ci: add AI code review workflow (Claude on Bedrock)#6053
Open
jam-jee wants to merge 1 commit into
Open
Conversation
Adds an automated PR review using anthropics/claude-code-action@v1 running on Amazon Bedrock. Inference stays in-account and is CloudTrail-audited; no external API key is required. Reuses the existing collaborator gate from pr-checks-master.yml so that collaborator PRs auto-run and fork/external PRs require manual approval before any secret or the Bedrock role is exposed (safe under pull_request_target).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an automated AI code-review workflow (
.github/workflows/ai-code-review.yml) that reviews PRs usinganthropics/claude-code-action@v1running on Amazon Bedrock.This follows the same pattern already used by other public
aws/*repos (e.g.aws/aws-workload-credentials-provider,aws/secrets-store-csi-driver-provider-aws, the Bedrock AgentCore SDKs).Why Bedrock
InvokeModelcall is CloudTrail-audited for cost attribution and security review.Fork safety
The workflow uses
pull_request_target(required to assume the Bedrock role and post comments), so it reuses the existing collaborator gate frompr-checks-master.yml:auto-approveenvironment (runs immediately).manual-approvalenvironment (a maintainer must approve the run before any secret or the Bedrock role is exposed).No new environments are introduced —
auto-approveandmanual-approvalalready exist on this repo.Setup required before this is functional
This PR adds the workflow only. A maintainer must also:
us.anthropic.claude-opus-4-8in the CI account/region (us-west-2).bedrock:InvokeModel, trust scoped torepo:aws/sagemaker-python-sdk:*, and store its ARN as theCODE_REVIEW_ROLEsecret.COLLAB_CHECK_TOKENis already used by existing workflows — no change needed.Notes / open to feedback
paths:) to thesagemaker-train,sagemaker-serve,sagemaker-mlops, andsagemaker-coredirectories, mirroringpr-checks-master.yml. Remove that block to review every PR.github-actions[bot]viaGITHUB_TOKEN. Can switch to a dedicated GitHub App identity if preferred.Raised for evaluation — happy to adjust triggers, scope, model, or prompt per maintainer preference.