Add Claude Code workflow for AI-assisted PR reviews by shreyas-goenka · Pull Request #4738 · databricks/cli

shreyas-goenka · 2026-03-13T16:29:06Z

Summary

Adds a GitHub Actions workflow for AI-assisted PR reviews and interactive @claude mentions. This is a thin dispatcher — it triggers execution in databricks-eng/eng-dev-ecosystem on protected runners via the DECO workflow trigger GitHub App.

Review: automatic on PR open
Assist: triggered by @claude comments, can edit and push

Access restricted to org MEMBER/OWNER via author_association allowlists.

Depends on

https://github.com/databricks-eng/eng-dev-ecosystem/pull/1202

Test plan

End-to-end: review posted on CLI PR via dispatched workflow
End-to-end: @claude assist mode tested

eng-dev-ecosystem-bot · 2026-03-13T16:38:54Z

Commit: 3cf6d9b

Run: 23075285472

	Env	🔄flaky	💚RECOVERED	🙈SKIP	✅pass	🙈skip	Time
💚	aws linux		8	7	268	787	6:21
💚	aws windows		8	7	270	785	4:47
🔄	aws-ucws linux	2	7	7	364	702	7:40
🔄	aws-ucws windows	2	7	7	366	700	6:31
💚	azure linux		2	9	271	785	7:07
💚	azure windows		2	9	273	783	7:35
🔄	azure-ucws linux	4	1	9	367	698	8:21
🔄	azure-ucws windows	2	1	9	371	696	6:41
💚	gcp linux		2	9	267	788	6:15
💚	gcp windows		2	9	269	786	4:52

18 interesting tests: 7 SKIP, 6 RECOVERED, 5 flaky

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
🔄	TestAccept	💚R	💚R	🔄f	💚R	💚R	💚R	💚R	🔄f	💚R	💚R
🙈	TestAccept/bundle/resources/permissions	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	💚R	💚R	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	💚R	💚R	💚R	💚R
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	💚R	💚R	💚R	💚R
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	💚R	💚R	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	💚R	💚R	💚R	💚R
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	💚R	💚R	💚R	💚R
🙈	TestAccept/bundle/resources/postgres_branches/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/update_protected	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/synced_database_tables/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🔄	TestAccept/ssh/connect-serverless-gpu	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s
🔄	TestAccept/ssh/connection	💚R	💚R	💚R	🔄f	💚R	💚R	🔄f	💚R	💚R	💚R
🔄	TestFsLsWithAbsolutePaths	✅p	✅p	✅p	✅p	✅p	✅p	🔄f	✅p	✅p	✅p
🔄	TestFsLsWithAbsolutePaths/uc-volumes	🙈s	🙈s	✅p	✅p	🙈s	🙈s	🔄f	✅p	🙈s	🙈s

Top 20 slowest tests (at least 2 minutes):

duration	env	testname
5:35	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:45	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:16	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:08	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:47	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:43	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:13	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:11	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:07	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:58	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:57	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:50	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:44	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:43	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:40	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:39	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:18	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:11	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:09	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:03	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

eng-dev-ecosystem-bot · 2026-03-14T11:36:03Z

Added author_association check to the assist job conditions in both claude.yml and claude-code.yml.

Changes:

Both workflows now require the commenter's author_association to be one of COLLABORATOR, MEMBER, or OWNER before triggering on @claude mentions
claude.yml also gained the user.type != 'Bot' check it was previously missing
This prevents arbitrary GitHub users from triggering Claude workflows, consuming runner resources, API credits, and expanding the prompt injection surface

eng-dev-ecosystem-bot · 2026-03-14T11:37:06Z

Claude Review: Restrict auto-review to trusted PR authors

Addressed the prompt injection concern by adding author_association checks to both workflow files:

.github/workflows/claude-code.yml — The review job now only triggers for PRs from COLLABORATOR, MEMBER, or OWNER authors.
.github/workflows/claude.yml — Same guard added to the local reusable workflow's review job.

External/first-time contributors can still request a review via @claude review in a comment, which is already gated by the user.type != 'Bot' check in the assist job. This means a maintainer must explicitly trigger or approve a review for untrusted PRs.

eng-dev-ecosystem-bot · 2026-03-14T11:38:31Z

Commit: 1713c27

Run: 23090758314

	Env	🟨KNOWN	🔄flaky	💚RECOVERED	🙈SKIP	✅pass	🙈skip	Time
🟨	aws linux	7		1	7	268	787	6:48
🟨	aws windows	7		1	7	270	785	6:07
🔄	aws-ucws linux		2	7	7	364	702	7:12
🔄	aws-ucws windows		2	7	7	366	700	5:45
💚	azure linux			2	9	271	785	5:56
💚	azure windows			2	9	273	783	4:27
🔄	azure-ucws linux		2	1	9	369	698	7:18
🔄	azure-ucws windows		2	1	9	371	696	6:02
💚	gcp linux			2	9	267	788	5:34
💚	gcp windows			2	9	269	786	5:16

16 interesting tests: 7 KNOWN, 7 SKIP, 2 flaky

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
🟨	TestAccept	🟨K	🟨K	💚R	🔄f	💚R	💚R	💚R	💚R	💚R	💚R
🙈	TestAccept/bundle/resources/permissions	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	🟨K	🟨K	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨K	🟨K	💚R	💚R
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨K	🟨K	💚R	💚R
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	🟨K	🟨K	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨K	🟨K	💚R	💚R
🟨	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨K	🟨K	💚R	💚R
🙈	TestAccept/bundle/resources/postgres_branches/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/update_protected	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/synced_database_tables/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🔄	TestAccept/ssh/connect-serverless-gpu	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s
🔄	TestAccept/ssh/connection	💚R	💚R	🔄f	💚R	💚R	💚R	🔄f	🔄f	💚R	💚R

Top 20 slowest tests (at least 2 minutes):

duration	env	testname
3:51	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:45	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:41	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:17	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:16	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:07	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:07	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:53	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:44	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:44	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:44	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:41	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:39	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:37	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:11	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:11	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:09	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:08	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:07	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:07	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

@claude

Add a GitHub Actions workflow that provides AI-assisted PR reviews and interactive @claude mentions using Claude Code backed by Databricks Model Serving. The workflow dispatches to eng-dev-ecosystem's protected runners (whose IPs are allowlisted by the Databricks account IP ACL) via the DECO workflow trigger GitHub App. Two modes: - Review: automatic on PR open, posts a review comment - Assist: triggered by @claude mentions, can edit code and push Access is restricted to COLLABORATOR/MEMBER/OWNER via author_association allowlists. Co-authored-by: Isaac

eng-dev-ecosystem-bot

Workflow looks well-structured overall. Good security practices: fork PR checks, author_association allowlists, and using process.env to avoid script injection for comment_body. Two minor observations below.

eng-dev-ecosystem-bot · 2026-03-15T14:09:44Z

.github/workflows/claude-code.yml

+              workflow_id: 'cli-claude-code.yml',
+              ref: 'main',
+              inputs: {
+                pull_request_number: '${{ steps.pr.outputs.number }}',


Nit: steps.pr.outputs.number is interpolated directly into the script block via ${{ }}. This is safe in practice (it's a GitHub-assigned integer), but it's inconsistent with line 131 where comment_body correctly uses process.env to avoid expression injection.

For defense-in-depth, consider passing this through an env var too:

env: COMMENT_BODY: ${{ github.event.comment.body }} PR_NUMBER: ${{ steps.pr.outputs.number }}

pull_request_number: process.env.PR_NUMBER,

eng-dev-ecosystem-bot · 2026-03-15T14:09:44Z

.github/workflows/claude-code.yml

+        (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
+      )
+    runs-on:


Minor: The assist job has no concurrency group, unlike review (line 34-36). Multiple @claude mentions on the same PR could trigger parallel dispatches. If that's intentional, a brief comment would help; otherwise, consider adding:

concurrency: group: claude-assist-${{ github.event.issue.number || github.event.pull_request.number }} cancel-in-progress: true

shreyas-goenka · 2026-03-15T14:13:22Z

@claude reply to me in this PR with a comment saying hi

shreyas-goenka · 2026-03-15T23:40:56Z

@claude say hi

eng-dev-ecosystem-bot · 2026-03-16T12:23:47Z

Commit: b640037

Run: 23144796070

	Env	🔄flaky	💚RECOVERED	🙈SKIP	✅pass	🙈skip	Time
💚	aws linux		8	9	268	786	6:36
💚	aws windows		8	9	270	784	5:33
🔄	aws-ucws linux	2	7	9	364	701	9:42
🔄	aws-ucws windows	2	7	9	366	699	10:26
💚	azure linux		2	11	271	784	6:41
💚	azure windows		2	11	273	782	5:58
🔄	azure-ucws linux	3	1	11	368	697	12:10
🔄	azure-ucws windows	2	1	11	371	695	10:22
💚	gcp linux		2	11	267	787	6:06
💚	gcp windows		2	11	269	785	6:04

19 interesting tests: 9 SKIP, 6 RECOVERED, 4 flaky

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
🔄	TestAccept	💚R	💚R	💚R	🔄f	💚R	💚R	💚R	💚R	💚R	💚R
🙈	TestAccept/bundle/resources/permissions	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	💚R	💚R	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	💚R	💚R	💚R	💚R
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	💚R	💚R	💚R	💚R
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	💚R	💚R	💚R	💚R	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	💚R	💚R	💚R	💚R
💚	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	💚R	💚R	💚R	💚R
🙈	TestAccept/bundle/resources/postgres_branches/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/update_protected	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_endpoints/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/postgres_projects/update_display_name	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🙈	TestAccept/bundle/resources/synced_database_tables/basic	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S
🔄	TestAccept/ssh/connect-serverless-gpu	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s	🔄f	🔄f	🙈s	🙈s
🔄	TestAccept/ssh/connection	💚R	💚R	🔄f	💚R	💚R	💚R	🔄f	🔄f	💚R	💚R
🔄	TestFetchRepositoryInfoAPI_FromRepo	✅p	✅p	✅p	✅p	✅p	✅p	🔄f	✅p	✅p	✅p

Top 22 slowest tests (at least 2 minutes):

duration	env	testname
3:53	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:37	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:22	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:20	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:14	azure-ucws windows	TestAccept/bundle/resources/permissions/jobs/delete_one/cloud/DATABRICKS_BUNDLE_ENGINE=terraform
3:11	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:08	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:07	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:06	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:51	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:50	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:47	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:46	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:42	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:27	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:26	azure-ucws windows	TestAccept/bundle/resources/volumes/recreate/DATABRICKS_BUNDLE_ENGINE=terraform
2:24	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:23	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:17	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:16	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:16	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:13	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

eng-dev-ecosystem-bot

Clean, well-structured workflow. Good security practices: fork checks on both jobs, author association gating, and passing comment_body through process.env instead of ${{ }} interpolation to avoid script injection. One suggestion below.

eng-dev-ecosystem-bot · 2026-03-16T12:23:53Z

.github/workflows/claude-code.yml

+      (
+        (github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
+      )


Nit: The review job has a concurrency group to cancel in-progress runs, but assist does not. If someone posts multiple @claude comments in quick succession, they could all trigger simultaneously. Consider adding:

concurrency: group: claude-assist-${{ github.event.issue.number || github.event.pull_request.number }} cancel-in-progress: true

shreyas-goenka · 2026-03-16T12:43:19Z

@claude is elon musk the founder of computing?

After dispatching to eng-dev-ecosystem, the workflow now finds the remote run, posts a link in the step summary, and waits for it to complete. This keeps the check visible on the PR while Claude works. Co-authored-by: Isaac

- Pin actions to commit SHAs instead of mutable version tags - Add concurrency group to assist job to prevent parallel dispatches - Pass PR number through env var for defense-in-depth against injection Co-authored-by: Isaac

Reflects current implementation: composite action, standalone workflows, OIDC policies, SHA-pinned actions, concurrency groups, allowed tools, and comprehensive threat model. Co-authored-by: Isaac

Co-authored-by: Isaac

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 16:30 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 16:42 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 17:19 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 17:58 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from b418b20 to 0d2b698 Compare March 13, 2026 19:56

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 19:56 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from 0d2b698 to 6dbf8a3 Compare March 13, 2026 20:03

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 20:04 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from 6dbf8a3 to 275b67a Compare March 13, 2026 20:17

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 20:18 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from 275b67a to fc25d50 Compare March 13, 2026 20:25

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 20:26 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from fc25d50 to 47a7034 Compare March 13, 2026 20:33

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 20:33 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:14 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:28 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:33 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:38 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:40 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:47 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:49 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:51 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 22:58 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 23:01 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 23:04 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 23:06 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 23:08 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 23:10 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 13, 2026 23:34 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 14:05 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 14:07 — with GitHub Actions Inactive

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 14:12 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from e8a70ba to 8e9e3f0 Compare March 14, 2026 14:44

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 14:44 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from 8e9e3f0 to 2ade542 Compare March 14, 2026 14:50

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 14:51 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from 2ade542 to c46e877 Compare March 14, 2026 14:55

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 14:55 — with GitHub Actions Inactive

shreyas-goenka force-pushed the add-claude-code-workflow branch from c46e877 to 1713c27 Compare March 14, 2026 15:22

shreyas-goenka temporarily deployed to test-trigger-is March 14, 2026 15:23 — with GitHub Actions Inactive

eng-dev-ecosystem-bot reviewed Mar 15, 2026

View reviewed changes

eng-dev-ecosystem-bot reviewed Mar 16, 2026

View reviewed changes

Add run tracking to Claude Code dispatcher workflow

875f2a6

After dispatching to eng-dev-ecosystem, the workflow now finds the remote run, posts a link in the step summary, and waits for it to complete. This keeps the check visible on the PR while Claude works. Co-authored-by: Isaac

shreyas-goenka temporarily deployed to test-trigger-is March 16, 2026 12:47 — with GitHub Actions Inactive

Address review feedback on Claude Code workflow

8f64c6a

- Pin actions to commit SHAs instead of mutable version tags - Add concurrency group to assist job to prevent parallel dispatches - Pass PR number through env var for defense-in-depth against injection Co-authored-by: Isaac

shreyas-goenka temporarily deployed to test-trigger-is March 16, 2026 12:50 — with GitHub Actions Inactive

Update design doc with final architecture for security audit

85fa81a

Reflects current implementation: composite action, standalone workflows, OIDC policies, SHA-pinned actions, concurrency groups, allowed tools, and comprehensive threat model. Co-authored-by: Isaac

shreyas-goenka temporarily deployed to test-trigger-is March 16, 2026 12:52 — with GitHub Actions Inactive

Remove design doc from PR

b640037

Co-authored-by: Isaac

shreyas-goenka force-pushed the add-claude-code-workflow branch from f2d638a to b640037 Compare March 16, 2026 12:56

shreyas-goenka temporarily deployed to test-trigger-is March 16, 2026 12:56 — with GitHub Actions Inactive

Conversation

shreyas-goenka commented Mar 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Depends on

Test plan

Uh oh!

eng-dev-ecosystem-bot commented Mar 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

eng-dev-ecosystem-bot commented Mar 14, 2026

Uh oh!

eng-dev-ecosystem-bot commented Mar 14, 2026

Claude Review: Restrict auto-review to trusted PR authors

Uh oh!

eng-dev-ecosystem-bot commented Mar 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

eng-dev-ecosystem-bot left a comment

Choose a reason for hiding this comment

Uh oh!

eng-dev-ecosystem-bot Mar 15, 2026

Choose a reason for hiding this comment

Uh oh!

eng-dev-ecosystem-bot Mar 15, 2026

Choose a reason for hiding this comment

Uh oh!

shreyas-goenka commented Mar 15, 2026

Uh oh!

shreyas-goenka commented Mar 15, 2026

Uh oh!

eng-dev-ecosystem-bot commented Mar 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

eng-dev-ecosystem-bot left a comment

Choose a reason for hiding this comment

Uh oh!

eng-dev-ecosystem-bot Mar 16, 2026

Choose a reason for hiding this comment

Uh oh!

shreyas-goenka commented Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

shreyas-goenka commented Mar 13, 2026 •

edited

Loading

eng-dev-ecosystem-bot commented Mar 13, 2026 •

edited

Loading

eng-dev-ecosystem-bot commented Mar 14, 2026 •

edited

Loading

eng-dev-ecosystem-bot commented Mar 16, 2026 •

edited

Loading