Wire Shield modules to CLI with signing, LLM, and session support #22
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Claude PR Review | |
| on: | |
| pull_request: | |
| types: [opened, synchronize] | |
| branches: [main] | |
| concurrency: | |
| group: pr-review-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| jobs: | |
| review: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get PR diff | |
| id: diff | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| DIFF=$(gh pr diff ${{ github.event.pull_request.number }} | head -c 122880) | |
| echo "$DIFF" > /tmp/pr-diff.txt | |
| - name: Claude review | |
| id: review | |
| env: | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| run: | | |
| if [ -z "$ANTHROPIC_API_KEY" ]; then | |
| echo "ANTHROPIC_API_KEY not set" | |
| echo "verdict=SKIP" >> "$GITHUB_OUTPUT" | |
| echo "Review skipped: ANTHROPIC_API_KEY not configured. Set the secret to enable automated reviews." > /tmp/review.txt | |
| exit 0 | |
| fi | |
| # Build JSON payload from file to avoid shell escaping issues | |
| jq -n --rawfile diff /tmp/pr-diff.txt '{ | |
| model: "claude-sonnet-4-5-20250929", | |
| max_tokens: 4096, | |
| system: "You are a security-focused code reviewer for the OpenA2A platform (TypeScript monorepo, npm workspaces, Turborepo). Review for: 1) Security vulnerabilities (OWASP Top 10, credential exposure, injection) 2) TypeScript best practices 3) Architecture consistency 4) Test coverage. End with VERDICT: APPROVE or REQUEST_CHANGES.", | |
| messages: [{role: "user", content: ("Review this PR diff:\n\n" + $diff)}] | |
| }' > /tmp/request.json | |
| HTTP_CODE=$(curl -s -o /tmp/response.json -w '%{http_code}' \ | |
| https://api.anthropic.com/v1/messages \ | |
| -H "x-api-key: $ANTHROPIC_API_KEY" \ | |
| -H "anthropic-version: 2023-06-01" \ | |
| -H "content-type: application/json" \ | |
| -d @/tmp/request.json) | |
| if [ "$HTTP_CODE" != "200" ]; then | |
| echo "API returned HTTP $HTTP_CODE" | |
| cat /tmp/response.json | |
| echo "verdict=SKIP" >> "$GITHUB_OUTPUT" | |
| echo "Review could not be completed: API error (HTTP $HTTP_CODE). A manual review is required." > /tmp/review.txt | |
| exit 0 | |
| fi | |
| REVIEW_TEXT=$(jq -r '.content[0].text // "Review failed"' /tmp/response.json) | |
| echo "$REVIEW_TEXT" > /tmp/review.txt | |
| if echo "$REVIEW_TEXT" | grep -q "VERDICT: APPROVE"; then | |
| echo "verdict=APPROVE" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "verdict=REQUEST_CHANGES" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Post review | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| REVIEW_BODY=$(cat /tmp/review.txt) | |
| VERDICT="${{ steps.review.outputs.verdict }}" | |
| if [ "$VERDICT" = "SKIP" ]; then | |
| gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY" | |
| elif [ "$VERDICT" = "APPROVE" ]; then | |
| gh pr review ${{ github.event.pull_request.number }} --approve --body "$REVIEW_BODY" || \ | |
| gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY" | |
| else | |
| gh pr review ${{ github.event.pull_request.number }} --request-changes --body "$REVIEW_BODY" || \ | |
| gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY" | |
| fi |