[PM-29098] Integrate plugins marketplace into code review workflow (#487)

.claude/README.md

@@ -10,35 +10,32 @@ This directory contains Claude Code configuration files for the gh-actions repos
 ├── commands/              # Custom slash commands
 │   └── review-pr.md
 └── prompts/               # Workflow-specific prompts
-    └── bitwarden-review-code.md
-    └── review-code.md
+    └── review-code.md     # Repo specific review guidelines
 ```
 
 ## Automated Workflow Reviews
 
-The `review-code.yml` workflow uses TWO prompt files:
+The `review-code.yml` workflow uses custom plugins from Bitwarden's AI plugin marketplace:
 
-1. **Bitwarden company-wide prompt** (`.claude/prompts/bitwarden-review-code.md`)
-   - Stored in `bitwarden/gh-actions` repository
-   - Contains common review criteria for all Bitwarden repos
+1. **Bitwarden code review agent**
+   - Plugin hosted in `bitwarden/ai-plugins` repository
+   - Contains specialized review agent, with common review criteria for all Bitwarden repos
    - Intended to be focused on Claude's behavior when reviewing code
-   - Automatically fetched during workflow execution
+   - Automatically installed during workflow execution
 
-2. **Repository-specific gate** (`.claude/prompts/review-code.md`)
-   - Must exist in each repo that wants Claude reviews
-   - Contains repo-specific review instructions
-   - Acts as an "opt-in" gate for the review process
+2. **Repository-specific review guidelines** (`.claude/prompts/review-code.md`)
+   - Optional repo-specific review instructions
 
 **How it works:**
 
-1. Workflow triggers on a PR
-2. PR is validated as viable for a Claude Code review
-3. Workflow pulls the `.claude/prompts/bitwarden-review-code.md` file from the `gh-actions` repo.
-4. Workflow pulls the `.claude/prompts/review-code.md` file from the caller's repo (e.g. `server`, `clients`, `sdk-internal`, etc.)
-5. Workflow combines information from Steps 3 and 4 to create a Claude Code Action PR review prompt
-6. Claude executes the GitHub Action and appends feedback in the form of a summary comment with findings and inline comments (if necessary).
+1. Workflow triggers on a PR.
+2. PR is validated as viable for a Claude Code review.
+3. Workflow adds the `bitwarden/ai-plugins` marketplace and installs necessary plugins.
+4. Workflow invokes the `bitwarden-code-reviewer` agent to perform a review of the pull request.
+5. `bitwarden-code-reviewer` agent identifies and ingests the local repo's `.claude/prompts/review-code.md` file.
+6. `bitwarden-code-reviewer` agent reviews the changes and appends feedback in the form of a brief summary comment with findings and inline comments (if necessary).
 
-**To enable in our repos:**
+**To customize review guidelines in our repos:**
 
 1. Create `.claude/prompts/review-code.md` with review criteria
 2. Workflow runs automatically on subsequent pull requests

.claude/prompts/bitwarden-review-code.md

@@ -1,69 +0,0 @@
-# Bitwarden Code Review Prompt
-
-## Before You Review
-
-1. **ALWAYS** evaluate PR title and description quality. If deficient, create a finding (💭) suggesting improvements:
-   - **Title**: Must be clear, specific, and describe the change (not vague like "fixed bug 1234" or "update models to be better")
-   - **Objective**: Must explain what changed and why it changed
-   - **Screenshots or Screen Recordings**: Expected for UI changes, helpful for behavior changes
-   - **Jira Reference**: Expected in the `## 🎟️ Tracking` section
-   - **Test Plan**: Expected to describe how changes were verified, or reference test plan in linked Jira task
-
-   Provide rewrite suggestions in a collapsible `<details>` section.
-
-2. **ALWAYS** read all existing PR comments before reviewing. Create exactly ONE summary comment only if none exists.
-
-3. **ALWAYS** check for existing comment threads before posting. Never create duplicate comments on the same finding.
-
-4. **ALWAYS** read resolved threads and human responses before reopening or responding. Respect human decisions: do not reopen threads for improvements (🎨) or inquiries (💭). Consider human explanations before taking further action.
-
-## Finding Requirements
-
-1. **ALWAYS** focus on actionable findings requiring developer attention or response.
-
-2. **CRITICAL: Never use # followed by numbers** - GitHub will autolink it to unrelated issues/PRs.
-
-   **WHY THIS MATTERS:**
-   - Writing "#1" creates a clickable link to issue/PR #1 (not your finding)
-   - "Issue" is also wrong terminology (use "Finding")
-
-   **CORRECT FORMAT:**
-   - Finding 1: Memory leak detected
-   - Finding 2: Missing error handling
-
-   **WRONG (DO NOT USE):**
-   - ❌ Issue #1 (wrong term + autolink)
-   - ❌ #1 (autolink only)
-   - ❌ Issue 1 (wrong term only)
-
-   **REQUIREMENTS:**
-   - Use "Finding" + space + number (no # symbol)
-   - Present as numbered list
-   - Each finding summary: one sentence, under 30 words
-
-3. **ALWAYS** classify each finding with one emoji (if multiple apply, use the most severe: ❌ > ⚠️ > ♻️ > 🎨 > 💭)
-   - ❌ (`:x:`) Major finding requiring changes
-   - ⚠️ (`:warning:`) Minor finding requiring human attention
-   - ♻️ (`:recycle:`) Code introduces technical debt
-   - 🎨 (`:art:`) Improves maintainability, reduces complexity, or enhances security (not style nitpicks)
-   - 💭 (`:thought_balloon:`) Open inquiry or question
-
-## Comment Guidelines
-
-1. **ALWAYS** maintain brevity in all PR comments:
-   - Summary comments must NOT include detailed change requests - keep them high-level
-   - All specific code changes MUST be inline comments on the precise line requiring action
-   - Never write multiple long paragraphs - use single sentences when possible
-   - For required context: use fenced code blocks
-   - For lengthy explanations: use collapsible `<details>` sections
-
-2. **NEVER** include these in summary comments:
-   - List of files changed
-   - Summary of recent changes or changes since last review
-   - Lists of good practices observed, previous review items, or arbitrary ideas outside findings
-
-3. **FOR CLEAN PRs** (zero major/minor findings, zero refactoring requests, zero significant improvements):
-   - Limit praise to ONE sentence (≤25 words)
-   - Never create sections, checklists, detailed analysis, or positive-only inline comments
-
-4. **MAINTAIN** professional tone. Review code, not developers. Frame findings as improvement opportunities.

.claude/prompts/review-code.md

@@ -15,3 +15,5 @@ You are reviewing code in the `gh-actions` repository from the perspective of an
 **Documentation Quality**: Markdown files must be grammatically correct, properly formatted with consistent styling, and follow established patterns. README files must clearly document action inputs, outputs, and provide practical usage examples.
 
 **Code Formatting**: All code must pass Prettier formatting validation. Formatting violations indicate the pre-commit hook was bypassed and must be corrected.
+
+**Review Claude Changes**: If any Claude related files are modified use the `claude-code-validator` Skill to review them.

.github/workflows/_review-code.yml

@@ -157,6 +157,11 @@ jobs:
           anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-CODE-REVIEW-API-KEY }}
           track_progress: true
           use_sticky_comment: true
-          prompt: ${{ steps.build-prompt.outputs.FINAL_PROMPT }}
+          plugin_marketplaces: |
+            https://github.com/bitwarden/ai-plugins.git
+          plugins: |
+            claude-config-validator@bitwarden-marketplace
+            bitwarden-code-review@bitwarden-marketplace
+          prompt: "Use @agent-bitwarden-code-review:bitwarden-code-reviewer to review the currently checked out pull request changes."
           claude_args: |
             --allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*)"