diff --git a/.github/workflows/claude-baseline-review.yml b/.github/workflows/claude-baseline-review.yml new file mode 100644 index 0000000..15fa4d8 --- /dev/null +++ b/.github/workflows/claude-baseline-review.yml 
@@ -0,0 +1,60 @@ +# ============================================================================ +# Claude Baseline Review -- caller for the python-libs repo +# ============================================================================ +# Thin caller for the Tier 0 baseline reviewer. The reviewer logic, security +# posture, and prompt live in the reusable workflow in ByronWilliamsCPA/.github; +# this file only supplies the trigger, the permission ceiling, and this repo's +# framing. Part of the tiered-pr-review fleet rollout. +# +# #CRITICAL: a called (reusable) workflow runs with a token bounded by the +# CALLER job's permissions. The four scopes below are the ceiling the reusable +# needs (id-token for the Claude App OIDC exchange); omitting any one fails the +# run at startup. +# #CRITICAL: do NOT add a workflow-level `concurrency` block here. The reusable +# already declares one; a caller block resolves to the same group for a +# pull_request event, and a called workflow that shares its caller's +# concurrency group cancels its own parent, failing the run at startup. +# ============================================================================ +name: Claude Baseline Review + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review, edited] + branches: + - main + +permissions: {} + +jobs: + review: + permissions: + contents: read + pull-requests: write + issues: write + id-token: write + # #VERIFY before bumping the pin: the target SHA must stay reachable from + # ByronWilliamsCPA/.github main. `gh api + # repos/ByronWilliamsCPA/.github/compare/main... --jq .status` must not + # return "diverged". Renovate tracks this pin. 
+ uses: ByronWilliamsCPA/.github/.github/workflows/claude-baseline-review.yml@8de6560ef6089fa95d56c77186648186dac6ce26 # main + with: + repo-description: >- + shared Python libraries for ByronWilliamsCPA projects (JWT + authentication, Google Cloud Storage utilities, and related helpers), + consumed as a dependency by other repos in the org. + sensitive-paths: >- + .github/workflows/, pyproject.toml, src/, scripts/ + escalation-guidance: | + - Changes to .github/workflows/ that touch permissions:, secrets, + id-token, or on: triggers. + - Changes to dependency manifests (pyproject.toml, requirements files, + lockfiles) that add or change a dependency source. + - Changes to authentication, token handling, or credential storage code + (this library provides JWT auth used by downstream repos). + - Changes under scripts/ that perform writes via gh api, handle secrets, + or transfer or delete resources. + # Least-privilege: pass only the one secret the reusable declares in its + # workflow_call.secrets contract (ANTHROPIC_API_KEY, required: true), rather + # than forwarding every inherited secret via `secrets: inherit`. + secrets: + ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} # pragma: allowlist secret diff --git a/CHANGELOG.md b/CHANGELOG.md index 066b487..be491ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -78,6 +78,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added +- CI: Claude Tier 0 baseline PR review caller (`.github/workflows/claude-baseline-review.yml`), a thin caller of the org reusable in `ByronWilliamsCPA/.github`. Part of the org-wide tiered-pr-review rollout. - Initial project setup and structure ## [0.1.0] - TBD
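Review bot: the `#VERIFY` comment in the caller job documents a command that cannot be run as written: `gh api repos/ByronWilliamsCPA/.github/compare/main... --jq .status` has no head ref after `main...`. Spell it out as `repos/ByronWilliamsCPA/.github/compare/main...8de6560ef6089fa95d56c77186648186dac6ce26` (and `main...<new-sha>` when bumping), and state the pass condition positively: the pin is reachable from main when `.status` is `behind` or `identical`; `ahead` also means the SHA is not contained in main, so "must not return diverged" is too weak a check. Separately, `on: pull_request` does not expose repository secrets to pull requests opened from forks, so `${{ secrets.ANTHROPIC_API_KEY }}` would be empty there and the reusable's `required: true` secret contract would fail the run at startup; either note in the header that fork PRs are out of scope for this caller or gate the `review` job on `github.event.pull_request.head.repo.full_name == github.repository`.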