Conversation
- CI workflow calling reusable workflow from agent-sh/.github - Claude Code automated PR review (owner/member/collaborator only, max 3 runs) - Claude Code @mentions support - Pre-push hook running tests before push
There was a problem hiding this comment.
Pull request overview
This PR introduces shared CI infrastructure for agent-sh repositories, including reusable CI workflows, Claude Code integration for automated PR reviews and @mentions, and git pre-push hooks. The changes centralize CI logic by delegating to a shared workflow in agent-sh/.github, and add AI-assisted code review capabilities with usage limits.
Changes:
- Adds git hook installation script supporting Rust and Node.js projects with corresponding pre-push hooks
- Refactors CI workflow to use a reusable workflow from agent-sh/.github organization repository
- Introduces Claude Code workflows for automated PR reviews (limited to 3 runs per PR) and
@mentionresponses
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 17 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/setup-hooks.sh | New script that detects project type and installs appropriate pre-push hooks for Rust or Node.js projects |
| scripts/pre-push-rust | New pre-push hook for Rust projects that runs clippy with warnings-as-errors and tests |
| .github/workflows/claude.yml | Updated Claude Code workflow for @mention triggers with new permissions, checkout version, action SHA, and restricted to OWNER/MEMBER/COLLABORATOR roles |
| .github/workflows/claude-code-review.yml | Updated automated PR review workflow with run-count limiting (max 3 per PR), new permissions, and updated action versions |
| .github/workflows/ci.yml | Replaced extensive CI job definitions with single call to reusable workflow at agent-sh/.github |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
| issues: read | ||
| id-token: write | ||
| contents: write | ||
| pull-requests: write | ||
| issues: write | ||
| actions: read |
There was a problem hiding this comment.
The workflow grants contents: write permission, which allows modifying repository contents. If the Claude Code action only needs to read code and post review comments, this may be excessive. According to security best practices (workflow memory), workflows should declare minimum required permissions. Verify whether contents: write is actually needed, or if contents: read would be sufficient. The use_commit_signing: true parameter suggests commits may be made, which would justify write access.
| if [ "$SIZE" -gt 10485760 ]; then | ||
| echo "::warning::Binary size exceeds 10MB threshold" | ||
| fi | ||
| ci: |
There was a problem hiding this comment.
The massive CI workflow has been replaced with a single reusable workflow call. However, the .github/workflows/README.md file at lines 84-94 still documents the old ci.yml workflow structure with details like "Lint, test, coverage, build". This documentation should be updated to reflect that ci.yml now calls a reusable workflow from agent-sh/.github, or document what checks the reusable workflow performs.
| ci: | |
| ci: | |
| name: Reusable Rust CI (lint, test, coverage, build) |
| permissions: {} | ||
|
|
||
| jobs: | ||
| claude-review: |
There was a problem hiding this comment.
The condition checks if the author_association is in the list ["OWNER","MEMBER","COLLABORATOR"], but this doesn't account for repository administrators who may have different association values. GitHub's author_association can include values like "OWNER", "MEMBER", "COLLABORATOR", "CONTRIBUTOR", "FIRST_TIME_CONTRIBUTOR", "FIRST_TIMER", and "NONE". Consider whether other roles should be allowed, or document why only these three roles are permitted to trigger automated PR reviews.
| claude-review: | |
| claude-review: | |
| # Only run for trusted repository roles. Possible author_association values include | |
| # OWNER, MEMBER, COLLABORATOR, CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, and NONE. | |
| # We intentionally restrict this workflow to OWNER, MEMBER, and COLLABORATOR to ensure | |
| # that automated reviews only run for users with trusted access to the repository. | |
| # Note: repository administrators appear as OWNER or MEMBER, so they are covered here. |
| @@ -6,211 +6,7 @@ on: | |||
| pull_request: | |||
| branches: [main] | |||
|
|
|||
There was a problem hiding this comment.
The workflow lacks an explicit top-level permissions declaration. According to the security hardening guidelines in .github/workflows/README.md lines 9-15, every workflow should declare minimum required permissions at the workflow level. When calling a reusable workflow, consider adding permissions: {} or appropriate read permissions at the top level.
| permissions: {} |
| contents: write | ||
| pull-requests: write | ||
| issues: write | ||
| actions: read |
There was a problem hiding this comment.
The workflow grants contents: write permission, which allows modifying repository contents. If the Claude Code action only needs to read code and post comments, this may be excessive. According to security best practices (workflow memory), workflows should declare minimum required permissions. Verify whether contents: write is actually needed, or if contents: read would be sufficient. The use_commit_signing: true parameter suggests commits may be made, which would justify write access.
| actions: read |
| "repos/${REPO}/actions/workflows/${WORKFLOW_FILE}/runs?head_sha=${HEAD_SHA}&status=completed" \ | ||
| --jq '[.workflow_runs[] | select(.event == "pull_request")] | length' || echo "") |
There was a problem hiding this comment.
The run count logic only counts completed runs with status=completed, but doesn't account for currently running workflows. If the PR is synchronized while a review is already running, this could allow more than 3 reviews to execute. Consider adding logic to check for in_progress runs as well, or use a different mechanism like GitHub's concurrency groups to prevent overlapping runs.
| "repos/${REPO}/actions/workflows/${WORKFLOW_FILE}/runs?head_sha=${HEAD_SHA}&status=completed" \ | |
| --jq '[.workflow_runs[] | select(.event == "pull_request")] | length' || echo "") | |
| "repos/${REPO}/actions/workflows/${WORKFLOW_FILE}/runs?head_sha=${HEAD_SHA}" \ | |
| --jq '[.workflow_runs[] | select(.event == "pull_request" and (.status == "completed" or .status == "in_progress"))] | length' || echo "") |
| echo "::warning::Binary size exceeds 10MB threshold" | ||
| fi | ||
| ci: | ||
| uses: agent-sh/.github/.github/workflows/ci-rust.yml@main |
There was a problem hiding this comment.
The workflow references a reusable workflow at agent-sh/.github/.github/workflows/ci-rust.yml@main. Using @main as the ref means the workflow will always use the latest version from the main branch, which could introduce breaking changes without notice. According to security best practices for SHA-pinned actions in this repository, consider pinning to a specific commit SHA or stable tag instead of using a branch reference.
| uses: agent-sh/.github/.github/workflows/ci-rust.yml@main | |
| uses: agent-sh/.github/.github/workflows/ci-rust.yml@v1 |
| - name: Run Claude Code | ||
| id: claude | ||
| uses: anthropics/claude-code-action@edd85d61533cbba7b57ed0ca4af1750b1fdfd3c4 # v1 | ||
| uses: anthropics/claude-code-action@f64219702d7454cf29fe32a74104be6ed43dc637 # v1 |
There was a problem hiding this comment.
The SHA pin for anthropics/claude-code-action (f64219702d7454cf29fe32a74104be6ed43dc637) differs from the documented SHA in .github/workflows/README.md line 64 (6867bb3ab0b2c0a10629b6823e457347e74ad6d2). According to the workflow security practices memory, all third-party actions must be pinned to documented SHAs. Either update the README.md SHA Pin Reference with the new SHA and document which version this corresponds to, or use the documented SHA.
| uses: anthropics/claude-code-action@f64219702d7454cf29fe32a74104be6ed43dc637 # v1 | |
| uses: anthropics/claude-code-action@6867bb3ab0b2c0a10629b6823e457347e74ad6d2 # v1 |
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
There was a problem hiding this comment.
The SHA pin for actions/checkout has been downgraded from v6.0.2 (SHA: de0fac2e4500dabe0009e67214ff5f5447ce83dd) to v4 (SHA: 34e114876b0b11c390a56381ad16ebd13914f8d5), which deviates from the existing convention in this repository. According to .github/workflows/README.md line 35, the project uses v6.0.2 for actions/checkout. This inconsistency should be resolved - either update all workflows to v4 or use v6.0.2 here for consistency.
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| RUN_COUNT=${RUN_COUNT:-0} | ||
| if ! echo "$RUN_COUNT" | grep -qE '^[0-9]+$'; then |
There was a problem hiding this comment.
The validation uses grep -qE '^[0-9]+$' which requires at least one digit, but line 44 has already set RUN_COUNT=${RUN_COUNT:-0} which ensures it's at least "0". However, the validation could fail if the API returns non-numeric output that wasn't caught by the error handling. Consider adding validation before the default assignment or handling the case where grep fails to avoid obscure errors.
| RUN_COUNT=${RUN_COUNT:-0} | |
| if ! echo "$RUN_COUNT" | grep -qE '^[0-9]+$'; then | |
| if [ -z "$RUN_COUNT" ]; then | |
| RUN_COUNT=0 | |
| elif ! echo "$RUN_COUNT" | grep -qE '^[0-9]+$'; then |
Addressing Copilot review comments
Checkout SHA downgrade (v6 -> v4): The org-wide templates standardize on actions/checkout v4 (SHA Missing top-level permissions: Permissions are declared at job level in these workflows, which is valid and more granular than top-level. This follows the same pattern as the agentsys CI workflows. SHA mismatch with README.md: These workflows use the org-standard SHAs from agent-sh/.github. The agnix README.md documents older, repo-specific SHAs. The README should be updated separately to reflect the new org-wide workflow setup.
Run count logic: The count queries completed runs, which is the same pattern used in agentsys. Race conditions with concurrent runs are acceptable since the 3-run limit is a soft guard, not a security boundary. |
Adds CI workflow (reusable from agent-sh/.github), Claude Code PR review, @claude mentions, and pre-push git hooks. Run
sh scripts/setup-hooks.shto install hooks locally. Requires org-level CLAUDE_CODE_OAUTH_TOKEN secret.