From b527c7660a46d24e0c1ebc58c65f78785ad4d759 Mon Sep 17 00:00:00 2001
From: Sam Crauwels
Date: Mon, 13 Apr 2026 15:23:59 +0200
Subject: [PATCH] chore(ci): remove remaining claude automation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Following on from #135, the rest of the Claude footprint goes too. The mention-gated claude.yaml worked in principle but I am not getting enough value out of it to justify the surface area, especially given the recent rate-limit pressure on the underlying subscription. The client-side dry-run script and its triage.md prompt have no consumer once the workflow is gone, so they go in the same commit. Coderabbit stays for PR review. The Claude GitHub App can be uninstalled from the repo at leisure — nothing in the tree depends on it any more.
---
.github/prompts/triage.md | 82 --------------------------------
.github/workflows/claude.yaml | 68 --------------------------
scripts/claude-triage-dry-run.sh | 75 -----------------------------
3 files changed, 225 deletions(-)
delete mode 100644 .github/prompts/triage.md
delete mode 100644 .github/workflows/claude.yaml
delete mode 100755 scripts/claude-triage-dry-run.sh
diff --git a/.github/prompts/triage.md b/.github/prompts/triage.md
deleted file mode 100644
index 5035d6c..0000000
--- a/.github/prompts/triage.md
+++ /dev/null
@@ -1,82 +0,0 @@
-You are triaging an issue on the `Oddly/elasticstack` repository — an Ansible
-collection that deploys Elasticsearch, Kibana, Logstash, Beats, and Fleet Server
-onto Linux hosts via molecule-tested roles. The project is maintained by one
-developer. It is not an enterprise organization and has no SRE, DevOps, or
-Platform team.
-
-Read the issue carefully. Then use the tools available to you (Read, Grep,
-Glob, git, gh) to ground-truth anything the issue claims about the codebase —
-role directories under `roles/`, molecule scenarios under `molecule/`, CI
-workflows under `.github/workflows/` or `.gitea/workflows/`, and module plugins
-under `plugins/modules/`. If the issue references a file, variable, or task
-name, confirm it exists before quoting it.
-
-Produce a single comment in Markdown with exactly these four sections, in this
-order, and nothing else:
-
-## Severity
-
-Start this section with exactly one of these four tokens, wrapped in
-backticks, with no bold, italics, quotes, period, or any other punctuation
-attached to the token itself:
-
-```text
-`critical` `high` `medium` `low`
-```
-
-After the backticked token, on the same line, an em-dash and a one-sentence
-justification grounded in concrete user-visible impact to people running
-this collection (deployment breakage, silent misconfiguration, security
-exposure, upgrade risk, test reliability, maintenance drag). Do not
-reference business continuity, SLAs, or compliance.
-
-Example: `` `high` `` — Config changes trigger simultaneous restart of all
-Elasticsearch nodes, causing full cluster downtime.
-
-## Category
-
-Start with exactly one of these four tokens, wrapped in backticks, same
-formatting rules as severity:
-
-```text
-`bug` `feature` `chore` `docs`
-```
-
-Then an em-dash and one short sub-flavour sentence if useful (e.g.
-"bug — molecule coverage gap", "chore — CI tuning"). No more.
-
-## Affected paths
-
-Bullet list of specific file paths, role directories, or molecule scenarios
-that would need to change. Verify each path exists. If the fix touches
-variables, name them. If you cannot locate the relevant code from the issue
-description, say "Code location not determined — needs investigation" and
-stop — do not guess.
-
-## Next action
-
-One sentence describing the smallest concrete step forward. Examples: "Add a
-`kibana_tls`-aware URL template in `roles/kibana/tasks/main.yml:152` and extend
-the `kibana_tls` molecule scenario's verify.yml to assert health-check success
-over HTTPS." Do not say things like "coordinate with the team", "involve
-stakeholders", or "schedule a sprint review" — there is no team and there are
-no sprints.
-
-## Hard rules
-
-- Do NOT invent personas like "DevOps Engineers", "Site Reliability Engineers",
- "Platform Engineers", "Release Managers", "Operations Teams", or "Security
- Team". One developer maintains this. Any section of a comment that lists
- affected "roles" in the personnel sense is wrong.
-- Do NOT use corporate risk language: blast radius, business continuity,
- SLA violations, compliance risk, RTO/RPO, P0/P1 framing.
-- Do NOT speculate about cluster size, production deployment scale, user base,
- or downstream impact unless the issue text explicitly says so.
-- Do NOT pad the comment with summary/rationale boilerplate. If the issue
- body already analyzes the problem well, acknowledge that and skip straight
- to the next action.
-- Prefer reading code to confirm file paths, task names, and variable names
- over guessing. When in doubt, grep.
-
-If the issue is obviously a duplicate, stale, or already fixed on main, say so
-in the `Next action` section instead of producing a full triage.
diff --git a/.github/workflows/claude.yaml b/.github/workflows/claude.yaml
deleted file mode 100644
index 090ce0d..0000000
--- a/.github/workflows/claude.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-name: 'Claude Code'
-
-# Mention-gated interactive workflow: @claude in an issue body, an issue
-# comment, a PR review comment, or a PR review fires Claude in free-form
-# mode. Pattern ported from norrietaylor/distillery .github/workflows/claude.yml
-# — kept deliberately close to the upstream shape so we get the benefit of
-# whatever Norrie tunes there over time.
-#
-# Paired with `claude-triage.yaml` which auto-triages issues the maintainer
-# opens, without requiring an explicit @claude mention. See that workflow's
-# `if:` gate for the author check.
-
-on:
- issue_comment:
- types: [created]
- pull_request_review_comment:
- types: [created]
- issues:
- types: [opened, assigned]
- pull_request_review:
- types: [submitted]
-
-# Suppress duplicate runs when @claude is mentioned multiple times in rapid
-# succession on the same issue/PR/comment thread. Cancels in-flight runs so
-# only the most recent invocation completes — keeps token spend bounded if
-# you accidentally double-ping.
-concurrency:
- group: claude-code-${{ github.event.issue.number || github.event.pull_request.number || github.event.comment.id || github.run_id }}
- cancel-in-progress: true
-
-jobs:
- claude:
- # Only Oddly can invoke Claude. The @claude mention is still required —
- # someone (only Oddly) has to explicitly ask — but on top of that the
- # actor check means anyone else dropping @claude in a comment, issue, or
- # review gets silently ignored. No LLM spend from drive-by mentions.
- if: |
- github.actor == 'Oddly' && (
- (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
- (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
- (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
- )
- # Self-hosted runners (incus-ci LXC 305) so @claude has access to the
- # internal lab network — gitea, distillery (LXC 800), and any other
- # 172.30.0.0/16 service. Distillery isn't auto-registered here because
- # the interactive workflow doesn't load a triage prompt; if you want
- # KB access in a free-form @claude session, mention it explicitly.
- runs-on: self-hosted
- permissions:
- contents: read
- pull-requests: read
- issues: read
- actions: read # Required for Claude to read CI results on PRs
- id-token: write # Required by anthropics/claude-code-action for OIDC auth
- steps:
- - name: Checkout repository
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- with:
- fetch-depth: 1
-
- - name: Run Claude Code
- id: claude
- uses: anthropics/claude-code-action@b47fd721da662d48c5680e154ad16a73ed74d2e0 # v1
- with:
- claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
- additional_permissions: |
- actions: read
diff --git a/scripts/claude-triage-dry-run.sh b/scripts/claude-triage-dry-run.sh
deleted file mode 100755
index 635a594..0000000
--- a/scripts/claude-triage-dry-run.sh
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/env bash
-# claude-triage-dry-run.sh — preview what the Claude: Triage workflow would
-# post on an issue, without touching it.
-#
-# Usage:
-# scripts/claude-triage-dry-run.sh
-# REPO=Oddly/elasticstack scripts/claude-triage-dry-run.sh 121
-#
-# Runs claude-code locally in print mode (-p) against the SAME prompt the
-# production workflow uses (.github/prompts/triage.md), seeded with the issue
-# metadata pulled from gh. Claude has read-only access to the repo and to gh
-# issue/search/api. It writes its proposed comment to stdout and exits.
-#
-# Nothing is posted to the issue. This is strictly a client-side preview.
-#
-# Requirements:
-# - claude CLI on PATH, authenticated (subscription or CLAUDE_CODE_OAUTH_TOKEN)
-# - gh CLI on PATH, authenticated for the target repo
-# - Run from inside a checkout of the repo (so Claude can grep/read files)
-
-set -euo pipefail
-
-issue_number="${1:?usage: $0 }"
-repo="${REPO:-Oddly/elasticstack}"
-
-script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
-repo_root="$(cd -- "$script_dir/.." && pwd)"
-prompt_file="$repo_root/.github/prompts/triage.md"
-
-if [[ ! -f "$prompt_file" ]]; then
- echo "error: prompt file not found at $prompt_file" >&2
- exit 1
-fi
-
-# Claude needs to read/grep the repo from its root for the triage to be
-# code-grounded. Anchor cwd here regardless of where the user invoked us.
-cd "$repo_root"
-
-command -v claude >/dev/null || { echo "error: claude CLI not on PATH" >&2; exit 1; }
-command -v gh >/dev/null || { echo "error: gh CLI not on PATH" >&2; exit 1; }
-
-issue_json=$(gh issue view "$issue_number" --repo "$repo" \
- --json number,title,body,labels,author,createdAt,state) \
- || { echo "error: could not fetch issue #$issue_number from $repo" >&2; exit 1; }
-
-# Build the same prompt the workflow builds, plus an explicit "dry run, do not
-# try to post" directive so claude doesn't attempt gh issue comment.
-prompt=$(mktemp)
-trap 'rm -f "$prompt"' EXIT
-{
- cat "$prompt_file"
- echo
- echo "Issue to triage: #$issue_number"
- echo
- echo "--- dry-run mode ---"
- echo "This is a client-side preview. Write the triage comment to stdout"
- echo "as plain Markdown. Do NOT invoke 'gh issue comment' or any other"
- echo "tool that would post to GitHub."
- echo
- echo "Issue metadata (from gh issue view --json):"
- echo '```json'
- echo "$issue_json"
- echo '```'
-} > "$prompt"
-
-echo "==> Dry-running triage for $repo#$issue_number" >&2
-echo "==> Prompt: $prompt_file" >&2
-echo "==> Claude will have read access to the repo and read-only gh/git tools." >&2
-echo "==> Nothing will be posted." >&2
-echo >&2
-
-claude -p \
- --model claude-sonnet-4-20250514 \
- --allowedTools 'Read,Grep,Glob,Bash(git:*),Bash(gh issue view:*),Bash(gh search:*),Bash(gh api repos/'"${repo}"'/contents/*)' \
- < "$prompt"