* chore: add comprehensive contributing guide
* Update CONTRIBUTING.md
  Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
* Update CONTRIBUTING.md
  Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
---------
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

- Restore backend and frontend PR checks
- Enable Python syntax check and import test for backend
- Enable pnpm build check for frontend
- Fix 'Expected — Waiting for status to be reported' issue

- Upgrade codex-pr-review.md to 6-perspective review with confidence scoring
- Rewrite claude-pr-review.yml with Codex-first fallback pattern
- Add claude-ci-autofix.yml for auto-fixing CI failures + dev sync
- Add claude-review-responder.yml for auto-responding to PR reviews
- Update CI_CD_SETUP.md with new workflow documentation

- [Critical] auto-fix: restrict to same-repo PRs only (fork protection)
- [High] review-responder: require explicit @claude mention, restrict to same-repo
- [Medium] auto-fix: use `gh run view --log-failed` instead of broken API call
- [Medium] pr-review: fix Codex matching to use head_sha + pull_requests
- [Low] auto-fix: correct workflow name "Tests" → "Test Suite"

Rename "Claude PR Review (Fallback)" back to "Claude PR Review" so the check name matches what branch protection expects.
Direct contributors to read the contributing guide before starting.
Review Summary by Qodo
Enhance CI workflow stability with SHA pinning and improved error handling
Walkthroughs
Description
• Improve CI workflow robustness with SHA pinning and validation
  - Replace branch refs with commit SHAs in checkout operations
  - Add verification that PR branch hasn't advanced since review submission
  - Enhance error handling and logging in log fetching
• Fix workflow conditional logic for missing API keys
  - Move secret checks from job-level conditions to individual steps
  - Add explicit skip steps when ANTHROPIC_API_KEY or OPENAI_API_KEY missing
• Refine Codex workflow matching logic for better PR detection
• Reorder pnpm setup before Node.js in frontend workflows
• Update README with contribution guidelines reference
Diagram
flowchart LR
A["CI Workflows"] -->|"Add SHA pinning"| B["Checkout by commit SHA"]
A -->|"Improve validation"| C["Verify branch hasn't moved"]
A -->|"Better error handling"| D["Enhanced log fetching"]
A -->|"Fix conditionals"| E["Step-level secret checks"]
A -->|"Refine matching"| F["Improved Codex detection"]
A -->|"Fix setup order"| G["pnpm before Node.js"]
File Changes
1. .github/workflows/claude-ci-autofix.yml
Greptile Overview
Greptile Summary
This PR enhances GitHub Actions workflows with improved reliability, security, and graceful degradation patterns. The main changes focus on SHA pinning for checkout operations (preventing race conditions), better error handling in log fetching, and conditional execution based on API key availability.
Key improvements:
Issue found:
Confidence Score: 4/5
| Filename | Overview |
|---|---|
| .github/workflows/claude-ci-autofix.yml | Enhanced error handling and SHA pinning for checkout - improved reliability by using head_sha instead of head_branch, added comprehensive log fetching with fallback error handling |
| .github/workflows/claude-pr-review.yml | Enhanced PR/workflow run matching logic - added branch validation and improved robustness for finding matching workflow runs |
| .github/workflows/claude-review-responder.yml | Added SHA pinning verification - prevents race conditions by verifying PR branch hasn't moved since review, uses head_sha for checkout |
| README.md | Added CONTRIBUTING.md reference and test line - the test line on L213 should be removed before merging |
Sequence Diagram
sequenceDiagram
participant Dev as Developer
participant PR as Pull Request
participant CI as CI Workflows
participant Claude as Claude Workflows
participant Codex as Codex Workflows
Dev->>PR: Opens/Updates PR
PR->>CI: Triggers pr-check.yml / test.yml
Note over CI: Setup pnpm BEFORE Node.js<br/>(Fixed ordering)
CI->>CI: Run backend/frontend tests
alt CI Fails
CI->>Claude: Trigger claude-ci-autofix.yml
Note over Claude: Checkout at head_sha (pinned)<br/>Not head_branch
Claude->>Claude: Fetch failed logs with error handling
Claude->>Claude: Analyze and apply safe fixes
Claude->>PR: Push fixes or create fix PR
end
PR->>Codex: Trigger codex-pr-review.yml
alt Codex API Key Missing
Note over Codex: Skip gracefully instead of failing<br/>(Improved condition logic)
Codex-->>Claude: Fallback to Claude review
end
alt Codex succeeds
Codex->>PR: Post review
else Codex fails/times out
Claude->>PR: claude-pr-review.yml fallback
Note over Claude: Enhanced PR/run matching<br/>with branch validation
Claude->>PR: Post comprehensive review
end
Dev->>PR: Reviewer submits review mentioning `@claude`
PR->>Claude: Trigger claude-review-responder.yml
Note over Claude: Verify PR branch hasn't moved<br/>since review (SHA pinning)
Claude->>Claude: Checkout at head_sha (pinned)
Claude->>Claude: Implement review feedback
Claude->>PR: Push changes to PR branch
Claude->>PR: Post response comment
Code Review by Qodo
1. ci-fix dispatch fails
|
| ref: ${{ github.event.workflow_run.head_sha }} | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Fetch failed logs | ||
| id: failed_logs | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GH_PAT || github.token }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: | | ||
| gh run view ${{ github.event.workflow_run.id }} --log-failed > failed.log 2>/dev/null || echo "Failed to fetch logs" > failed.log | ||
| set -euo pipefail | ||
|
|
||
| run_id="${{ github.event.workflow_run.id }}" | ||
| run_url="${{ github.event.workflow_run.html_url }}" | ||
|
|
||
| if [ -z "$run_id" ]; then | ||
| echo "::error::Missing workflow_run.id; this job only supports workflow_run triggers." | ||
| exit 1 | ||
| fi |
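Review bot: In the `Fetch failed logs` step, `run_id="${{ github.event.workflow_run.id }}"` and `run_url="${{ github.event.workflow_run.html_url }}"` expand expressions directly inside the `run:` script. Pass both through the step's `env:` block, as is already done for `GH_REPO`, and read them as shell variables, so that no expression text becomes part of the shell source in a step that also holds `GH_TOKEN` (`secrets.GH_PAT || github.token`). The empty `run_id` check also comes late: on any trigger without a `workflow_run` payload, the checkout above it has already run with an empty `ref` by the time this step exits 1, so the guard belongs before the checkout.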
1. Ci-fix dispatch fails 🐞 Bug ⛯ Reliability
• auto-fix is configured to run on workflow_dispatch (task_type == 'ci-fix'), but the steps still unconditionally reference github.event.workflow_run.*.
• On manual dispatch, workflow_run.id/head_sha/html_url are absent, causing checkout to use an empty ref and the log-fetch step to exit 1.
• Result: the advertised manual ci-fix mode is effectively broken and will fail immediately.
Agent Prompt
### Issue description
The `auto-fix` job claims to support manual `workflow_dispatch` runs for `task_type=ci-fix`, but its implementation assumes a `workflow_run` payload and hard-fails when `workflow_run.id` is missing.
### Issue Context
On `workflow_dispatch`, `github.event.workflow_run.*` fields are not present. The job currently uses those fields for checkout and fails early in the “Fetch failed logs” step.
### Fix Focus Areas
- .github/workflows/claude-ci-autofix.yml[188-224]
### Suggested fix (one good option)
1. Add a `workflow_dispatch` input like `run_id` (required when `task_type=ci-fix`).
2. Add a step that resolves `run_id/head_sha/run_url`:
- If event is `workflow_run`: use `github.event.workflow_run.*`.
- If event is `workflow_dispatch`: call `actions.getWorkflowRun` with the provided `run_id` and output `head_sha` and `html_url`.
3. Update subsequent steps (checkout/log fetch/failure_details) to use the resolved outputs instead of directly reading `github.event.workflow_run.*`.
4. Remove/adjust the `run_id` empty check to only fail when neither `workflow_run` nor the dispatch `run_id` input is provided.
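One way to wire up the suggested fix above, as an added example that is not code from this PR or the project. The step id `resolve`, the shape of the `run_id` input, the action versions and the `permissions` block are assumptions. The `head_repository` check is an addition that carries the same-repo restriction named in the commit list over to manually supplied run ids.

```yaml
# Added example; layout, step id and input description are assumptions.
on:
  workflow_run:
    workflows: ["Test Suite"]
    types: [completed]
  workflow_dispatch:
    inputs:
      task_type: { required: true, default: ci-fix }
      run_id: { description: "Failed run id (needed for ci-fix)", required: false }
permissions: { actions: read, contents: read }
jobs:
  auto-fix:
    runs-on: ubuntu-latest
    steps:
      - name: Resolve run id, head SHA and URL for either trigger
        id: resolve
        uses: actions/github-script@v7
        with:
          script: |
            const { owner, repo } = context.repo;
            let run = context.payload.workflow_run;
            if (context.eventName === 'workflow_dispatch') {
              const id = (context.payload.inputs || {}).run_id || '';
              if (!/^\d+$/.test(id)) {
                return core.setFailed('ci-fix needs a numeric run_id input');
              }
              ({ data: run } = await github.rest.actions.getWorkflowRun({
                owner, repo, run_id: Number(id),
              }));
            }
            // Same-repo restriction applies to manually supplied runs too.
            if (!run || run.head_repository?.full_name !== `${owner}/${repo}`) {
              return core.setFailed('run not found or its head is outside this repository');
            }
            core.setOutput('run_id', String(run.id));
            core.setOutput('head_sha', run.head_sha);
            core.setOutput('run_url', run.html_url);
      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.resolve.outputs.head_sha }}
          fetch-depth: 0
      - name: Fetch failed logs
        env:
          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
          GH_REPO: ${{ github.repository }}
          RUN_ID: ${{ steps.resolve.outputs.run_id }}
        run: |
          set -euo pipefail
          gh run view "$RUN_ID" --log-failed > failed.log
```

Because the resolve step fails before checkout when no run can be determined, the later steps never see an empty `ref` or an empty run id.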
Code Review Summary
This PR improves GitHub Actions workflow robustness through SHA pinning, enhanced error handling, and better conditional execution patterns. The changes are well-structured and follow best practices.
PR Size: S
Lines Changed: 145 (116 additions, 29 deletions)
Files Changed: 9
Issues Found
| Category | Critical | High | Medium | Low |
|---|---|---|---|---|
| Logic & Correctness | 0 | 0 | 0 | 0 |
| Security | 0 | 0 | 0 | 0 |
| Error Handling | 0 | 0 | 0 | 0 |
| Type Safety | 0 | 0 | 0 | 0 |
| Documentation | 0 | 0 | 0 | 0 |
| Tests | 0 | 0 | 0 | 0 |
| Code Clarity | 0 | 0 | 0 | 0 |
Total: 0 issues requiring attention
Key Improvements
- SHA Pinning (.github/workflows/claude-ci-autofix.yml:207, claude-review-responder.yml:26): Checkout now uses `head_sha` instead of `head_branch`, preventing race conditions when branches advance during workflow execution.
- Enhanced Error Handling (.github/workflows/claude-ci-autofix.yml:216-256): The `Fetch failed logs` step now includes comprehensive error checking with proper logging, temp file handling, and GitHub step summaries.
- Improved Conditional Execution (.github/workflows/claude-issue-duplicate-check.yml, codex-issue-triage.yml): Moved API key checks from job-level `if` to step-level conditionals, allowing workflows to skip gracefully rather than fail when secrets are missing.
- PR Matching Logic (.github/workflows/claude-pr-review.yml:52-62): Enhanced matching algorithm now validates both SHA and branch name, with proper handling of empty pull_requests arrays.
- Branch Verification (.github/workflows/claude-review-responder.yml:28-40): Added explicit verification that PR branch hasn't moved since review submission, with clear error messaging.
- pnpm Setup Order (.github/workflows/pr-check.yml:42-45, test.yml:69-72): Corrected action order to run pnpm setup before Node.js setup for proper cache initialization.
Review Coverage
- Logic and correctness
- Security (OWASP Top 10)
- Error handling
- Type safety
- Documentation accuracy
- Test coverage
- Code clarity
Notes
- README.md:213: Contains "这是一个测试行" (test line). Consider removing if unintentional.
- .gitignore: Added `.claude/` - appropriate for excluding Claude Code workspace files.
- All workflow changes follow GitHub Actions best practices and improve reliability.
Automated review by Claude AI
REPO="datawhalechina/whale-whisper"
PR="17"
LATEST_COMMIT_SHA="18c5f1feaf54a7edeeb6f38a9a27e955385acd96"
Apply size label (computed: S)
gh pr edit "$PR" --repo "$REPO" --add-label "size/S"
Inline comments (validated issues only)
1)
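Change description
Related issue / requirement
Self-test method
cd backend && uv run uvicorn app.main:app --reload --port 8090
cd frontend && pnpm --filter @whalewhisper/web dev
Risks & rollback
Checklist
PR Checks) passed
📝 PR description (auto-generated by Codex)
Adds the ignore entry `.claude/` to `.gitignore` and appends the line “这是一个测试行” (test line) to the end of `README.md`.
README.md); backend / frontend / ci: none
git diff 043b9b81fd40eef60f0f93f8bae592aff4428852..18c5f1feaf54a7edeeb6f38a9a27e955385acd96
mkdir -p .claude && git status --porcelain (`.claude/` should not appear)
README.md, confirm whether the newly added “test line” needs to be kept
The “这是一个测试行” line in README.md may be an accidental commit or temporary content; the newly added ignore for `.claude/` may prevent the contents of that directory from being brought under version control (to be adjusted later if the team wants them committed).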