pulumi-command/.github/workflows/claude.yml at e7e16a98aa75137a9269bc569a2561148f7c34b6 · pulumi/pulumi-command · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: Claude Code

on:
  # Responds to @claude mentions in comments.
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
    if: |
      (github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' &&
        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
      id-token: write
      actions: read
    steps:
      - env:
          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
          ESC_ACTION_OIDC_AUTH: "true"
          ESC_ACTION_OIDC_ORGANIZATION: pulumi
          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
        id: esc-secrets
        name: Fetch secrets from ESC
        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0
      - name: Checkout PR head (if applicable)
        if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
        run: gh pr checkout "$PR_NUMBER"
      - name: Setup mise
        uses: jdx/mise-action@c1a019b8d2586943b4dbebc456323b516910e310
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
          version: 2026.3.7
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Set git identity
        run: |-
          git config --global user.name "claude[bot]"
          git config --global user.email "bot@pulumi.com"
        shell: bash
      - name: Prepare local workspace
        # this runs install_plugins and upstream
        run: make prepare_local_workspace
      - name: Run Claude Code Review
        # Comment must contain '@claude review'
        if: |
          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
        id: claude-review
        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
        with:
          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}

            Review this pull request using the provider-code-review skill for guidelines.
            The PR branch is already checked out in the current working directory.

            Use `gh pr comment` for top-level feedback.
            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
            Only post GitHub comments - don't submit review text as messages.
          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
          claude_args: |
            --allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
      - name: Run Claude Code
        # Comment must contain '@claude', but not '@claude review'
        if: |
          !contains(github.event.comment.body, '@claude review') &&
          !contains(github.event.review.body, '@claude review')
        id: claude-action
        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
        with:
          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
          # This allows claude to read github action logs
          additional_permissions: |
            actions: read
          # Sandbox settings: --allowedTools controls which tools Claude can invoke,
          # but the sandbox also enforces OS-level filesystem restrictions. Edit()
          # rules in permissions.allow control all bash filesystem writes (mkdir,
          # output redirection, etc.), not just the Edit tool. Without these, commands
          # like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
          settings: |
            {
              "permissions": {
                "allow": ["Edit(./**)", "Edit(/tmp/**)"]
              }
            }
          claude_args: |
            --max-turns 50
            --allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go mod tidy *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
        # If the claude action fails you don't get any logs on what claude was doing
        # Uploading the artifact allows you to download the artifact from the UI
      - name: Upload Claude review output on failure
        if: failure() && steps.claude-review.outputs.execution_file
        uses: actions/upload-artifact@v4
        with:
          name: claude-review-execution-log
          path: ${{ steps.claude-review.outputs.execution_file }}
          retention-days: 7
      - name: Upload Claude output on failure
        if: failure() && steps.claude-action.outputs.execution_file
        uses: actions/upload-artifact@v4
        with:
          name: claude-execution-log
          path: ${{ steps.claude-action.outputs.execution_file }}
          retention-days: 7