From a0514e7a442be7903af428db46a92db0cb0666c8 Mon Sep 17 00:00:00 2001
From: Prasanna721 <106952318+Prasanna721@users.noreply.github.com>
Date: Tue, 10 Mar 2026 07:20:45 +0000
Subject: [PATCH] add ci, auto-fix, and upgrade code review workflows (#776)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add CI and upgrade Claude workflows No CI existed — type errors and lint issues only caught by Cloudflare builds. Added type check + biome lint CI on PRs, auto-fix workflow when CI fails, and upgraded code review with supermemory MCP + inline comments.
---
 .github/workflows/ci.yml | 28 ++++++
 .github/workflows/claude-auto-fix-ci.yml | 102 ++++++++++++++++++++
 .github/workflows/claude-code-review.yml | 117 +++++++++++++++++++----
 .github/workflows/claude.yml | 26 +++--
 4 files changed, 242 insertions(+), 31 deletions(-)
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/claude-auto-fix-ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..f02264400
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,28 @@
+name: CI - Type Check, Format & Lint
+
+on:
+ pull_request:
+
+jobs:
+ quality-checks:
+ name: Quality Checks
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Setup Bun
+ uses: oven-sh/setup-bun@v2
+ with:
+ bun-version: 1.3.4
+
+ - name: Install dependencies
+ run: bun install --frozen-lockfile
+
+ - name: Run TypeScript type checking
+ run: bunx turbo run check-types --filter='@supermemory/ai-sdk' --filter='@supermemory/memory-graph'
+
+ - name: Run Biome CI (format & lint on changed files)
+ run: bunx biome ci --changed --since=origin/main --no-errors-on-unmatched
diff --git a/.github/workflows/claude-auto-fix-ci.yml b/.github/workflows/claude-auto-fix-ci.yml
new file mode 100644
index 000000000..993545c6a
--- /dev/null
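Review bot: The new `ci.yml` declares no `permissions:` block, so the `quality-checks` job runs with whatever default token scope the repository grants, although none of its steps need more than read access; add `permissions:` / `  contents: read` at the top level of the workflow. Both actions are pinned to floating major tags (`actions/checkout@v4`, `oven-sh/setup-bun@v2`) while `bun-version: 1.3.4` is pinned exactly, so pinning the actions to a full commit SHA with the tag in a trailing comment would make the supply chain reproducible end to end. The two other workflows in this patch use `actions/checkout@v5`, so the checkout version also differs across the set for no visible reason.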
+++ b/.github/workflows/claude-auto-fix-ci.yml 
@@ -0,0 +1,102 @@
+name: Auto Fix CI Failures
+
+on:
+ workflow_run:
+ workflows: ["CI - Type Check, Format & Lint"]
+ types:
+ - completed
+
+permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+ issues: write
+ id-token: write
+
+jobs:
+ auto-fix:
+ if: |
+ github.event.workflow_run.conclusion == 'failure' &&
+ github.event.workflow_run.pull_requests[0]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event.workflow_run.head_branch }}
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup Bun
+ uses: oven-sh/setup-bun@v2
+
+ - name: Install dependencies
+ run: bun install
+
+ - name: Setup git identity
+ run: |
+ git config --global user.email "claude[bot]@users.noreply.github.com"
+ git config --global user.name "claude[bot]"
+
+ - name: Get CI failure details
+ id: failure_details
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const run = await github.rest.actions.getWorkflowRun({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{ github.event.workflow_run.id }}
+ });
+
+ const jobs = await github.rest.actions.listJobsForWorkflowRun({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{ github.event.workflow_run.id }}
+ });
+
+ const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure');
+
+ return {
+ runUrl: run.data.html_url,
+ failedJobs: failedJobs.map(j => ({ name: j.name, id: j.id }))
+ };
+
+ - name: Fix CI failures with Claude
+ uses: anthropics/claude-code-action@v1
+ with:
+ prompt: |
+ Failed CI Run: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
+ Failed Jobs: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs.*.name, ', ') }}
+ PR Number: ${{ github.event.workflow_run.pull_requests[0].number }}
+ Branch: ${{ github.event.workflow_run.head_branch }}
+ Repository: ${{ github.repository }}
+
+ Check supermemory for similar past CI failures and fixes.
+
+ Fix the CI failures. Common fixes:
+ - Biome lint errors: Run `bun run format-lint` or `biome check --fix .`
+ - Type errors: Run `bun run check-types` and fix reported issues
+ - Test failures: Debug and fix the failing tests
+
+ After fixing, commit the changes and push directly to the branch `${{ github.event.workflow_run.head_branch }}`.
+ Do NOT create a new PR — the fixes should be pushed to the existing PR branch.
+
+ Save the fix pattern to supermemory for future reference.
+
+ claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+ claude_args: |
+ --max-turns 20
+ --model claude-opus-4-5-20251101
+ --allowedTools "Read,Write,Edit,Glob,Grep,Bash(*),WebSearch,WebFetch,Task,mcp__supermemory,mcp__github"
+ --mcp-config '{
+ "mcpServers": {
+ "supermemory": {
+ "type": "http",
+ "url": "https://mcp.supermemory.ai/mcp",
+ "headers": {
+ "Authorization": "Bearer ${{ secrets.SUPERMEMORY_API_KEY }}"
+ }
+ }
+ }
+ }'
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index b5e8cfd4d..46cf3d6ba 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
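Review bot: The `auto-fix` job checks out and executes code from the PR head (`ref: ${{ github.event.workflow_run.head_branch }}`, then `bun install` and a Claude session allowed `Bash(*)`) while holding `contents: write`, `pull-requests: write`, `id-token: write` and the `CLAUDE_CODE_OAUTH_TOKEN`/`SUPERMEMORY_API_KEY` secrets, because a `workflow_run` job always runs in the base repository's privileged context no matter where the PR came from. The only guard is `github.event.workflow_run.pull_requests[0]`, which in practice is empty for fork PRs but is not an explicit trust decision; make the boundary visible with `github.event.workflow_run.head_repository.full_name == github.repository &&` added to the `if:`, which also prevents checking out an unrelated same-named branch of `github.repository` when the PR head lives elsewhere. `bun install` here drops the `--frozen-lockfile` that `ci.yml` uses, so the fixer may resolve different dependency versions than the run it is repairing. The push back to the branch is made with `secrets.GITHUB_TOKEN`, and pushes made with that token do not start new workflow runs, so the CI check on the PR will presumably stay red after the fix lands — confirm how a re-run is meant to happen. The `Authorization: Bearer ${{ secrets.SUPERMEMORY_API_KEY }}` value is expanded into a command-line argument inside `--mcp-config` rather than passed through an environment variable; the same pattern appears in the `claude-code-review.yml` and `claude.yml` hunks.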
@@ -3,42 +3,117 @@ name: Claude Code Review on: pull_request: types: [opened, synchronize, ready_for_review, reopened] - # Optional: Only run on specific file changes - # paths: - # - "src/**/*.ts" - # - "src/**/*.tsx" - # - "src/**/*.js" - # - "src/**/*.jsx" jobs: claude-review: - # Optional: Filter by PR author - # if: | - # github.event.pull_request.user.login == 'external-contributor' || - # github.event.pull_request.user.login == 'new-developer' || - # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' + if: github.event.pull_request.draft == false runs-on: ubuntu-latest permissions: - contents: read - pull-requests: read - issues: read + contents: write + pull-requests: write + issues: write + actions: read id-token: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 1 - name: Run Claude Code Review - id: claude-review uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' - plugins: 'code-review@claude-code-plugins' - prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://code.claude.com/docs/en/cli-reference for available options + # Enable progress tracking + track_progress: true + use_sticky_comment: true + include_fix_links: true + bot_name: Supermemory code review + + # Enable inline comments for specific issues + claude_args: | + --model claude-opus-4-5-20251101 + --allowedTools "Read,Write,Edit,Glob,Grep,Bash(*),WebSearch,WebFetch,Task,mcp__supermemory__*,mcp__github__*" + --mcp-config '{ + "mcpServers": { + "supermemory": { + "type": "http", + "url": "https://mcp.supermemory.ai/mcp", + "headers": { + "Authorization": "Bearer ${{ secrets.SUPERMEMORY_API_KEY }}" + } + } + } + }' + + prompt: | + You 
are a senior engineer reviewing a pull request. Your job is to catch real bugs, security issues, and logic errors that a human reviewer might miss. You are NOT a linter — do not comment on style, naming, formatting, or minor nitpicks. + + REPO: ${{ github.repository }} + PR NUMBER: ${{ github.event.pull_request.number }} + PR TITLE: ${{ github.event.pull_request.title }} + + **REVIEW PHILOSOPHY:** + + Think like a Staff Engineer doing a final review before a deploy to production. Ask yourself: + - "Could this cause a production incident?" + - "Is there a subtle bug hiding here that tests won't catch?" + - "Does this introduce a security vulnerability?" + - "Will this break existing functionality or other parts of the system?" + + If the answer to all of these is "no" for a given line, DO NOT comment on it. Silence is a perfectly good review. A PR with 0 inline comments and a clean summary is ideal when the code is solid. + + **WHAT TO COMMENT ON (only these):** + - Bugs: race conditions, off-by-one errors, null/undefined access, logic errors, wrong operator, missing await, incorrect error handling + - Security: SQL injection, XSS, auth bypass, secrets exposure, insecure defaults, CORS misconfiguration + - Data loss: missing transactions, incorrect cascade deletes, silent data corruption + - Breaking changes: API contract changes, removed fields that clients depend on, changed behavior without migration + - Dependency issues: known CVEs, incompatible version combinations, deprecated APIs that will break + + **WHAT TO NEVER COMMENT ON:** + - Code style, formatting, naming conventions (that's what linters are for) + - "Consider using X instead of Y" unless Y is actually broken + - Missing types/docs/tests (unless the missing test hides a specific bug you found) + - Suggestions that are purely preferential + - Praise or affirmation — no "LGTM" or "nice!" comments + + **WORKFLOW:** + + 1. Use `mcp__github__get_pull_request_diff` to get the full diff + 2. 
Read the diff carefully. For each changed file, understand the INTENT of the change, not just the syntax + 3. For non-trivial changes, use Read/Grep to look at surrounding code that ISN'T in the diff — bugs often hide at the boundary between changed and unchanged code + 4. Search Supermemory for any relevant past patterns, known issues, or architectural decisions related to the changed code + 5. Check for existing review comments with `mcp__github__get_pull_request_review_comments` to avoid duplicates + 6. Create a pending review with `mcp__github__create_pending_pull_request_review` (event: "COMMENT") + 7. Add inline comments ONLY for issues that meet the bar above. For each comment: + - Explain the actual bug/risk concisely + - Show what could go wrong (e.g., "If X happens, this will Y") + - Provide a concrete fix using a code suggestion block when possible + 8. Submit the review with `mcp__github__submit_pending_pull_request_review` + + **REVIEW SUMMARY FORMAT:** + + Keep the summary short and direct. Format: + + **Overview:** One sentence on what this PR does. + + **Issues found:** List only real issues, or "None — this looks good to ship." if clean. + + **Score: X/10** + + Scoring guide: + - 10/10: No bugs, no security issues, clean logic. This is the COMMON case for competent engineers — don't be stingy. + - 8-9/10: Minor issues that won't cause incidents but should be addressed + - 6-7/10: Real bugs or security concerns that need fixing before merge + - Below 6: Critical issues, data loss risk, or security vulnerabilities + + Most PRs from experienced engineers should score 8-10. Reserve low scores for genuinely problematic code. + + **CRITICAL RESTRICTIONS:** + - DO NOT use `gh pr comment` or `gh api` CLI commands — use MCP tools only + - DO NOT leave more than 5 inline comments. If you find more than 5 issues, pick the 5 most critical ones. 
+ - DO NOT comment on things that are correct but could be "slightly better" + - If the PR is a simple config change, dependency bump, or typo fix, just submit a clean summary with no inline comments diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index d300267f1..17a26bc7d 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -23,7 +23,7 @@ jobs: pull-requests: read issues: read id-token: write - actions: read # Required for Claude to read CI results on PRs + actions: read steps: - name: Checkout repository uses: actions/checkout@v4 @@ -36,15 +36,21 @@ jobs: with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - # This is an optional setting that allows Claude to read CI results on PRs additional_permissions: | actions: read - # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it. - # prompt: 'Update the pull request description to include a summary of changes.' - - # Optional: Add claude_args to customize behavior and configuration - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://code.claude.com/docs/en/cli-reference for available options - # claude_args: '--allowed-tools Bash(gh pr:*)' - + claude_args: | + --max-turns 15 + --model claude-opus-4-5-20251101 + --allowedTools "Read,Write,Edit,Glob,Grep,Bash(*),WebSearch,WebFetch,Task,mcp__supermemory,mcp__github" + --mcp-config '{ + "mcpServers": { + "supermemory": { + "type": "http", + "url": "https://mcp.supermemory.ai/mcp", + "headers": { + "Authorization": "Bearer ${{ secrets.SUPERMEMORY_API_KEY }}" + } + } + } + }'
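Review bot: The prompt tells the reviewer to use MCP tools only and forbids `gh pr comment`/`gh api`, yet `claude_args` still grants `Bash(*)`, `Write` and `Edit`, and the job's permissions grow from `contents: read` to `contents: write`; a prompt instruction is not an enforcement boundary, and the diff the agent reads is untrusted PR content. Nothing in the visible steps pushes or edits files, so drop `Bash(*)`, `Write` and `Edit` from `--allowedTools` (or scope Bash to the specific commands needed) and keep `contents: read` — `pull-requests: write` is what submitting a review needs, and `issues: write` looks unused by the workflow described. The `mcp__supermemory__*,mcp__github__*` wildcard form here differs from the bare `mcp__supermemory,mcp__github` used in the auto-fix and `claude.yml` hunks; one of the two spellings is presumably not what the action expects, so the allowlist syntax should be reconciled across the three files. Because `pull_request` runs for fork PRs receive no repository secrets, `claude_code_oauth_token` would be empty for external contributors; if those PRs are not meant to be reviewed, gate the job on `github.event.pull_request.head.repo.full_name == github.repository` so the run is skipped rather than failing.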
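Review bot: In `claude.yml`'s second hunk the new `claude_args` replaces the removed, scoped example `--allowed-tools Bash(gh pr:*)` with an unrestricted `Bash(*)` plus `Write` and `Edit`, in a workflow whose trigger and `permissions:` header sit outside this hunk (the first hunk shows `pull-requests: read`, `issues: read`, `id-token: write`, `actions: read`). If the intent is only to let the agent run the project's checks, a scoped pattern in the style the removed line already used, e.g. `Bash(bun run:*)`, keeps the blast radius of an instruction embedded in a comment or PR body small. The `mcp__supermemory,mcp__github` form here also differs from the `mcp__supermemory__*,mcp__github__*` form in `claude-code-review.yml`; confirm which one the action's allowlist actually matches.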