Gracefully handle ForeignUIDRange on systemd < 259 #10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Integrates Claude Code as an AI assistant for reviewing pull requests. | |
| # Mention @claude in any PR comment to request a review. Claude authenticates | |
| # via AWS Bedrock using OIDC β no long-lived API keys required. | |
| # | |
| # Architecture: The workflow is split into two jobs for least-privilege: | |
| # 1. "review" β runs Claude with read-only permissions, produces structured JSON | |
| # 2. "post" β reads the JSON and posts comments to the PR with write permissions | |
| name: Claude Review | |
| on: | |
| # Strangely enough you have to use issue_comment to react to regular comments on PRs. | |
| # See https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_comment-use-issue_comment. | |
| issue_comment: | |
| types: [created] | |
| pull_request_review_comment: | |
| types: [created] | |
| pull_request_review: | |
| types: [submitted] | |
| concurrency: | |
| group: claude-review-${{ github.event.pull_request.number || github.event.issue.number }} | |
| jobs: | |
| review: | |
| runs-on: ubuntu-latest | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} | |
| if: | | |
| github.repository_owner == 'systemd' && | |
| ((github.event_name == 'issue_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review_comment' && | |
| contains(github.event.comment.body, '@claude') && | |
| contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.comment.author_association)) || | |
| (github.event_name == 'pull_request_review' && | |
| contains(github.event.review.body, '@claude') && | |
| contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.review.author_association))) | |
| permissions: | |
| contents: read | |
| id-token: write # Authenticate with AWS via OIDC | |
| actions: read | |
| outputs: | |
| structured_output: ${{ steps.claude.outputs.structured_output }} | |
| pr_number: ${{ steps.pr.outputs.number }} | |
| head_sha: ${{ steps.pr.outputs.head_sha }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| - name: Resolve PR metadata | |
| id: pr | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT" | |
| gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid' | \ | |
| xargs -I{} echo "head_sha={}" >> "$GITHUB_OUTPUT" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }} | |
| role-session-name: GitHubActions-Claude-${{ github.run_id }} | |
| aws-region: us-east-1 | |
| - name: Run Claude Code | |
| id: claude | |
| uses: anthropics/claude-code-action@26ec041249acb0a944c0a47b6c0c13f05dbc5b44 | |
| env: | |
| REVIEW_SCHEMA: >- | |
| { | |
| "type": "object", | |
| "required": ["comments", "summary"], | |
| "properties": { | |
| "summary": { | |
| "type": "string", | |
| "description": "A markdown summary of the review to post as a top-level tracking comment" | |
| }, | |
| "comments": { | |
| "type": "array", | |
| "items": { | |
| "type": "object", | |
| "required": ["file", "line", "severity", "body"], | |
| "properties": { | |
| "file": { | |
| "type": "string", | |
| "description": "Path to the file relative to the repo root" | |
| }, | |
| "line": { | |
| "type": "integer", | |
| "description": "Line number in the diff (new file side) to attach the comment to" | |
| }, | |
| "severity": { | |
| "type": "string", | |
| "enum": ["must-fix", "suggestion", "nit"] | |
| }, | |
| "body": { | |
| "type": "string", | |
| "description": "The review comment body in markdown" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| with: | |
| use_bedrock: "true" | |
| # We still have to pass GITHUB_TOKEN here because claude-code-action | |
| # requires it, but we restrict Claude's tools to read-only operations | |
| # so it cannot post comments or modify the PR. | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| track_progress: false | |
| additional_permissions: | | |
| actions: read | |
| claude_args: | | |
| --model us.anthropic.claude-opus-4-6-v1 | |
| --max-turns 100 | |
| --allowedTools " | |
| Read,LS,Grep,Glob,Task, | |
| Bash(cat:*),Bash(test:*),Bash(printf:*),Bash(jq:*),Bash(head:*),Bash(tail:*), | |
| Bash(git:*),Bash(grep:*),Bash(find:*),Bash(ls:*),Bash(wc:*), | |
| Bash(diff:*),Bash(sed:*),Bash(awk:*),Bash(sort:*),Bash(uniq:*), | |
| mcp__github__get_pull_request, | |
| mcp__github__get_pull_request_diff, | |
| mcp__github__get_pull_request_files, | |
| mcp__github__get_pull_request_reviews, | |
| mcp__github__get_pull_request_comments, | |
| mcp__github__get_pull_request_status, | |
| mcp__github__get_issue_comments, | |
| mcp__github_ci__get_ci_status, | |
| mcp__github_ci__get_workflow_run_details, | |
| mcp__github_ci__download_job_log, | |
| " | |
| --json-schema '${{ env.REVIEW_SCHEMA }}' | |
| prompt: | | |
| REPO: ${{ github.repository }} | |
| PR NUMBER: ${{ steps.pr.outputs.number }} | |
| HEAD SHA: ${{ steps.pr.outputs.head_sha }} | |
| You are a code reviewer for the ${{ github.repository }} project. Review this pull request and | |
| produce a structured JSON result containing your review comments. Do NOT attempt | |
| to post comments yourself β just return the JSON. You are in the upstream repo | |
| without the patch applied. Do not apply it. | |
| ## Phase 1: Gather context | |
| Use the GitHub MCP server tools to fetch PR data. For all tools, pass | |
| owner `${{ github.repository_owner }}`, repo `${{ github.event.repository.name }}`, | |
| and pullNumber/issue_number ${{ steps.pr.outputs.number }}: | |
| - `mcp__github__get_pull_request_diff` to get the PR diff | |
| - `mcp__github__get_pull_request` to get the PR title, body, and metadata | |
| - `mcp__github__get_pull_request_comments` to get top-level PR comments | |
| - `mcp__github__get_pull_request_reviews` to get PR reviews | |
| Also fetch issue comments using `mcp__github__get_issue_comments` with | |
| issue_number ${{ steps.pr.outputs.number }}. | |
| Look for an existing tracking comment (containing `<!-- claude-pr-review -->`) | |
| in the issue comments. If one exists, you will use it as the basis for | |
| your `summary` in Phase 3. | |
| Check CI status for the PR head commit using `mcp__github_ci__get_ci_status`. | |
| If any workflow runs have failed, use `mcp__github_ci__get_workflow_run_details` | |
| and `mcp__github_ci__download_job_log` to fetch the failure logs. Pass these | |
| logs to the review subagents in Phase 2 so they can identify whether the PR | |
| changes caused the failures. | |
| ## Phase 2: Parallel review subagents | |
| Review: | |
| - Code quality, style, and best practices | |
| - Potential bugs, issues, incorrect logic | |
| - Security implications | |
| - CLAUDE.md compliance | |
| - CI failures (if any logs were fetched in Phase 1) | |
| For every category, launch subagents to review them in parallel. Group related sections | |
| as needed β use 2-4 subagents based on PR size and scope. | |
| Give each subagent the PR title, description, full patch, and the list of changed files. | |
| Each subagent must return a JSON array of issues: | |
| `[{"file": "path", "line": <number>, "severity": "must-fix|suggestion|nit", "body": "..."}]` | |
| `line` must be a line number from the NEW side of the diff (i.e. where the comment | |
| should appear in the changed file after the patch is applied). | |
| Each subagent MUST verify its findings before returning them: | |
| - For style/convention claims, check at least 3 existing examples in the codebase to confirm | |
| the pattern actually exists before flagging a violation. | |
| - For "use X instead of Y" suggestions, confirm X actually exists and works for this case. | |
| - If unsure, don't include the issue. | |
| ## Phase 3: Collect, deduplicate, and summarize | |
| After ALL subagents complete: | |
| 1. Collect all issues. Merge duplicates (same file, lines within 3 of each other, same problem). | |
| 2. Drop low-confidence findings. | |
| 3. Check the existing inline review comments fetched in Phase 1. Do NOT include a | |
| comment if one already exists on the same file and line about the same problem. | |
| Also check for author replies that dismiss or reject a previous comment β do NOT | |
| re-raise an issue the PR author has already responded to disagreeing with. | |
| 4. Prefix ALL comment bodies with a severity tag: `**must-fix**: `, `**suggestion**: `, | |
| or `**nit**: `. | |
| 5. Write a `summary` field in markdown for a top-level tracking comment. | |
| **If no existing tracking comment was found (first run):** | |
| Use this format: | |
| ``` | |
| ## Claude review of PR #<number> (<HEAD SHA>) | |
| <!-- claude-pr-review --> | |
| ### Must fix | |
| - [ ] **short title** β `file:line` β brief explanation | |
| ### Suggestions | |
| - [ ] **short title** β `file:line` β brief explanation | |
| ### Nits | |
| - [ ] **short title** β `file:line` β brief explanation | |
| ``` | |
| Omit empty sections. Each checkbox item must correspond to an entry in `comments`. | |
| If there are no issues at all, write a short message saying the PR looks good. | |
| **If an existing tracking comment was found (subsequent run):** | |
| Use the existing comment as the starting point. Preserve the order and wording | |
| of all existing items. Then apply these updates: | |
| - Update the HEAD SHA in the header line. | |
| - For each existing item, re-check whether the issue is still present in the | |
| current diff. If it has been fixed, mark it checked: `- [x]`. | |
| - If the PR author replied dismissing an item, mark it: | |
| `- [x] ~~short title~~ (dismissed)`. | |
| - Preserve checkbox state that was already set by previous runs or by hand. | |
| - Append any NEW issues found in this run that aren't already listed, | |
| in the appropriate severity section, after the existing items. | |
| - Do NOT reorder, reword, or remove existing items. | |
| Return the final JSON object with your `comments` array and `summary` string. | |
| Do NOT attempt to post comments or use any MCP tools to modify the PR. | |
| post: | |
| runs-on: ubuntu-latest | |
| needs: review | |
| if: always() && needs.review.result == 'success' | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: Post review comments | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | |
| env: | |
| STRUCTURED_OUTPUT: ${{ needs.review.outputs.structured_output }} | |
| PR_NUMBER: ${{ needs.review.outputs.pr_number }} | |
| HEAD_SHA: ${{ needs.review.outputs.head_sha }} | |
| with: | |
| script: | | |
| const owner = context.repo.owner; | |
| const repo = context.repo.repo; | |
| const prNumber = parseInt(process.env.PR_NUMBER, 10); | |
| const headSha = process.env.HEAD_SHA; | |
| /* Parse Claude's structured output. */ | |
| const raw = process.env.STRUCTURED_OUTPUT; | |
| console.log("Structured output from Claude:"); | |
| console.log(raw || "(empty)"); | |
| let comments = []; | |
| let summary = ""; | |
| if (raw) { | |
| try { | |
| const review = JSON.parse(raw); | |
| if (Array.isArray(review.comments)) | |
| comments = review.comments; | |
| if (typeof review.summary === "string") | |
| summary = review.summary; | |
| } catch (e) { | |
| console.log(`Failed to parse structured output: ${e.message}`); | |
| } | |
| } | |
| console.log(`Claude produced ${comments.length} review comment(s).`); | |
| /* Post each inline comment individually. Deduplication against existing | |
| * comments is handled by Claude in the prompt, so we just post whatever | |
| * it returns. Using individual comments (rather than a review) means | |
| * re-runs only add new comments instead of creating a whole new review. */ | |
| for (const c of comments) { | |
| console.log(` Posting comment on ${c.file}:${c.line}`); | |
| await github.rest.pulls.createReviewComment({ | |
| owner, | |
| repo, | |
| pull_number: prNumber, | |
| commit_id: headSha, | |
| path: c.file, | |
| line: c.line, | |
| body: `Claude: ${c.body}`, | |
| }); | |
| } | |
| if (comments.length > 0) | |
| console.log(`Posted ${comments.length} inline comment(s).`); | |
| else | |
| console.log("No inline comments to post."); | |
| /* Create or update the tracking comment. */ | |
| const MARKER = "<!-- claude-pr-review -->"; | |
| if (!summary) | |
| summary = "Claude review: no issues found :tada:\n\n" + MARKER; | |
| else if (!summary.includes(MARKER)) | |
| summary = summary.replace(/\n/, `\n${MARKER}\n`); | |
| /* Find an existing tracking comment. */ | |
| const {data: issueComments} = await github.rest.issues.listComments({ | |
| owner, | |
| repo, | |
| issue_number: prNumber, | |
| per_page: 100, | |
| }); | |
| const existing = issueComments.find((c) => c.body && c.body.includes(MARKER)); | |
| if (existing) { | |
| const commentUrl = existing.html_url; | |
| if (existing.body === summary) { | |
| console.log(`Tracking comment ${existing.id} is unchanged.`); | |
| await github.rest.issues.createComment({ | |
| owner, | |
| repo, | |
| issue_number: prNumber, | |
| body: `Claude re-reviewed this PR β no changes to the [tracking comment](${commentUrl}).`, | |
| }); | |
| } else { | |
| console.log(`Updating existing tracking comment ${existing.id}.`); | |
| await github.rest.issues.updateComment({ | |
| owner, | |
| repo, | |
| comment_id: existing.id, | |
| body: summary, | |
| }); | |
| } | |
| } else { | |
| console.log("Creating new tracking comment."); | |
| await github.rest.issues.createComment({ | |
| owner, | |
| repo, | |
| issue_number: prNumber, | |
| body: summary, | |
| }); | |
| } | |
| console.log("Tracking comment posted successfully."); |