From dc29046403d6d5b85bd931edb3b0a7cc5c05886e Mon Sep 17 00:00:00 2001
From: Rohit Agrawal
Date: Tue, 26 May 2026 13:38:36 -0400
Subject: [PATCH 1/6] Add Claude GitHub workflows: @claude mention and PR auto-review claude-mention.yml triggers anthropics/claude-code-action when "@claude" appears in an issue, PR comment, review, or review comment. Useful for ad-hoc requests ("@claude please fix the flake in test_X"). claude-review.yml runs the action on PR open and posts a single review focused on correctness, conventions, security, and test coverage. Limited to [opened] (not synchronize) to keep cost and noise low; flip to add synchronize if you want re-review on every push. Both pin actions/checkout to v4.2.2 (same SHA as ci.yml) and pin claude-code-action to the v1 commit. Requires ANTHROPIC_API_KEY in repo secrets.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/claude-mention.yml | 34 +++++++++++++++++++++++
 .github/workflows/claude-review.yml | 40 ++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 .github/workflows/claude-mention.yml
 create mode 100644 .github/workflows/claude-review.yml
diff --git a/.github/workflows/claude-mention.yml b/.github/workflows/claude-mention.yml
new file mode 100644
index 0000000..b6ba4e2
--- /dev/null
+++ b/.github/workflows/claude-mention.yml
@@ -0,0 +1,34 @@
+name: Claude Mention
+
+on:
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ pull_request_review:
+ types: [submitted]
+ issues:
+ types: [opened, assigned]
+
+jobs:
+ claude:
+ if: |
+ (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+ (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+ (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
+ id-token: write
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 1
+
+ - uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ trigger_phrase: "@claude"
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
new file mode 100644
index 0000000..4c5f150
--- /dev/null
+++ b/.github/workflows/claude-review.yml
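Review bot: The `if:` condition gates only on the text '@claude' appearing, so on a public repository any account that can comment on an issue or PR can start a job holding `contents: write`, `pull-requests: write`, `issues: write` and `id-token: write`; unless claude-code-action at the pinned commit itself rejects actors without write access (worth confirming rather than assuming), each branch should also check the trigger author, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` for the two comment events, with `github.event.review.author_association` and `github.event.issue.author_association` for the review and issues branches. The `issues: [opened, assigned]` trigger also fires on assignment, but the condition only inspects the issue body and title, so assigning an issue that already mentions @claude re-runs the job; if that is not intended, drop `assigned` or test `github.event.action`. `contents: write` is the broadest grant here and is only needed if the mention flow is expected to push commits; the review workflow in the same series manages with `contents: read`, so a one-line comment stating why write is required would help the next reader.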
@@ -0,0 +1,40 @@
+name: Claude PR Review
+
+on:
+ pull_request:
+ types: [opened]
+
+jobs:
+ review:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ id-token: write
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 1
+
+ - uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+ with:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ prompt: |
+ REPO: ${{ github.repository }}
+ PR NUMBER: ${{ github.event.pull_request.number }}
+
+ Review this pull request. Focus on:
+ - Correctness — bugs, edge cases, broken assumptions
+ - Project conventions — match the patterns in neighboring code; this is a Python project using uv, ruff, pytest
+ - Security — secret handling, subprocess invocations, path traversal
+ - Tests — does new behavior have coverage in tests/?
+
+ Be concise. Skip nitpicks. If the PR is small and clean, say so in one line rather than inventing feedback.
+
+ The PR branch is already checked out in the current working directory.
+ Use `gh pr comment` for top-level feedback.
+ Use `mcp__github_inline_comment__create_inline_comment` (with `confirmed: true`) to highlight specific code issues.
+ Only post GitHub comments — don't submit review text as messages.
+
+ claude_args: |
+ --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
From b6ab8ce0384f03b8393ba805054937952aa8da4d Mon Sep 17 00:00:00 2001
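Review bot: A pull request opened from a fork runs this workflow without access to `secrets.ANTHROPIC_API_KEY` (GitHub withholds repository secrets on `pull_request` events from forks), so the action step would fail and every fork PR would carry a red check; a job-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` skips fork PRs instead of failing them, and the trigger should stay `pull_request` rather than `pull_request_target`, which would hand the secrets to fork-controlled content. The PR diff and description are untrusted input to the model, so the `--allowedTools` allowlist limited to `gh pr comment`/`diff`/`view` plus the inline-comment tool is the right shape, and `contents: read` should stay as it is for the same reason. The prompt asserts that the PR branch is already checked out; `actions/checkout` on a `pull_request` event checks out the PR merge ref by default, which is close enough, but a comment above the checkout step recording that assumption would protect it from a later change to `ref` or `fetch-depth`.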
From: Rohit Agrawal
Date: Tue, 26 May 2026 13:41:36 -0400
Subject: [PATCH 2/6] Wire Anthropic gateway env vars through secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds job-level env: blocks to both Claude workflows that forward ANTHROPIC_BASE_URL, ANTHROPIC_CUSTOM_HEADERS, and the three ANTHROPIC_DEFAULT_*_MODEL overrides from repo secrets to the action. The action is a composite action and reads these via env.X, so they must be set at the job (or workflow) level rather than on the uses: step. Unset secrets expand to empty strings, which the action treats as "no override" — so you only create the secrets you actually want to apply.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/claude-mention.yml | 6 ++++++
 .github/workflows/claude-review.yml | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/.github/workflows/claude-mention.yml b/.github/workflows/claude-mention.yml
index b6ba4e2..89dd6c1 100644
--- a/.github/workflows/claude-mention.yml
+++ b/.github/workflows/claude-mention.yml
@@ -18,6 +18,12 @@ jobs:
 (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
 (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
 runs-on: ubuntu-latest
+ env:
+ ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
+ ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
+ ANTHROPIC_DEFAULT_OPUS_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_OPUS_MODEL }}
+ ANTHROPIC_DEFAULT_SONNET_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_SONNET_MODEL }}
+ ANTHROPIC_DEFAULT_HAIKU_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_HAIKU_MODEL }}
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 4c5f150..b5b540e 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -7,6 +7,12 @@ on:
 jobs:
 review:
 runs-on: ubuntu-latest
+ env:
+ ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
+ ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
+ ANTHROPIC_DEFAULT_OPUS_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_OPUS_MODEL }}
+ ANTHROPIC_DEFAULT_SONNET_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_SONNET_MODEL }}
+ ANTHROPIC_DEFAULT_HAIKU_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_HAIKU_MODEL }}
 permissions:
 contents: read
 pull-requests: write
From e74d84f24d4bf1d8faf216e92d39610d9ab5c78c Mon Sep 17 00:00:00 2001
From: Rohit Agrawal
Date: Tue, 26 May 2026 13:52:42 -0400
Subject: [PATCH 3/6] Inline non-sensitive gateway config; keep API key + base URL as secrets Custom headers (just the coding-agent-mode flag) and the three model ID overrides are config, not credentials, so hardcode them in the workflow files. Leaves ANTHROPIC_API_KEY and ANTHROPIC_BASE_URL as the only repo secrets needed.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/claude-mention.yml | 8 ++++----
 .github/workflows/claude-review.yml | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/claude-mention.yml b/.github/workflows/claude-mention.yml
index 89dd6c1..0d0e681 100644
--- a/.github/workflows/claude-mention.yml
+++ b/.github/workflows/claude-mention.yml
@@ -20,10 +20,10 @@ jobs:
 runs-on: ubuntu-latest
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
- ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
- ANTHROPIC_DEFAULT_OPUS_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_OPUS_MODEL }}
- ANTHROPIC_DEFAULT_SONNET_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_SONNET_MODEL }}
- ANTHROPIC_DEFAULT_HAIKU_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_HAIKU_MODEL }}
+ ANTHROPIC_CUSTOM_HEADERS: "x-databricks-use-coding-agent-mode: true"
+ ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
+ ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
+ ANTHROPIC_DEFAULT_HAIKU_MODEL: databricks-claude-haiku-4-5
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index b5b540e..7971d76 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -9,10 +9,10 @@ jobs:
 runs-on: ubuntu-latest
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
- ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
- ANTHROPIC_DEFAULT_OPUS_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_OPUS_MODEL }}
- ANTHROPIC_DEFAULT_SONNET_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_SONNET_MODEL }}
- ANTHROPIC_DEFAULT_HAIKU_MODEL: ${{ secrets.ANTHROPIC_DEFAULT_HAIKU_MODEL }}
+ ANTHROPIC_CUSTOM_HEADERS: "x-databricks-use-coding-agent-mode: true"
+ ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
+ ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
+ ANTHROPIC_DEFAULT_HAIKU_MODEL: databricks-claude-haiku-4-5
 permissions:
 contents: read
 pull-requests: write
From 9519aa953fd7f9b3f80ad7ed1403e88bcbfa4a2f Mon Sep 17 00:00:00 2001
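Review bot: The three model IDs and the coding-agent header are now hard-coded identically in both workflow files (this hunk and the claude-review.yml hunk that follows it), so the next model bump has to be made twice and the two copies can drift; repository configuration variables (`${{ vars.ANTHROPIC_DEFAULT_OPUS_MODEL }}` and friends) keep a single source without turning the values back into secrets. By the same reasoning `ANTHROPIC_BASE_URL` is an endpoint rather than a credential, and keeping it in `secrets` means it is masked in logs, which makes a mistyped gateway URL hard to diagnose; if the URL is not considered sensitive for this repository, a `vars` entry is the better fit. The double quotes on the `ANTHROPIC_CUSTOM_HEADERS` value are required because it contains `: `, and a short comment saying so (`# quoted: value contains ": "`) would stop someone from "tidying" them away later.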
From: Rohit Agrawal
Date: Tue, 26 May 2026 13:55:12 -0400
Subject: [PATCH 4/6] Move ANTHROPIC_CUSTOM_HEADERS back to a secret for Bearer auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Databricks AI Gateway only accepts Authorization: Bearer, so the auth header has to live inside ANTHROPIC_CUSTOM_HEADERS rather than going through ANTHROPIC_API_KEY (which the CLI sends as x-api-key). That makes CUSTOM_HEADERS sensitive and it has to come from secrets. ANTHROPIC_API_KEY stays referenced because the action requires the input — the value is ignored by the gateway, so a placeholder works.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/claude-mention.yml | 2 +-
 .github/workflows/claude-review.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-mention.yml b/.github/workflows/claude-mention.yml
index 0d0e681..f7fb691 100644
--- a/.github/workflows/claude-mention.yml
+++ b/.github/workflows/claude-mention.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
- ANTHROPIC_CUSTOM_HEADERS: "x-databricks-use-coding-agent-mode: true"
+ ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
 ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
 ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
 ANTHROPIC_DEFAULT_HAIKU_MODEL: databricks-claude-haiku-4-5
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 7971d76..9ab15b1 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
- ANTHROPIC_CUSTOM_HEADERS: "x-databricks-use-coding-agent-mode: true"
+ ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
 ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
 ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
 ANTHROPIC_DEFAULT_HAIKU_MODEL: databricks-claude-haiku-4-5
From 3e08d19fc72b7fd16405b3966e6bbac252c263ce Mon Sep 17 00:00:00 2001
From: Rohit Agrawal
Date: Tue, 26 May 2026 13:57:13 -0400
Subject: [PATCH 5/6] Split CUSTOM_HEADERS: auth from secret, coding-agent flag inline Only the Authorization: Bearer line carries the PAT, so that's the sensitive part worth hiding in a secret. The x-databricks-use-coding- agent-mode header is just a feature flag and lives in the workflow YAML where it can be sanity-checked at a glance. The two are concatenated into ANTHROPIC_CUSTOM_HEADERS via a YAML block scalar; the Claude CLI splits on newlines so both headers get sent.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/claude-mention.yml | 4 +++-
 .github/workflows/claude-review.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-mention.yml b/.github/workflows/claude-mention.yml
index f7fb691..49aa125 100644
--- a/.github/workflows/claude-mention.yml
+++ b/.github/workflows/claude-mention.yml
@@ -20,7 +20,9 @@ jobs:
 runs-on: ubuntu-latest
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
- ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
+ ANTHROPIC_CUSTOM_HEADERS: |
+ ${{ secrets.ANTHROPIC_AUTH_HEADER }}
+ x-databricks-use-coding-agent-mode: true
 ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
 ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
 ANTHROPIC_DEFAULT_HAIKU_MODEL: databricks-claude-haiku-4-5
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 9ab15b1..c76904b 100644
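Review bot: `ANTHROPIC_CUSTOM_HEADERS: |` in the claude-mention.yml hunk of patch 5/6 keeps the block's final newline, so the value handed to the CLI ends in `\n` and, if the CLI really splits on newlines as the commit message says, yields an empty trailing entry; `ANTHROPIC_CUSTOM_HEADERS: |-` strips it and produces exactly the two header lines without depending on how the CLI treats blank entries. The same block scalar appears in the claude-review.yml hunk of this patch and in both hunks of patch 6/6, so the change belongs in all four places. Because the first line of the block is the secret's whole value, a secret stored with a trailing newline or carriage return silently becomes a malformed header; a comment above the key such as `# one "Name: value" header per line; the secret must not end in a newline` documents the expected format for whoever rotates it.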
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -9,7 +9,9 @@ jobs:
 runs-on: ubuntu-latest
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
- ANTHROPIC_CUSTOM_HEADERS: ${{ secrets.ANTHROPIC_CUSTOM_HEADERS }}
+ ANTHROPIC_CUSTOM_HEADERS: |
+ ${{ secrets.ANTHROPIC_AUTH_HEADER }}
+ x-databricks-use-coding-agent-mode: true
 ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
 ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
 ANTHROPIC_DEFAULT_HAIKU_MODEL: databricks-claude-haiku-4-5
From f4390285f4c656a7745b539d9a609bfbd63cd182 Mon Sep 17 00:00:00 2001
From: Rohit Agrawal
Date: Tue, 26 May 2026 13:58:24 -0400
Subject: [PATCH 6/6] Construct Authorization header inline from ANTHROPIC_API_KEY secret Single secret holds the raw PAT; the workflow prefixes "Authorization: Bearer " when assembling ANTHROPIC_CUSTOM_HEADERS. Same PAT also flows to the action's anthropic_api_key input (gateway ignores the resulting x-api-key header, no harm). Removes the need for a separate ANTHROPIC_AUTH_HEADER secret.
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/claude-mention.yml | 2 +-
 .github/workflows/claude-review.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/claude-mention.yml b/.github/workflows/claude-mention.yml
index 49aa125..4370162 100644
--- a/.github/workflows/claude-mention.yml
+++ b/.github/workflows/claude-mention.yml
@@ -21,7 +21,7 @@ jobs:
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
 ANTHROPIC_CUSTOM_HEADERS: |
- ${{ secrets.ANTHROPIC_AUTH_HEADER }}
+ Authorization: Bearer ${{ secrets.ANTHROPIC_API_KEY }}
 x-databricks-use-coding-agent-mode: true
 ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
 ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6
diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index c76904b..a6421a2 100644
--- a/.github/workflows/claude-review.yml
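Review bot: After the claude-mention.yml hunk of patch 6/6 the same PAT leaves the runner in two headers, as `Authorization: Bearer` inside `ANTHROPIC_CUSTOM_HEADERS` and as `x-api-key` through the `anthropic_api_key` input, while the patch 4/6 message states the action only needs that input to be present and the gateway ignores it; if the action at the pinned commit does not validate the key's format (worth checking), passing a non-secret placeholder to the input halves the number of places the credential travels. The job-level `env:` also makes the bearer header visible to every step, including `actions/checkout`; if the action reads the variable from the process environment, a step-level `env:` on the claude-code-action step would limit that exposure, but the patch 2/6 message asserts job level is required, so verify before moving it. The same applies to the claude-review.yml hunk of this patch. A comment above the block, e.g. `# ANTHROPIC_API_KEY holds the gateway PAT; the gateway authenticates on the Bearer header below, not on x-api-key`, would spare the next reader the six-commit history behind this shape.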
+++ b/.github/workflows/claude-review.yml
@@ -10,7 +10,7 @@ jobs:
 env:
 ANTHROPIC_BASE_URL: ${{ secrets.ANTHROPIC_BASE_URL }}
 ANTHROPIC_CUSTOM_HEADERS: |
- ${{ secrets.ANTHROPIC_AUTH_HEADER }}
+ Authorization: Bearer ${{ secrets.ANTHROPIC_API_KEY }}
 x-databricks-use-coding-agent-mode: true
 ANTHROPIC_DEFAULT_OPUS_MODEL: databricks-claude-opus-4-7
 ANTHROPIC_DEFAULT_SONNET_MODEL: databricks-claude-sonnet-4-6