ci: wire Claude + Gemini AI review (ai-review-prompts callers)#701
ci: wire Claude + Gemini AI review (ai-review-prompts callers)#701heskew wants to merge 1 commit into
Conversation
Adds the three thin caller workflows from the HarperFast/ai-review-prompts reusable set, pinned to main 1255f2e (#72, which added the repo-type/native-addon layer written for this repo): - claude-review.yml — layers: universal + repo-type/native-addon, plus repo-specific checks (pnpm/oxlint/oxfmt toolchain, no build tolerance, vendored-RocksDB bump handling, three-runtime-deps bar, harper-core consumer coupling). - gemini-review.yml — mirrors the Claude caller (opt-in via label unless GEMINI_ALWAYS_ON). - validate-caller-workflows.yml — SHA-pin + shadow-job guard; make the `validate` job a required check on main. Reviews post on the PR and log to HarperFast/ai-review-log (label repo:rocksdb-js, already created) once AI_REVIEW_LOG_TOKEN is set. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
📊 Benchmark Resultsget-sync.bench.tsgetSync() > random keys - small key size (100 records)
getSync() > sequential keys - small key size (100 records)
ranges.bench.tsgetRange() > small range (100 records, 50 range)
realistic-load.bench.tsRealistic write load with workers > write variable records with transaction log
transaction-log.bench.tsTransaction log > read 100 iterators while write log with 100 byte records
Transaction log > read one entry from random position from log with 1000 100 byte records
worker-put-sync.bench.tsputSync() > random keys - small key size (100 records, 10 workers)
worker-transaction-log.bench.tsTransaction log with workers > write log with 100 byte records
Results from commit ccab293 |
| # Note: the `claude-review` label name is matched there too — | ||
| # `_claude-review.yml`'s authorize `if:`, not in this caller. | ||
| if: ${{ vars.CLAUDE_ALWAYS_ON == 'true' || github.event.action == 'labeled' }} | ||
| uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@1255f2e155e2202992508034d21b421fa99d14be # main 2026-07-10 (#72 native-addon layer; on 9cf49d2 = #70 calibration + #71 prompt-ref tracking) |
There was a problem hiding this comment.
High: review job grants the reusable no permissions; id-token: write will be missing and claude-code-action will fail
This job delegates to _claude-review.yml, whose review job declares contents: read + pull-requests: write + id-token: write (the last commented "required by claude-code-action even with API-key auth"). A reusable workflow's per-job permissions are capped by the caller's grant, and with no permissions: block here the ceiling is the repo default GITHUB_TOKEN. id-token: write is never included in the default token — regardless of the org's read vs read/write default — so the OIDC token can't be minted and claude-code-action fails at startup. gemini-review.yml in this same PR declares this block (lines 62-65); this caller is missing it. Add the union to the review job:
review:
if: ${{ vars.CLAUDE_ALWAYS_ON == 'true' || github.event.action == 'labeled' }}
permissions:
contents: read
pull-requests: write
id-token: write
uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@1255f2e155e2202992508034d21b421fa99d14be—
Generated by Barber AI
| # write` + `id-token: write`) jobs declare. | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
There was a problem hiding this comment.
Medium: this caller is outside the validator's scope — the shadow-job / mutable-ref guard does not cover it
validate-caller-workflow.sh (ai-review-prompts@1255f2e) globs only .github/workflows/claude-*.yml (files=(.github/workflows/claude-*.yml) and bails with "No claude-*.yml caller workflows found" otherwise). This new caller grants pull-requests: write and delegates to a reusable, but it will never be checked by the fail-closed shadow-job / SHA-pin validator that validate-caller-workflows.yml runs as the required validate check. A later edit that adds a non-uses: shadow job (running with this pull-requests: write grant, bypassing the reusable's auth gate) or downgrades the @<sha> pin to a mutable ref would still pass validate green — exactly the escalation the validator exists to stop. Extend the validator glob upstream to cover the gemini caller (e.g. {claude,gemini}-*.yml), or track a follow-up before making validate the required guard.
—
Generated by Barber AI
What
Wires @harperfast/rocksdb-js into the AI review pipeline — the Phase-1 expansion target from the 07-02 retro (52 PRs/30d, highest risk-per-line of the candidate repos). Three thin callers of the ai-review-prompts reusables, pinned to main
1255f2e(#72 — therepo-type/native-addonlayer written for this repo):universal+repo-type/native-addon; repo-specific checks for the pnpm/oxlint/oxfmt toolchain, vendored-RocksDB bumps, the three-runtime-deps bar, and the harper-core consumer coupling (MaybePromise / key-encoding changes need a core reference).gemini-reviewlabel unlessGEMINI_ALWAYS_ON=true.Already done outside this PR:
repo:rocksdb-jslabel in ai-review-log;claude-review/gemini-reviewlabels here.Setup needed on merge (repo settings — can't be done from a PR)
ANTHROPIC_API_KEY(required);GEMINI_API_KEY+AI_REVIEW_LOG_TOKEN(optional — missing keys skip cleanly; the log token reuses the existing fine-grained PAT). Add this repo to the visibility list of the org-levelHARPERFAST_AI_CLIENT_ID/HARPERFAST_AI_APP_PRIVATE_KEYsecrets.CLAUDE_ALWAYS_ON=trueto auto-review trusted-author PRs (or leave unset for label-only opt-in while calibrating).validate / validatea required status check onmain.Note: the Claude review check on this PR will fail with the expected "workflow file must match default branch" guard (it always does on PRs that introduce the caller workflows — claude-code-action's anti-tamper). Ignore it; it clears after merge.
🤖 Generated with Claude Code