Anders/workflow

.github/workflows/_copy-review-code.yml

@@ -0,0 +1,124 @@
+name: Code Review
+
+on:
+  workflow_call:
+    secrets:
+      AZURE_SUBSCRIPTION_ID:
+        required: true
+      AZURE_TENANT_ID:
+        required: true
+      AZURE_CLIENT_ID:
+        required: true
+
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  check-permission:
+    name: Check permission
+    uses: bitwarden/gh-actions/.github/workflows/_check-permission.yml@main
+    with:
+      failure_mode: "skip"
+      require_permission: "write"
+    permissions:
+      contents: read
+
+  validation:
+    name: Validation
+    needs: check-permission
+    if: needs.check-permission.outputs.should_proceed == 'true' || github.actor == 'bw-ghapp[bot]'
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      should_review: ${{ steps.validate.outputs.should_review }}
+
+    steps:
+      - name: Check for review label
+        id: check-label
+        env:
+          LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+        run: |
+          if echo "$LABELS" | grep -q '"ai-review"'; then
+            echo "label_present=true" >> "$GITHUB_OUTPUT"
+            echo "✅ Validation: 'ai-review' label found"
+          else
+            echo "label_present=false" >> "$GITHUB_OUTPUT"
+            echo "⚠️ Validation: 'ai-review' label not found - skipping Claude review"
+          fi
+
+      - name: Set validation result
+        id: validate
+        env:
+          LABEL_PRESENT: ${{ steps.check-label.outputs.label_present }}
+        run: |
+          if [ "$LABEL_PRESENT" == "true" ]; then
+            echo "should_review=true" >> "$GITHUB_OUTPUT"
+            echo "✅ Validation passed - code review will proceed"
+          else
+            echo "should_review=false" >> "$GITHUB_OUTPUT"
+            echo "⚠️ Validation failed - code review will be skipped"
+          fi
+
+  review:
+    name: Review
+    runs-on: ubuntu-24.04
+    needs: [check-permission, validation]
+    if: (needs.check-permission.outputs.should_proceed == 'true' || github.actor == 'bw-ghapp[bot]') && needs.validation.outputs.should_review == 'true'
+    timeout-minutes: 15
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: true
+
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "ANTHROPIC-CODE-REVIEW-API-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Review with Claude Code
+        timeout-minutes: 10
+        uses: anthropics/claude-code-action@0d1933529914177075d5bc3558ae3d047f188146 # v1.0.26
+        env:
+          USE_AGENT_SDK: "true"
+          USE_SIMPLE_PROMPT: "true"
+        with:
+          anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-CODE-REVIEW-API-KEY }}
+          allowed_bots: "bw-ghapp"
+          track_progress: true
+          use_sticky_comment: true
+          plugin_marketplaces: "https://github.com/bitwarden/ai-plugins.git"
+          plugins: "bitwarden-code-review@bitwarden-marketplace"
+          prompt: |
+            Use bitwarden-code-reviewer agent to review the currently checked out pull request changes.
+            The agent handles ALL GitHub interactions including the final summary comment.
+            **DO NOT** call mcp__github_comment__update_claude_comment after the agent completes.
+            After the agent completes, output only: "REVIEW COMPLETE"
+          claude_args: |
+            --verbose
+            --allowedTools "Read,Grep,Glob,Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(gh pr checks:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr review:--comment*),Bash(gh pr comment:*),Bash(gh api graphql*reviewThreads*-f owner=*-f repo=*-F pr=*:*),Bash(./scripts/get-review-threads.sh:*),mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Skill"

.github/workflows/review-code.yml

@@ -10,7 +10,7 @@ permissions: {}
 jobs:
   review:
     name: Review
-    uses: bitwarden/gh-actions/.github/workflows/_review-code.yml@main
+    uses: ./.github/workflows/_copy-review-code.yml
     secrets:
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}