docs: add require-signed-commits hook and global git hook pattern #3
```yaml
name: PR Pipeline

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  shellcheck:
    name: ShellCheck
    # Only run for the repo owner — block random fork PRs from consuming CI
    if: github.event_name == 'pull_request' && github.actor == 'injectedfusion'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get changed shell scripts
        id: changed
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          files=$(git diff --name-only --diff-filter=ACMR "origin/$BASE_REF"...HEAD -- '*.sh' | tr '\n' ' ')
          echo "files=$files" >> "$GITHUB_OUTPUT"
          if [ -n "$files" ]; then
            echo "has_files=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Install shellcheck
        if: steps.changed.outputs.has_files == 'true'
        run: sudo apt-get install -y shellcheck

      - name: Run shellcheck on changed scripts
        if: steps.changed.outputs.has_files == 'true'
        env:
          CHANGED_FILES: ${{ steps.changed.outputs.files }}
        run: |
          exit_code=0
          for f in $CHANGED_FILES; do
            [ -f "$f" ] || continue
            echo "::group::Checking $f"
            # The default run shell is "bash -e", so a failing shellcheck would abort
            # the step before $? could be read; capture the status inline instead so
            # every changed script is checked and annotated.
            result=0
            shellcheck -S warning "$f" 2>&1 || result=$?
            echo "::endgroup::"
            if [ "$result" -ne 0 ]; then
              echo "::error file=$f::shellcheck found issues"
              exit_code=1
            fi
          done
          exit $exit_code

  # --- Claude Review (waits for CI on PRs, runs directly on @claude mentions) ---
  review:
    needs: [shellcheck]
    # Only the repo owner can trigger reviews — prevents billing abuse on public repo
    if: |
      always() && github.actor == 'injectedfusion' &&
      (
        (github.event_name == 'pull_request' &&
         needs.shellcheck.result != 'failure') ||
        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment')
      )
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: write
      pull-requests: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - uses: anthropics/claude-code-action@v1
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          track_progress: true
          prompt: |
            REPO: ${{ env.REPO }}
            PR NUMBER: ${{ env.PR_NUMBER }}

            You are the sole code reviewer for this repository. Your review decision
            determines whether this PR merges to the main branch.

            This repo contains reusable pre-commit hooks (bash scripts + .pre-commit-hooks.yaml).

            Review this PR focusing on:
            - Shell script correctness and safety (quoting, error handling, set -euo pipefail)
            - Security (no credential leaks, no unsafe eval/exec patterns)
            - Hook configuration validity (.pre-commit-hooks.yaml fields)
            - Documentation accuracy (comments match actual behavior)

            After your review:
            - Use inline comments for specific code issues.
            - Post a single PR comment with your overall summary.
            - If the PR is acceptable: approve it with `gh pr review --approve` and
              then merge it with `gh pr merge --squash --auto`.
            - If the PR has issues that must be fixed: request changes with
              `gh pr review --request-changes` and do NOT merge.
          claude_args: |
            --model claude-haiku-4-5-20251001 --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr review:*),Bash(gh pr merge:*)"
```