Skip to content

ci: wire Claude + Gemini AI review (ai-review-prompts callers)#701

Open
heskew wants to merge 1 commit into
mainfrom
ci/ai-review-wiring
Open

ci: wire Claude + Gemini AI review (ai-review-prompts callers)#701
heskew wants to merge 1 commit into
mainfrom
ci/ai-review-wiring

Conversation

@heskew

@heskew heskew commented Jul 10, 2026

Copy link
Copy Markdown
Member

What

Wires @harperfast/rocksdb-js into the AI review pipeline — the Phase-1 expansion target from the 07-02 retro (52 PRs/30d, highest risk-per-line of the candidate repos). Three thin callers of the ai-review-prompts reusables, pinned to main 1255f2e (#72 — the repo-type/native-addon layer written for this repo):

  • claude-review.yml — layers: universal + repo-type/native-addon; repo-specific checks for the pnpm/oxlint/oxfmt toolchain, vendored-RocksDB bumps, the three-runtime-deps bar, and the harper-core consumer coupling (MaybePromise / key-encoding changes need a core reference).
  • gemini-review.yml — mirrors the Claude caller; opt-in via gemini-review label unless GEMINI_ALWAYS_ON=true.
  • validate-caller-workflows.yml — SHA-pin + shadow-job guard.

Already done outside this PR: repo:rocksdb-js label in ai-review-log; claude-review / gemini-review labels here.

Setup needed on merge (repo settings — can't be done from a PR)

  1. Secrets: add ANTHROPIC_API_KEY (required); GEMINI_API_KEY + AI_REVIEW_LOG_TOKEN (optional — missing keys skip cleanly; the log token reuses the existing fine-grained PAT). Add this repo to the visibility list of the org-level HARPERFAST_AI_CLIENT_ID / HARPERFAST_AI_APP_PRIVATE_KEY secrets.
  2. Variable: set CLAUDE_ALWAYS_ON=true to auto-review trusted-author PRs (or leave unset for label-only opt-in while calibrating).
  3. Required check: make validate / validate a required status check on main.
  4. ai-review-log README "Reviewed repos" table — follow-up PR there once this lands.

Note: the Claude review check on this PR will fail with the expected "workflow file must match default branch" guard (it always does on PRs that introduce the caller workflows — claude-code-action's anti-tamper). Ignore it; it clears after merge.


🤖 Generated with Claude Code

Adds the three thin caller workflows from the HarperFast/ai-review-prompts
reusable set, pinned to main 1255f2e (#72, which added the
repo-type/native-addon layer written for this repo):

- claude-review.yml — layers: universal + repo-type/native-addon, plus
  repo-specific checks (pnpm/oxlint/oxfmt toolchain, no build tolerance,
  vendored-RocksDB bump handling, three-runtime-deps bar, harper-core
  consumer coupling).
- gemini-review.yml — mirrors the Claude caller (opt-in via label unless
  GEMINI_ALWAYS_ON).
- validate-caller-workflows.yml — SHA-pin + shadow-job guard; make the
  `validate` job a required check on main.

Reviews post on the PR and log to HarperFast/ai-review-log (label
repo:rocksdb-js, already created) once AI_REVIEW_LOG_TOKEN is set.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@heskew heskew requested review from cb1kenobi and kriszyp as code owners July 10, 2026 22:36
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@github-actions

Copy link
Copy Markdown
Contributor

📊 Benchmark Results

get-sync.bench.ts

getSync() > random keys - small key size (100 records)

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 lmdb 1 23.71K ops/sec 42.18 40.40 2,133.098 0.144 118,526
🥈 rocksdb 2 11.94K ops/sec 83.74 81.97 4,736.87 0.189 59,711

getSync() > sequential keys - small key size (100 records)

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 lmdb 1 28.02K ops/sec 35.69 34.47 583.718 0.107 140,100
🥈 rocksdb 2 11.47K ops/sec 87.17 84.69 714.686 0.051 57,358

ranges.bench.ts

getRange() > small range (100 records, 50 range)

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 lmdb 1 25.59K ops/sec 39.07 35.86 2,290.442 0.280 127,960
🥈 rocksdb 2 17.08K ops/sec 58.54 50.69 2,096.416 0.146 85,409

realistic-load.bench.ts

Realistic write load with workers > write variable records with transaction log

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 rocksdb 1 450.23 ops/sec 2,221.109 107.597 58,018.025 11.03 901
🥈 lmdb 2 26.21 ops/sec 38,153.324 392.619 1,209,554.997 136.403 64.00

transaction-log.bench.ts

Transaction log > read 100 iterators while write log with 100 byte records

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 rocksdb 1 35.61K ops/sec 28.08 13.60 13,481.69 0.557 178,052
🥈 lmdb 2 440.93 ops/sec 2,267.919 77.16 24,617.156 1.47 2,205

Transaction log > read one entry from random position from log with 1000 100 byte records

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 rocksdb 1 714.82K ops/sec 1.40 1.22 487.715 0.066 3,574,123
🥈 lmdb 2 470.95K ops/sec 2.12 1.07 7,649.912 0.454 2,354,769

worker-put-sync.bench.ts

putSync() > random keys - small key size (100 records, 10 workers)

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 rocksdb 1 848.86 ops/sec 1,178.049 1,003.936 2,054.794 0.290 1,698
🥈 lmdb 2 1.15 ops/sec 872,231.751 803,985.895 933,826.821 2.97 10.00

worker-transaction-log.bench.ts

Transaction log with workers > write log with 100 byte records

Implementation Rank Operations/sec Mean (ms) Min (ms) Max (ms) RME (%) Samples
🥇 rocksdb 1 20.80K ops/sec 48.08 30.59 983.912 0.519 41,601
🥈 lmdb 2 807.22 ops/sec 1,238.822 248.315 13,981.544 5.51 1,616

Results from commit ccab293

# Note: the `claude-review` label name is matched there too —
# `_claude-review.yml`'s authorize `if:`, not in this caller.
if: ${{ vars.CLAUDE_ALWAYS_ON == 'true' || github.event.action == 'labeled' }}
uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@1255f2e155e2202992508034d21b421fa99d14be # main 2026-07-10 (#72 native-addon layer; on 9cf49d2 = #70 calibration + #71 prompt-ref tracking)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High: review job grants the reusable no permissions; id-token: write will be missing and claude-code-action will fail

This job delegates to _claude-review.yml, whose review job declares contents: read + pull-requests: write + id-token: write (the last commented "required by claude-code-action even with API-key auth"). A reusable workflow's per-job permissions are capped by the caller's grant, and with no permissions: block here the ceiling is the repo default GITHUB_TOKEN. id-token: write is never included in the default token — regardless of the org's read vs read/write default — so the OIDC token can't be minted and claude-code-action fails at startup. gemini-review.yml in this same PR declares this block (lines 62-65); this caller is missing it. Add the union to the review job:

  review:
    if: ${{ vars.CLAUDE_ALWAYS_ON == 'true' || github.event.action == 'labeled' }}
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@1255f2e155e2202992508034d21b421fa99d14be


Generated by Barber AI

# write` + `id-token: write`) jobs declare.
permissions:
contents: read
pull-requests: write

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium: this caller is outside the validator's scope — the shadow-job / mutable-ref guard does not cover it

validate-caller-workflow.sh (ai-review-prompts@1255f2e) globs only .github/workflows/claude-*.yml (files=(.github/workflows/claude-*.yml) and bails with "No claude-*.yml caller workflows found" otherwise). This new caller grants pull-requests: write and delegates to a reusable, but it will never be checked by the fail-closed shadow-job / SHA-pin validator that validate-caller-workflows.yml runs as the required validate check. A later edit that adds a non-uses: shadow job (running with this pull-requests: write grant, bypassing the reusable's auth gate) or downgrades the @<sha> pin to a mutable ref would still pass validate green — exactly the escalation the validator exists to stop. Extend the validator glob upstream to cover the gemini caller (e.g. {claude,gemini}-*.yml), or track a follow-up before making validate the required guard.


Generated by Barber AI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants