|
|
name: Code Review |
|
|
|
|
|
on: |
|
|
workflow_call: |
|
|
secrets: |
|
|
AZURE_SUBSCRIPTION_ID: |
|
|
required: true |
|
|
AZURE_TENANT_ID: |
|
|
required: true |
|
|
AZURE_CLIENT_ID: |
|
|
required: true |
|
|
|
|
|
concurrency: |
|
|
group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }} |
|
|
cancel-in-progress: true |
|
|
|
|
|
permissions: {} |
|
|
|
|
|
jobs: |
|
|
check-permission: |
|
|
name: Check permission |
|
|
uses: ./.github/workflows/_check-permission.yml |
|
|
with: |
|
|
failure_mode: "skip" |
|
|
require_permission: "write" |
|
|
permissions: |
|
|
contents: read |
|
|
|
|
|
validation: |
|
|
name: Validation |
|
|
needs: check-permission |
|
|
if: needs.check-permission.outputs.should_proceed == 'true' |
|
|
runs-on: ubuntu-24.04 |
|
|
permissions: |
|
|
contents: read |
|
|
outputs: |
|
|
should_review: ${{ steps.validate.outputs.should_review }} |
|
|
|
|
|
steps: |
|
|
- name: Check PR is not a draft |
|
|
id: check-pr |
|
|
env: |
|
|
IS_DRAFT: ${{ github.event.pull_request.draft }} |
|
|
run: | |
|
|
if [ "$IS_DRAFT" == "true" ]; then |
|
|
echo "⚠️ Validation: PR is a draft - skipping review" |
|
|
echo "pr_valid=false" >> "$GITHUB_OUTPUT" |
|
|
else |
|
|
echo "✅ Validation: PR is ready for review" |
|
|
echo "pr_valid=true" >> "$GITHUB_OUTPUT" |
|
|
fi |
|
|
|
|
|
- name: Check if prompt file exists using GitHub CLI |
|
|
id: check-prompt |
|
|
env: |
|
|
GH_TOKEN: ${{ github.token }} |
|
|
REPO: ${{ github.repository }} |
|
|
REF: ${{ github.event.pull_request.head.sha }} |
|
|
FILE_PATH: ".claude/prompts/review-code.md" |
|
|
run: | |
|
|
if gh api "repos/$REPO/contents/$FILE_PATH?ref=$REF" --silent 2>/dev/null; then |
|
|
echo "prompt_exists=true" >> "$GITHUB_OUTPUT" |
|
|
echo "✅ Found $FILE_PATH in $REPO" |
|
|
else |
|
|
echo "prompt_exists=false" >> "$GITHUB_OUTPUT" |
|
|
echo "⚠️ Validation: No $FILE_PATH found - skipping Claude review" |
|
|
fi |
|
|
|
|
|
- name: Set validation result |
|
|
id: validate |
|
|
env: |
|
|
PR_VALID: ${{ steps.check-pr.outputs.pr_valid }} |
|
|
PROMPT_EXISTS: ${{ steps.check-prompt.outputs.prompt_exists }} |
|
|
run: | |
|
|
if [ "$PR_VALID" == "true" ] && \ |
|
|
[ "$PROMPT_EXISTS" == "true" ]; then |
|
|
echo "should_review=true" >> "$GITHUB_OUTPUT" |
|
|
echo "✅ Validation passed - code review will proceed" |
|
|
else |
|
|
echo "should_review=false" >> "$GITHUB_OUTPUT" |
|
|
echo "⚠️ Validation failed - code review will be skipped" |
|
|
fi |
|
|
|
|
|
review: |
|
|
name: Review |
|
|
runs-on: ubuntu-24.04 |
|
|
needs: [check-permission, validation] |
|
|
if: needs.check-permission.outputs.should_proceed == 'true' && needs.validation.outputs.should_review == 'true' |
|
|
timeout-minutes: 15 |
|
|
permissions: |
|
|
actions: read |
|
|
contents: read |
|
|
id-token: write |
|
|
pull-requests: write |
|
|
|
|
|
steps: |
|
|
- name: Check out repo |
|
|
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 |
|
|
with: |
|
|
fetch-depth: 0 |
|
|
ref: ${{ github.event.pull_request.head.sha }} |
|
|
persist-credentials: true |
|
|
|
|
|
- name: Log in to Azure |
|
|
uses: bitwarden/gh-actions/azure-login@main |
|
|
with: |
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
|
|
- name: Get Azure Key Vault secrets |
|
|
id: get-kv-secrets |
|
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
|
with: |
|
|
keyvault: gh-org-bitwarden |
|
|
secrets: "ANTHROPIC-CODE-REVIEW-API-KEY,BW-GHAPP-ID,BW-GHAPP-KEY" |
|
|
|
|
|
- name: Log out from Azure |
|
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
|
|
- name: Generate GH App token |
|
|
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 |
|
|
id: app-token |
|
|
with: |
|
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} |
|
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} |
|
|
owner: ${{ github.repository_owner }} |
|
|
repositories: ai-plugins |
|
|
|
|
|
- name: Create temporary directory for marketplace |
|
|
id: mktemp |
|
|
run: | |
|
|
TEMP_DIR=$(mktemp -d -p .) |
|
|
echo "temp_dir=$TEMP_DIR" >> "$GITHUB_OUTPUT" |
|
|
echo "✅ Created temporary directory: $TEMP_DIR" |
|
|
|
|
|
- name: Check out AI plugins marketplace |
|
|
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 |
|
|
with: |
|
|
repository: bitwarden/ai-plugins |
|
|
path: ${{ steps.mktemp.outputs.temp_dir }} |
|
|
token: ${{ steps.app-token.outputs.token }} |
|
|
persist-credentials: false |
|
|
|
|
|
- name: Configure Claude Code with local marketplace |
|
|
id: configure-marketplace |
|
|
env: |
|
|
MARKETPLACE_DIR: ${{ steps.mktemp.outputs.temp_dir }} |
|
|
run: | |
|
|
# Verify marketplace directory exists |
|
|
if [ ! -d "$MARKETPLACE_DIR" ]; then |
|
|
echo "❌ Error: Marketplace directory $MARKETPLACE_DIR does not exist" |
|
|
exit 1 |
|
|
fi |
|
|
echo "✅ Found marketplace at: $MARKETPLACE_DIR" |
|
|
|
|
|
# Verify required plugin directories exist |
|
|
if [ ! -d "$MARKETPLACE_DIR/plugins/claude-config-validator" ]; then |
|
|
echo "❌ Error: Plugin 'claude-config-validator' not found" |
|
|
exit 1 |
|
|
fi |
|
|
echo "✅ Found plugin: claude-config-validator" |
|
|
|
|
|
if [ ! -d "$MARKETPLACE_DIR/plugins/bitwarden-code-review" ]; then |
|
|
echo "❌ Error: Plugin 'bitwarden-code-review' not found" |
|
|
exit 1 |
|
|
fi |
|
|
echo "✅ Found plugin: bitwarden-code-review" |
|
|
|
|
|
# Verify agent file exists |
|
|
if [ -f "$MARKETPLACE_DIR/plugins/bitwarden-code-review/.claude-plugin/plugin.json" ]; then |
|
|
echo "✅ Plugin metadata found in expected location." |
|
|
else |
|
|
echo "⚠️ Warning: Plugin metadata not found at expected location" |
|
|
fi |
|
|
|
|
|
mkdir -p ~/.claude |
|
|
echo "✅ Created Claude Code configuration directory" |
|
|
|
|
|
# Create Claude Code configuration JSON |
|
|
SETTINGS_JSON=$(jq -n \ |
|
|
--arg path "$(realpath "$MARKETPLACE_DIR")" \ |
|
|
'{ |
|
|
extraKnownMarketplaces: { |
|
|
"bitwarden-marketplace": { |
|
|
source: { |
|
|
source: "directory", |
|
|
path: $path |
|
|
} |
|
|
} |
|
|
}, |
|
|
enabledPlugins: { |
|
|
"claude-config-validator@bitwarden-marketplace": true, |
|
|
"bitwarden-code-review@bitwarden-marketplace": true |
|
|
} |
|
|
}') |
|
|
|
|
|
# Write to file for debugging |
|
|
echo "$SETTINGS_JSON" > ~/.claude/settings.json |
|
|
echo "✅ Created settings file at ~/.claude/settings.json" |
|
|
|
|
|
# Output JSON to GitHub Actions output for passing to action |
|
|
echo "settings_json<<EOF" >> "$GITHUB_OUTPUT" |
|
|
echo "$SETTINGS_JSON" >> "$GITHUB_OUTPUT" |
|
|
echo "EOF" >> "$GITHUB_OUTPUT" |
|
|
|
|
|
echo "✅ Claude Code configured with local marketplace" |
|
|
|
|
|
- name: Review with Claude Code |
|
|
timeout-minutes: 10 |
|
|
uses: anthropics/claude-code-action@6337623ebba10cf8c8214b507993f8062fd4ccfb # v1.0.22 |
|
|
with: |
|
|
anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-CODE-REVIEW-API-KEY }} |
|
|
track_progress: true |
|
|
use_sticky_comment: true |
|
|
settings: ${{ steps.configure-marketplace.outputs.settings_json }} |
|
|
plugins: | |
|
|
claude-config-validator@bitwarden-marketplace |
|
|
bitwarden-code-review@bitwarden-marketplace |
|
|
prompt: | |
|
|
Use bitwarden-code-reviewer agent to review the currently checked out pull request changes. |
|
|
claude_args: | |
|
|
--verbose |
|
|
--allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*)"
|
|
|
|
