Skip to content

Commit 9c528a7

Browse files
refactor(rhdh-pr-review): extract shared review framework
Extract shared phases (PR fetch, active verification, findings structure) into reusable references so adding a new repo requires only ~200 lines of repo-specific content instead of duplicating the full ~500-line workflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 9d21c07 commit 9c528a7

6 files changed

Lines changed: 142 additions & 173 deletions

File tree

skills/rhdh-pr-review/SKILL.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -75,6 +75,9 @@ See `references/chart-pr-testing.md` for deployment commands.
7575

7676
| Reference | Purpose | Path |
7777
|-----------|---------|------|
78+
| shared-pr-fetch | PR context fetching (shared) | `references/shared-pr-fetch.md` |
79+
| shared-verification | Active verification process (shared) | `references/shared-verification.md` |
80+
| shared-findings-structure | Findings report structure (shared) | `references/shared-findings-structure.md` |
7881
| operator-pr-images | CI image extraction and validation (operator) | `references/operator-pr-images.md` |
7982
| chart-pr-testing | Chart CI behavior, local validation, deployment (chart) | `references/chart-pr-testing.md` |
8083
| github-reference | gh CLI patterns, PR queries | `../rhdh/references/github-reference.md` (if unavailable, use standard `gh` CLI patterns) |
Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
# Reference: Findings & Recommendations Structure (Shared)
2+
3+
Shared Phase 7 for all PR review workflows. The calling workflow defines repo-specific best-practice bullets and rollback commands before referencing this file.
4+
5+
<findings_structure>
6+
7+
## Findings & Recommendations
8+
9+
Synthesize the verification results and provide a complete review assessment.
10+
11+
### 7.1 Verification summary
12+
13+
Summarize what was tested and the results:
14+
15+
| Category | Test performed | Result | Evidence |
16+
|---|---|---|---|
17+
| *[category]* | *[what was tested]* | Pass/Fail | *[key observation]* |
18+
19+
### 7.2 Best practice assessment
20+
21+
Review the PR's approach against the repo's development best practices. Reference `../../rhdh/references/rhdh-repos.md` for conventions. Use the repo-specific best-practice bullets defined by the calling workflow.
22+
23+
### 7.3 Security review
24+
25+
Evaluate the changes from a security perspective:
26+
27+
- Are secrets handled safely (no plaintext logging, proper Secret resources)?
28+
- Do RBAC changes follow least-privilege principle?
29+
- Are container image references pinned appropriately?
30+
- Are new network exposures (ports, routes, service accounts) intentional and documented?
31+
- Do dependency updates introduce known CVEs?
32+
- Are user-supplied inputs validated before use in resource names or labels?
33+
34+
Add any repo-specific security concerns defined by the calling workflow.
35+
36+
### 7.4 Improvement suggestions
37+
38+
Based on the findings, suggest concrete improvements if any:
39+
40+
- Code or template changes needed (reference specific files and lines from the diff)
41+
- Missing test coverage for the changed code paths
42+
- Documentation gaps
43+
- Configuration or operational concerns
44+
45+
### 7.5 Rollback instructions
46+
47+
Present the rollback commands recorded in Phase 4. Include verification that the rollback succeeded.
48+
49+
</findings_structure>
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
# Reference: Fetch PR Context (Shared)
2+
3+
Shared Phase 1 for all PR review workflows. The calling workflow must set `REPO` and `PR_NUMBER` before referencing this file.
4+
5+
<fetch_pr>
6+
7+
## Fetch PR Context
8+
9+
```bash
10+
gh pr view $PR_NUMBER --repo $REPO \
11+
--json number,title,state,author,body,files,createdAt,headRefOid,baseRefName
12+
```
13+
14+
Validate:
15+
- PR state is `OPEN` (warn if merged or closed — artifacts may still work but PR is not active)
16+
- PR belongs to the expected `$REPO`
17+
18+
Fetch the diff for later checklist generation:
19+
20+
```bash
21+
gh pr diff $PR_NUMBER --repo $REPO
22+
```
23+
24+
Save the changed file list for Phase 5:
25+
26+
```bash
27+
gh pr view $PR_NUMBER --repo $REPO --json files --jq '.files[].path'
28+
```
29+
30+
</fetch_pr>
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
# Reference: Active Verification Process (Shared)
2+
3+
Shared Phase 6 for all PR review workflows. This phase verifies the PR's specific changes on the cluster — not generic health checks. The goal is to exercise the exact code paths the PR modified and capture evidence that the behavioral change works as intended.
4+
5+
<verification_process>
6+
7+
## Active Verification
8+
9+
### 6.1 Analyze the diff
10+
11+
Read the diff hunks from Phase 1. For each changed file, understand:
12+
13+
- What the code did **before** the change
14+
- What it does **after**
15+
- What behavioral difference this introduces on a running cluster
16+
17+
Map each change to a concrete cluster-observable effect — something you can trigger and measure. If a change has no cluster-observable effect (e.g., pure refactor with identical behavior, documentation-only update, CI config change), state that explicitly and explain why.
18+
19+
### 6.2 Propose a verification plan
20+
21+
Present the plan to the user. For each test, specify:
22+
23+
- **What to do**: the exact cluster action
24+
- **What to observe**: where to look (logs, resource spec, status, events, HTTP response)
25+
- **Pass criteria**: what output means the change works
26+
- **Fail criteria**: what output means the change is broken
27+
28+
**STOP. Do not run any verification commands. Present the plan and wait for the user to accept it before proceeding to 6.3.**
29+
30+
### 6.3 Execute the plan
31+
32+
Only after the user accepts the plan:
33+
34+
Run each verification step on the cluster. For every step, capture the actual command output as evidence. Do not summarize — show the raw output so the user can see exactly what happened.
35+
36+
</verification_process>

skills/rhdh-pr-review/workflows/review-chart-pr.md

Lines changed: 12 additions & 91 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,11 @@ Check out a PR's chart changes, validate locally, deploy the full chart to a run
66

77
Read these reference files before starting:
88

9-
1. `../references/chart-pr-testing.md` — Chart CI behavior, local validation, deployment commands
10-
2. `../../rhdh/references/github-reference.md` — gh CLI patterns
9+
1. `../references/shared-pr-fetch.md` — Shared Phase 1 (PR context fetching)
10+
2. `../references/shared-verification.md` — Shared Phase 6 (active verification)
11+
3. `../references/shared-findings-structure.md` — Shared Phase 7 (findings structure)
12+
4. `../references/chart-pr-testing.md` — Chart CI behavior, local validation, deployment commands
13+
5. `../../rhdh/references/github-reference.md` — gh CLI patterns
1114

1215
</required_reading>
1316

@@ -29,26 +32,9 @@ Read these reference files before starting:
2932
```bash
3033
REPO="redhat-developer/rhdh-chart"
3134
PR_NUMBER=<number>
32-
33-
gh pr view $PR_NUMBER --repo $REPO \
34-
--json number,title,state,author,body,files,createdAt,headRefOid,baseRefName
3535
```
3636

37-
Validate:
38-
- PR state is `OPEN` (warn if merged or closed — branch may be deleted)
39-
- PR belongs to `redhat-developer/rhdh-chart`
40-
41-
Fetch the diff for later checklist generation:
42-
43-
```bash
44-
gh pr diff $PR_NUMBER --repo $REPO
45-
```
46-
47-
Save the changed file list for Phase 5:
48-
49-
```bash
50-
gh pr view $PR_NUMBER --repo $REPO --json files --jq '.files[].path'
51-
```
37+
Read `../references/shared-pr-fetch.md` and follow the `<fetch_pr>` instructions using the `REPO` and `PR_NUMBER` variables above.
5238

5339
---
5440

@@ -365,59 +351,17 @@ When done testing, rollback the chart:
365351

366352
## Phase 6: Active Verification
367353

368-
**This phase verifies the PR's specific chart changes on the cluster — not generic health checks.** The goal is to exercise the exact template/values changes the PR introduced and capture evidence that they work as intended.
369-
370-
### 6.1 Analyze the diff
371-
372-
Read the diff hunks from Phase 1. For each changed file, understand:
373-
374-
- What the template/values did **before** the change
375-
- What it does **after**
376-
- What behavioral difference this introduces on a running cluster
377-
378-
Map each change to a concrete cluster-observable effect — something you can trigger and measure. Examples:
379-
380-
- Template adds a new ConfigMap → verify it exists with correct data
381-
- Values add a new toggle → verify it takes effect when enabled/disabled
382-
- Network policy change → verify connectivity is correct
383-
- Route/Ingress change → verify access works from expected paths
384-
385-
If a change has no cluster-observable effect (e.g., helm-docs comment update, CI config change), state that explicitly.
386-
387-
### 6.2 Propose a verification plan
388-
389-
Present the plan to the user. For each test, specify:
390-
391-
- **What to do**: the exact cluster action (apply values override, check resource, curl endpoint, etc.)
392-
- **What to observe**: where to look (resource spec, pod env, logs, HTTP response)
393-
- **Pass criteria**: what output means the change works
394-
- **Fail criteria**: what output means the change is broken
354+
Typical chart verification actions: apply values overrides, check rendered resources, curl endpoints, verify ConfigMap data, test toggle behavior (enabled/disabled), check network policies.
395355

396-
**STOP. Do not run any verification commands. Present the plan and wait for the user to accept it before proceeding to 6.3.**
397-
398-
### 6.3 Execute the plan
399-
400-
Only after the user accepts the plan:
401-
402-
Run each verification step on the cluster. For every step, capture the actual command output as evidence. Do not summarize — show the raw output so the user can see exactly what happened.
356+
Read `../references/shared-verification.md` and follow the `<verification_process>` instructions, applying them to the specific chart changes in this PR.
403357

404358
---
405359

406360
## Phase 7: Findings & Recommendations
407361

408-
Synthesize the verification results and provide a complete review assessment.
409-
410-
### 7.1 Verification summary
411-
412-
Summarize what was tested and the results:
362+
Read `../references/shared-findings-structure.md` and follow the `<findings_structure>` instructions, using the chart-specific context below.
413363

414-
| Category | Test performed | Result | Evidence |
415-
|---|---|---|---|
416-
| *[category]* | *[what was tested]* | Pass/Fail | *[key observation]* |
417-
418-
### 7.2 Best practice assessment
419-
420-
Review the PR's approach against chart development best practices. Reference `../../rhdh/references/rhdh-repos.md` for chart conventions:
364+
### Chart best-practice bullets (for 7.2)
421365

422366
- Does the change follow the subchart architecture (upstream values under `upstream:` key)?
423367
- Are dynamic plugin configurations handled via `global.dynamic.includes` / `global.dynamic.plugins`?
@@ -427,39 +371,16 @@ Review the PR's approach against chart development best practices. Reference `..
427371
- Is the `_helpers.tpl` used for reusable template logic instead of inline duplication?
428372
- Are values documented with `# --` comments so helm-docs generates correct README?
429373

430-
### 7.3 Security review
431-
432-
Evaluate the changes from a security perspective:
374+
### Chart security bullets (for 7.3)
433375

434376
- Are secrets handled safely (no plaintext in values.yaml defaults, proper Secret resources)?
435-
- Do RBAC templates follow least-privilege principle?
436-
- Are container image references pinned appropriately?
437377
- Are new network policies restrictive enough?
438378
- Do new ServiceAccount configurations avoid unnecessary permissions?
439-
- Are user-supplied values sanitized before use in resource names or labels?
440-
441-
### 7.4 Improvement suggestions
442-
443-
Based on the findings, suggest concrete improvements if any:
444-
445-
- Template changes needed (reference specific files and lines from the diff)
446-
- Missing values documentation or schema coverage
447-
- Test gaps (new template logic without corresponding test in `templates/tests/`)
448-
- Configuration or operational concerns
449-
450-
### 7.5 Rollback instructions
451-
452-
Present the rollback command recorded in Phase 4.6:
453-
454-
```bash
455-
helm rollback $HELM_RELEASE $HELM_REVISION -n $HELM_NS
456-
```
457379

458-
To fully restore the previous chart version with its exact values:
380+
### Chart rollback commands (for 7.5)
459381

460382
```bash
461383
helm rollback $HELM_RELEASE $HELM_REVISION -n $HELM_NS
462-
# Verify rollback succeeded
463384
helm history $HELM_RELEASE -n $HELM_NS --max 3
464385
kubectl rollout status deployment/$RHDH_DEPLOY -n $HELM_NS --timeout=300s
465386
```

0 commit comments

Comments
 (0)