Skip to content

ci: add Claude Code PR review and @claude responder workflows#176

Open
tejasamx-aws wants to merge 1 commit into
mainfrom
add-claude-code-review
Open

ci: add Claude Code PR review and @claude responder workflows#176
tejasamx-aws wants to merge 1 commit into
mainfrom
add-claude-code-review

Conversation

@tejasamx-aws

Copy link
Copy Markdown

What

Adds automated code review by Claude Code to this repository via two GitHub Actions workflows:

Workflow File Trigger
Claude Code Review .github/workflows/claude-code-review.yml Every PR (opened, synchronize) — posts inline + summary review comments
Claude Code (interactive) .github/workflows/claude-code.yml @claude mention in an issue, PR comment, or review

The review prompt is tuned for this repo: alongside general correctness/security/performance, it asks Claude to watch for numerical/accuracy regressions and Neuron/Trainium-specific concerns (tensor/expert parallelism, dtype handling, compilation constraints, sharding).

Authentication

Uses Amazon Bedrock via GitHub OIDC — no long-lived Anthropic API key is stored in the repo. Model, region, and role ARN are configurable through repo secrets/variables with sensible defaults (us.anthropic.claude-sonnet-4-5-20250929-v1:0, us-west-2).

Required admin setup (before it works)

The workflows no-op until a repo admin completes the one-time setup in docs/claude-code-review.md:

  1. GitHub OIDC identity provider in the AWS account.
  2. IAM role trusted for repo:aws-neuron/neuronx-distributed-inference:* with bedrock:InvokeModel permission.
  3. Bedrock model access request in the target region.
  4. Repo secret CLAUDE_CODE_BEDROCK_ROLE_ARN (+ optional CLAUDE_CODE_AWS_REGION / CLAUDE_CODE_BEDROCK_MODEL variables).

Note: until the secret above is configured, the auto-review check on this very PR fails fast at the AWS-credentials step (no Claude/Bedrock call is made). That is expected pre-setup.

Notes / safety

  • Public repo → fork PRs get no credentials, so auto-review is a deliberate no-op for them and runs only for in-repo branches. This avoids exposing credentials to untrusted PR code. Reviewing fork PRs would require a label-gated pull_request_target flow, intentionally left out.
  • Cost control: the interactive workflow only fires on an explicit @claude mention; the review workflow runs once per PR push.
  • Least-privilege permissions on each job; id-token: write only where OIDC is needed.

Follows the existing github-script-based workflow conventions already in .github/workflows/.

Add two GitHub Actions workflows powered by anthropics/claude-code-action:

- claude-code-review.yml: auto-reviews every PR (opened/synchronize),
  posting inline and summary comments with a Neuron/Trainium-aware prompt.
- claude-code.yml: responds to @claude mentions in issues, PR comments,
  and reviews (gated on the mention to control cost).

Both authenticate to Amazon Bedrock via GitHub OIDC (no long-lived API
key). Model, region, and role ARN are configurable via repo
secrets/variables with sensible defaults. Setup for repo admins is
documented in docs/claude-code-review.md.

Fork PRs receive no credentials, so auto-review is a safe no-op for
them and runs for in-repo branches.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant