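--- a/.github/workflows/claude-code.yml
+++ b/.github/workflows/claude-code.yml
@@ -0,0 +1,65 @@
+name: Claude Code
+
+# Automated PR reviews (review-only — no interactive @claude / assist).
+#
+# The actual Claude Code execution runs in eng-dev-ecosystem on
+# protected runners whose IPs are allowlisted by the Databricks
+# account IP ACL. This workflow is a thin trigger that dispatches
+# to eng-dev-ecosystem via the DECO workflow trigger GitHub App.
+
+on:
+# Triggers an automatic review when a PR is first opened.
+pull_request:
+types: [opened]
+
+jobs:
+# Automatic review on PR open.
+# Restrict to org members/owners to prevent untrusted users (e.g. external
+# fork PRs) from consuming model serving resources. See:
+# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+review:
+if: |
+github.event_name == 'pull_request' &&
+!github.event.pull_request.head.repo.fork &&
+contains(fromJson('["MEMBER","OWNER"]'), github.event.pull_request.author_association)
+concurrency:
+group: claude-review-${{ github.event.pull_request.number }}
+cancel-in-progress: true
+runs-on:
+group: databricks-deco-testing-runner-group
+labels: ubuntu-latest-deco
+timeout-minutes: 30
+environment: test-trigger-is
+permissions:
+contents: read
+
+steps:
+- name: Generate GitHub App token
+id: token
+uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+with:
+app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+owner: databricks-eng
+repositories: eng-dev-ecosystem
+
+- name: Trigger Claude Code review
+run: |
+gh workflow run cli-claude-code.yml \
+-R databricks-eng/eng-dev-ecosystem \
+--ref main \
+-F pull_request_number=${{ github.event.pull_request.number }}
+env:
+GH_TOKEN: ${{ steps.token.outputs.token }}
+
+- name: Track remote run
+run: |
+sleep 10
+RUN_ID=$(gh run list -R databricks-eng/eng-dev-ecosystem \
+--workflow cli-claude-code.yml --limit 1 \
+--json databaseId -q '.[0].databaseId')
+echo "## Claude Code Review" >> "$GITHUB_STEP_SUMMARY"
+echo "[View run](https://github.com/databricks-eng/eng-dev-ecosystem/actions/runs/$RUN_ID)" >> "$GITHUB_STEP_SUMMARY"
+gh run watch "$RUN_ID" -R databricks-eng/eng-dev-ecosystem --exit-status
+env:
+GH_TOKEN: ${{ steps.token.outputs.token }}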
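Review bot: The "Track remote run" step can attach to the wrong run: `gh workflow run` returns no run id, and `gh run list --limit 1` after a fixed `sleep 10` just takes the newest cli-claude-code.yml run in eng-dev-ecosystem, which may belong to a dispatch from another PR or repository (the concurrency group only serialises per PR number in this repo), so the step summary link and the `--exit-status` result would then report someone else's review. A correlation key is needed — presumably the remote workflow can expose `pull_request_number` in its run-name, in which case select with `--json databaseId,displayTitle` and match on that field rather than position; please confirm against cli-claude-code.yml. Independently of that, an empty result from the query is currently passed straight to `gh run watch ""`, so add a guard before the summary lines: `[ -n "$RUN_ID" ] && [ "$RUN_ID" != "null" ] || { echo "::error::dispatched cli-claude-code.yml run not found"; exit 1; }`. The trigger token is minted inside a `pull_request`-triggered job, so it is worth stating in the header comment that the `environment: test-trigger-is` gate (not only the `author_association` check) is what stands between an opened PR and the DECO app credentials.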