claude.yml
277 lines (236 loc) · 13.5 KB

name: Claude Code

on:
  workflow_dispatch:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  # Automatic PR review (can fix linting issues and push)
  # Blocked for fork PRs to prevent malicious code execution.
  # The trigger is pull_request, not pull_request_target, so a fork PR would
  # already get a read-only GITHUB_TOKEN and no secrets; the same-repo check in
  # the condition below skips the job entirely so fork code is never checked
  # out with contents: write or the assumed AWS role.
  pr-review:
    concurrency:
      group: pr-review-${{ github.head_ref || github.run_id }}
      cancel-in-progress: true
    if: |
      (
        github.event_name == 'pull_request' &&
        github.actor != 'claude[bot]' &&
        github.event.pull_request.head.repo.full_name == github.repository
      ) ||
      github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: read
      id-token: write
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.ref || github.ref }}

      - name: Install uv
        uses: astral-sh/setup-uv@v6

      - name: Install dependencies
        run: |
          uv venv --seed
          uv sync

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          use_bedrock: "true"
          use_sticky_comment: true
          track_progress: true
          allowed_bots: "claude[bot],codeflash-ai[bot]"
          exclude_comments_by_actor: "*[bot]"
          prompt: |
            <context>
            repo: ${{ github.repository }}
            pr_number: ${{ github.event.pull_request.number }}
            event: ${{ github.event.action }}
            is_re_review: ${{ github.event.action == 'synchronize' }}
            </context>

            <commitment>
            Execute these steps in order. If a step has no work, state that and continue to the next step.
            Post all review findings in a single summary comment only — never as inline PR review comments.
            </commitment>

            <step name="lint_and_typecheck">
            Run checks on files changed in this PR and auto-fix what you can.
            1. Run `uv run prek run --from-ref origin/main` to check linting/formatting.
               If there are auto-fixable issues, run it again to fix them.
               Report any issues prek cannot auto-fix in your summary.
            2. Run `uv run mypy <changed_files>` to check types.
               Fix type annotation issues (missing return types, Optional unions, import errors).
               Always fix the root cause instead of adding `type: ignore` comments.
               Leave alone: type errors requiring logic changes, complex generics, anything changing runtime behavior.
            3. After fixes: stage with `git add`, commit ("style: auto-fix linting issues" or "fix: resolve mypy type errors"), push.
            4. Verify by running `uv run prek run --from-ref origin/main` one more time. Report honestly if issues remain.
            </step>

            <step name="resolve_stale_threads">
            Before reviewing, resolve any stale review threads from previous runs.
            1. Fetch unresolved threads you created:
               `gh api graphql -f query='{ repository(owner: "${{ github.repository_owner }}", name: "${{ github.event.repository.name }}") { pullRequest(number: ${{ github.event.pull_request.number }}) { reviewThreads(first: 100) { nodes { id isResolved path comments(first: 1) { nodes { body author { login } } } } } } } }' --jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false) | select(.comments.nodes[0].author.login == "claude") | {id: .id, path: .path, body: .comments.nodes[0].body}'`
            2. For each unresolved thread:
               a. Read the file at that path to check if the issue still exists
               b. If fixed → resolve it: `gh api graphql -f query='mutation { resolveReviewThread(input: {threadId: "<THREAD_ID>"}) { thread { isResolved } } }'`
               c. If still present → leave it
            Read the actual code before deciding. If there are no unresolved threads, skip to the next step.
            </step>

            <step name="review">
            Review the diff (`gh pr diff ${{ github.event.pull_request.number }}`) for:
            1. Bugs that will crash at runtime
            2. Security vulnerabilities
            3. Breaking API changes
            Ignore style issues, type hints, and log message wording.
            Record findings for the summary comment. Refer to CLAUDE.md for project conventions.
            </step>

            <step name="duplicate_detection">
            Check whether this PR introduces code that duplicates logic already present elsewhere in the repository — including across languages. Focus on finding true duplicates, not just similar-looking code.
            1. Get changed source files (excluding tests and config):
               `git diff --name-only origin/main...HEAD -- '*.py' '*.js' '*.ts' '*.java' | grep -v -E '(test_|_test\.(py|js|ts)|\.test\.(js|ts)|\.spec\.(js|ts)|conftest\.py|/tests/|/test/|/__tests__/)' | grep -v -E '^(\.github/|code_to_optimize/|\.tessl/|node_modules/)'`
            2. For each changed file, read it and identify functions/methods added or substantially modified (longer than 5 lines).
            3. Search for duplicates using Grep:
               - Same function name defined elsewhere
               - 2-3 distinctive operations from the body (specific API calls, algorithm patterns, string literals)
            4. Cross-module check: this codebase has parallel modules under `languages/python/`, `languages/javascript/`, and `languages/java/` plus runtimes under `packages/codeflash/runtime/` and `codeflash-java-runtime/`. When a changed file is under one of these areas, search the others for equivalent logic. Only flag cases where the logic is genuinely shared or one module could import from the other.
            5. When a Grep hit looks promising, read the full function and compare semantics. Flag only:
               - Same function with same/very similar body in another module
               - Same helper logic repeated in sibling files
               - Same logic implemented inline across multiple classes
               - Same algorithm reimplemented across language modules (Python code, not target-language differences)
            Report at most 5 findings with confidence (HIGH/MEDIUM), locations, what's duplicated, and suggestion.
            DO NOT report: boilerplate, functions under 5 lines, config/setup, intentional polymorphism, test files, imports, code that must differ due to target-language semantics.
            If no duplicates found, include "No duplicates detected" in the summary.
            </step>

            <step name="coverage">
            Analyze test coverage for changed files:
            1. Get changed Python files (excluding tests): `git diff --name-only origin/main...HEAD -- '*.py' | grep -v test`
            2. Run coverage on PR branch: `uv run coverage run -m pytest tests/ -q --tb=no` then `uv run coverage json -o coverage-pr.json`
            3. Get per-file coverage: `uv run coverage report --include="<changed_files>"`
            4. Compare with main: checkout main, run coverage, checkout back
            5. Flag: new files below 75%, decreased coverage, untested changed lines
            </step>

            <step name="summary_comment">
            Post exactly one summary comment containing all results from previous steps using this format:

            ## PR Review Summary

            ### Prek Checks
            ### Code Review
            ### Duplicate Detection
            ### Test Coverage

            ---
            *Last updated: <timestamp>*
            </step>

            <step name="simplify">
            Run /simplify to review recently changed code for reuse, quality, and efficiency opportunities.
            If improvements are found, commit with "refactor: simplify <description>" and push.
            Only make behavior-preserving changes.
            </step>

            <step name="merge_optimization_prs">
            Check for open PRs from codeflash-ai[bot]:
            `gh pr list --author "codeflash-ai[bot]" --state open --json number,title,headRefName,createdAt,mergeable`
            For each PR:
            - If CI passes and the PR is mergeable → merge with `--squash --delete-branch`
            - Close the PR as stale if ANY of these apply:
              - Older than 7 days
              - Has merge conflicts (mergeable state is "CONFLICTING")
              - CI is failing
              - The optimized function no longer exists in the target file (check the diff)
            Close with: `gh pr close <number> --comment "Closing stale optimization PR." --delete-branch`
            </step>

            <verification>
            Before finishing, confirm:
            - All steps were attempted (even if some had no work)
            - Stale review threads were checked and resolved where appropriate
            - All findings are in a single summary comment (no inline review comments were created)
            - If fixes were made, they were verified with prek
            </verification>
          claude_args: '--model us.anthropic.claude-sonnet-4-6 --max-turns 25 --allowedTools "Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*),Bash(gh pr checks:*),Bash(gh pr merge:*),Bash(gh issue view:*),Bash(gh issue list:*),Bash(gh api:*),Bash(uv run prek *),Bash(uv run mypy *),Bash(uv run coverage *),Bash(uv run pytest *),Bash(git status*),Bash(git add *),Bash(git commit *),Bash(git push*),Bash(git diff *),Bash(git checkout *),Read,Glob,Grep,Edit,Skill"'
          additional_permissions: |
            actions: read

  # @claude mentions (can edit and push) - restricted to maintainers only.
  # author_association is taken from the event payload, so the gate is on the
  # person who wrote the comment, review or issue. The review events also require
  # a same-repo head because the job checks out head.ref and pushes to it.
  claude-mention:
    concurrency:
      group: claude-mention-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
      cancel-in-progress: false
    if: |
      (
        github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR')
      ) ||
      (
        github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'COLLABORATOR') &&
        github.event.pull_request.head.repo.full_name == github.repository
      ) ||
      (
        github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR') &&
        github.event.pull_request.head.repo.full_name == github.repository
      ) ||
      (
        github.event_name == 'issues' &&
        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR')
      )
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: read
      id-token: write
      actions: read
    steps:
      - name: Get PR head ref
        id: pr-ref
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through env rather than interpolated into the script, so a
          # branch name reaches the shell as data, never as script text.
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          HEAD_REF: ${{ github.event.pull_request.head.ref || github.head_ref }}
        run: |
          # For issue_comment events the payload carries no PR head, so fetch it.
          # Unlike the review events, issue_comment is not gated on
          # head.repo.full_name == github.repository above: on a fork PR this
          # yields the fork's branch name, which actions/checkout below can only
          # resolve against this repository.
          if [ "$EVENT_NAME" = "issue_comment" ]; then
            PR_REF=$(gh api "repos/$REPO/pulls/$ISSUE_NUMBER" --jq '.head.ref')
          else
            PR_REF="$HEAD_REF"
          fi
          echo "ref=$PR_REF" >> "$GITHUB_OUTPUT"
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ steps.pr-ref.outputs.ref }}

      - name: Install uv
        uses: astral-sh/setup-uv@v6

      - name: Install dependencies
        run: |
          uv venv --seed
          uv sync

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@v1
        with:
          use_bedrock: "true"
          claude_args: '--model us.anthropic.claude-sonnet-4-6 --allowedTools "Read,Edit,Write,Glob,Grep,Bash(git status*),Bash(git diff*),Bash(git add *),Bash(git commit *),Bash(git push*),Bash(git log*),Bash(git merge*),Bash(git fetch*),Bash(git checkout*),Bash(git branch*),Bash(uv run prek *),Bash(prek *),Bash(uv run ruff *),Bash(uv run pytest *),Bash(uv run mypy *),Bash(uv run coverage *),Bash(gh pr comment*),Bash(gh pr view*),Bash(gh pr diff*),Bash(gh pr merge*),Bash(gh pr close*)"'
          additional_permissions: |
            actions: read
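
The two `if:` expressions are the entire access-control layer of this workflow: everything after them runs with contents: write, pull-requests: write and an assumed AWS role. The Python below is an added example, not part of the workflow or of claude-code-action. It re-implements both conditions so they can be exercised offline against constructed webhook payloads, including the cases a reviewer wants to see rejected (a fork PR, a drive-by CONTRIBUTOR comment, the bot's own push) and the corner cases of GitHub's expression semantics (contains() is case-insensitive and a null review body never matches). REPO, FORK, the usernames and every payload are made up; only the fields the workflow actually reads are modelled.

```python
"""Offline model of the job gating in claude.yml.

Added example, not part of the workflow or of claude-code-action. It mirrors
the two `if:` expressions so they can be run against constructed webhook
payloads; only the fields the workflow reads are modelled.
"""

REPO = "example-org/example-repo"   # stands in for github.repository (assumed value)
FORK = "outsider/example-repo"      # constructed fork name
MAINTAINERS = {"OWNER", "MEMBER", "COLLABORATOR"}


def contains(haystack, needle):
    """GitHub's contains() is case-insensitive and a null haystack never matches."""
    return needle.lower() in (haystack or "").lower()


def head_repo(event):
    """github.event.pull_request.head.repo.full_name, or None when the payload has no PR head."""
    return event.get("pull_request", {}).get("head", {}).get("repo", {}).get("full_name")


def pr_review_allowed(event_name, actor, event):
    """Mirror of the pr-review job's `if:`."""
    if event_name == "workflow_dispatch":
        return True
    return (event_name == "pull_request"
            and actor != "claude[bot]"          # loop guard: the bot's own pushes do not re-trigger
            and head_repo(event) == REPO)       # fork PRs are skipped entirely


def claude_mention_allowed(event_name, event):
    """Mirror of the claude-mention job's `if:`."""
    if event_name == "issue_comment":
        c = event["comment"]
        # No head.repo check here: the issue_comment payload carries no PR head.
        return contains(c["body"], "@claude") and c["author_association"] in MAINTAINERS
    if event_name == "pull_request_review_comment":
        c = event["comment"]
        return (contains(c["body"], "@claude") and c["author_association"] in MAINTAINERS
                and head_repo(event) == REPO)
    if event_name == "pull_request_review":
        r = event["review"]
        return (contains(r.get("body"), "@claude") and r["author_association"] in MAINTAINERS
                and head_repo(event) == REPO)
    if event_name == "issues":
        i = event["issue"]
        return ((contains(i.get("body"), "@claude") or contains(i["title"], "@claude"))
                and i["author_association"] in MAINTAINERS)
    return False


def pr_event(head_repo_name, **extra):
    """Constructed pull_request payload fragment (number, head.ref and head.repo only)."""
    ev = {"pull_request": {"number": 42,
                           "head": {"ref": "feature/x", "repo": {"full_name": head_repo_name}}}}
    ev.update(extra)
    return ev


def run_cases():
    """Evaluate both gates over constructed events; returns {case: decision}."""
    owner = {"body": "@claude please fix", "author_association": "OWNER"}
    drive_by = {"body": "@claude please fix", "author_association": "CONTRIBUTOR"}
    return {
        "pr_same_repo": pr_review_allowed("pull_request", "alice", pr_event(REPO)),
        "pr_from_fork": pr_review_allowed("pull_request", "mallory", pr_event(FORK)),
        "pr_bot_push": pr_review_allowed("pull_request", "claude[bot]", pr_event(REPO)),
        "dispatch": pr_review_allowed("workflow_dispatch", "alice", {}),
        "comment_contributor": claude_mention_allowed("issue_comment", {"comment": drive_by}),
        "comment_owner": claude_mention_allowed("issue_comment", {"comment": owner}),
        "comment_mixed_case": claude_mention_allowed(
            "issue_comment", {"comment": {"body": "@Claude look", "author_association": "MEMBER"}}),
        "review_comment_owner_fork_pr": claude_mention_allowed(
            "pull_request_review_comment", pr_event(FORK, comment=owner)),
        "review_null_body": claude_mention_allowed(
            "pull_request_review", pr_event(REPO, review={"body": None, "author_association": "OWNER"})),
        "issue_title_mention": claude_mention_allowed(
            "issues", {"issue": {"title": "@claude: flaky test", "body": "", "author_association": "OWNER"}}),
    }


if __name__ == "__main__":
    for case, decision in run_cases().items():
        print(f"{case:32} {'RUN' if decision else 'skip'}")
```

Running the module prints one line per case. The pair comment_owner / review_comment_owner_fork_pr makes the asymmetry between the two event families visible: a maintainer's review comment on a fork PR is skipped, while the same maintainer's issue comment on that PR is not, because the issue_comment condition has no head.repo.full_name clause to evaluate.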