ci: inline workflows for public repo compatibility

rsafier · claude · rsafier · commit 0584d014df01 · 2026-02-13T21:17:53.000-05:00
Public repos cannot use reusable workflows from private repos (GitHub platform constraint). Replace all 4 reusable workflow callers with self-contained inline workflows. SHA-pinned actions, timeout controls, and org-owner guards preserved. Resolves MonumentalSystems/.github-private#28 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,7 +13,33 @@ on:
       - 'global.json'
 
 jobs:
-  ci:
-    uses: MonumentalSystems/.github-private/.github/workflows/ci.yml@main
-    with:
-      dotnet-version: '10.0.x'
+  build:
+    name: Build
+    # No org-owner guard — CI uses no secrets and should run for fork PRs
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
+        with:
+          dotnet-version: '10.0.x'
+
+      - name: Cache NuGet packages
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/Directory.Packages.props') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Restore dependencies
+        run: dotnet restore
+
+      - name: Build
+        run: dotnet build --no-restore
+
+      - name: Test
+        run: dotnet test --no-build
diff --git a/.github/workflows/claude-ci-auto-fix.yml b/.github/workflows/claude-ci-auto-fix.yml
@@ -16,10 +16,101 @@ permissions:
 
 jobs:
   auto-fix:
-    # Security: only run in MonumentalSystems org — see docs/PIPELINE-SECURITY.md
-    if: github.repository_owner == 'MonumentalSystems'
-    uses: MonumentalSystems/.github-private/.github/workflows/claude-ci-auto-fix.yml@main
-    secrets: inherit
-    with:
-      ci-workflow-name: 'CI'
-      project-description: 'MercuryBank API helper library — .NET NuGet package'
+    # Security: only run in MonumentalSystems org + only fix Claude's branches
+    if: |
+      github.repository_owner == 'MonumentalSystems' &&
+      github.event.workflow_run.conclusion == 'failure' &&
+      github.event.workflow_run.pull_requests[0] &&
+      startsWith(github.event.workflow_run.head_branch, 'claude/')
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event.workflow_run.head_branch }}
+          fetch-depth: 0
+
+      - name: Get CI failure details
+        id: failure_details
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        with:
+          script: |
+            const run = await github.rest.actions.getWorkflowRun({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{ github.event.workflow_run.id }}
+            });
+
+            const jobs = await github.rest.actions.listJobsForWorkflowRun({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{ github.event.workflow_run.id }}
+            });
+
+            const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure');
+
+            let errorLogs = [];
+            for (const job of failedJobs) {
+              try {
+                const logs = await github.rest.actions.downloadJobLogsForWorkflowRun({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  job_id: job.id
+                });
+                const logText = typeof logs.data === 'string' ? logs.data : String(logs.data);
+                errorLogs.push({
+                  jobName: job.name,
+                  logs: logText.slice(-3000)
+                });
+              } catch (e) {
+                errorLogs.push({
+                  jobName: job.name,
+                  logs: `Failed to retrieve logs: ${e.message}`
+                });
+              }
+            }
+
+            return {
+              runUrl: run.data.html_url,
+              prNumber: run.data.pull_requests[0]?.number,
+              failedJobs: failedJobs.map(j => j.name),
+              errorLogs: errorLogs
+            };
+
+      - name: Fix CI failures with Claude
+        id: claude
+        uses: anthropics/claude-code-action@f669191d7d1e67f08a54b0c11cf5683a9a391951 # v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          github_token: ${{ secrets.ORG_PAT || github.token }}
+          use_commit_signing: true
+          track_progress: true
+          plugin_marketplaces: |
+            https://github.com/richlander/dotnet-skills.git
+          plugins: |
+            dotnet-skills@richlander-dotnet-skills
+          prompt: |
+            The CI build/test failed on this branch. Analyze the error logs and fix the code.
+
+            Failed CI Run: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
+            PR: #${{ fromJSON(steps.failure_details.outputs.result).prNumber }}
+            Failed Jobs: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs, ', ') }}
+            Branch: ${{ github.event.workflow_run.head_branch }}
+            Repository: ${{ github.repository }}
+
+            Error logs:
+            ${{ toJSON(fromJSON(steps.failure_details.outputs.result).errorLogs) }}
+
+            Instructions:
+            - This is a MercuryBank API helper library — .NET NuGet package
+            - Read CLAUDE.md for project conventions if it exists
+            - Run `dotnet build` to verify your fix compiles
+            - Run `dotnet test --filter "Category!=Integration&Category!=Skipped"` to verify tests pass
+            - Commit the fix and push to the same branch
+            - Comment on the PR explaining what was wrong and how you fixed it
+          claude_args: |
+            --model claude-opus-4-6
+            --max-turns 30
+            --allowedTools "Bash(git:*)" "Bash(dotnet:*)" "Bash(gh:*)" "Read" "Edit" "Write" "Glob" "Grep" "WebFetch" "WebSearch"
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -11,8 +11,38 @@ permissions:
   id-token: write
 
 jobs:
-  review:
-    # Security: only run in MonumentalSystems org — see docs/PIPELINE-SECURITY.md
+  claude-review:
+    # Security: only run in MonumentalSystems org — see PIPELINE-SECURITY.md
     if: github.repository_owner == 'MonumentalSystems'
-    uses: MonumentalSystems/.github-private/.github/workflows/claude-code-review.yml@main
-    secrets: inherit
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@f669191d7d1e67f08a54b0c11cf5683a9a391951 # v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          use_sticky_comment: true
+          plugin_marketplaces: |
+            https://github.com/anthropics/claude-code.git
+            https://github.com/richlander/dotnet-skills.git
+          plugins: |
+            code-review@claude-code-plugins
+            dotnet-skills@richlander-dotnet-skills
+          prompt: |
+            /code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}
+
+            IMPORTANT: After completing your review, you MUST post your findings as a comment on the PR using:
+            gh pr comment ${{ github.event.pull_request.number }} --body "<your review in markdown>"
+
+            Do NOT rely on sticky comments to post your review — post your review directly via gh pr comment.
+            If you need to verify compilation or tests, use dotnet build and dotnet test.
+          claude_args: |
+            --max-turns 15
+            --allowedTools "Bash(gh pr review:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr comment:*),Bash(gh api:*),Bash(dotnet build*),Bash(dotnet test*)"
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -19,7 +19,45 @@ permissions:
 
 jobs:
   claude:
-    # Security: only run in MonumentalSystems org — see docs/PIPELINE-SECURITY.md
-    if: github.repository_owner == 'MonumentalSystems'
-    uses: MonumentalSystems/.github-private/.github/workflows/claude-assistant.yml@main
-    secrets: inherit
+    # Security: only run in MonumentalSystems org — see PIPELINE-SECURITY.md
+    if: |
+      github.repository_owner == 'MonumentalSystems' && (
+        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+        (github.event_name == 'issues' && (
+          contains(github.event.issue.body, '@claude') ||
+          contains(github.event.issue.title, '@claude') ||
+          github.event.action == 'assigned' ||
+          github.event.action == 'labeled'
+        ))
+      )
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@f669191d7d1e67f08a54b0c11cf5683a9a391951 # v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          github_token: ${{ secrets.ORG_PAT || github.token }}
+          use_commit_signing: true
+          assignee_trigger: 'claude'
+          label_trigger: 'claude'
+          track_progress: true
+          additional_permissions: |
+            actions: read
+          plugin_marketplaces: |
+            https://github.com/richlander/dotnet-skills.git
+          plugins: |
+            dotnet-skills@richlander-dotnet-skills
+          claude_args: |
+            --model claude-opus-4-6
+            --max-turns 50
+            --allowedTools "Bash(git:*)" "Bash(dotnet:*)" "Bash(gh:*)" "WebFetch" "WebSearch"
