Conversation
* chore: add comprehensive contributing guide
* Update CONTRIBUTING.md
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
* Update CONTRIBUTING.md
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
- Restore backend and frontend PR checks
- Enable Python syntax check and import test for backend
- Enable pnpm build check for frontend
- Fix 'Expected — Waiting for status to be reported' issue
- Upgrade codex-pr-review.md to 6-perspective review with confidence scoring
- Rewrite claude-pr-review.yml with Codex-first fallback pattern
- Add claude-ci-autofix.yml for auto-fixing CI failures + dev sync
- Add claude-review-responder.yml for auto-responding to PR reviews
- Update CI_CD_SETUP.md with new workflow documentation
Review Summary by Qodo
Enhance CI/CD with advanced PR review, auto-fix, and contributing guide
Walkthroughs
Description
• Upgrade PR review system with Codex-first fallback pattern
• Add comprehensive 6-perspective code review framework with confidence scoring
• Implement CI auto-fix workflow for safe mechanical error fixes
• Add PR review responder for automated feedback implementation
• Create detailed bilingual contributing guide (Chinese + English)
Diagram
flowchart LR
PR["Pull Request"] -->|opened/sync| CheckCodex["Check Codex Status"]
CheckCodex -->|success| Skip["Skip Claude"]
CheckCodex -->|fail/timeout| Claude["Claude PR Review<br/>6-perspective analysis"]
Claude -->|findings| InlineComments["Post Inline Comments"]
InlineComments -->|summary| PRReview["PR Review Summary"]
CIFail["CI Failure"] -->|triggered| AutoFix["Claude CI Auto-Fix"]
AutoFix -->|safe fixes| Commit["Create Fix Commit"]
Commit -->|PR| FixPR["Auto-fix PR"]
ReviewSubmit["Review Submitted"] -->|changes_requested| Responder["Claude Review Responder"]
Responder -->|implement| Changes["Apply Safe Changes"]
Changes -->|commit| Response["Post Structured Response"]
Docs["Documentation"] -->|bilingual| CONTRIBUTING["CONTRIBUTING.md"]
File Changes
1. .github/CI_CD_SETUP.md
Greptile Overview
Greptile Summary
This PR significantly upgrades the CI/CD automation infrastructure by introducing three new Claude-powered workflows and comprehensive documentation. The changes establish a sophisticated review and auto-fix system with Codex as primary reviewer and Claude as fallback, automatic CI failure remediation, and intelligent review response automation.
Key Changes
Issues Identified
Logic Issues (3):
Workflow Interaction Flow
The PR establishes a multi-layered automation system:
Security Posture
The workflows implement multiple security layers:
Confidence Score: 4/5
| Filename | Overview |
|---|---|
| .github/workflows/claude-ci-autofix.yml | New workflow for auto-fixing CI failures and syncing branches. Includes branch validation and safe-fix categorization logic. |
| .github/workflows/claude-review-responder.yml | New workflow that auto-responds to PR reviews. Triggers on review submission with proper bot filtering. |
| .github/workflows/claude-pr-review.yml | Enhanced PR review workflow with Codex fallback logic. Added wait mechanism to avoid duplicate reviews. |
| .github/prompts/codex-pr-review.md | Comprehensive rewrite of PR review prompt with 6 specialized review perspectives and strict confidence scoring system. |
| CONTRIBUTING.md | New comprehensive bilingual contributing guide covering workflow, branch naming, commit format, code style, and testing requirements. |
Sequence Diagram
sequenceDiagram
participant Dev as Developer
participant PR as Pull Request
participant Codex as Codex PR Review
participant Claude as Claude PR Review
participant Checks as PR Checks
participant AutoFix as CI Auto-Fix
participant Responder as Review Responder
Dev->>PR: Open/Update PR
rect rgb(220, 240, 255)
Note over PR,Claude: PR Review Phase
PR->>Codex: Trigger review (pull_request_target)
PR->>Claude: Trigger review (pull_request_target)
Claude->>Claude: Check if bot or draft
alt External User
Claude->>Claude: Skip Codex check, run immediately
else Internal User
Claude->>Claude: Wait for Codex (max 10 min)
Codex-->>Claude: Status update
alt Codex succeeds
Claude->>Claude: Skip (Codex handled it)
else Codex fails/timeout
Claude->>Claude: Run as fallback
end
end
Claude->>PR: Post review comments
end
rect rgb(255, 240, 220)
Note over Checks,AutoFix: CI & Auto-Fix Phase
PR->>Checks: Run backend/frontend checks
alt Checks fail
Checks->>AutoFix: Trigger workflow_run
AutoFix->>AutoFix: Analyze CI logs
AutoFix->>AutoFix: Categorize errors
AutoFix->>AutoFix: Apply safe fixes
alt Has PR
AutoFix->>PR: Create fix PR
else No PR
AutoFix->>PR: Push fixes directly
end
end
end
rect rgb(240, 255, 240)
Note over Dev,Responder: Review Response Phase
Dev->>PR: Submit review feedback
alt Review requires changes OR mentions @claude
PR->>Responder: Trigger review response
Responder->>Responder: Analyze feedback
Responder->>Responder: Classify (Must/Should/Consider/Question)
Responder->>Responder: Implement safe changes
Responder->>PR: Push fixes & post response
end
end
rect rgb(255, 245, 220)
Note over Dev,AutoFix: Manual Sync (Release)
Dev->>AutoFix: Manual trigger (sync-dev)
AutoFix->>AutoFix: Validate branches (only main→dev)
AutoFix->>AutoFix: Rebase dev onto main
AutoFix->>AutoFix: Resolve conflicts
AutoFix->>AutoFix: Verify build
AutoFix->>PR: Push with --force-with-lease
end
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.event.workflow_run.head_branch }} |
Missing ref when workflow_dispatch is used. When manually triggered, github.event.workflow_run.head_branch is undefined.
| ref: ${{ github.event.workflow_run.head_branch }} | |
| ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || github.event.workflow_run.head_branch }} |
| const run = await github.rest.actions.getWorkflowRun({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| run_id: ${{ github.event.workflow_run.id }} |
Missing null check. github.event.workflow_run.id is undefined when workflow_dispatch is triggered.
| run_id: ${{ github.event.workflow_run.id }} | |
| run_id: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.id || 0 }} |
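Review bot: substituting `0` on the workflow_dispatch path (`run_id: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.id || 0 }}`) still issues the `getWorkflowRun` call, which fails for a run id that does not exist; gate the step itself with `if: github.event_name == 'workflow_run'` so the dispatch path skips the lookup instead of calling the API with a placeholder id.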
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.event.inputs.target_branch }} |
Branch validation occurs after checkout, meaning the workflow checks out potentially arbitrary branches first. Move validation before checkout.
| ref: ${{ github.event.inputs.target_branch }} | |
| - name: Validate branch parameters | |
| run: | | |
| TARGET="${{ github.event.inputs.target_branch }}" | |
| SOURCE="${{ github.event.inputs.source_branch }}" | |
| if [[ "$TARGET" != "dev" ]]; then | |
| echo "::error::Security: Only 'dev' branch is allowed as target. Got: $TARGET" | |
| exit 1 | |
| fi | |
| if [[ "$SOURCE" != "main" ]]; then | |
| echo "::error::Security: Only 'main' branch is allowed as source. Got: $SOURCE" | |
| exit 1 | |
| fi | |
| echo "Branch validation passed: syncing $SOURCE -> $TARGET" | |
| - name: Checkout code | |
| uses: actions/checkout@v5 |
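Review bot: the validation step reads the inputs by expression interpolation (`TARGET="${{ github.event.inputs.target_branch }}"`), so the raw input is spliced into the shell script before the whitelist comparison runs; pass both inputs through `env:` (for example `TARGET_INPUT: ${{ github.event.inputs.target_branch }}`) and compare `"$TARGET_INPUT"` in the script, so the check operates on a shell variable rather than on text embedded in the command. Moving validation ahead of checkout, as proposed, is the right order.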
Code Review by Qodo
1. CI logs sent to Claude
| const jobs = await github.rest.actions.listJobsForWorkflowRun({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| run_id: ${{ github.event.workflow_run.id }} | ||
| }); | ||
|
|
||
| const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure'); | ||
|
|
||
| let errorLogs = []; | ||
| for (const job of failedJobs) { | ||
| try { | ||
| const logs = await github.rest.actions.downloadJobLogsForWorkflowRun({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| job_id: job.id | ||
| }); | ||
| const logLines = logs.data.split('\n'); | ||
| const relevantLogs = logLines.slice(-3000).join('\n'); | ||
| errorLogs.push({ | ||
| jobName: job.name, | ||
| logs: relevantLogs | ||
| }); | ||
| } catch (error) { | ||
| console.log(`Failed to get logs for job ${job.name}: ${error.message}`); | ||
| } | ||
| } | ||
|
|
||
| const pullRequests = ${{ toJSON(github.event.workflow_run.pull_requests) }}; | ||
| const hasPR = pullRequests && pullRequests.length > 0; | ||
|
|
||
| return { | ||
| runUrl: run.data.html_url, | ||
| workflowName: run.data.name, | ||
| failedJobs: failedJobs.map(j => j.name), | ||
| errorLogs: errorLogs, | ||
| hasPR: hasPR, | ||
| prNumber: hasPR ? pullRequests[0].number : null, | ||
| headBranch: '${{ github.event.workflow_run.head_branch }}' | ||
| }; | ||
|
|
||
| - name: Run Claude Code for Auto-Fix | ||
| uses: anthropics/claude-code-action@v1 | ||
| env: | ||
| ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }} | ||
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }} | ||
|
|
||
| prompt: | | ||
| # Role: CI Failure Auto-Fix Assistant | ||
|
|
||
| You are a CI failure auto-fixer for repository ${{ github.repository }}. Your task is to analyze CI failures and apply safe, minimal fixes. | ||
|
|
||
| --- | ||
|
|
||
| ## Context | ||
|
|
||
| - **Workflow**: ${{ fromJSON(steps.failure_details.outputs.result).workflowName }} | ||
| - **Failed Run**: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }} | ||
| - **Branch**: ${{ fromJSON(steps.failure_details.outputs.result).headBranch }} | ||
| - **Has PR**: ${{ fromJSON(steps.failure_details.outputs.result).hasPR }} | ||
| - **PR Number**: ${{ fromJSON(steps.failure_details.outputs.result).prNumber }} | ||
| - **Failed Jobs**: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs, ', ') }} | ||
|
|
||
| --- | ||
|
|
||
| ## Error Logs | ||
|
|
||
| ``` | ||
| ${{ toJSON(fromJSON(steps.failure_details.outputs.result).errorLogs) }} | ||
| ``` |
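Review bot: `headBranch: '${{ github.event.workflow_run.head_branch }}'` and `run_id: ${{ github.event.workflow_run.id }}` splice event values into the JavaScript body of the github-script step, and `'` is a valid character in a Git ref name, so a crafted branch name can break or alter the script; the step already holds the event payload, so read `context.payload.workflow_run.head_branch`, `context.payload.workflow_run.id` and `context.payload.workflow_run.pull_requests` instead of the `${{ }}` and `toJSON()` interpolations. The 3000-line tail of every failed job also reaches the prompt verbatim via `errorLogs`; it should be filtered before use.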
1. CI logs sent to Claude 📘 Rule violation ⛨ Security
• The workflow collects raw CI job logs and injects them into an external LLM prompt, which can unintentionally include sensitive values (tokens, secrets, PII) that appear in CI output.
• This violates secure logging/data-handling expectations because sensitive information must not be emitted or shared via logs, and external inputs must be handled in a way that prevents unintended disclosure.
• Impact: potential secret/PII exposure to a third-party service, plus increased blast radius if masking fails or sensitive values are not covered by GitHub’s masking.
Agent Prompt
## Issue description
The workflow downloads raw CI job logs and includes them in the Claude prompt. CI logs can contain secrets/PII or other sensitive data, which must not be exposed or shared externally.
## Issue Context
GitHub secret masking is not a complete guarantee (e.g., non-registered secrets, partial tokens, user-provided credentials, or PII). Passing logs verbatim to an external provider increases disclosure risk.
## Fix Focus Areas
- .github/workflows/claude-ci-autofix.yml[219-289]
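As an added example (not code from the PR, Qodo or Greptile), a github-script-style filter that could replace the workflow's `logLines.slice(-3000)` step: it strips ANSI codes, redacts credential-looking tokens and keeps only lines near an error marker before the logs reach the prompt. The secret patterns, error markers, size budget and the sample log are assumptions constructed for illustration.

```javascript
// Added example, not part of the PR: sanitize CI job logs before they are
// embedded in an LLM prompt. Assumes the { jobName, logs } shape the workflow
// builds; the secret patterns, error markers and size budget are assumptions.
const ANSI_RE = /\x1b\[[0-9;]*m/g;
const SECRET_PATTERNS = [
  /ghp_[A-Za-z0-9]{20,}/g,                                     // GitHub classic PAT
  /sk-[A-Za-z0-9_-]{20,}/g,                                    // sk-prefixed API keys
  /(?<=(?:token|password|secret|api[_-]?key)\s*[:=]\s*)\S+/gi, // key=value style
];
const ERROR_MARKER = /\b(error|failed|traceback|exception)\b|exit code [1-9]/i;

// Strip colour codes and replace anything that looks like a credential.
function sanitizeLogLine(line) {
  let out = line.replace(ANSI_RE, '');
  for (const re of SECRET_PATTERNS) out = out.replace(re, '[REDACTED]');
  return out;
}

// Keep only lines within `context` lines of an error marker: less text, less exposure.
function focusOnErrors(lines, context) {
  const keep = new Set();
  lines.forEach((line, i) => {
    if (!ERROR_MARKER.test(line)) return;
    for (let j = Math.max(0, i - context); j <= Math.min(lines.length - 1, i + context); j++) keep.add(j);
  });
  return lines.filter((_, i) => keep.has(i));
}

// Drop-in replacement for the workflow's `logLines.slice(-3000)` step.
function prepareLogsForPrompt(errorLogs, { context = 3, maxChars = 20000 } = {}) {
  return errorLogs.map(({ jobName, logs }) => {
    const lines = focusOnErrors(logs.split('\n').map(sanitizeLogLine), context);
    let text = lines.join('\n');
    if (text.length > maxChars) text = text.slice(-maxChars); // failures sit at the tail
    return { jobName, logs: text };
  });
}
// Constructed sample log with placeholder credentials (not real values).
const SAMPLE_LOGS = [{
  jobName: 'backend',
  logs: [
    'Run uv sync',
    'export ANTHROPIC_API_KEY=sk-constructed0000000000000000',
    '\x1b[31mERROR\x1b[0m: ModuleNotFoundError: No module named app.routes',
    'Authorization: token ghp_constructedPlaceholder0000000000',
    'Process completed with exit code 1.',
    'Cleaning up orphan processes',
  ].join('\n'),
}];
console.log(JSON.stringify(prepareLogsForPrompt(SAMPLE_LOGS, { context: 1 }), null, 2));
```

Pattern lists like this are a floor, not a guarantee; the size cut and the error-window are what keep unknown secret formats out of the prompt.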
| auto-fix: | ||
| if: | | ||
| (github.event_name == 'workflow_run' && | ||
| github.event.workflow_run.conclusion == 'failure' && | ||
| !startsWith(github.event.workflow_run.head_branch, 'claude-fix-')) || | ||
| (github.event_name == 'workflow_dispatch' && github.event.inputs.task_type == 'ci-fix') | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| actions: read | ||
| issues: write | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.event.workflow_run.head_branch }} | ||
| fetch-depth: 0 | ||
|
|
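Review bot: the `if:` block admits any failed `workflow_run`, and `!startsWith(github.event.workflow_run.head_branch, 'claude-fix-')` only breaks the retrigger loop for the PR path, where the fix lands on a new branch; on the non-PR path the prompt pushes to the same `head_branch`, whose next failure fires this job again. Add `github.event.workflow_run.head_repository.full_name == github.repository` so fork branches are never checked out under `contents: write`, and either require a non-empty `pull_requests` list or have the non-PR path open a PR instead of pushing.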
2. Unvalidated head_branch checkout 📘 Rule violation ⛨ Security
• The auto-fix job checks out ${{ github.event.workflow_run.head_branch }} with write permissions, but does not validate that the branch originates from the same repository (non-fork) or otherwise trusted context.
• This violates security-first input validation/authorization expectations: the branch name is external event data and should be treated as untrusted, especially when secrets and write tokens are available.
• Impact: a malicious or untrusted source branch could cause the workflow to operate on attacker-controlled code with elevated permissions, increasing risk of secret exfiltration or unwanted writes.
Agent Prompt
## Issue description
The workflow uses `github.event.workflow_run.head_branch` to checkout code under write permissions without validating repository origin/trust. This can enable unsafe operations on untrusted code.
## Issue Context
`workflow_run` executes in the base repository context and may have access to secrets/permissions. Event payload values (like branch names and PR metadata) must be treated as untrusted unless validated.
## Fix Focus Areas
- .github/workflows/claude-ci-autofix.yml[188-207]
| **For non-PR branch (hasPR = false):** | ||
| ```bash | ||
| git add . | ||
| git commit -m "fix: auto-fix CI failures | ||
|
|
||
| Fixed: | ||
| - [List each fix] | ||
|
|
||
| CI Run: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}" | ||
|
|
||
| git push origin ${{ fromJSON(steps.failure_details.outputs.result).headBranch }} | ||
| ``` |
3. Auto-fix pushes to branch 🐞 Bug ⛨ Security
• claude-ci-autofix.yml triggers after a workflow_run (PR Checks/Tests) fails, and the auto-fix job has `contents: write` and checks out `workflow_run.head_branch`, so it runs an agent that can execute Bash on the failing branch.
• For the non-PR case (hasPR=false, e.g. Tests failing on a push to main/dev), the prompt explicitly instructs a direct `git push origin {headBranch}`, which could land unreviewed automatic commits directly on main/dev and could form a repeated trigger/push loop while failures persist.
Agent Prompt
### Issue description
`claude-ci-autofix.yml` runs when a `workflow_run` fails, has write permission and checks out the failing `head_branch`. For failures with no PR (e.g. Tests failing on a push to main/dev), the prompt instructs pushing straight back to that branch, which carries a major process/security risk of "AI writing directly to the main branch".
### Issue Context
Avoid automatically executing untrusted code, or automatically pushing to protected branches, in a context that holds secrets/write permissions.
### Fix Focus Areas
- .github/workflows/claude-ci-autofix.yml[1-7]
- .github/workflows/claude-ci-autofix.yml[188-207]
- .github/workflows/claude-ci-autofix.yml[435-446]
### Suggested direction
- Add a constraint to the `auto-fix` job: run only when `github.event.workflow_run.event == 'pull_request'` and `pull_requests` is non-empty
- For non-PR failures: forbid direct pushes; instead create a new branch and open a PR targeting `dev`/`main` (reviewed/merged by a human)
- If checking out the PR branch is required, add a gate: allow only same-repository branches (avoid forks), and remove `Bash(*)`/package-manager execution where possible
- Add extra loop protection (e.g. detect whether the last N commits are auto-fix commits, or skip the push scenario outright)
| - name: Run Claude Code for Auto-Fix | ||
| uses: anthropics/claude-code-action@v1 | ||
| env: | ||
| ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }} | ||
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }} | ||
|
|
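Review bot: besides the `||` ordering, commits pushed with `secrets.GITHUB_TOKEN` do not trigger other workflows, so a fix commit or fix PR created with it will not re-run the PR checks it was meant to repair; if the intent is for CI to validate the auto-fix, the push needs a PAT or GitHub App token, and the docs should state which one applies to each mode.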
4. GH_PAT never used 🐞 Bug ✓ Correctness
• The auto-fix job's github_token uses ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}; since GITHUB_TOKEN is normally always present, GH_PAT is never selected even when configured.
• This contradicts the documented expectation that "sync-dev requires GH_PAT to push to protected branches", and causes unexpected permission failures when higher privileges are needed.
Agent Prompt
### Issue description
The short-circuit logic of `github_token: ${{ secrets.GITHUB_TOKEN || secrets.GH_PAT }}` means GH_PAT never takes effect.
### Issue Context
The docs require GH_PAT for pushing to protected branches; even when not pushing to a protected branch, "prefer GH_PAT whenever it is configured" should be the consistent behaviour.
### Fix Focus Areas
- .github/workflows/claude-ci-autofix.yml[259-266]
### Suggested direction
- Change to: `github_token: ${{ secrets.GH_PAT || secrets.GITHUB_TOKEN }}`
- If a particular mode strongly depends on GH_PAT (e.g. sync-dev), fail fast with a clear error message when it is missing
🤖 Codex PR Review
PR Summary
Key Risks
Findings
Change description
Related Issue / Requirement
Self-test method
cd backend && uv run uvicorn app.main:app --reload --port 8090
cd frontend && pnpm --filter @whalewhisper/web dev
Risks & Rollback
Checklist
PR Checks) passed
📝 PR description (auto-generated by Codex)
PR Review/CI automation under .github/: Claude PR Review now waits for the Codex PR Review result (up to 10 minutes) before deciding whether to run as a fallback, and adds Claude CI Auto-Fix (automatically attempts safe fixes on CI failure / manual main→dev sync) and Claude PR Review Responder (automatically applies changes and replies based on review feedback). The codex-pr-review prompt and the CI/CD configuration docs are also upgraded, adding size labels, 6-perspective review, confidence thresholds / false-positive filtering and output conventions.
.github/CI_CD_SETUP.md, .github/prompts/codex-pr-review.md; ci: .github/workflows/claude-pr-review.yml (fallback logic), new .github/workflows/claude-ci-autofix.yml / .github/workflows/claude-review-responder.yml.
Configure Secrets per .github/CI_CD_SETUP.md (at least ANTHROPIC_API_KEY; sync-dev pushing to protected branches requires GH_PAT).
Trial-run Claude CI Auto-Fix (workflow_dispatch) with task_type=ci-fix and with task_type=sync-dev (source=main, target=dev; parameters are whitelist-validated).
Whether Claude PR Review (Fallback) is skipped; after a review is submitted (changes_requested, or a review body containing @claude), whether Claude PR Review Responder triggers and writes back commits/comments.
claude-ci-autofix.yml / claude-review-responder.yml have contents: write and are allowed to run Bash(*) (auto commit/push/create PR); confirm that the trigger scope, branch protection and secrets permissions match expectations. Also, claude-ci-autofix.yml listens for workflow names containing "Tests", but the current test workflow is named "Test Suite", which may mean auto-fix does not trigger when the test workflow fails.