…ew-prompts reusable

Day 1 of revised Plan A — replaces harper's inline 463-line `claude-review.yml` with a ~75-line caller of the reusable workflow shipped in `HarperFast/ai-review-prompts#8`. The single `uses:` ref pin (currently `0a5ccbc6...` = ai-review-prompts main 2026-05-05) controls everything that needs to move together:

* The workflow logic itself (the reusable's authorize + review jobs, including the marker-based comment edit, the learnings-channel via $RUNNER_TEMP, the post-#444/#447/#452 calibration shape).
* The layer files referenced by `review-layers` (universal, harper/common, harper/v5).
* The bash scripts the reusable invokes (compose-review-scope, find-prior-review-comment, log-review-to-ai-review-log, authorize-claude-workflow).
* The fix-up commit baking in the honest-allowlist comment block (no longer claiming "Tool allowlist is a security boundary").

What lands

* `.github/workflows/claude-review.yml` — replaced with the thin caller. Inputs: `review-layers` (universal + harper/common + harper/v5), `repo-specific-checks` (the Harper-core block, including the "this repo IS Harper core, so 'defer to Harper docs' applies to PLUGIN docs, not in-repo docs" caveat that was previously inline). Secrets passed through.
* Removes three scripts the reusable now owns: `.github/scripts/compose-review-scope.sh`, `find-prior-review-comment.sh`, `log-review-to-ai-review-log.sh`.
* Keeps three scripts still used by the inline mention / issue-to-pr workflows: `.github/scripts/authorize-claude-workflow.sh` (used by mention + issue-to-pr's authorize jobs; same script as the reusable, intentional duplication until those workflows migrate too), `parse-claude-mention.sh`, `validate-auth-gate-invariants.sh`.
* Updates `validate-auth-gate-invariants.sh` to handle caller-pattern workflows: when a `claude-*.yml` has no inline authorize job, the validator now confirms the workflow invokes a `HarperFast/...` reusable via `uses:` pinned to a 40-char SHA (mutable refs would let an attacker silently repoint to a weakened version of the reusable). The reusable's structural invariants are validated separately by ai-review-prompts' own auth-gate-invariants.yml.

What's NOT in this PR

* `claude-mention.yml` and `claude-issue-to-pr.yml` stay inline. Reusables for those will land later as Day 2 of the revised Plan A; same caller-migration pattern.
* oauth migration to caller — separate PR after this lands.

Verified locally

* YAML parses for both the new caller and the updated validator.
* `bash .github/scripts/validate-auth-gate-invariants.sh` against all three current workflows: passes. `claude-review.yml` is recognized as caller-pattern and the SHA pin is enforced. The two inline workflows still pass the structural check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Same fix as oauth#73: the reusable's auto-derive of the called-workflow ref doesn't work in workflow_call context (github.workflow_ref resolves to the CALLER's ref). Pass the SHA explicitly via the existing ai-review-prompts-ref input until the followup PR drops the broken auto-derive. See HarperFast/oauth#73 for the prior art and rationale.
HarperFast/ai-review-prompts#10 dropped the broken github.workflow_ref auto-derive and made ai-review-prompts-ref required. Bump both places in lockstep.
Merged
…idator

Mirrors the oauth #75 shape: now that all three reusables exist on ai-review-prompts main (post-#11/#12/#14), close out harper's caller migration in one shot rather than dragging it across PRs.

- `claude-mention.yml` → caller of `_claude-mention.yml`
- `claude-issue-to-pr.yml` → caller of `_claude-issue-to-pr.yml`
- `claude-review.yml` → SHA pin bumped from `bac5e45` to `11872cb` for parity with the other two

Both new callers carry the harper-specific repo conventions (oxlint, RocksDB primary, TypeStrip, `dependencies.md`, no `tsc || true` build tolerance) via the reusables' `repo-specific-conventions:` input. Default `pre-commit-validation` matches the harper-style npm-only flow already shipped in the reusables — no override needed.

Adds `validate-caller-workflows.yml` — thin caller of `_validate-caller-workflows.yml`. Catches shadow jobs and mutable refs in the caller files. Make this `validate` job a required status check on `main`.

Removes harper's now-redundant local files (oauth dropped the same set in #75; the centralized scripts in `ai-review-prompts` are the single source of truth):

- `.github/scripts/authorize-claude-workflow.sh`
- `.github/scripts/parse-claude-mention.sh`
- `.github/scripts/validate-auth-gate-invariants.sh`
- `.github/workflows/auth-gate-invariants.yml`

Net: 8 files touched (4 deleted + 1 added + 3 modified), +122 / -795. Caller validator passes locally against the all-caller tree.

Workflow-modifying-PR caveat applies — same App-token-401 gotcha that's already kept this PR from getting reviewed by Claude. Subsequent harper PRs will be reviewed normally and will exercise the new `validate-caller-workflows.yml` job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Day 2 of the AI workflow caller migration for harper. Mirrors oauth #75: now that all three reusables exist on `ai-review-prompts` main (post-#11 / #12 / #14), close out harper's caller migration in one shot rather than dragging it across PRs.

After this lands, harper has zero inline Claude workflow logic — everything flows through the centralized reusables in `HarperFast/ai-review-prompts`, pinned to `11872cb1cc2d0e90659659ade6d8ddbbdfbf1d05`.

What's migrated to thin callers

- `claude-review.yml` → caller of `_claude-review.yml`. Kept the existing `repo-specific-checks` (Harper core: oxlint, RocksDB, TypeStrip, `dependencies.md`, no `tsc || true` tolerance). Pin bumped from `bac5e45` to `11872cb` for parity with the other two.
- `claude-mention.yml` → caller of `_claude-mention.yml`. Harper conventions flow through the `repo-specific-conventions:` input.
- `claude-issue-to-pr.yml` → caller of `_claude-issue-to-pr.yml`. Same harper conventions; default `pre-commit-validation` (npm-only, label-scoped) matches harper's existing flow — no override needed.

What's added

- `.github/workflows/validate-caller-workflows.yml` — thin caller of `_validate-caller-workflows.yml`. Catches shadow jobs (a non-`uses:` job alongside the legit reusable call would run with the caller's perms, bypassing the auth gate) and mutable refs in either `uses:` or `with.ai-review-prompts-ref`. Recommend making the `validate` job a required status check on `main` alongside CODEOWNERS review on `.github/`.

What's removed

- `.github/scripts/authorize-claude-workflow.sh` — now shipped by the reusables.
- `.github/scripts/parse-claude-mention.sh` — same.
- `.github/scripts/validate-auth-gate-invariants.sh` — replaced by the new caller-validator workflow (which fully covers the caller pattern; no inline workflows remain to validate).
- `.github/workflows/auth-gate-invariants.yml` — replaced by `validate-caller-workflows.yml`.

Net: 8 files touched (4 deleted + 1 added + 3 modified), +122 / −795 (inline prompt bodies and scripts now centralized in `ai-review-prompts`).

Caveat: workflow-modifying-PR App-token-401

This PR will continue to hit the GitHub-side gotcha that's already kept it from getting reviewed by Claude — the action's App token exchange returns 401 because the checked-out workflow content differs from main's. Subsequent harper PRs will be reviewed normally and will exercise the new `validate-caller-workflows.yml` job.

Test plan

- …`validate-caller-workflow.sh` from ai-review-prompts main) dry-run locally against the new tree: 3 caller workflows pass, no inline files remain.
- …`@claude` mention, verify the mention reusable picks up Harper conventions; label a test issue with `claude-fix:typo`, verify the issue-to-PR reusable opens a PR.

Commits

- `9bbdae2` — initial migration of `claude-review.yml` to caller pattern
- `d2a8e87` — pass `ai-review-prompts-ref` explicitly (post-auto-derive bug)
- `5c3f255` — bump ai-review-prompts pin to `bac5e45`
- `f9b1c57` — (this push) expand to full Day 2: mention + issue-to-PR migrations, caller validator added, local scripts dropped, pin bumped to `11872cb`

🤖 Generated with Claude Code
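The invariants the two validators on this page are described as enforcing (the Day 1 commit's 40-char SHA pin on a `HarperFast/...` `uses:` ref, and the PR description's shadow-job and `with.ai-review-prompts-ref` checks), worked through as an added bash example. This is not the project's `validate-caller-workflow.sh` or `validate-auth-gate-invariants.sh`; the sample caller workflows are constructed for the example, and the reusable's path under `ai-review-prompts` is assumed. The pin SHA is the one quoted in the PR.

```bash
#!/usr/bin/env bash
# Added example; not the project's validate-caller-workflow.sh. Checks a thin
# caller workflow for the invariants described in the PR:
#   1. every job under jobs: is a `uses:` call (a job without one is a shadow
#      job: it runs with the caller's own permissions, bypassing the gate)
#   2. every `uses:` targets HarperFast/... and is pinned to a 40-hex SHA
#   3. with.ai-review-prompts-ref, when present, equals that SHA (lockstep)
# Assumes two-space YAML indentation; a real YAML parser would be more robust,
# but this mirrors what a bash-only repo script can do.

SHA40='^[0-9a-f]{40}$'

# One record per job: "<job> <uses ref or -> <ai-review-prompts-ref or ->"
_caller_jobs() {
  awk '
    /^jobs:/                        { injobs = 1; next }
    injobs && /^[^ ]/               { injobs = 0 }
    !injobs                         { next }
    /^  [A-Za-z0-9_-]+:$/ {         # job id at 2-space indent
      if (job != "") print job, uses, pref
      job = $1; sub(":$", "", job); uses = "-"; pref = "-"; next
    }
    /^    uses:/                    { uses = $2 }   # job level only; step uses: sit deeper
    /^      ai-review-prompts-ref:/ { pref = $2 }
    END { if (job != "") print job, uses, pref }
  ' "$1"
}

count_caller_jobs() { _caller_jobs "$1" | wc -l | tr -d ' '; }

# Returns 0 when every job passes, 1 otherwise; findings go to stderr.
validate_caller_workflow() {
  local file="$1" rc=0 tmp job uses pref path ref
  tmp=$(mktemp); _caller_jobs "$file" > "$tmp"
  while read -r job uses pref; do
    if [ "$uses" = "-" ]; then
      echo "$file: job '$job' has no uses: (shadow job, runs with caller perms)" >&2
      rc=1; continue
    fi
    path="${uses%@*}"; ref="${uses##*@}"
    case "$path" in
      HarperFast/*) ;;
      *) echo "$file: job '$job' calls '$path', not a HarperFast/ reusable" >&2; rc=1 ;;
    esac
    if ! printf '%s\n' "$ref" | grep -Eq "$SHA40"; then
      echo "$file: job '$job' uses ref '$ref' is not a 40-char SHA (mutable)" >&2; rc=1
    fi
    if [ "$pref" != "-" ] && [ "$pref" != "$ref" ]; then
      echo "$file: job '$job' ai-review-prompts-ref '$pref' != uses ref '$ref'" >&2; rc=1
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# Constructed sample callers (not harper's real files). PIN is the SHA quoted
# in the PR; the reusable's path under ai-review-prompts is assumed.
SAMPLES=$(mktemp -d)
PIN=11872cb1cc2d0e90659659ade6d8ddbbdfbf1d05
REUSABLE=HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml
GOOD_CALLER=$SAMPLES/good.yml
cat > "$GOOD_CALLER" <<EOF
name: Claude review
on:
  pull_request:
jobs:
  review:
    uses: $REUSABLE@$PIN
    with:
      ai-review-prompts-ref: $PIN
      review-layers: universal,harper/common,harper/v5
    secrets: inherit
EOF
BAD_MUTABLE=$SAMPLES/mutable.yml   # uses: pinned to a branch, not a SHA
sed "s/@$PIN/@main/; s/ref: $PIN/ref: main/" "$GOOD_CALLER" > "$BAD_MUTABLE"
BAD_DRIFT=$SAMPLES/drift.yml       # uses: is a SHA, but the with: ref is mutable
sed "s/ref: $PIN/ref: main/" "$GOOD_CALLER" > "$BAD_DRIFT"
BAD_SHADOW=$SAMPLES/shadow.yml     # extra non-uses job beside the legit call
{ cat "$GOOD_CALLER"; cat <<'EOF'
  shadow:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "runs with the caller's permissions, no auth gate"
EOF
} > "$BAD_SHADOW"

for f in "$GOOD_CALLER" "$BAD_MUTABLE" "$BAD_DRIFT" "$BAD_SHADOW"; do
  if validate_caller_workflow "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
```

The shadow sample is the case worth noticing: its `- uses: actions/checkout@v4` is a step-level `uses:`, which the job-level match ignores, so the job is still reported as a shadow job. The drift sample shows why the PR bumps `uses:` and `ai-review-prompts-ref` in lockstep: a SHA-pinned `uses:` with a branch name in `with:` still lets the scripts the reusable checks out move underneath it.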