9048892848
This PR was triggered by @t0yv0 generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit
[daf8aba035d6ed8919db6089c780f56cb7fefc69](daf8aba035).
Co-authored-by: Pulumi Bot <bot@pulumi.com>
75 lines
3.5 KiB
Markdown
75 lines
3.5 KiB
Markdown
---
|
|
permissions:
|
|
contents: read
|
|
pull-requests: read
|
|
id-token: write
|
|
engine:
|
|
id: claude
|
|
env:
|
|
ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
|
|
steps:
|
|
- env:
|
|
ESC_ACTION_ENVIRONMENT: imports/github-secrets
|
|
ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
|
|
ESC_ACTION_OIDC_AUTH: "true"
|
|
ESC_ACTION_OIDC_ORGANIZATION: pulumi
|
|
ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
|
|
id: esc-secrets
|
|
name: Fetch secrets from ESC
|
|
uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
|
|
- name: Validate ESC secret output
|
|
env:
|
|
ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
|
|
run: |
|
|
test -n "$ANTHROPIC_API_KEY_FROM_ESC" || {
|
|
echo "ESC did not return ANTHROPIC_API_KEY";
|
|
exit 1;
|
|
}
|
|
tools:
|
|
cache-memory: true
|
|
github:
|
|
toolsets: [pull_requests, repos]
|
|
safe-outputs:
|
|
threat-detection: false
|
|
create-pull-request-review-comment:
|
|
max: 12
|
|
side: "RIGHT"
|
|
target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
|
|
target-repo: "${{ github.repository }}"
|
|
resolve-pull-request-review-thread:
|
|
max: 12
|
|
target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
|
|
target-repo: "${{ github.repository }}"
|
|
submit-pull-request-review:
|
|
max: 1
|
|
allowed-events: [APPROVE, REQUEST_CHANGES, COMMENT]
|
|
target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
|
|
noop:
|
|
max: 1
|
|
messages:
|
|
footer: "> Reviewed by [{workflow_name}]({run_url})"
|
|
run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
|
|
run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
|
|
run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
|
|
---
|
|
|
|
|
|
Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository `${{ github.repository }}`.
|
|
|
|
Workflow-specific rules:
|
|
- Use `${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}` as the authoritative PR target.
|
|
- Treat the imported review prompt as the source of the review procedure.
|
|
- Use only gh-aw safe outputs for side effects:
|
|
- `create-pull-request-review-comment` for actionable inline findings on changed lines
|
|
- `resolve-pull-request-review-thread` for previously reported bot-authored threads that are now fixed or clearly acknowledged
|
|
- `submit-pull-request-review` for the final review
|
|
- `noop` when the PR is not reviewable or required context is missing
|
|
- Submit exactly one final review:
|
|
- `REQUEST_CHANGES` when at least one blocking issue exists.
|
|
- `APPROVE` otherwise, including when only non-blocking observations exist.
|
|
- Do not submit `COMMENT` as the final review state.
|
|
- Do not post free-form issue comments outside safe outputs.
|
|
- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
|
|
- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
|
|
- Ignore discovery steps intended for runs without PR context.
|