[PM-26935]

Craft a reusable workflow to consolidating Claude business logic into one place

Author: theMickster

.github/workflows/_review-code.yml

@@ -0,0 +1,143 @@
+name: Code Review
+
+on:
+  workflow_call:
+    secrets:
+      AZURE_SUBSCRIPTION_ID:
+        required: true
+      AZURE_TENANT_ID:
+        required: true
+      AZURE_CLIENT_ID:
+        required: true
+
+jobs:
+  validation:
+    name: Validation
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    outputs:
+      should_review: ${{ steps.validate.outputs.should_review }}
+
+    steps:
+      - name: Check PR requirements
+        id: check-pr
+        env:
+          IS_DRAFT: ${{ github.event.pull_request.draft }}
+        run: |
+          if [ "$IS_DRAFT" == "true" ]; then
+            echo "⚠️  Validation: PR is a draft - skipping review"
+            echo "pr_valid=false" >> $GITHUB_OUTPUT
+          else
+            echo "✅ Validation: PR is ready for review"
+            echo "pr_valid=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check if prompt file exists using GitHub CLI
+        id: check-prompt
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          REF: ${{ github.event.pull_request.head.sha }}
+          FILE_PATH: ".claude/prompts/review-code.md"
+        run: |
+          if gh api "repos/$REPO/contents/$FILE_PATH?ref=$REF" --silent 2>/dev/null; then
+            echo "prompt_exists=true" >> $GITHUB_OUTPUT
+            echo "✅ Found $FILE_PATH in $REPO"
+          else
+            echo "prompt_exists=false" >> $GITHUB_OUTPUT
+            echo "⚠️  Validation: No $FILE_PATH found - skipping Claude review"
+          fi
+
+      - name: Set validation result
+        id: validate
+        env:
+          PR_VALID: ${{ steps.check-pr.outputs.pr_valid }}
+          PROMPT_EXISTS: ${{ steps.check-prompt.outputs.prompt_exists }}
+        run: |
+          if [ "$PR_VALID" == "true" ] && \
+             [ "$PROMPT_EXISTS" == "true" ]; then
+            echo "should_review=true" >> $GITHUB_OUTPUT
+            echo "✅ Validation passed - code review will proceed"
+          else
+            echo "should_review=false" >> $GITHUB_OUTPUT
+            echo "⚠️  Validation failed - code review will be skipped"
+          fi
+
+  review:
+    name: Review
+    runs-on: ubuntu-24.04
+    needs: validation
+    if: needs.validation.outputs.should_review == 'true'
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "ANTHROPIC-API-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Build review prompt
+        id: build-prompt
+        env:
+          PR_REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_COMMIT: ${{ github.event.pull_request.head.sha }}
+        run: |
+          PROMPT_FILE=".claude/prompts/review-code.md"
+
+          # Build the full prompt with GitHub context + repo's prompt
+          {
+            printf "REPO: %s\n" "$PR_REPO"
+            printf "PR NUMBER: %s\n" "$PR_NUMBER"
+            printf "TITLE: %s\n" "$PR_TITLE"
+            printf "BODY: %s\n" "$PR_BODY"
+            printf "AUTHOR: %s\n" "$PR_AUTHOR"
+            printf "COMMIT: %s\n" "$PR_COMMIT"
+            printf "\n"
+            printf "Note: The PR branch is already checked out in the current working directory.\n"
+            printf "\n---\n\n"
+            cat "$PROMPT_FILE"
+          } > /tmp/review-prompt.md
+
+          # Output the prompt
+          {
+            echo 'FINAL_PROMPT<<EOF'
+            cat /tmp/review-prompt.md
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Review with Claude Code
+        uses: anthropics/claude-code-action@e8bad572273ce919ba15fec95aef0ce974464753 # v1.0.13
+        with:
+          anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-API-KEY }}
+          track_progress: true
+          use_sticky_comment: true
+          prompt: ${{ steps.build-prompt.outputs.FINAL_PROMPT }}
+          claude_args: |
+            --allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*)"

.github/workflows/review-code.yml

@@ -4,152 +4,15 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
-  validation:
-    name: Validation
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-    outputs:
-      should_review: ${{ steps.validate.outputs.should_review }}
-
-    steps:
-      - name: Check PR requirements
-        id: check-pr
-        run: |
-          if [ "${{ github.event.pull_request.draft }}" == "true" ]; then
-            echo "⚠️  Validation: PR is a draft - skipping review"
-            echo "pr_valid=false" >> $GITHUB_OUTPUT
-          else
-            echo "✅ Validation: PR is ready for review"
-            echo "pr_valid=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Check for Azure credentials
-        id: check-azure-secret
-        env:
-          _AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          _AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          _AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-        run: |
-          if [ -n "$_AZURE_SUBSCRIPTION_ID" ] && [ -n "$_AZURE_TENANT_ID" ] && [ -n "$_AZURE_CLIENT_ID" ]; then
-            echo "credentials_valid=true" >> $GITHUB_OUTPUT
-            echo "✅ Validation: Azure credentials available"
-          else
-            echo "credentials_valid=false" >> $GITHUB_OUTPUT
-            echo "⚠️  Validation: Azure credentials not available"
-            echo "This is expected for external contributors or forks"
-          fi
-
-      - name: Check if prompt file exists
-        id: check-prompt
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          # Use GitHub API to check file existence WITHOUT checkout
-          FILE_PATH=".claude/prompts/review-code.md"
-          REPO="${{ github.repository }}"
-          REF="${{ github.event.pull_request.head.sha }}"
-
-          # Check if file exists via API
-          if gh api "repos/$REPO/contents/$FILE_PATH?ref=$REF" --silent 2>/dev/null; then
-            echo "prompt_exists=true" >> $GITHUB_OUTPUT
-            echo "✅ Found $FILE_PATH in $REPO"
-          else
-            echo "prompt_exists=false" >> $GITHUB_OUTPUT
-            echo "⚠️  Validation: No $FILE_PATH found - skipping Claude review"
-          fi
-
-      - name: Set validation result
-        id: validate
-        run: |
-          if [ "${{ steps.check-pr.outputs.pr_valid }}" == "true" ] && \
-             [ "${{ steps.check-azure-secret.outputs.credentials_valid }}" == "true" ] && \
-             [ "${{ steps.check-prompt.outputs.prompt_exists }}" == "true" ]; then
-            echo "should_review=true" >> $GITHUB_OUTPUT
-            echo "✅ Validation passed - code review will proceed"
-          else
-            echo "should_review=false" >> $GITHUB_OUTPUT
-            echo "⚠️  Validation failed - code review will be skipped"
-          fi
-
   review:
     name: Review
-    runs-on: ubuntu-24.04
-    needs: validation
-    if: needs.validation.outputs.should_review == 'true'
+    uses: bitwarden/gh-actions/.github/workflows/_review-code.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
     permissions:
       contents: read
-      id-token: write
       pull-requests: write
-
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "ANTHROPIC-API-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Build review prompt
-        id: build-prompt
-        env:
-          PR_REPO: ${{ github.repository }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          PR_TITLE: ${{ github.event.pull_request.title }}
-          PR_BODY: ${{ github.event.pull_request.body }}
-          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
-          PR_COMMIT: ${{ github.event.pull_request.head.sha }}
-        run: |
-          PROMPT_FILE=".claude/prompts/review-code.md"
-
-          # Build the full prompt with GitHub context + repo's prompt
-          {
-            printf "REPO: %s\n" "$PR_REPO"
-            printf "PR NUMBER: %s\n" "$PR_NUMBER"
-            printf "TITLE: %s\n" "$PR_TITLE"
-            printf "BODY: %s\n" "$PR_BODY"
-            printf "AUTHOR: %s\n" "$PR_AUTHOR"
-            printf "COMMIT: %s\n" "$PR_COMMIT"
-            printf "\n"
-            printf "Note: The PR branch is already checked out in the current working directory.\n"
-            printf "\n---\n\n"
-            cat "$PROMPT_FILE"
-          } > /tmp/review-prompt.md
-
-          # Output the prompt
-          {
-            echo 'FINAL_PROMPT<<EOF'
-            cat /tmp/review-prompt.md
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Review with Claude Code
-        uses: anthropics/claude-code-action@e8bad572273ce919ba15fec95aef0ce974464753 # v1.0.13
-        with:
-          anthropic_api_key: ${{ steps.get-kv-secrets.outputs.ANTHROPIC-API-KEY }}
-          track_progress: true
-          use_sticky_comment: true
-          prompt: ${{ steps.build-prompt.outputs.FINAL_PROMPT }}
-          claude_args: |
-            --allowedTools "mcp__github_comment__update_claude_comment,mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*)"
+      id-token: write