62 changes: 62 additions & 0 deletions .github/workflows/claude-code.yml
@@ -0,0 +1,62 @@
# Automated Claude Code PR reviews via AWS Bedrock.
# Uses the shared Jamf reusable workflow — no AWS keys or setup required.
# See https://github.com/jamf/github-actions-claude for docs and customization.

name: Claude Code

on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]

permissions:
id-token: write
contents: write # needed for resolve_threads
pull-requests: write
issues: write
actions: read

jobs:
review:
uses: jamf/github-actions-claude/.github/workflows/review.yml@v1
secrets: inherit
with:
severity_taxonomy: true
resolve_threads: true
cleanup_comments: true
additional_context: |
This is a Go CLI for the Jamf platform (Jamf Pro + Jamf Protect).

GENERATED CODE — SKIP REVIEW:
Files in internal/commands/pro/generated/ are auto-generated from OpenAPI
specs by the code generator in generator/. They contain the header
"Code generated by jamf-cli generator. DO NOT EDIT." If a PR modifies
these files, verify the changes came from `make generate` — don't review
the generated code line-by-line. Review the generator source instead
(generator/parser/, generator/classic/).

CI ALREADY CHECKS:
golangci-lint, `make test`, `make verify-generated`, and `make build`
run on every PR via ci.yaml. Don't duplicate linter or test-pass feedback.
Focus on what CI can't catch: design, correctness, security, and
architectural fit.

CRITICAL — CREDENTIAL INPUT POLICY:
Never accept credentials (passwords, tokens, client secrets) via CLI flags
or stdin. This prevents exposure in shell history and ps output. Flag any
PR that adds --password, --token, --client-secret, or similar flags.
Interactive prompts or env vars only.

GENERATOR CHANGES:
If a PR modifies generator/parser/generator.go or generator/classic/generator.go,
the review should focus on the template constants (resourceTemplate,
classicResourceTemplate) and verify that `make generate && make test` would
produce correct output. Template changes affect all 200+ generated commands.

SPECS:
OpenAPI specs live in specs/*.yaml. Changes here come from `make sync-specs`
and are usually paired with regenerated commands. Verify the spec change
matches the generated output.
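
Review bot: The `review` job calls `jamf/github-actions-claude/.github/workflows/review.yml@v1` through a mutable tag while passing `secrets: inherit` and running under workflow-level `id-token: write` and `contents: write`, so whatever `v1` resolves to at run time receives every repository secret and a write-capable token. Pin the `uses:` reference to a full commit SHA. Since the header comment says no AWS keys are required, replace `secrets: inherit` with an explicit `secrets:` map of only what the called workflow needs, or remove it. The `issue_comment` and `pull_request_review_comment` triggers carry no author filter in this file, so confirm that the called workflow checks the commenter's association before acting, or add an `if:` condition on the job. The `permissions:` block could also move from the workflow level to the `review` job so that any job added later does not inherit write scopes. Separately, the credential policy in `additional_context` groups stdin with CLI flags under "shell history and ps output", which is how flags leak; if stdin is banned for a different reason, state that reason so the reviewer model applies the rule consistently.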