feat: GitHub Actions for review, guardrails, and orchestration #33
Merged
Add config.yaml with guardrail settings and re-review cycle cap, task.yml and review-finding.yml issue form templates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Five guardrail checks as independent GitHub Actions workflows:
- Scope enforcement: flags files changed outside task scope
- Test-to-code ratio: enforces configurable test line threshold
- Dependency changes: detects unjustified new dependencies
- API surface changes: language-aware export/route detection
- Commit messages: conventional commit format validation
Each uses Check Run API with approval override support.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Workflow triggers on PR review submission, parses comments, creates child issues with severity labels, links as sub-issues, and sets blocking dependencies for critical findings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Three parallel reviewer agents (correctness, tests, architecture) triggered on PR open/sync via claude -p. Shared context resolution job parses Fixes #N. Supports workflow_dispatch for re-triggering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Gates PR merges by evaluating blocking sub-issues, running claude-based re-review assessments with configurable cycle cap, and triggering pr-review.yml when re-review is warranted. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
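The merge gate described in this commit, as an added example (this is not the project's orchestrator-check.js): it blocks on open sub-issues carrying a blocking severity label and stops requesting re-review once the cycle cap is reached. The `severity:` label prefix, the `<!-- re-review-cycle -->` marker comment used to count completed cycles, and the simple "re-review while under the cap" rule standing in for the Claude-based assessment are all assumptions made here; the sample issues and comments are constructed.

```javascript
// Added example, not the project's own code. Decides whether a PR may merge
// from the state of its sub-issues and how many re-review cycles have run.

// Configurable cap, read from the workflow env: block like the real workflows.
const RE_REVIEW_CYCLE_CAP = Number(process.env.RE_REVIEW_CYCLE_CAP ?? 3);

// Only critical findings block merge (assumption: label format "severity:<level>").
const BLOCKING_SEVERITIES = new Set(['critical']);
const CYCLE_MARKER = '<!-- re-review-cycle -->'; // assumed marker left by each re-review

function severityOf(issue) {
  const label = issue.labels.find((l) => l.startsWith('severity:'));
  return label ? label.slice('severity:'.length) : null;
}

// Open sub-issues whose severity is in the blocking set.
function openBlockers(subIssues) {
  return subIssues.filter(
    (i) => i.state === 'open' && BLOCKING_SEVERITIES.has(severityOf(i)),
  );
}

// Count completed re-review cycles from marker comments on the PR.
function countReReviewCycles(comments) {
  return comments.filter((c) => c.body.includes(CYCLE_MARKER)).length;
}

function decideMerge({ subIssues, comments, cap = RE_REVIEW_CYCLE_CAP }) {
  const blockers = openBlockers(subIssues);
  const cycles = countReReviewCycles(comments);
  if (blockers.length === 0) {
    return { conclusion: 'success', reReview: false, cycles, blockers: [] };
  }
  // Blocked: ask for another review round only while under the cap. Past the
  // cap the check fails closed and leaves the remaining findings to a human,
  // so a stuck agent loop cannot spin forever.
  const reReview = cycles < cap;
  return {
    conclusion: 'failure',
    reReview,
    cycles,
    blockers: blockers.map((b) => b.number),
  };
}

// Constructed sample: one open critical finding, one open minor finding,
// and one completed re-review cycle.
const SAMPLE_SUB_ISSUES = [
  { number: 41, state: 'open', labels: ['severity:critical'] },
  { number: 42, state: 'open', labels: ['severity:minor'] },
];
const SAMPLE_COMMENTS = [{ body: `${CYCLE_MARKER} round 1 complete` }];

console.log(decideMerge({ subIssues: SAMPLE_SUB_ISSUES, comments: SAMPLE_COMMENTS, cap: 3 }));
```

With the sample above the gate reports `failure` with `reReview: true`; with three marker comments already present it still fails but no longer requests another cycle.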
163 tests covering all workflow files:
- Python tests for test-ratio, human-review, and pr-review workflows
- Shell tests for scope and commit-message guardrails
- YAML syntax, structural, and logic validation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The scope enforcement guardrail was only extracting file paths from the parent issue body. In practice, file paths are listed in child task issues created during planning. Now queries all sub-issues via GraphQL and collects file paths from parent + children. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
actions/github-script@v7 does not include js-yaml, causing both the dependency-changes and test-ratio guardrails to crash with "Cannot find module 'js-yaml'". Replace with simple line-based config parsing matching the pattern used by the scope guardrail. Also fixes the dependency-changes config path which was reading from a top-level key instead of under the guardrails: section. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace manual `npm install && claude -p` with anthropics/claude-code-action@v1. Slim reviewer prompts to just pass context (base branch, parent issue) and point at skill files — the skills already contain the full review process, severity labels, and issue filing instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
claude-code-action with CLAUDE_CODE_OAUTH_TOKEN needs id-token:write to fetch an OIDC token for authentication. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements #37: Created 10 shared library modules in .github/agent-workflow/scripts/lib/ with comprehensive test suites. Each module exports pure functions for common workflow logic:
- config.js: Parse guardrail YAML configuration
- approval.js: Check for non-stale PR approvals
- fixes-parser.js: Extract Fixes #N references
- file-patterns.js: Test/code/dependency file detection
- commit-validator.js: Conventional commit validation
- scope-matcher.js: File path extraction and scope matching
- api-patterns.js: API surface change detection
- patch-parser.js: Unified diff line number parsing
- severity.js: Review comment severity detection
- pr-body.js: Idempotent PR body section replacement

Implements #38: Extracted inline JavaScript from 8 workflow files into standalone scripts:
- guardrail-scope.js, guardrail-test-ratio.js, guardrail-dependencies.js
- guardrail-commits.js, guardrail-api-surface.js
- orchestrator-check.js, human-review.js, pr-context.js

Also added Node.js LTS to devcontainer for test execution.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated remaining 6 workflow YAML files to use extracted scripts:
- guardrail-dependencies.yml → guardrail-dependencies.js
- guardrail-commits.yml → guardrail-commits.js
- guardrail-api-surface.yml → guardrail-api-surface.js
- orchestrator-check.yml → orchestrator-check.js
- human-review.yml → human-review.js
- pr-review.yml → pr-context.js
All 8 workflows now use thin YAML shells that require() standalone scripts, eliminating 1,800+ lines of duplicated inline JavaScript.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Created tests/validate-workflows.js with 11 tests for YAML structure validation
- Moved lib module tests from .github/agent-workflow/scripts/lib/ to tests/lib/ with updated import paths (52 tests total for lib modules)
- Deleted old Python and shell tests that only did keyword grep validation
- Added package-lock.json from npm install
- Updated .gitignore to exclude node_modules

Test results: 51/53 passing (2 failing tests reveal pre-existing bugs in lib modules)

Total test coverage: 53 tests
- 11 workflow structure validation tests
- 42 lib module unit tests
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Added .github/workflows/ci.yml that:
- Runs on PRs and pushes to main
- Sets up Node.js LTS with npm cache
- Installs dependencies and runs npm test
- Reports test results

Note: This CI workflow is specific to the agent-workflow repo itself and should NOT be copied to target repos when install.sh is created. The installer should exclude:
- .github/workflows/ci.yml
- tests/
- root package.json and package-lock.json
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- file-patterns: Fix isTestFile to match paths starting with "tests/"
  Changed /(^|\/)tests?\// to match "tests/" at start of path or after slash
- fixes-parser: Make regex truly case-insensitive using /i flag
  Changed /[Ff]ixes/ to /fixes/gi for proper case-insensitive matching

Fixes the 2 failing tests in the CI (now 53/53 passing)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The resolve-context job was trying to require() the pr-context.js script without checking out the repository first, causing MODULE_NOT_FOUND errors. Added checkout step with sparse-checkout for .github/agent-workflow to the resolve-context job so the script file is available. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Enables issue scope definitions to use glob patterns (* and **):
- Single wildcard (*) matches files in same directory
- Double wildcard (**) matches files recursively
- Examples: `lib/*.js`, `.github/**/*.yml`

Implementation:
- Updated extractFilePaths() to capture glob patterns
- Added globToRegex() converter with placeholder approach to avoid regex conflicts during pattern replacement
- Enhanced isInScope() to detect and match glob patterns
- Added 7 comprehensive tests for glob functionality

Also fixes guardrail-test-ratio to count test files in addition to code files for accurate line totals.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
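The scope pipeline these commits describe, end to end, as an added example (this is not the project's pr-context.js or scope-matcher.js): resolve the parent issue from a case-insensitive `Fixes #N` in the PR body, collect file paths and globs from the parent issue plus its sub-issues, and flag changed files outside that scope. The GraphQL sub-issue query is replaced by a constructed in-memory issue table; the backtick-quoted path syntax, the exact-match rule for non-glob entries, and the one-level sub-issue walk are assumptions. The placeholder step in `globToRegex` is the point worth noting: wildcards are swapped out before regex metacharacters are escaped, so a literal `.` in `.github` cannot turn into "any character".

```javascript
// Added example, not the project's own code. Scope guardrail logic over
// constructed data; no GitHub API calls are made.

// Constructed sample: PR body plus a parent issue with two child task issues.
const PR_BODY = 'Implements the scope guardrail.\n\nfixes #12\n';
const ISSUES = {
  12: { body: 'Parent task. Touch only `.github/agent-workflow/**/*.js`.', subIssues: [40, 41] },
  40: { body: 'Add `tests/lib/scope-matcher.test.js`', subIssues: [] },
  41: { body: 'Update `package.json` and `lib/*.js`', subIssues: [] },
};
const CHANGED = [
  '.github/agent-workflow/scripts/lib/scope-matcher.js',
  'tests/lib/scope-matcher.test.js',
  'package.json',
  'lib/sub/deep.js',
  'README.md',
];

// Case-insensitive "Fixes #N" parser (the /gi fix from the earlier commit).
function parseFixes(body) {
  const re = /\bfixes\s+#(\d+)/gi;
  const nums = [];
  let m;
  while ((m = re.exec(body)) !== null) nums.push(Number(m[1]));
  return nums;
}

// Assumed convention: scope entries are backtick-quoted tokens containing a
// slash or a dot, possibly with * wildcards.
function extractFilePaths(body) {
  const re = /`([\w.\-*\/]+)`/g;
  const out = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    if (m[1].includes('/') || m[1].includes('.')) out.push(m[1]);
  }
  return out;
}

// Parent + direct sub-issues (one level; recursion would be an extension).
function collectScope(issueNumber, issues) {
  const parent = issues[issueNumber];
  if (!parent) return [];
  const bodies = [parent.body, ...parent.subIssues.map((n) => issues[n]?.body ?? '')];
  return [...new Set(bodies.flatMap(extractFilePaths))];
}

// Glob -> anchored RegExp. Wildcards become private placeholders first, then
// the literal text is escaped, then placeholders become regex fragments. Doing
// the escape in between means "*" is never escaped and "." is never left live.
function globToRegex(glob) {
  let s = glob
    .replace(/\*\*\//g, '\u0001') // "**/" : zero or more directories
    .replace(/\*\*/g, '\u0002')   // "**"  : anything, including slashes
    .replace(/\*/g, '\u0003');    // "*"   : anything within one segment
  s = s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  s = s
    .replace(/\u0001/g, '(?:.*/)?')
    .replace(/\u0002/g, '.*')
    .replace(/\u0003/g, '[^/]*');
  return new RegExp('^' + s + '$');
}

function isInScope(file, scope) {
  return scope.some((p) => (p.includes('*') ? globToRegex(p).test(file) : p === file));
}

// Check Run style outcome: no parent issue is reported as neutral rather than
// success, so a PR without "Fixes #N" is visibly unverified instead of green.
function runGuardrail(prBody, changedFiles, issues) {
  const [parent] = parseFixes(prBody);
  if (parent === undefined) {
    return { conclusion: 'neutral', reason: 'no Fixes #N in PR body', scope: [], violations: [] };
  }
  const scope = collectScope(parent, issues);
  const violations = changedFiles.filter((f) => !isInScope(f, scope));
  return { conclusion: violations.length ? 'failure' : 'success', scope, violations };
}

console.log(JSON.stringify(runGuardrail(PR_BODY, CHANGED, ISSUES), null, 2));
```

On the sample data `lib/sub/deep.js` is flagged because `lib/*.js` does not cross a directory boundary, and `README.md` because nothing in the parent or child issues names it; the file under `.github/agent-workflow/scripts/lib/` passes through the `**/` glob.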
Both workflows were missing the initial checkout step, causing MODULE_NOT_FOUND errors when trying to require the script files. Added sparse-checkout for .github/agent-workflow to both workflows. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove the separate config.yaml configuration file and config.js parser. Configuration now lives directly in each workflow file's env: block (CONCLUSION, THRESHOLD, RE_REVIEW_CYCLE_CAP). To disable a guardrail, delete its workflow file. Also change approval-override conclusion from success to neutral so overridden checks remain visibly flagged in the checks tab. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace custom regex-based commit validation with industry-standard @commitlint/config-conventional. Reduces maintenance burden and provides better error messages.

Changes:
- Use commitlint CLI in workflow instead of custom JS
- Add commitlint.config.js extending conventional preset
- Remove guardrail-commits.js and commit-validator.js
- Remove commit-validator.test.js
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove insecure keyword-matching bypass logic. Any dependency file modification now requires human review via PR approval. The previous implementation allowed bypassing the check by including words like "introduced" anywhere in the PR description, providing false security. This change makes the guardrail honest and effective. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
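The bypass this commit removes, beside the approval-gated check that replaces it, as an added example (not the project's guardrail-dependencies.js or approval.js). The keyword list, the dependency-file patterns and the sample PR are constructed; the review objects carry the `state` and `commit_id` fields that the GitHub pull-request reviews API returns, and "non-stale" is taken to mean the approval's `commit_id` equals the current head SHA. The overridden outcome is reported as `neutral`, following the later commit that keeps overridden checks visible.

```javascript
// Added example, not the project's own code. Dependency-change guardrail:
// the insecure keyword bypass versus a gate on a non-stale human approval.

// Assumed set of dependency manifests / lockfiles.
const DEP_FILES = [
  /(^|\/)package(-lock)?\.json$/,
  /(^|\/)(pnpm-lock\.yaml|yarn\.lock)$/,
  /(^|\/)requirements[\w.-]*\.txt$/,
  /(^|\/)go\.(mod|sum)$/,
  /(^|\/)Cargo\.(toml|lock)$/,
];

function isDependencyFile(path) {
  return DEP_FILES.some((re) => re.test(path));
}

// BEFORE (the removed logic): a dependency change counts as "justified" if a
// keyword appears anywhere in the PR body. The PR author controls the body,
// so this is a self-issued exemption, not a control.
const JUSTIFY_WORDS = ['introduced', 'new dependency', 'added dependency'];
function insecureDecision(changedFiles, prBody) {
  const depChanges = changedFiles.filter(isDependencyFile);
  if (depChanges.length === 0) return 'success';
  const justified = JUSTIFY_WORDS.some((w) => prBody.toLowerCase().includes(w));
  return justified ? 'success' : 'failure';
}

// AFTER: only an APPROVED review on the current head SHA satisfies the check.
// A push after approval changes the head SHA and re-flags the PR, so an
// approval cannot be "banked" and then followed by a manifest change.
function hasNonStaleApproval(reviews, headSha) {
  // Latest non-comment review per user wins, so a later CHANGES_REQUESTED
  // supersedes that user's earlier APPROVED.
  const latest = new Map();
  for (const r of reviews) {
    if (r.state !== 'COMMENTED') latest.set(r.user, r);
  }
  return [...latest.values()].some(
    (r) => r.state === 'APPROVED' && r.commit_id === headSha,
  );
}

function gatedDecision(changedFiles, reviews, headSha) {
  const depChanges = changedFiles.filter(isDependencyFile);
  if (depChanges.length === 0) return { conclusion: 'success', depChanges };
  const approved = hasNonStaleApproval(reviews, headSha);
  return { conclusion: approved ? 'neutral' : 'failure', depChanges };
}

// Constructed sample: the body contains "introduced", and the only approval
// was given on an earlier commit than the current head.
const HEAD = 'a1b2c3d4';
const FILES = ['src/index.js', 'package.json'];
const BODY = 'Refactor startup. This PR also introduced a small helper.';
const REVIEWS = [
  { user: 'alice', state: 'APPROVED', commit_id: '0ldc0mm1t' },
  { user: 'bob', state: 'COMMENTED', commit_id: HEAD },
];

console.log('before:', insecureDecision(FILES, BODY));                 // success (bypassed)
console.log('after :', gatedDecision(FILES, REVIEWS, HEAD).conclusion); // failure
```

The same inputs pass the old check and fail the new one; moving Alice's approval to the head SHA turns the new result into `neutral`, and a subsequent `CHANGES_REQUESTED` from her turns it back into `failure`.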
Delete workflow that auto-converted PR comments to issues. This created issue spam and duplicate tracking. Human review comments should be addressed directly by /work, not converted to separate issues. Next: integrate PR comment handling into coordinator/implementer skills with auto-resolution when comments are addressed. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Summary
Test plan
Fixes #3
Fixes #16
Fixes #17
Fixes #18
Fixes #19
Fixes #20
Fixes #21
Fixes #22
Fixes #23
Fixes #30
Fixes #37
Fixes #38
Fixes #39