60 changes: 60 additions & 0 deletions .github/workflows/claude-baseline-review.yml
@@ -0,0 +1,60 @@
# ============================================================================
# Claude Baseline Review -- caller for the python-libs repo
# ============================================================================
# Thin caller for the Tier 0 baseline reviewer. The reviewer logic, security
# posture, and prompt live in the reusable workflow in ByronWilliamsCPA/.github;
# this file only supplies the trigger, the permission ceiling, and this repo's
# framing. Part of the tiered-pr-review fleet rollout.
#
# #CRITICAL: a called (reusable) workflow runs with a token bounded by the
# CALLER job's permissions. The four scopes below are the ceiling the reusable
# needs (id-token for the Claude App OIDC exchange); omitting any one fails the
# run at startup.
# #CRITICAL: do NOT add a workflow-level `concurrency` block here. The reusable
# already declares one; a caller block resolves to the same group for a
# pull_request event, and a called workflow that shares its caller's
# concurrency group cancels its own parent, failing the run at startup.
# ============================================================================
name: Claude Baseline Review

on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review, edited]
branches:
- main

permissions: {}

jobs:
review:
permissions:
contents: read
pull-requests: write
issues: write
id-token: write
# #VERIFY before bumping the pin: the target SHA must stay reachable from
# ByronWilliamsCPA/.github main. `gh api
# repos/ByronWilliamsCPA/.github/compare/main...<sha> --jq .status` must not
# return "diverged". Renovate tracks this pin.
uses: ByronWilliamsCPA/.github/.github/workflows/claude-baseline-review.yml@8de6560ef6089fa95d56c77186648186dac6ce26 # main
with:
repo-description: >-
shared Python libraries for ByronWilliamsCPA projects (JWT
authentication, Google Cloud Storage utilities, and related helpers),
consumed as a dependency by other repos in the org.
sensitive-paths: >-
.github/workflows/, pyproject.toml, src/, scripts/
escalation-guidance: |
- Changes to .github/workflows/ that touch permissions:, secrets,
id-token, or on: triggers.
- Changes to dependency manifests (pyproject.toml, requirements files,
lockfiles) that add or change a dependency source.
- Changes to authentication, token handling, or credential storage code
(this library provides JWT auth used by downstream repos).
- Changes under scripts/ that perform writes via gh api, handle secrets,
or transfer or delete resources.
# Least-privilege: pass only the one secret the reusable declares in its
# workflow_call.secrets contract (ANTHROPIC_API_KEY, required: true), rather
# than forwarding every inherited secret via `secrets: inherit`.
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} # pragma: allowlist secret
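Review bot: the pin check in the `#VERIFY` comment above the `uses:` line is too weak. `gh api repos/ByronWilliamsCPA/.github/compare/main...<sha> --jq .status` returns `ahead` as well as `diverged` when the SHA is not an ancestor of main, so "must not return diverged" still lets an unreachable commit through; state the acceptable results positively, i.e. the status must be `identical` or `behind`. Separately, the job runs on `pull_request` and forwards `ANTHROPIC_API_KEY` explicitly while the reusable declares it `required: true`, so pull requests opened from forks, which receive no repository secrets on `pull_request` events, will fail at startup; if fork PRs are expected in this repo, say so in the header comment or gate the job with an `if:` on `github.event.pull_request.head.repo.fork` being false.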
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -78,6 +78,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Added

- CI: Claude Tier 0 baseline PR review caller (`.github/workflows/claude-baseline-review.yml`), a thin caller of the org reusable in `ByronWilliamsCPA/.github`. Part of the org-wide tiered-pr-review rollout.
- Initial project setup and structure

## [0.1.0] - TBD