
+          REF="${{ github.event.pull_request.head.sha }}"
+
+          # Check if file exists via API
+          if gh api "repos/$REPO/contents/$FILE_PATH?ref=$REF" --silent 2>/dev/null; then
+            echo "prompt_exists=true" >> $GITHUB_OUTPUT
+            echo "✅ Found $FILE_PATH in $REPO"
+          else
+            echo "prompt_exists=false" >> $GITHUB_OUTPUT
+            echo "⚠️  Validation: No $FILE_PATH found - skipping Claude review"
+          fi
+
+      - name: Set validation result
+        id: validate
+        run: |
+          if [ "${{ steps.check-pr.outputs.pr_valid }}" == "true" ] && \
+             [ "${{ steps.check-azure-secret.outputs.credentials_valid }}" == "true" ] && \
+             [ "${{ steps.check-prompt.outputs.prompt_exists }}" == "true" ]; then
+            echo "should_review=true" >> $GITHUB_OUTPUT
+            echo "✅ Validation passed - code review will proceed"
+          else
+            echo "should_review=false" >> $GITHUB_OUTPUT
+            echo "⚠️  Validation failed - code review will be skipped"
+          fi
+
+  review:
+    name: Review
+    runs-on: ubuntu-24.04
+    needs: validation
+    if: needs.validation.outputs.should_review == 'true'
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "ANTHROPIC-API-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Build review prompt
+        id: build-prompt
+        env:
+          PR_REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_COMMIT: ${{ github.event.pull_request.head.sha }}
+        run: |
+          PROMPT_FILE=".claude/prompts/review-code.md"
+
+          # Build the full prompt with GitHub context + repo's prompt
+          {
+            printf "REPO: %s\n" "$PR_REPO"
+            printf "PR NUMBER: %s\n" "$PR_NUMBER"
+            printf "TITLE: %s\n" "$PR_TITLE"
+            printf "BODY: %s\n" "$PR_BODY"
+            printf "AUTHOR: %s\n" "$PR_AUTHOR"
+            printf "COMMIT: %s\n" "$PR_COMMIT"
+            printf "\n"
+            printf "Note: The PR branch is already checked out in the current working directory.\n"
+            printf "\n---\n\n"
+            cat "$PROMPT_FILE"
+          } > /tmp/review-prompt.md
+
+          # Output the prompt
+          {
+            echo 'FINAL_PROMPT<<EOF'
+            cat /tmp/review-prompt.md
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Review with Claude Code
+        uses: anthropics/claude-code-action@e8bad572273ce919ba15fec95aef0ce974464753 # v1.0.13
+        with:
+          anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-API-KEY }}
+          track_progress: true
+          use_sticky_comment: true
+          prompt: ${{ steps.build-prompt.outputs.FINAL_PROMPT }}
+          claude_args: |
+            --allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*)"