v1v left a comment
I left a few comments:
- update versions
- git depth 0
- checkout PR
- configure tools for running Claude
- github secret onboarding
One last thing, if it helps, we have all logs/traces for the GitHub actions running at Elastic in ECH. I wonder whether the Build Failure analysis could be performed outside this GitHub workflow and in an agnostic manner using Elastic, so that when we ingest logs for Buildkite builds, we can work in both scenarios.
| - name: Check if all required workflows have completed | ||
| id: check-workflows | ||
| if: github.event.workflow_run.event == 'pull_request' | ||
| uses: actions/github-script@v7 |
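Review bot: `uses: actions/github-script@v7` (like the other `uses:` references in this workflow) pins to a mutable version tag, so the action code the job executes can change without any change in this repository; pin each action to a full commit SHA and keep the version tag in a trailing comment, e.g. `uses: actions/github-script@<full-commit-sha> # v8` (placeholder SHA), and let Dependabot or Renovate move the pin.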
https://github.com/actions/github-script/releases/tag/v8
| uses: actions/github-script@v7 | |
| uses: actions/github-script@v8 |
| - name: Checkout | ||
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Setup Go | ||
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version-file: .go-version | ||
|
|
||
| - name: Setup Python | ||
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version-file: .python-version | ||
|
|
||
| - name: Install system dependencies | ||
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| run: sudo apt-get update && sudo apt-get install -y libpcap-dev librpm-dev python3-venv | ||
|
|
||
| - name: Install Mage | ||
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| run: make mage |
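Review bot: the guard `if: steps.check-workflows.outputs.should_run != 'false'` repeated on every step is open by default: `check-workflows` itself only runs when `github.event.workflow_run.event == 'pull_request'`, and a skipped step leaves `should_run` unset, so the comparison against `'false'` evaluates true and the checkout, Go, Python, apt-get and Mage steps all run anyway. If these steps are meant to run only after the check has explicitly allowed it, compare with `== 'true'` so the guard fails closed.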
What's the reason the build failure analyser requires the golang and python context?
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 |
What's the reason for checking out the whole git history?
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| claude-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} |
We have a process to onboard GitHub secrets, so we track who created them and how they are rotated. This is not a blocker; we can work on this together.
|
|
||
| - name: Checkout | ||
| if: steps.check-workflows.outputs.should_run != 'false' | ||
| uses: actions/checkout@v6 |
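Review bot: under a `workflow_run` trigger, `actions/checkout` without a `ref:` checks out the default branch, so the analysis never sees the commit that actually failed; the failed run's commit is exposed as `github.event.workflow_run.head_sha`. If that commit comes from a fork, treat the checkout as untrusted input: read its logs and files, but do not execute its build scripts in this job, which runs with the repository token and the job's secrets.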
This will always check out the main branch. Is that expected, or should it check out the PR that failed instead?
| @@ -0,0 +1,46 @@ | |||
| name: Claude Issue Triage | |||
What's the reason for installing the go/python tools for running the issue triage process?
| with: | ||
| fetch-depth: 0 |
What's the reason for using depth 0?
| GITHUB_TOKEN: ${{ github.token }} | ||
| run: gh pr checkout ${{ github.event.issue.number }} | ||
|
|
||
| - uses: actions/setup-go@v5 |
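Review bot: `gh pr checkout ${{ github.event.issue.number }}` places the PR author's branch in the workspace of a job that, because it is triggered by a comment event in the base repository, runs with the repository's own `GITHUB_TOKEN` and secrets; any later step that executes files from that checkout (Go tooling, a Makefile target) would run contributor-controlled code with those credentials. The "Restricted to" user allowlist from the PR description needs to be enforced before this step, and the step should fail closed when the commenter is not on the list.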
| - uses: actions/setup-go@v5 | |
| - uses: actions/setup-go@v6 |
| with: | ||
| fetch-depth: 0 |
| contents: write | ||
| pull-requests: write | ||
| issues: write | ||
| id-token: write |
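Review bot: `id-token: write` is only needed when a step requests an OIDC token from GitHub to federate with an external identity provider (cloud credentials, Sigstore signing); none of the visible steps does that, so drop it unless the Claude action documents requiring it, and keep `contents: write` only on the job that actually pushes.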
What's the reason for using id-token: write?
| actions: read | ||
| issues: write | ||
| pull-requests: write | ||
| id-token: write |
What's the reason for this permission?
| permissions: | ||
| contents: read | ||
| actions: read | ||
| issues: write | ||
| pull-requests: write | ||
| id-token: write |
nit:
We follow the least-permissive access:
- top permissions (contents: read)
- job permissions (the required ones)
This framework allows us to handle multiple jobs within the same workflow while enforcing the least-permissive access.
v1v left a comment
Approved as I don't see any blockers, just some minor and nit comments we can walk through together in a follow-up.
| types: [created] | ||
|
|
||
| permissions: | ||
| contents: write |
What's the reason to enable contents: write permissions here?
There is one caveat when using GITHUB_TOKEN to push a commit: it will not trigger any GitHub workflows (to avoid recursion), see https://docs.github.com/en/actions/concepts/security/github_token#when-github_token-triggers-workflow-runs
For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
this is WIP and the current version is in the integrations repo

Add Claude workflows for @claude in issues, pull requests, and automated pull request reviews. Restricted to: strawgate, AlexanderWert, perk, graphaelli, cmacknz, axw, theletterf, jlind23, nimarezainia, pierrehilbert, bturquet