# Reusable code-review workflow. Callers invoke it through `workflow_call`
# and must supply the three Azure identity secrets declared below. A review
# runs only when (1) the triggering actor holds write permission and (2) the
# pull request carries the `ai-review` label; the Anthropic key is fetched
# from Azure Key Vault at run time rather than stored as a repository secret.
name: Code Review

on:
  workflow_call:
    # Passed in by the calling workflow; consumed only by the OIDC-based
    # Azure login in the `review` job.
    secrets:
      AZURE_SUBSCRIPTION_ID:
        required: true
      AZURE_TENANT_ID:
        required: true
      AZURE_CLIENT_ID:
        required: true

# One in-flight run per PR (falls back to branch/ref when there is no PR
# number); a newer run cancels the older one.
concurrency:
  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
  cancel-in-progress: true

# Default-deny at workflow level; each job requests only the scopes it needs.
permissions: {}

jobs:
  # Gate 1: the actor must hold write permission on the repository.
  # `failure_mode: skip` turns a missing permission into a skip rather than a
  # failed check (that behaviour lives in the reusable workflow, not here).
  check-permission:
    name: Check permission
    uses: ./.github/workflows/_check-permission.yml
    with:
      failure_mode: 'skip'
      require_permission: 'write'
    permissions:
      contents: read

  # Gate 2: the PR must carry the `ai-review` label. Runs with read-only
  # token scopes and exposes a single `should_review` output.
  validation:
    name: Validation
    needs: check-permission
    if: needs.check-permission.outputs.should_proceed == 'true'
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: read
    outputs:
      should_review: ${{ steps.validate.outputs.should_review }}
    steps:
      # Looks the PR's labels up with the job token (read-only scopes above
      # suffice for `gh pr view`). A run with no PR number in its event is
      # treated as "label absent" and exits cleanly.
      - name: Check for review label
        id: check-label
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          if [ -z "${PR_NUMBER:-}" ]; then
            echo "label_present=false" >> "$GITHUB_OUTPUT"
            echo "⚠ Validation: no pull_request context detected - skipping Claude review"
            exit 0
          fi
          LABELS=$(gh pr view "$PR_NUMBER" --repo "$GH_REPO" --json labels -q '.labels[].name')
          if printf '%s\n' "$LABELS" | grep -Fxq "ai-review"; then
            echo "label_present=true" >> "$GITHUB_OUTPUT"
            echo "✅ Validation: 'ai-review' label found"
          else
            echo "label_present=false" >> "$GITHUB_OUTPUT"
            echo "⚠ Validation: 'ai-review' label not found - skipping Claude review"
          fi

      # Folds the label result into the job-level `should_review` output that
      # the `review` job's `if:` condition reads.
      - name: Set validation result
        id: validate
        env:
          LABEL_PRESENT: ${{ steps.check-label.outputs.label_present }}
        run: |
          if [ "$LABEL_PRESENT" == "true" ]; then
            echo "should_review=true" >> "$GITHUB_OUTPUT"
            echo "✅ Validation passed - code review will proceed"
          else
            echo "should_review=false" >> "$GITHUB_OUTPUT"
            echo "⚠ Validation failed - code review will be skipped"
          fi

  # Runs the AI reviewer once both gates pass. `id-token: write` is needed
  # for the OIDC Azure login; `pull-requests: write` lets the reviewer post
  # its comments. The job-level timeout bounds the whole run.
  review:
    name: Review
    runs-on: ubuntu-24.04
    needs:
      - check-permission
      - validation
    if: needs.check-permission.outputs.should_proceed == 'true' && needs.validation.outputs.should_review == 'true'
    timeout-minutes: 15
    permissions:
      actions: read
      contents: read
      id-token: write
      pull-requests: write
    steps:
      # Full history of the PR head commit so the `git diff` / `git log`
      # tools allowed below can compare against the base. NOTE(review): this
      # is PR-authored content, and `./scripts/get-review-threads.sh` in the
      # allowed tool list is read from this checkout; the write-permission
      # gate limits who can trigger the run, but whether the PR author is
      # equally trusted depends on the caller's trigger — confirm.
      # `persist-credentials: true` leaves the job token in the checkout's
      # git config; confirm the review action actually needs it.
      - name: Check out repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: true

      # OIDC federated login — no long-lived Azure credential is stored in
      # this repo. NOTE(review): the three bitwarden/gh-actions steps use the
      # mutable `@main` ref while every other action here is SHA-pinned;
      # pinning them would make the supply chain reproducible.
      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      # Pulls the Anthropic key at run time; it reaches the review step only
      # as this step's output.
      - name: Get Azure Key Vault secrets
        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: gh-org-bitwarden
          secrets: 'ANTHROPIC-CODE-REVIEW-API-KEY'

      # Drops the Azure session as soon as the secret has been retrieved.
      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

      # The reviewer itself, with a tighter step timeout than the job's.
      # The `--allowedTools` list is the control surface: read-only git/gh
      # inspection, comment-only review (`gh pr review:--comment*`,
      # `gh pr comment`), the repo's review-thread helper script and the
      # action's own comment tools — no approve/merge and no unrestricted
      # Bash. Feature-flag env values are quoted so they stay strings; their
      # meaning is defined by claude-code-action.
      - name: Review with Claude Code
        timeout-minutes: 10
        uses: anthropics/claude-code-action@1b8ee3b94104046d71fde52ec3557651ad8c0d71 # v1.0.29
        env:
          USE_AGENT_SDK: 'true'
          USE_SIMPLE_PROMPT: 'true'
        with:
          anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-CODE-REVIEW-API-KEY }}
          track_progress: true
          use_sticky_comment: true
          plugin_marketplaces: 'https://github.com/bitwarden/ai-plugins.git'
          plugins: 'bitwarden-code-review@bitwarden-marketplace'
          prompt: |
            /bitwarden-code-review:code-review
          claude_args: |
            --verbose
            --model opus
            --allowedTools "Read,Grep,Glob,Task,Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(gh pr checks:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr review:--comment*),Bash(gh pr comment:*),Bash(gh api graphql*reviewThreads*-f owner=*-f repo=*-F pr=*:*),Bash(./scripts/get-review-threads.sh:*),mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Skill"