From c4ce0f516dbb0a87e98671f9e19c390295286c50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Wed, 7 Jan 2026 10:26:57 +0100
Subject: [PATCH 1/7] try using local workflow edition
---
 .github/workflows/review-code.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/review-code.yml b/.github/workflows/review-code.yml
index a48fdef..3be6c8b 100644
--- a/.github/workflows/review-code.yml
+++ b/.github/workflows/review-code.yml
@@ -10,7 +10,7 @@ permissions: {}
 jobs:
 review:
 name: Review
- uses: bitwarden/gh-actions/.github/workflows/_review-code.yml@main
+ uses: ./.github/workflows/_copy-review-code.yml
 secrets:
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
From 84c859600b3d4f1c73aa0be7347b6ca07593b361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Wed, 7 Jan 2026 11:02:35 +0100
Subject: [PATCH 2/7] local copy
---
 .github/workflows/_copy-review-code.yml | 124 ++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 .github/workflows/_copy-review-code.yml
diff --git a/.github/workflows/_copy-review-code.yml b/.github/workflows/_copy-review-code.yml
new file mode 100644
index 0000000..9b51711
--- /dev/null
+++ b/.github/workflows/_copy-review-code.yml
@@ -0,0 +1,124 @@
+name: Code Review
+
+on:
+ workflow_call:
+ secrets:
+ AZURE_SUBSCRIPTION_ID:
+ required: true
+ AZURE_TENANT_ID:
+ required: true
+ AZURE_CLIENT_ID:
+ required: true
+
+concurrency:
+ group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ check-permission:
+ name: Check permission
+ uses: bitwarden/gh-actions/.github/workflows/_check-permission.yml@main
+ with:
+ failure_mode: "skip"
+ require_permission: "write"
+ permissions:
+ contents: read
+
+ validation:
+ name: Validation
+ needs: check-permission
+ if: needs.check-permission.outputs.should_proceed == 'true'
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ pull-requests: read
+ outputs:
+ should_review: ${{ steps.validate.outputs.should_review }}
+
+ steps:
+ - name: Check for review label
+ id: check-label
+ env:
+ LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+ run: |
+ if echo "$LABELS" | grep -q '"ai-review"'; then
+ echo "label_present=true" >> "$GITHUB_OUTPUT"
+ echo "✅ Validation: 'ai-review' label found"
+ else
+ echo "label_present=false" >> "$GITHUB_OUTPUT"
+ echo "⚠️ Validation: 'ai-review' label not found - skipping Claude review"
+ fi
+
+ - name: Set validation result
+ id: validate
+ env:
+ LABEL_PRESENT: ${{ steps.check-label.outputs.label_present }}
+ run: |
+ if [ "$LABEL_PRESENT" == "true" ]; then
+ echo "should_review=true" >> "$GITHUB_OUTPUT"
+ echo "✅ Validation passed - code review will proceed"
+ else
+ echo "should_review=false" >> "$GITHUB_OUTPUT"
+ echo "⚠️ Validation failed - code review will be skipped"
+ fi
+
+ review:
+ name: Review
+ runs-on: ubuntu-24.04
+ needs: [check-permission, validation]
+ if: needs.check-permission.outputs.should_proceed == 'true' && needs.validation.outputs.should_review == 'true'
+ timeout-minutes: 15
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ pull-requests: write
+
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: true
+
+ - name: Log in to Azure
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+ - name: Get Azure Key Vault secrets
+ id: get-kv-secrets
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: gh-org-bitwarden
+ secrets: "ANTHROPIC-CODE-REVIEW-API-KEY"
+
+ - name: Log out from Azure
+ uses: bitwarden/gh-actions/azure-logout@main
+
+ - name: Review with Claude Code
+ timeout-minutes: 10
+ uses: anthropics/claude-code-action@0d1933529914177075d5bc3558ae3d047f188146 # v1.0.26
+ env:
+ USE_AGENT_SDK: "true"
+ USE_SIMPLE_PROMPT: "true"
+ with:
+ anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-CODE-REVIEW-API-KEY }}
+ allowed_bots: "bw-ghapp"
+ track_progress: true
+ use_sticky_comment: true
+ plugin_marketplaces: "https://github.com/bitwarden/ai-plugins.git"
+ plugins: "bitwarden-code-review@bitwarden-marketplace"
+ prompt: |
+ Use bitwarden-code-reviewer agent to review the currently checked out pull request changes.
+ The agent handles ALL GitHub interactions including the final summary comment.
+ **DO NOT** call mcp__github_comment__update_claude_comment after the agent completes.
+ After the agent completes, output only: "REVIEW COMPLETE"
+ claude_args: |
+ --verbose
+ --allowedTools "Read,Grep,Glob,Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(gh pr checks:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr review:--comment*),Bash(gh pr comment:*),Bash(gh api graphql*reviewThreads*-f owner=*-f repo=*-F pr=*:*),Bash(./scripts/get-review-threads.sh:*),mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Skill"
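Review bot: `persist-credentials: true` on the `Check out repo` step leaves the job's `GITHUB_TOKEN` in `.git/config` of a tree checked out at `github.event.pull_request.head.sha`, and the later `Review with Claude Code` step runs with `Read`/`Grep`/`Glob` in `--allowedTools`, so the agent can read a token that this job holds with `pull-requests: write`. No step in the hunk pushes, and the `gh` commands in the allow-list presumably take their token from the environment rather than from git config (confirm against the action), so `persist-credentials: false` looks safe here. `id-token: write` is job-scoped and therefore still in effect after `Log out from Azure` while the agent runs; if the Key Vault read cannot move to the caller or to its own job, a comment on the `permissions:` block should record why the agent job needs OIDC. The `bitwarden/gh-actions/...@main` references are mutable while `actions/checkout` and `claude-code-action` are SHA-pinned; pinning them the same way keeps this local copy reproducible.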
From d148dc314b7dc691152b789f81c36af76388a2d1 Mon Sep 17 00:00:00 2001
From: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
Date: Wed, 7 Jan 2026 10:36:24 +0000
Subject: [PATCH 3/7] Claude Code review requested
From 1ec5433271bad6acb8be09b61395ac8655bc199f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Wed, 7 Jan 2026 11:40:45 +0100
Subject: [PATCH 4/7] test using the users identity
---
 .github/workflows/trigger-ai-review.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/trigger-ai-review.yml b/.github/workflows/trigger-ai-review.yml
index 5c94721..9e4bdbd 100644
--- a/.github/workflows/trigger-ai-review.yml
+++ b/.github/workflows/trigger-ai-review.yml
@@ -18,8 +18,8 @@ jobs:
 github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-24.04
 env:
- _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com
- _BOT_NAME: bitwarden-devops-bot
+ _USER_EMAIL: ${{ github.event.sender.id }}+${{ github.event.sender.login }}@users.noreply.github.com
+ _USER_NAME: ${{ github.event.sender.login }}
 steps:
 - name: Log in to Azure
 uses: bitwarden/gh-actions/azure-login@main
@@ -68,9 +68,9 @@ jobs:
 }
 trap cleanup EXIT
- # Configure git user
- git config --local user.email "${_BOT_EMAIL}"
- git config --local user.name "${_BOT_NAME}"
+ # Configure git user (use the person who added the label)
+ git config --local user.email "${_USER_EMAIL}"
+ git config --local user.name "${_USER_NAME}"
 # Configure git credentials for push (needed because persist-credentials: false)
 # Use the same format as actions/checkout: Basic auth with base64-encoded x-access-token
From b1eb8aeb33539b9b6c2a95993a9af899f24f2142 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Wed, 7 Jan 2026 11:44:11 +0100
Subject: [PATCH 5/7] Revert "test using the users identity"
This reverts commit 1ec5433271bad6acb8be09b61395ac8655bc199f.
---
 .github/workflows/trigger-ai-review.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/trigger-ai-review.yml b/.github/workflows/trigger-ai-review.yml
index 9e4bdbd..5c94721 100644
--- a/.github/workflows/trigger-ai-review.yml
+++ b/.github/workflows/trigger-ai-review.yml
@@ -18,8 +18,8 @@ jobs:
 github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-24.04
 env:
- _USER_EMAIL: ${{ github.event.sender.id }}+${{ github.event.sender.login }}@users.noreply.github.com
- _USER_NAME: ${{ github.event.sender.login }}
+ _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com
+ _BOT_NAME: bitwarden-devops-bot
 steps:
 - name: Log in to Azure
 uses: bitwarden/gh-actions/azure-login@main
@@ -68,9 +68,9 @@ jobs:
 }
 trap cleanup EXIT
- # Configure git user (use the person who added the label)
- git config --local user.email "${_USER_EMAIL}"
- git config --local user.name "${_USER_NAME}"
+ # Configure git user
+ git config --local user.email "${_BOT_EMAIL}"
+ git config --local user.name "${_BOT_NAME}"
 # Configure git credentials for push (needed because persist-credentials: false)
 # Use the same format as actions/checkout: Basic auth with base64-encoded x-access-token
From 2359ba7b32d4f678bb4b4027694ad665000324c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20=C3=85berg?=
Date: Wed, 7 Jan 2026 11:45:12 +0100
Subject: [PATCH 6/7] circumvent check permission for this user.
---
 .github/workflows/_copy-review-code.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/_copy-review-code.yml b/.github/workflows/_copy-review-code.yml
index 9b51711..0a30c95 100644
--- a/.github/workflows/_copy-review-code.yml
+++ b/.github/workflows/_copy-review-code.yml
@@ -29,7 +29,7 @@ jobs:
 validation:
 name: Validation
 needs: check-permission
- if: needs.check-permission.outputs.should_proceed == 'true'
+ if: needs.check-permission.outputs.should_proceed == 'true' || github.actor == 'bw-ghapp[bot]'
 runs-on: ubuntu-24.04
 permissions:
 contents: read
@@ -68,7 +68,7 @@ jobs:
 name: Review
 runs-on: ubuntu-24.04
 needs: [check-permission, validation]
- if: needs.check-permission.outputs.should_proceed == 'true' && needs.validation.outputs.should_review == 'true'
+ if: (needs.check-permission.outputs.should_proceed == 'true' || github.actor == 'bw-ghapp[bot]') && needs.validation.outputs.should_review == 'true'
 timeout-minutes: 15
 permissions:
 actions: read
From 7e3f01870d14a658fca302661ea191fb3ccdb0fd Mon Sep 17 00:00:00 2001
From: bitwarden-devops-bot <106330231+bitwarden-devops-bot@users.noreply.github.com>
Date: Wed, 7 Jan 2026 10:48:21 +0000
Subject: [PATCH 7/7] Claude Code review requested
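Review bot: The `|| github.actor == 'bw-ghapp[bot]'` clause added to the `validation` job's `if:` (and again to the `review` job's `if:` in the second hunk of this file) hardcodes a bypass of the `check-permission` gate without saying why that gate fails for the app or what still bounds it; presumably `_check-permission` has no collaborator permission level to look up for an App installation — confirm. Whatever the reason, it belongs on the line, e.g. `# bw-ghapp[bot] is a GitHub App and cannot be resolved by check-permission; it only acts on PRs already gated by trigger-ai-review.yml` (wording to be confirmed against that workflow). With the bypass in place the only remaining condition for spending the API key and running the agent on `pull_request.head.sha` with `pull-requests: write` is the `ai-review` label, so whatever can make the app trigger this workflow becomes the effective gate. Folding the exemption into `_check-permission`'s `should_proceed` output (or one small job in this file) instead of two hand-maintained `if:` expressions would keep the `validation` and `review` conditions from drifting apart.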