You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Extract shared phases (PR fetch, active verification, findings
structure) into reusable references so adding a new repo requires
only ~200 lines of repo-specific content instead of duplicating
the full ~500-line workflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shared Phase 7 for all PR review workflows. The calling workflow defines repo-specific best-practice bullets and rollback commands before referencing this file.
4
+
5
+
<findings_structure>
6
+
7
+
## Findings & Recommendations
8
+
9
+
Synthesize the verification results and provide a complete review assessment.
10
+
11
+
### 7.1 Verification summary
12
+
13
+
Summarize what was tested and the results:
14
+
15
+
| Category | Test performed | Result | Evidence |
16
+
|---|---|---|---|
17
+
|*[category]*|*[what was tested]*| Pass/Fail |*[key observation]*|
18
+
19
+
### 7.2 Best practice assessment
20
+
21
+
Review the PR's approach against the repo's development best practices. Reference `../../rhdh/references/rhdh-repos.md` for conventions. Use the repo-specific best-practice bullets defined by the calling workflow.
22
+
23
+
### 7.3 Security review
24
+
25
+
Evaluate the changes from a security perspective:
26
+
27
+
- Are secrets handled safely (no plaintext logging, proper Secret resources)?
28
+
- Do RBAC changes follow least-privilege principle?
29
+
- Are container image references pinned appropriately?
30
+
- Are new network exposures (ports, routes, service accounts) intentional and documented?
31
+
- Do dependency updates introduce known CVEs?
32
+
- Are user-supplied inputs validated before use in resource names or labels?
33
+
34
+
Add any repo-specific security concerns defined by the calling workflow.
35
+
36
+
### 7.4 Improvement suggestions
37
+
38
+
Based on the findings, suggest concrete improvements if any:
39
+
40
+
- Code or template changes needed (reference specific files and lines from the diff)
41
+
- Missing test coverage for the changed code paths
42
+
- Documentation gaps
43
+
- Configuration or operational concerns
44
+
45
+
### 7.5 Rollback instructions
46
+
47
+
Present the rollback commands recorded in Phase 4. Include verification that the rollback succeeded.
Shared Phase 6 for all PR review workflows. This phase verifies the PR's specific changes on the cluster — not generic health checks. The goal is to exercise the exact code paths the PR modified and capture evidence that the behavioral change works as intended.
4
+
5
+
<verification_process>
6
+
7
+
## Active Verification
8
+
9
+
### 6.1 Analyze the diff
10
+
11
+
Read the diff hunks from Phase 1. For each changed file, understand:
12
+
13
+
- What the code did **before** the change
14
+
- What it does **after**
15
+
- What behavioral difference this introduces on a running cluster
16
+
17
+
Map each change to a concrete cluster-observable effect — something you can trigger and measure. If a change has no cluster-observable effect (e.g., pure refactor with identical behavior, documentation-only update, CI config change), state that explicitly and explain why.
18
+
19
+
### 6.2 Propose a verification plan
20
+
21
+
Present the plan to the user. For each test, specify:
22
+
23
+
-**What to do**: the exact cluster action
24
+
-**What to observe**: where to look (logs, resource spec, status, events, HTTP response)
25
+
-**Pass criteria**: what output means the change works
26
+
-**Fail criteria**: what output means the change is broken
27
+
28
+
**STOP. Do not run any verification commands. Present the plan and wait for the user to accept it before proceeding to 6.3.**
29
+
30
+
### 6.3 Execute the plan
31
+
32
+
Only after the user accepts the plan:
33
+
34
+
Run each verification step on the cluster. For every step, capture the actual command output as evidence. Do not summarize — show the raw output so the user can see exactly what happened.
Read `../references/shared-pr-fetch.md` and follow the `<fetch_pr>` instructions using the `REPO` and `PR_NUMBER` variables above.
52
38
53
39
---
54
40
@@ -365,59 +351,17 @@ When done testing, rollback the chart:
365
351
366
352
## Phase 6: Active Verification
367
353
368
-
**This phase verifies the PR's specific chart changes on the cluster — not generic health checks.** The goal is to exercise the exact template/values changes the PR introduced and capture evidence that they work as intended.
369
-
370
-
### 6.1 Analyze the diff
371
-
372
-
Read the diff hunks from Phase 1. For each changed file, understand:
373
-
374
-
- What the template/values did **before** the change
375
-
- What it does **after**
376
-
- What behavioral difference this introduces on a running cluster
377
-
378
-
Map each change to a concrete cluster-observable effect — something you can trigger and measure. Examples:
379
-
380
-
- Template adds a new ConfigMap → verify it exists with correct data
381
-
- Values add a new toggle → verify it takes effect when enabled/disabled
382
-
- Network policy change → verify connectivity is correct
383
-
- Route/Ingress change → verify access works from expected paths
384
-
385
-
If a change has no cluster-observable effect (e.g., helm-docs comment update, CI config change), state that explicitly.
386
-
387
-
### 6.2 Propose a verification plan
388
-
389
-
Present the plan to the user. For each test, specify:
390
-
391
-
-**What to do**: the exact cluster action (apply values override, check resource, curl endpoint, etc.)
392
-
-**What to observe**: where to look (resource spec, pod env, logs, HTTP response)
393
-
-**Pass criteria**: what output means the change works
394
-
-**Fail criteria**: what output means the change is broken
**STOP. Do not run any verification commands. Present the plan and wait for the user to accept it before proceeding to 6.3.**
397
-
398
-
### 6.3 Execute the plan
399
-
400
-
Only after the user accepts the plan:
401
-
402
-
Run each verification step on the cluster. For every step, capture the actual command output as evidence. Do not summarize — show the raw output so the user can see exactly what happened.
356
+
Read `../references/shared-verification.md` and follow the `<verification_process>` instructions, applying them to the specific chart changes in this PR.
403
357
404
358
---
405
359
406
360
## Phase 7: Findings & Recommendations
407
361
408
-
Synthesize the verification results and provide a complete review assessment.
409
-
410
-
### 7.1 Verification summary
411
-
412
-
Summarize what was tested and the results:
362
+
Read `../references/shared-findings-structure.md` and follow the `<findings_structure>` instructions, using the chart-specific context below.
413
363
414
-
| Category | Test performed | Result | Evidence |
415
-
|---|---|---|---|
416
-
|*[category]*|*[what was tested]*| Pass/Fail |*[key observation]*|
417
-
418
-
### 7.2 Best practice assessment
419
-
420
-
Review the PR's approach against chart development best practices. Reference `../../rhdh/references/rhdh-repos.md` for chart conventions:
364
+
### Chart best-practice bullets (for 7.2)
421
365
422
366
- Does the change follow the subchart architecture (upstream values under `upstream:` key)?
423
367
- Are dynamic plugin configurations handled via `global.dynamic.includes` / `global.dynamic.plugins`?
@@ -427,39 +371,16 @@ Review the PR's approach against chart development best practices. Reference `..
427
371
- Is the `_helpers.tpl` used for reusable template logic instead of inline duplication?
428
372
- Are values documented with `# --` comments so helm-docs generates correct README?
429
373
430
-
### 7.3 Security review
431
-
432
-
Evaluate the changes from a security perspective:
374
+
### Chart security bullets (for 7.3)
433
375
434
376
- Are secrets handled safely (no plaintext in values.yaml defaults, proper Secret resources)?
435
-
- Do RBAC templates follow least-privilege principle?
436
-
- Are container image references pinned appropriately?
437
377
- Are new network policies restrictive enough?
438
378
- Do new ServiceAccount configurations avoid unnecessary permissions?
439
-
- Are user-supplied values sanitized before use in resource names or labels?
440
-
441
-
### 7.4 Improvement suggestions
442
-
443
-
Based on the findings, suggest concrete improvements if any:
444
-
445
-
- Template changes needed (reference specific files and lines from the diff)
446
-
- Missing values documentation or schema coverage
447
-
- Test gaps (new template logic without corresponding test in `templates/tests/`)
448
-
- Configuration or operational concerns
449
-
450
-
### 7.5 Rollback instructions
451
-
452
-
Present the rollback command recorded in Phase 4.6:
0 commit comments