4613362 to a3b5ced
c801785 to b431ecc
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 1 | ||
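Review bot: `actions/checkout@v6` on the `uses:` line is a mutable tag; for a reusable workflow that every downstream repo will import, pin the action to a full commit SHA (keep the tag in a trailing comment) so that a moved tag cannot change what runs in all callers at once. `fetch-depth: 1` is fine here, since only the checked-out tree is inspected.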
should perform yarn install after checkout (if there is a yarn.lock), to allow analyzing the node_modules folder (as discussed in the PR in agent-hub)
should be removed, now that we install the plugin from agent-hub
Removed and squashed commits.
b53b5f2 to 08e49d9
francoisferrand left a comment
this gets me thinking: could we use the same approach to "factorize" the (generic) code review workflow, instead of duplicating everywhere?
(that one may require some extra prompt to allow injecting additional review instructions from the repo, though)
| - name: Install dependencies | ||
| if: hashFiles('yarn.lock') != '' | ||
| run: yarn install --frozen-lockfile |
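Review bot: the `run: yarn install --frozen-lockfile` line executes the lifecycle scripts (preinstall/postinstall) of every package in the lockfile, including the package this Dependabot PR bumps, on the runner before anyone has reviewed it; since the purpose is only to inspect `node_modules` contents, add `--ignore-scripts` so an untrusted bump cannot run code in the job. Note also that `--frozen-lockfile` is the Yarn classic spelling; Yarn Berry accepts it only as a deprecated alias for `--immutable`, so the `if: hashFiles('yarn.lock') != ''` guard will match Berry repos too and the flag should be chosen accordingly.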
just thinking now this may fail if auth is required to pull modules... should we add an extra GITHUB_TOKEN parameter, possibly set to github_token by default?
not sure how to get around this, and probably OK if we don't for a first version; but maybe we should just have a continue-on-failure here and post a GitHub warning if that happens?
Added continue-on-failure and writing a warning if this step fails.
Yes, why not, it would remove some friction for adoption.
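One concrete shape for the non-fatal install step discussed above, added here as an example and not the PR's own workflow: the GitHub Actions key is `continue-on-error`, and the warning is emitted with a `::warning::` workflow command gated on the step's `outcome` (which still records `failure` even when `continue-on-error` lets the job proceed). The `--ignore-scripts` flag, the `permissions` block and the workflow name are my assumptions for illustration; the page only shows the `hashFiles` guard and the `yarn install --frozen-lockfile` command.

```yaml
# Added example (not the PR's workflow): install step made non-fatal, with a
# warning surfaced in the run when it fails, e.g. a private registry needing auth.
name: Dependency review (example)

on:
  workflow_call:

permissions:
  contents: read        # read the PR tree
  pull-requests: write  # gh pr comment
  id-token: write       # needed by GCP Workload Identity Federation (auth step not shown)

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6   # prefer pinning to a full commit SHA
        with:
          fetch-depth: 1

      - name: Install dependencies
        id: install
        if: hashFiles('yarn.lock') != ''
        # continue-on-error lets the job carry on; steps.install.outcome still
        # records 'failure', so the next step can report it.
        continue-on-error: true
        # --ignore-scripts: do not execute lifecycle scripts of the bumped package
        # (Yarn classic flags; Yarn Berry uses --immutable and --mode=skip-build).
        run: yarn install --frozen-lockfile --ignore-scripts

      - name: Warn when install failed
        if: steps.install.outcome == 'failure'
        run: |
          echo "::warning title=Dependency install failed::yarn install failed (private registry auth?); node_modules will not be analyzed."
```

`steps.<id>.outcome` is the step result before `continue-on-error` is applied, which is why the second step keys on it rather than on `conclusion` (which is `success` once the error is swallowed).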
Adds claude-code-dependency-review.yml, a reusable workflow that runs the /review-dependency-bump skill to evaluate dependabot PRs. The workflow loads the /review-dependency-bump skill from scality/agent-hub instead of requiring it locally in each downstream repo. The workflow also includes a conditional step to run yarn install before dependency review, allowing analysis of node_modules contents.
ec84670 to 1ead741
| plugins: scality-skills@scality-agent-hub | ||
| prompt: "/review-dependency-bump REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }}" | ||
| claude_args: | | ||
| --allowedTools "Read" "Grep" "WebFetch" "Bash(gh repo view *)" "Bash(gh pr view *)" "Bash(gh pr comment *)" "Bash(gh pr review *)" "Bash(gh api *)" |
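Review bot: the `--allowedTools` line grants `Bash(gh api *)`, which is a superset of the other `gh` entries: `gh api` can call any REST endpoint the job token is allowed to write to, including a `POST` to the pull request reviews endpoint that approves the PR, so dropping `Bash(gh pr review *)` alone does not stop the agent from approving a Dependabot bump. Narrow it to a prefix pattern for the read endpoints the skill actually needs, or remove it and rely on `gh pr view`. Separately, the `prompt:` line interpolates `${{ github.repository }}` and `${{ github.event.pull_request.number }}` directly; those two are safe (an owner/name and an integer), but keep attacker-controlled fields such as the PR title or body out of this string, since whatever lands here becomes agent instructions.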
The Bash(gh pr review *) permission allows the Claude agent to approve or request changes on PRs. For dependency bumps from Dependabot, this means Claude could auto-approve PRs without human review. Consider whether this is intentional — if the goal is only to comment with analysis, removing this permission would be safer.
— Claude Code
| GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | ||
| GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }} | ||
| ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }} | ||
| CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }} |
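Review bot: the four `env` lines pass secrets into a reusable workflow, but nothing in the hunk declares how callers supply them (`secrets: inherit` or an explicit list under `workflow_call`) or the job permission Workload Identity Federation needs (`id-token: write`); both should be stated in the workflow and in the docs this PR is missing. Using `GCP_WORKLOAD_IDENTITY_PROVIDER` plus `GCP_SERVICE_ACCOUNT` instead of a service-account key is the right shape, since nothing long-lived is stored; `ANTHROPIC_VERTEX_PROJECT_ID` and `CLOUD_ML_REGION` are identifiers rather than credentials and could be repository variables, though keeping them as secrets is harmless.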
Missing trailing newline at end of file.
— Claude Code
Review summary: (1) gh-pr-review permission allows agent to approve/reject PRs - consider removing if only commenting is intended. (2) No docs added for new workflow - add page in docs/ and update mkdocs.yml. (3) Missing trailing newline in review.yml. -- Review by Claude Code
Add claude-code-dependency-review.yml, a reusable workflow that runs the /review-dependency-bump skill to evaluate dependency bump PRs. See https://github.com/scality/agent-hub/pull/18