Skip to content

Wire Shield modules to CLI with signing, LLM, and session support #22

Wire Shield modules to CLI with signing, LLM, and session support

Wire Shield modules to CLI with signing, LLM, and session support #22

Workflow file for this run

name: Claude PR Review
on:
pull_request:
types: [opened, synchronize]
branches: [main]
concurrency:
group: pr-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions:
pull-requests: write
contents: read
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get PR diff
id: diff
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
DIFF=$(gh pr diff ${{ github.event.pull_request.number }} | head -c 122880)
echo "$DIFF" > /tmp/pr-diff.txt
- name: Claude review
id: review
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
if [ -z "$ANTHROPIC_API_KEY" ]; then
echo "ANTHROPIC_API_KEY not set"
echo "verdict=SKIP" >> "$GITHUB_OUTPUT"
echo "Review skipped: ANTHROPIC_API_KEY not configured. Set the secret to enable automated reviews." > /tmp/review.txt
exit 0
fi
# Build JSON payload from file to avoid shell escaping issues
jq -n --rawfile diff /tmp/pr-diff.txt '{
model: "claude-sonnet-4-5-20250929",
max_tokens: 4096,
system: "You are a security-focused code reviewer for the OpenA2A platform (TypeScript monorepo, npm workspaces, Turborepo). Review for: 1) Security vulnerabilities (OWASP Top 10, credential exposure, injection) 2) TypeScript best practices 3) Architecture consistency 4) Test coverage. End with VERDICT: APPROVE or REQUEST_CHANGES.",
messages: [{role: "user", content: ("Review this PR diff:\n\n" + $diff)}]
}' > /tmp/request.json
HTTP_CODE=$(curl -s -o /tmp/response.json -w '%{http_code}' \
https://api.anthropic.com/v1/messages \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-H "content-type: application/json" \
-d @/tmp/request.json)
if [ "$HTTP_CODE" != "200" ]; then
echo "API returned HTTP $HTTP_CODE"
cat /tmp/response.json
echo "verdict=SKIP" >> "$GITHUB_OUTPUT"
echo "Review could not be completed: API error (HTTP $HTTP_CODE). A manual review is required." > /tmp/review.txt
exit 0
fi
REVIEW_TEXT=$(jq -r '.content[0].text // "Review failed"' /tmp/response.json)
echo "$REVIEW_TEXT" > /tmp/review.txt
if echo "$REVIEW_TEXT" | grep -q "VERDICT: APPROVE"; then
echo "verdict=APPROVE" >> "$GITHUB_OUTPUT"
else
echo "verdict=REQUEST_CHANGES" >> "$GITHUB_OUTPUT"
fi
- name: Post review
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
REVIEW_BODY=$(cat /tmp/review.txt)
VERDICT="${{ steps.review.outputs.verdict }}"
if [ "$VERDICT" = "SKIP" ]; then
gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY"
elif [ "$VERDICT" = "APPROVE" ]; then
gh pr review ${{ github.event.pull_request.number }} --approve --body "$REVIEW_BODY" || \
gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY"
else
gh pr review ${{ github.event.pull_request.number }} --request-changes --body "$REVIEW_BODY" || \
gh pr comment ${{ github.event.pull_request.number }} --body "$REVIEW_BODY"
fi