From 29562cd35e8b6a896caefb73e232d21bfb84e6a4 Mon Sep 17 00:00:00 2001
From: Daniel Noland
Date: Mon, 13 Oct 2025 21:40:55 +0000
Subject: [PATCH 1/7] ci: add Claude PR Assistant workflow
Machine generated commit to add claude pr assistant to the ci workflow. This will require some adjustment but is hopefully helpful for our review process.
Signed-off-by: Daniel Noland
---
 .github/workflows/claude.yml | 50 ++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/claude.yml
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 000000000..2b6c87da4
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,50 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          # claude_args: '--allowed-tools Bash(gh pr:*)'
+
From e37e8f89f61a1e2746171f8f681c3c4812ba24b2 Mon Sep 17 00:00:00 2001
From: Daniel Noland
Date: Mon, 13 Oct 2025 21:40:56 +0000
Subject: [PATCH 2/7] ci: Claude Code Review workflow
Another machine generated commit to add claude support to the workflow.
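Review bot: Both third-party actions are pinned to mutable tags (`uses: actions/checkout@v4`, `uses: anthropics/claude-code-action@v1`) in a job that holds `secrets.ANTHROPIC_API_KEY` and `id-token: write`, so a retagged upstream release would run with those credentials; pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: anthropics/claude-code-action@<full-sha> # v1`, and let Dependabot track the comment. The job-level `actions: read` and the `additional_permissions: actions: read` input look like the same grant expressed twice; if the action only needs one of them, drop the other so the minimum permission set stays obvious. Whether `id-token: write` is still needed when an API key is passed explicitly is not visible from this file — worth confirming against the action's docs and removing if it is only used for the OIDC token exchange.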
Signed-off-by: Daniel Noland
---
 .github/workflows/claude-code-review.yml | 57 ++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 .github/workflows/claude-code-review.yml
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
new file mode 100644
index 000000000..ab07e492a
--- /dev/null
+++ b/.github/workflows/claude-code-review.yml
@@ -0,0 +1,57 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number }}
+
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+
+            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
+
+            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
+
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
+          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+
From 37acfc26cfb26c2604c0b5ea3dfee2de53cd4c9f Mon Sep 17 00:00:00 2001
From: Daniel Noland
Date: Tue, 14 Oct 2025 04:06:40 +0000
Subject: [PATCH 3/7] ci(claude): add sub agents
Configure claude to use specific agents for more focused reviews.
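Review bot: The review job has no `concurrency` group, so every `synchronize` push starts another run that posts another `gh pr comment`; overlapping runs on one PR burn API budget and leave duplicate reviews. Add `concurrency: { group: claude-review-${{ github.event.pull_request.number }}, cancel-in-progress: true }` at the job level. The agent's input is untrusted PR content (the diff it reads through `gh pr diff`) and it holds a posting tool (`Bash(gh pr comment:*)`), so instructions embedded in a PR can steer what it posts; a line in the prompt telling it to treat PR text, commit messages and comments as data rather than instructions is cheap, and the job's `contents: read` bound should be kept as is. I can't tell from the workflow alone whether the allow-list's prefix match also blocks shell expansions inside an allowed `gh` command, so confirm that the API key is not reachable from the Bash tool's environment. As in the companion workflow, both `uses:` lines are tag-pinned; a full commit SHA is the safer choice for a job holding `secrets.ANTHROPIC_API_KEY`.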
Signed-off-by: Daniel Noland
---
 .claude/agents/review-design.md | 24 +++++++++++++++++++
 .claude/agents/review-docs.md | 38 +++++++++++++++++++++++++++
 .claude/agents/review-logic.md | 24 +++++++++++++++++++
 .claude/agents/review-nits.md | 34 +++++++++++++++++++++++++++
 .claude/agents/review-pr.md | 25 ++++++++++++++++++++
 .claude/agents/review-security.md | 29 +++++++++++++++++++++++
 .claude/agents/review-style.md | 33 +++++++++++++++++++++++++++
 .claude/agents/review-tests.md | 27 ++++++++++++++++++++++
 8 files changed, 234 insertions(+)
 create mode 100644 .claude/agents/review-design.md
 create mode 100644 .claude/agents/review-docs.md
 create mode 100644 .claude/agents/review-logic.md
 create mode 100644 .claude/agents/review-nits.md
 create mode 100644 .claude/agents/review-pr.md
 create mode 100644 .claude/agents/review-security.md
 create mode 100644 .claude/agents/review-style.md
 create mode 100644 .claude/agents/review-tests.md
diff --git a/.claude/agents/review-design.md b/.claude/agents/review-design.md
new file mode 100644
index 000000000..c0e835e95
--- /dev/null
+++ b/.claude/agents/review-design.md
@@ -0,0 +1,24 @@
+---
+name: review-design
+description: When I ask for a design review or have questions about design decisions
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: blue
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+When asked to review pull requests, focus on finding design issues.
+
+- If the code is overly complex or difficult to understand, suggest simplifications or improvements if you are confident in them.
+- If you think the code is confusing or poorly designed, and do not have a fix you are confident in, explain what you find confusing and/or request clarification.
+
+Be concise.
+Reserve praise or complements for exceptional work.
+
+In all cases, begin review comments with
+**review step:** design
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10 reflecting how confident you are in your analysis.
diff --git a/.claude/agents/review-docs.md b/.claude/agents/review-docs.md
new file mode 100644
index 000000000..88edebcd4
--- /dev/null
+++ b/.claude/agents/review-docs.md
@@ -0,0 +1,38 @@
+---
+name: review-docs
+description: When I have questions about documentation or want help writing documentation.
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: purple
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+We want your help reviewing and maintaining documentation.
+
+When asked to review pull requests start by focusing on any documentation added, removed, or changed in the PR.
+
+Look for cases where the docs
+
+- do not reflect the implementation,
+- are missing and the subject matter is complex enough to justify documentation
+- drifted out of sync with the implementation, and where that drift has been introduced by code you are reviewing.
+
+Remember that code changes may invalidate previously good documentation.
+
+Also, look for cases where the docs are incorrect, confusing, or misleading.
+
+- Suggest fixes if you are confident in those fixes.
+- Ask for clarification if you do not understand the docs.
+
+Try to limit your focus to places where the problems you find are introduced by the PR you are reviewing.
+
+Be concise.
+Reserve praise or complements for exceptional work.
+
+Begin each review comment with
+**review step:** docs
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10 reflecting how confident you are in your analysis.
diff --git a/.claude/agents/review-logic.md b/.claude/agents/review-logic.md
new file mode 100644
index 000000000..40aff4758
--- /dev/null
+++ b/.claude/agents/review-logic.md
@@ -0,0 +1,24 @@
+---
+name: review-logic
+description: When I ask for help with programming logic or request a logic review on a pull request.
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: green
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+When asked to review pull requests focus on finding issues in programming logic.
+
+- If you are confident the code is incorrect, suggest a fix only if you are confident in that fix.
+- If you are unsure that the code is correct, or don't understand, ask for clarification.
+
+Be concise.
+Reserve praise or complements for exceptional work.
+
+In all cases, begin review comments with
+**review step:** logic
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10 reflecting how confident you are in your analysis.
diff --git a/.claude/agents/review-nits.md b/.claude/agents/review-nits.md
new file mode 100644
index 000000000..de334a6ac
--- /dev/null
+++ b/.claude/agents/review-nits.md
@@ -0,0 +1,34 @@
+---
+name: review-nits
+description: When major issues with the current task have been resolved and we are looking to fine tune, nit pick, or refine the solution.
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: cyan
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+I want to refine the task I'm working on before I ask for final review and approval.
+
+Look for
+
+- spelling and grammar mistakes,
+- minor phrasing or style problems,
+- unclear commit messages,
+- variables, data structures, or functions which have poor or confusing names,
+- minor changes which could simplify code, even if superficial
+
+Avoid repeating issues which have already been discussed.
+Clarify that the issue you have found is minor.
+
+Do not comment on anything you consider major or blocking (that is reserved for other review steps).
+
+Be concise.
+Reserve praise or complements for exceptional work.
+
+In all cases, begin review comments with
+**review step:** nits
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10 reflecting how confident you are in your analysis.
diff --git a/.claude/agents/review-pr.md b/.claude/agents/review-pr.md
new file mode 100644
index 000000000..13b60c72f
--- /dev/null
+++ b/.claude/agents/review-pr.md
@@ -0,0 +1,25 @@
+---
+name: review-pr
+description: When I ask for a code or PR review and do not mention a more specific agent.
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: pink
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+You are tasked with delegating reviews and quality assurance tasks to the other code review agents.
+
+Make sure to invoke any specific code review agents requested in your prompt.
+
+If no specific agent is requested, start by delegating to the `review-security`, `review-design`, `review-logic`, and
+`review-style` agents.
+
+After those complete, if serious issues are found, stop and report.
+
+If the previous agents approve of the pull request or only request minor changes, ask the `review-tests` and
+`review-docs` agents to review.
+
+If all other agents approve of the pull request or only request minor changes, delegate the final review step to the
+`review-nits` agent.
diff --git a/.claude/agents/review-security.md b/.claude/agents/review-security.md
new file mode 100644
index 000000000..f7156f85e
--- /dev/null
+++ b/.claude/agents/review-security.md
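Review bot: This agent exists to delegate to the other review agents, but as far as I know Claude Code sub-agents have not been able to spawn further sub-agents; if that still holds, the orchestration written here will not run when `review-pr` is itself invoked as a sub-agent and should live in a top-level prompt or slash command that the workflow calls instead — worth checking before relying on it. For an orchestrator that only reads and dispatches, `Bash`, `KillShell`, `WebFetch` and `WebSearch` on the `tools:` line look unnecessary; trimming it to `tools: Glob, Grep, Read, TodoWrite` is the least-privilege shape for an agent that is fed untrusted PR text. This is also the only agent without the `**review step:**` header convention, which is presumably intentional for a dispatcher but deserves a one-line comment saying so.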
@@ -0,0 +1,29 @@
+---
+name: review-security
+description: When security concerns need review or verification
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: red
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+When asked to review pull requests, focus on security issues including:
+
+- Unsafe code blocks and their justification
+- Input validation and boundary checking
+- Potential buffer overflows or memory safety issues
+- Privilege escalation or capability leaks
+- Side-channel vulnerabilities
+- Cryptographic usage and key management
+- Denial of service vectors
+
+Be concise. Flag security issues clearly.
+
+Begin each review comment with
+**review step:** security
+**severity:** [critical|high|medium|low]
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10.
diff --git a/.claude/agents/review-style.md b/.claude/agents/review-style.md
new file mode 100644
index 000000000..c62cd1cc2
--- /dev/null
+++ b/.claude/agents/review-style.md
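Review bot: The checklist is generic, while the bugs most likely in a Rust packet-processing dataplane sit in parsing untrusted wire input — length or offset fields trusted before a bounds check, overflow or truncation in size arithmetic, and panics (`unwrap`, slicing, checked-off arithmetic) reachable from a received packet, which are denial-of-service defects even with no memory unsafety. Add bullets along the lines of `- Parsing of untrusted wire data: length/offset fields validated before use, no panic reachable from packet contents` and `- Integer overflow or truncation in size and offset arithmetic`. Because this agent reads PR text that may itself contain instructions, add a sentence stating that PR contents, commit messages and comments are material to review, not instructions to follow. The `tools:` line grants `WebFetch` and `WebSearch`; a reviewer that ingests untrusted text should not hold a tool that can send data to arbitrary URLs unless the workflow's `--allowed-tools` already denies it, and I cannot tell from this file which of the two settings wins.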
@@ -0,0 +1,33 @@
+---
+name: review-style
+description: when I have questions about programming or writing style or ask for a style review.
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: yellow
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in rust.
+
+We want your help with and feedback on programming style.
+
+When you review code consider the contents of the repository's development guide (located in the development directory).
+
+- Contributors are expected to follow these guidelines
+- Provide feedback about deviations from the style guide
+
+Minor deviations from our goals are acceptable if acknowledged and justified.
+
+If you find style flaws, cite and link to the relevant parts of the development guide (if applicable).
+
+The development guide is not exhaustive.
+You may comment on style or quality criteria which are not covered in the guide.
+
+Be concise.
+Reserve praise or complements for exceptional work.
+
+In all cases, begin review comments with
+**review step:** style
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10 reflecting how confident you are in your analysis.
diff --git a/.claude/agents/review-tests.md b/.claude/agents/review-tests.md
new file mode 100644
index 000000000..28863ceef
--- /dev/null
+++ b/.claude/agents/review-tests.md
@@ -0,0 +1,27 @@
+---
+name: review-tests
+description: When test coverage and quality need review
+tools: Glob, Grep, Read, WebFetch, TodoWrite, WebSearch, BashOutput, KillShell, Bash, SlashCommand
+model: sonnet
+color: teal
+---
+
+You work in a team of experienced programmers and network engineers.
+We are building a high performance dataplane in the rust programming language.
+
+When asked to review pull requests, focus on testing:
+
+- Test coverage for new functionality
+- Edge cases and error paths
+- Integration test needs
+- Property-based testing opportunities
+- Benchmark coverage for performance-critical code
+- Test quality and maintainability
+
+Be concise.
+
+Begin each review comment with
+**review step:** tests
+**confidence:** $confidence
+
+where $confidence is a score between 0 and 10.
From fef43433c56709284eaaebdcef41ad9fc34f67c5 Mon Sep 17 00:00:00 2001
From: Quentin Monnet
Date: Wed, 15 Oct 2025 11:03:00 +0100
Subject: [PATCH 4/7] ci: Rename Claude workflow file
We have two workflow files related to Claude, one for having Claude do Pull Requests reviews and the other for generic interaction. The latter is simply named "claude.yml", which may lead to confusion; instead, rename it as "claude-convsersations.yml".
Signed-off-by: Quentin Monnet
---
 .github/workflows/{claude.yml => claude-conversations.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{claude.yml => claude-conversations.yml} (100%)
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude-conversations.yml
similarity index 100%
rename from .github/workflows/claude.yml
rename to .github/workflows/claude-conversations.yml
From 73c5a3be109ca67b0cc4d70a30aa0b23360e1994 Mon Sep 17 00:00:00 2001
From: Quentin Monnet
Date: Wed, 15 Oct 2025 11:05:02 +0100
Subject: [PATCH 5/7] bump: Update actions/checkout to v5 in new Claude workflows
Let's beat Dependabot to it.
Signed-off-by: Quentin Monnet
---
 .github/workflows/claude-code-review.yml | 2 +-
 .github/workflows/claude-conversations.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index ab07e492a..117c74e74 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
diff --git a/.github/workflows/claude-conversations.yml b/.github/workflows/claude-conversations.yml
index 2b6c87da4..a5b7fcf32 100644
--- a/.github/workflows/claude-conversations.yml
+++ b/.github/workflows/claude-conversations.yml
@@ -26,7 +26,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
From c33d8ab07f4cdedd48f3f7b24c017a9f533b909d Mon Sep 17 00:00:00 2001
From: Quentin Monnet
Date: Wed, 15 Oct 2025 12:07:54 +0100
Subject: [PATCH 6/7] ci: Remove Claude workflow execution on Issues assignment
It's not really clear why Claude should run on assignments in addition to comments and Issue creation. And then, whose permissions should we check when assigning? The Issue author? In that case it means we've already run the workflow at issue creation if it was possible. The assignee? The assigner? We can't check their "author_association" from the API, so that would make things tricky. I also fear this may create too much noise if we create the issue with a mention in the description, then assign the issue. We'll have two interventions from Claude in that case. Let's remove execution from assignments. If it is desirable to get Claude's perspective after assigning, it remains possible to mention the agent directly in a comment.
Signed-off-by: Quentin Monnet
---
 .github/workflows/claude-conversations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/claude-conversations.yml b/.github/workflows/claude-conversations.yml
index a5b7fcf32..170505d31 100644
--- a/.github/workflows/claude-conversations.yml
+++ b/.github/workflows/claude-conversations.yml
@@ -6,7 +6,7 @@ on:
   pull_request_review_comment:
     types: [created]
   issues:
-    types: [opened, assigned]
+    types: [opened]
   pull_request_review:
     types: [submitted]
 
From e1e7f0169878fb57fbe58faa5f87f9e34b6559c8 Mon Sep 17 00:00:00 2001
From: Quentin Monnet
Date: Wed, 15 Oct 2025 12:03:02 +0100
Subject: [PATCH 7/7] ci: Restrict who can run Claude workflows
Use guardrails to restrict who can run Claude-related workflows.
- For code reviews, only run the workflow if the author of the Pull Request is from the owning organisation, or the owner, or a GitHub collaborator for the repository.
- For @claude comments in Issue comments and descriptions or Pull Request review comments, restrict the workflow to commenters with the same association (member, owner, or collaborator).
Link: https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
Link: https://docs.github.com/en/webhooks/webhook-events-and-payloads
Signed-off-by: Quentin Monnet
---
 .github/workflows/claude-code-review.yml | 13 +++++----
 .github/workflows/claude-conversations.yml | 32 +++++++++++++++++++---
 2 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index 117c74e74..2099765e7 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -12,11 +12,14 @@ on:
 
 jobs:
   claude-review:
-    # Optional: Filter by PR author
-    # if: |
-    #   github.event.pull_request.user.login == 'external-contributor' ||
-    #   github.event.pull_request.user.login == 'new-developer' ||
-    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+    # Filter by Pull Request author:
+    # - MEMBER: Author is a member of the organization that owns the repository.
+    # - OWNER: Author is the owner of the repository.
+    # - COLLABORATOR: Author has been invited to collaborate on the repository.
+    if: |
+      github.event.pull_request.author_association == 'MEMBER' ||
+      github.event.pull_request.author_association == 'OWNER' ||
+      github.event.pull_request.author_association == 'COLLABORATOR'
 
     runs-on: ubuntu-latest
     permissions:
diff --git a/.github/workflows/claude-conversations.yml b/.github/workflows/claude-conversations.yml
index 170505d31..5b74eefa9 100644
--- a/.github/workflows/claude-conversations.yml
+++ b/.github/workflows/claude-conversations.yml
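Review bot: The new gate accepts `COLLABORATOR`, which GitHub reports for any invited collaborator regardless of permission level, so a read-only outside collaborator can open a PR that spends the API key; if that is broader than intended, narrow the condition to `MEMBER`/`OWNER` or check write access in a first step instead. On `synchronize` the expression re-evaluates the PR author's association, not that of whoever pushed the latest commit, which is the right choice for a trusted-author gate but means a maintainer pushing to an outside contributor's branch still gets no review. The comment block documents the three accepted values well; a fourth line such as `# Everything else (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, NONE, bot accounts) is skipped on purpose` would record the consequence, assuming excluding bot-authored PRs is intended. The job still has no `concurrency` group, so rapid pushes from a trusted author queue several overlapping reviews; the rest of the job's `permissions:` block lies outside this hunk.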
@@ -12,11 +12,35 @@ on:
 
 jobs:
   claude:
+    # Filter by comment/review/issue author:
+    # - MEMBER: Author is a member of the organization that owns the repository.
+    # - OWNER: Author is the owner of the repository.
+    # - COLLABORATOR: Author has been invited to collaborate on the repository.
     if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+      (github.event_name == 'issue_comment' &&
+       (github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'OWNER' ||
+        github.event.comment.author_association == 'COLLABORATOR') &&
+       contains(github.event.comment.body, '@claude')) ||
+
+      (github.event_name == 'pull_request_review_comment' &&
+       (github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'OWNER' ||
+        github.event.comment.author_association == 'COLLABORATOR') &&
+       contains(github.event.comment.body, '@claude')) ||
+
+      (github.event_name == 'pull_request_review' &&
+       (github.event.review.author_association == 'MEMBER' ||
+        github.event.review.author_association == 'OWNER' ||
+        github.event.review.author_association == 'COLLABORATOR') &&
+       contains(github.event.review.body, '@claude')) ||
+
+      (github.event_name == 'issues' &&
+       (github.event.issue.author_association == 'MEMBER' ||
+        github.event.issue.author_association == 'OWNER' ||
+        github.event.issue.author_association == 'COLLABORATOR') &&
+       (contains(github.event.issue.body, '@claude') ||
+        contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
       contents: read
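Review bot: The same three-way `author_association` comparison is written out four times, which is easy to edit inconsistently; one membership test per event, e.g. `contains(fromJSON('["MEMBER","OWNER","COLLABORATOR"]'), github.event.comment.author_association)`, keeps the allowed set in a single place and is simpler to audit. The gate authenticates who wrote the `@claude` trigger, but the text the agent then acts on still includes the rest of the thread and, for `issue_comment` on a PR, the PR branch itself, which may come from a fork; a trusted member quoting an untrusted comment that contains `@claude …` effectively launders that instruction, so the header comment should say "trusted trigger author, untrusted context" rather than imply the run is fully trusted. `COLLABORATOR` covers any invited collaborator regardless of permission level; if read-only collaborators should not be able to spend the API key, drop it or gate on write permission instead. The job token stays at `contents: read`, which bounds what a misled run can do — keep it that way; the remainder of the `permissions:` block lies outside this hunk.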