chore(ci): bring ClawReview π¦ mascot + triage to beta#250
Conversation
pull_request_target and issues-triggered workflows run from the PR's/issue's BASE branch, so the bots must exist on beta too β otherwise beta-targeting PRs (most of our volume) never trigger ClawReview. Brings the exact CI files from main (ID-Robots#248): the new pr-review bot, plus the OAuth-transport + sync updates to the issue-triage bot. CI-only files, identical to main.
|
Warning Review limit reached
Next review available in: 32 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review detailsβοΈ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: π Files selected for processing (5)
π WalkthroughWalkthroughAdds a new "ClawReview" GitHub Actions workflow and ChangesClawReview PR Review Bot
Issue Triage Dual-Backend Support
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant GitHub
participant Workflow as pr-review.yml
participant Script as pr-review.mjs
participant Claude as Claude CLI/SDK
participant PRComment as GitHub PR
GitHub->>Workflow: pull_request_target event
Workflow->>Workflow: skip if draft or bot author
Workflow->>Script: run scripts/pr-review.mjs
Script->>Script: gather PR metadata, diff, linked issues
Script->>Script: run deterministic policy checks
Script->>Claude: send prompt for structured review
Claude-->>Script: JSON verdict and findings
Script->>PRComment: upsert review comment
Script->>PRComment: apply area:* labels
Possibly related PRs
π₯ Pre-merge checks | β 4 | β 1β Failed checks (1 warning)
β Passed checks (4 passed)
β¨ Finishing Touchesπ§ͺ Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
π€ Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/issue-triage.yml:
- Around line 59-72: The Mint ClawReview app token step is gated by a value it
sets on itself, so the condition in issue-triage.yml never evaluates as
intended. Update the guard on the app-token step to check
secrets.CLAWREVIEW_APP_ID directly rather than env.HAS_APP, and keep the
existing create-github-app-token usage tied to that secret. If the step remains,
also restrict the resulting token to only the permissions needed by the triage
workflow instead of using the full installation scope.
In @.github/workflows/pr-review.yml:
- Around line 61-74: The Mint ClawReview app token step is gated by an `if`
condition that references `env.HAS_APP` before that stepβs own `env:` is
available, so the token minting always skips. Fix the `app-token` step in
`pr-review.yml` by moving `HAS_APP` to a job-level `env` or deriving it from a
previous step output, then keep the `if` check on that accessible value so the
`actions/create-github-app-token` step can run when the ClawReview secrets are
present.
In `@scripts/issue-triage.mjs`:
- Around line 45-92: The parsing and backend invocation logic in issue-triage is
duplicated from the review script, so refactor it into a shared helper module
and reuse it from both places. Extract the common behavior from parseModelJson,
classifyViaClaudeCli, and classifyViaSdk into a generic
scripts/lib/ai-backend.mjs helper that accepts the system prompt, schema, model,
and any transport-specific limits. Update the call sites in issue-triage.mjs to
import and use those shared helpers so future changes stay synchronized with the
matching review flow.
In `@scripts/pr-review.mjs`:
- Around line 9-11: The top-level `Anthropic` import in `scripts/pr-review.mjs`
can break the OAuth flow before the fallback runs because the SDK is only
installed on the non-OAuth path. Move the `@anthropic-ai/sdk` import into
`reviewViaSdk()` (or lazily load it inside that function) so the CLI fallback
can still execute when `CLAUDE_CODE_OAUTH_TOKEN` is set, while keeping the
existing `reviewViaSdk` and fallback logic intact.
πͺ Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
βΉοΈ Review info
βοΈ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5300f5e1-56b0-47ed-aafa-2cb3ef8fcfa5
π Files selected for processing (4)
.github/workflows/issue-triage.yml.github/workflows/pr-review.ymlscripts/issue-triage.mjsscripts/pr-review.mjs
The OAuth transport installs only the Claude Code CLI, not @anthropic-ai/sdk, but both scripts had a static top-level 'import Anthropic from @anthropic-ai/sdk' β evaluated at module load regardless of transport β so the review job crashed with ERR_MODULE_NOT_FOUND before running (passed my local test only because the SDK was left installed there). Moved the import into a dynamic import() inside reviewViaSdk/classifyViaSdk, reached only on the API-key fallback. Verified by running the OAuth path with node_modules removed.
Per direction: ClawReview should be a knowledgeable, friendly crab mascot that greets and orients on issues/PRs β NOT a code reviewer racing CodeRabbit. PR bot (pr-review.mjs): - Dropped severity findings (P1/P2/P3) and pass/fail verdicts β that was the CodeRabbit-racing part. Schema is now summary + kind + touches + neutral 'highlights' (helpful heads-ups, never bug reports) + duplicate hint. - System prompt recast: 'you are the mascot, not a reviewer; CodeRabbit does the line-by-line; produce orientation, never verdicts'. Empty highlights is normal and encouraged. - Comment is now: greeting -> plain-language summary -> 'At a glance' (kind/touches/base/surface + deterministic policy heads-ups) -> optional 'Good to know' -> sign-off that explicitly defers to CodeRabbit. Issue bot (issue-triage.mjs): - Rebranded the triage comment as the same crab mascot (one character across issues + PRs): friendly greeting + summary + at-a-glance labels + next step. - Added DRY_RUN (prints the comment, skips label writes) for local testing. Deterministic policy checks stay β they're genuine ClawBox-specific value (beta-first, bun.lock, sensitive paths) CodeRabbit can't provide β but are now framed as friendly context, not a verdict. Validated end-to-end via the OAuth CLI transport on PR ID-Robots#227 and issue ID-Robots#232.
CodeRabbit's 4 actionable findings on the bots:
1+2. app-token step's `if: env.HAS_APP` (both workflows) referenced env the
step sets on ITSELF β a step's if can't see its own step-level env, so
the App token would NEVER mint even with the secrets set. Hoisted
HAS_APP to job-level env (visible to the step if), and scoped the minted
token to only the permissions each bot needs (pull-requests+issues for
review, issues for triage) instead of the full installation grant.
3. parseModelJson + the two transports (CLI/SDK) were duplicated across
pr-review.mjs and issue-triage.mjs. Extracted to scripts/lib/
ai-backend.mjs (callClaude); both bots import it, so the transport stays
in sync. This is the 'first SDK-shape change' trigger the earlier reuse
analysis set for extraction.
4. Static @anthropic-ai/sdk import breaking the OAuth path β already fixed
(lazy import); the shared backend now owns the sole lazy import, so
pr-review.mjs no longer imports the SDK at all.
Validated via the OAuth CLI transport with node_modules removed: both bots
produce their mascot output through the shared backend.
|
Thanks @coderabbitai β all 4 addressed in the latest push (identical fix on the main-side PR #252):
Validated end-to-end via the OAuth CLI transport with |
|
Tip For best results, initiate chat on the files or code changes. π§© Analysis chainπ Script executed: #!/bin/bash
set -euo pipefail
gh pr diff 250 --repo ID-Robots/clawbox > /tmp/pr250.diff || true
wc -l /tmp/pr250.diff
grep -n "HAS_APP" -A3 -B3 /tmp/pr250.diff | head -100
echo "-----ai-backend-----"
fd -a ai-backend.mjs
</bash>Length of output: 2103 π Script executed: #!/bin/bash
set -euo pipefail
grep -n "permissions" -A5 /tmp/pr250.diff | head -60
echo "----imports----"
grep -n "ai-backend" -R scripts/*.mjs
echo "----ai-backend content----"
sed -n '1,50p' scripts/lib/ai-backend.mjsLength of output: 3129 All confirmed β the latest push looks solid.
Nice work consolidating the shared backend β that'll make future transport changes much easier to keep in sync across both bots. (=^β’ Ο β’^=) purring approval |
β¦y dry-run - ai-backend.mjs: viaSdk now uses parseModelJson (tolerant of fenced/wrapped JSON) instead of a bare JSON.parse, matching the CLI path. - issue-triage.mjs: DRY_RUN now gates the whole label block (ensure() + gh issue edit), not just the edit β a dry run is fully read-only.
β¦#252) * fix(ci): lazy-load the Anthropic SDK so the OAuth path needs no SDK The OAuth transport (shipped in #248) installs only the Claude Code CLI, not @anthropic-ai/sdk, but both bot scripts had a static top-level 'import Anthropic from @anthropic-ai/sdk' evaluated at module load regardless of transport β so the live bots on main crash with ERR_MODULE_NOT_FOUND before running. Moved the import into a dynamic import() inside reviewViaSdk/classifyViaSdk, reached only on the API-key fallback. Verified by running the OAuth path with node_modules removed. Same fix rides to beta in #250. * feat(ci): reshape ClawReview into an informative mascot (not a reviewer) Per direction: ClawReview should be a knowledgeable, friendly crab mascot that greets and orients on issues/PRs β NOT a code reviewer racing CodeRabbit. PR bot (pr-review.mjs): - Dropped severity findings (P1/P2/P3) and pass/fail verdicts β that was the CodeRabbit-racing part. Schema is now summary + kind + touches + neutral 'highlights' (helpful heads-ups, never bug reports) + duplicate hint. - System prompt recast: 'you are the mascot, not a reviewer; CodeRabbit does the line-by-line; produce orientation, never verdicts'. Empty highlights is normal and encouraged. - Comment is now: greeting -> plain-language summary -> 'At a glance' (kind/touches/base/surface + deterministic policy heads-ups) -> optional 'Good to know' -> sign-off that explicitly defers to CodeRabbit. Issue bot (issue-triage.mjs): - Rebranded the triage comment as the same crab mascot (one character across issues + PRs): friendly greeting + summary + at-a-glance labels + next step. - Added DRY_RUN (prints the comment, skips label writes) for local testing. Deterministic policy checks stay β they're genuine ClawBox-specific value (beta-first, bun.lock, sensitive paths) CodeRabbit can't provide β but are now framed as friendly context, not a verdict. Validated end-to-end via the OAuth CLI transport on PR #227 and issue #232. * chore(assets): add square crab avatar for the ClawReview GitHub App 512x512 crab-only crop of the ClawBox logo (wordmark removed, padded so a circular avatar mask keeps the claws). This is the image to upload when creating the ClawReview GitHub App β a stable raw URL beats the earlier non-square 87x128 crab PNG. * fix(ci): apply CodeRabbit review β app-token if-guard + shared backend CodeRabbit's 4 actionable findings on the bots: 1+2. app-token step's `if: env.HAS_APP` (both workflows) referenced env the step sets on ITSELF β a step's if can't see its own step-level env, so the App token would NEVER mint even with the secrets set. Hoisted HAS_APP to job-level env (visible to the step if), and scoped the minted token to only the permissions each bot needs (pull-requests+issues for review, issues for triage) instead of the full installation grant. 3. parseModelJson + the two transports (CLI/SDK) were duplicated across pr-review.mjs and issue-triage.mjs. Extracted to scripts/lib/ ai-backend.mjs (callClaude); both bots import it, so the transport stays in sync. This is the 'first SDK-shape change' trigger the earlier reuse analysis set for extraction. 4. Static @anthropic-ai/sdk import breaking the OAuth path β already fixed (lazy import); the shared backend now owns the sole lazy import, so pr-review.mjs no longer imports the SDK at all. Validated via the OAuth CLI transport with node_modules removed: both bots produce their mascot output through the shared backend. * fix(ci): address CodeRabbit re-review β tolerant SDK parse + read-only dry-run - ai-backend.mjs: viaSdk now uses parseModelJson (tolerant of fenced/wrapped JSON) instead of a bare JSON.parse, matching the CLI path. - issue-triage.mjs: DRY_RUN now gates the whole label block (ensure() + gh issue edit), not just the edit β a dry run is fully read-only.
Brings both bots to beta so beta-targeting PRs/issues (most of our volume) trigger them β
pull_request_targetandissuesworkflows run from the base branch.Carries the same code as the main-side mascot PR (#252):
scripts/pr-review.mjs+.github/workflows/pr-review.ymlβ the ClawReview mascot (informative orientation, not a code reviewer)scripts/issue-triage.mjs+.github/workflows/issue-triage.ymlβ same crab mascot voice + OAuth subscription transport (SDK lazy-loaded)CI-only files, no device code.
CONTRIBUTING.mdnot synced (read from the default branch only).