pull-request.yml

name: Pull Request

on:
  workflow_call:
    inputs:
      internal_app:
        description: "Set true for internal apps where low-risk changes do not require approval"
        type: boolean
        required: false
        default: false
      claude_model:
        description: "Claude model used for automated PR review"
        type: string
        required: false
        default: claude-opus-4-8
      claude_extra_prompt:
        description: "Optional repository-specific Claude review instructions"
        type: string
        required: false
        default: ""
      claude_allowed_bots:
        description: "Comma-separated bot actors allowed to trigger automated Claude PR review"
        type: string
        required: false
        default: "github-actions,github-actions[bot]"
      context_repositories:
        description: "Newline-separated GitHub repositories to clone as read-only review context"
        type: string
        required: false
        default: |
          simpleanalytics/admin
          simpleanalytics/assistant
          simpleanalytics/boardroom
          simpleanalytics/chat
          simpleanalytics/common
          simpleanalytics/compare-node-versions-action
          simpleanalytics/dashboard
          simpleanalytics/docs
          simpleanalytics/dropzone
          simpleanalytics/elasticsearch-api
          simpleanalytics/embed
          simpleanalytics/extension
          simpleanalytics/github-actions
          simpleanalytics/google-tag-manager
          simpleanalytics/infrastructure
          simpleanalytics/intranet
          simpleanalytics/main
          simpleanalytics/marketing-site
          simpleanalytics/news-alerts
          simpleanalytics/notify
          simpleanalytics/online
          simpleanalytics/playground.simpleanalytics.com
          simpleanalytics/queue
          simpleanalytics/recall
          simpleanalytics/screenshot-grabber
          simpleanalytics/scripts
          simpleanalytics/status
          simpleanalytics/strapi
          simpleanalytics/support-reminder
          simpleanalytics/wordpress-plugin
      context_clone_concurrency:
        description: "Maximum number of context repositories to clone in parallel"
        type: number
        required: false
        default: 8
    secrets:
      ANTHROPIC_API_KEY:
        required: true
      SA_PAT_ADRIAAN_READ_REPOS:
        required: false

jobs:
  claude-review:
    runs-on: ubuntu-latest
    if: ${{ !github.event.pull_request.draft && github.event_name == 'pull_request' && contains(fromJson('["opened", "reopened", "synchronize"]'), github.event.action) }}
    permissions:
      contents: write
      pull-requests: write
      issues: write
      actions: read
      id-token: write
    steps:
      - name: Ensure SDLC labels
        uses: actions/github-script@v9
        with:
          script: |
            const labels = [
              {
                name: 'change: needs review',
                color: 'b60205',
                description: 'Changes affecting security, data protection, or system stability.',
              },
              {
                name: 'change: routine',
                color: 'fbca04',
                description: 'Changes to internal tools or low-risk changes (e.g., design updates or content modifications)',
              },
            ];

            for (const label of labels) {
              try {
                await github.rest.issues.getLabel({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  name: label.name,
                });

                await github.rest.issues.updateLabel({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  name: label.name,
                  new_name: label.name,
                  color: label.color,
                  description: label.description,
                });
              } catch (error) {
                if (error.status !== 404) throw error;

                await github.rest.issues.createLabel({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  name: label.name,
                  color: label.color,
                  description: label.description,
                });
              }
            }

      - name: Checkout pull request branch
        uses: actions/checkout@v7
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0

      - name: Fetch base branch
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          git remote add base "https://github.com/${{ github.repository }}.git" 2>/dev/null || git remote set-url base "https://github.com/${{ github.repository }}.git"
          git fetch --no-tags --prune --depth=200 base "$BASE_REF"

      - name: Find previous Claude review checkpoint
        id: previous_review
        uses: actions/github-script@v9
        with:
          script: |
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const nameWithOwner = `${owner}/${repo}`;
            const issueNumber = context.payload.pull_request.number;
            const trustedBotLogins = new Set(['github-actions[bot]']);
            const markerPattern = /<!--\s*simpleanalytics-claude-pr-review-checkpoint\s*([\s\S]*?)\s*-->/g;

            const comments = await github.paginate(github.rest.issues.listComments, {
              owner,
              repo,
              issue_number: issueNumber,
              per_page: 100,
            });

            const checkpoints = [];
            const fallbackClaudeComments = [];

            for (const comment of comments) {
              if (!trustedBotLogins.has(comment.user?.login)) continue;

              const body = comment.body || '';
              let match;
              markerPattern.lastIndex = 0;
              while ((match = markerPattern.exec(body)) !== null) {
                try {
                  const checkpoint = JSON.parse(match[1].trim());

                  if (
                    checkpoint.version === 1 &&
                    checkpoint.repository === nameWithOwner &&
                    Number(checkpoint.pull_request) === Number(issueNumber) &&
                    /^[a-f0-9]{40}$/i.test(checkpoint.head_sha || '')
                  ) {
                    checkpoints.push({
                      headSha: checkpoint.head_sha,
                      reviewedAt: checkpoint.reviewed_at || comment.updated_at || comment.created_at,
                      commentId: comment.id,
                    });
                  }
                } catch (error) {
                  core.warning(`Ignoring invalid Claude review checkpoint in comment ${comment.id}: ${error.message}`);
                }
              }

              if (/\bclaude\b/i.test(body)) {
                fallbackClaudeComments.push({
                  reviewedAt: comment.updated_at || comment.created_at,
                  commentId: comment.id,
                });
              }
            }

            checkpoints.sort((left, right) => new Date(right.reviewedAt) - new Date(left.reviewedAt));
            fallbackClaudeComments.sort((left, right) => new Date(right.reviewedAt) - new Date(left.reviewedAt));

            const checkpoint = checkpoints[0];
            if (checkpoint) {
              core.setOutput('head_sha', checkpoint.headSha);
              core.setOutput('reviewed_at', checkpoint.reviewedAt);
              core.setOutput('source', `checkpoint-comment-${checkpoint.commentId}`);
              core.info(`Found previous Claude review checkpoint ${checkpoint.headSha} from ${checkpoint.reviewedAt}.`);
              return;
            }

            const fallback = fallbackClaudeComments[0];
            if (fallback) {
              core.setOutput('head_sha', '');
              core.setOutput('reviewed_at', fallback.reviewedAt);
              core.setOutput('source', `claude-comment-${fallback.commentId}`);
              core.info(`No checkpoint marker found. Falling back to latest trusted Claude bot comment from ${fallback.reviewedAt}.`);
              return;
            }

            core.setOutput('head_sha', '');
            core.setOutput('reviewed_at', '');
            core.setOutput('source', '');
            core.info('No previous Claude review checkpoint found.');

      - name: Resolve review scope
        id: review_scope
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          LAST_REVIEWED_SHA: ${{ steps.previous_review.outputs.head_sha }}
          LAST_REVIEWED_AT: ${{ steps.previous_review.outputs.reviewed_at }}
          LAST_REVIEW_SOURCE: ${{ steps.previous_review.outputs.source }}
        run: |
          full_pr_range="$BASE_SHA...$HEAD_SHA"
          mode="full-pr"
          diff_range="$full_pr_range"
          scope_description="Review the full pull request diff: $full_pr_range."
          last_review_note="No previous trusted Claude review checkpoint was found."

          if [[ -n "$LAST_REVIEWED_SHA" ]]; then
            if git cat-file -e "$LAST_REVIEWED_SHA^{commit}" 2>/dev/null && git merge-base --is-ancestor "$LAST_REVIEWED_SHA" "$HEAD_SHA"; then
              mode="since-last-claude-review"
              diff_range="$LAST_REVIEWED_SHA..$HEAD_SHA"
              scope_description="Review current PR changes not checked since Claude last reviewed commit $LAST_REVIEWED_SHA. Use $full_pr_range as the current full PR diff and ignore base-only branch update changes."
              last_review_note="Last trusted Claude checkpoint: $LAST_REVIEWED_SHA from $LAST_REVIEW_SOURCE."
            else
              echo "::warning::Previous Claude checkpoint $LAST_REVIEWED_SHA is not available on the current PR branch. Reviewing the full PR diff instead."
              last_review_note="Previous trusted Claude checkpoint $LAST_REVIEWED_SHA from $LAST_REVIEW_SOURCE is not available on this branch, so the workflow fell back to the full PR diff."
            fi
          elif [[ -n "$LAST_REVIEWED_AT" ]]; then
            checkpoint_sha="$(git rev-list -n 1 --before="$LAST_REVIEWED_AT" "$HEAD_SHA" 2>/dev/null || true)"
            if [[ -n "$checkpoint_sha" ]] && git merge-base --is-ancestor "$checkpoint_sha" "$HEAD_SHA"; then
              mode="since-last-claude-comment"
              diff_range="$checkpoint_sha..$HEAD_SHA"
              scope_description="Review current PR changes not checked since the latest trusted Claude bot comment at $LAST_REVIEWED_AT. Use $full_pr_range as the current full PR diff and ignore base-only branch update changes."
              last_review_note="No checkpoint marker existed. Approximated the last reviewed commit as $checkpoint_sha from trusted Claude bot comment time $LAST_REVIEWED_AT."
            else
              echo "::warning::Could not map the latest trusted Claude bot comment at $LAST_REVIEWED_AT to a commit. Reviewing the full PR diff instead."
              last_review_note="A trusted Claude bot comment existed at $LAST_REVIEWED_AT, but it could not be mapped to a commit, so the workflow fell back to the full PR diff."
            fi
          fi

          {
            echo "mode=$mode"
            echo "diff_range=$diff_range"
            echo "full_pr_diff_range=$full_pr_range"
            echo "scope_description<<EOF"
            echo "$scope_description"
            echo "EOF"
            echo "last_review_note<<EOF"
            echo "$last_review_note"
            echo "EOF"
          } >> "$GITHUB_OUTPUT"

      - name: Checkout Simple Analytics context
        id: checkout_context
        env:
          CONTEXT_REPOSITORIES: ${{ inputs.context_repositories }}
          CONTEXT_CLONE_CONCURRENCY: ${{ inputs.context_clone_concurrency }}
          CURRENT_REPOSITORY: ${{ github.repository }}
          READ_TOKEN: ${{ secrets.SA_PAT_ADRIAAN_READ_REPOS }}
        run: |
          context_dir="$RUNNER_TEMP/simpleanalytics-context"
          echo "context_dir=$context_dir" >> "$GITHUB_OUTPUT"
          mkdir -p "$context_dir"
          status_dir="$RUNNER_TEMP/simpleanalytics-context-status"
          rm -rf "$status_dir"
          mkdir -p "$status_dir"

          if [[ -z "$READ_TOKEN" ]]; then
            message="SA_PAT_ADRIAAN_READ_REPOS is not set. Continuing with current-repo context only. Add this repo or org secret from 1Password by searching for SA_PAT_ADRIAAN_READ_REPOS."
            echo "::warning::$message"
            {
              echo "### Cross-repo context"
              echo "$message"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi

          export GIT_TERMINAL_PROMPT=0

          askpass="$RUNNER_TEMP/simpleanalytics-git-askpass.sh"
          cat > "$askpass" <<'EOF'
          #!/usr/bin/env bash
          case "$1" in
            *Username*) echo "x-access-token" ;;
            *Password*) echo "$READ_TOKEN" ;;
            *) echo "" ;;
          esac
          EOF
          chmod 700 "$askpass"
          export GIT_ASKPASS="$askpass"

          github_api_status() {
            local url="$1"
            local output="$2"

            curl --retry 2 --retry-delay 1 --connect-timeout 5 --max-time 20 --silent --show-error \
              --output "$output" \
              --write-out "%{http_code}" \
              --header "Authorization: Bearer $READ_TOKEN" \
              --header "Accept: application/vnd.github+json" \
              --header "X-GitHub-Api-Version: 2022-11-28" \
              "$url" || true
          }

          token_status="$(github_api_status "https://api.github.com/user" "$status_dir/token-user.json")"
          if [[ "$token_status" != "200" ]]; then
            message="SA_PAT_ADRIAAN_READ_REPOS is set, but GitHub rejected it or it is not authorized for API access (HTTP ${token_status:-000}). Continuing with current-repo context only. Update the secret from 1Password, authorize it for the Simple Analytics organization if SSO is required, and grant read access to repository contents."
            echo "::warning::$message"
            {
              echo "### Cross-repo context"
              echo "$message"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 0
          fi

          clone_concurrency="$CONTEXT_CLONE_CONCURRENCY"
          if ! [[ "$clone_concurrency" =~ ^[0-9]+$ ]] || [[ "$clone_concurrency" -lt 1 ]]; then
            clone_concurrency=8
          fi

          diagnose_repo_access() {
            local repo="$1"
            local safe_name="$2"
            local repo_status contents_status

            repo_status="$(github_api_status "https://api.github.com/repos/$repo" "$status_dir/$safe_name.repo.json")"

            case "$repo_status" in
              200)
                contents_status="$(github_api_status "https://api.github.com/repos/$repo/contents" "$status_dir/$safe_name.contents.json")"
                if [[ "$contents_status" == "200" ]]; then
                  echo "SA_PAT_ADRIAAN_READ_REPOS can read this repo via the API, but git clone failed. Confirm the token is authorized for SSO and that checkout credentials are not overriding the read token."
                else
                  echo "SA_PAT_ADRIAAN_READ_REPOS can see this repo, but cannot read repository contents via the API (HTTP ${contents_status:-000}). For a fine-grained PAT, add this repository and grant Contents: Read."
                fi
                ;;
              401)
                echo "SA_PAT_ADRIAAN_READ_REPOS was rejected by GitHub (HTTP 401). Update the secret from 1Password; the token is likely expired, revoked, or invalid."
                ;;
              403)
                echo "SA_PAT_ADRIAAN_READ_REPOS is forbidden from this repo (HTTP 403). Authorize the token for the Simple Analytics organization if SSO is required, add this repository to the token, and grant Contents: Read."
                ;;
              404)
                echo "SA_PAT_ADRIAAN_READ_REPOS cannot see this repo (HTTP 404). Add this repository to the token's selected repositories, grant Contents: Read, or verify the repo name still exists."
                ;;
              *)
                echo "Could not verify SA_PAT_ADRIAAN_READ_REPOS access for this repo via the GitHub API (HTTP ${repo_status:-000}). Check token validity, organization SSO authorization, and network/API availability."
                ;;
            esac
          }

          clone_repo() {
            local repo="$1"
            local safe_name="${repo//\//__}"
            local owner="${repo%%/*}"
            local name="${repo#*/}"
            local target="$context_dir/$owner/$name"
            local log_file="$status_dir/$safe_name.log"
            local diagnosis

            mkdir -p "$(dirname "$target")"

            if (
              cd "$RUNNER_TEMP"
              git -c "http.https://github.com/.extraheader=" -c credential.helper= clone --depth=1 --filter=blob:none "https://github.com/$repo.git" "$target"
            ) >"$log_file" 2>&1; then
              echo "$repo" > "$status_dir/$safe_name.ok"
              printf 'Cloned %s\n' "$repo"
            else
              diagnosis="$(diagnose_repo_access "$repo" "$safe_name")"
              printf '%s\t%s\n' "$repo" "$diagnosis" > "$status_dir/$safe_name.fail"
              cat "$log_file"
              echo "::warning::Could not clone $repo for Claude context. Continuing without it. $diagnosis"
              rm -rf "$target"
            fi
          }

          while IFS= read -r raw_repo; do
            repo="${raw_repo%%#*}"
            repo="$(printf '%s' "$repo" | xargs)"

            if [[ -z "$repo" || "$repo" == "$CURRENT_REPOSITORY" ]]; then
              continue
            fi

            clone_repo "$repo" &

            while [[ "$(jobs -rp | wc -l | xargs)" -ge "$clone_concurrency" ]]; do
              wait -n || true
            done
          done <<< "$CONTEXT_REPOSITORIES"

          wait || true

          cloned="$(find "$status_dir" -name '*.ok' -type f | wc -l | xargs)"
          failed="$(find "$status_dir" -name '*.fail' -type f | wc -l | xargs)"

          {
            echo "### Cross-repo context"
            echo "Cloned $cloned repositories into \`$context_dir\` with concurrency $clone_concurrency."
            if [[ "$failed" != "0" ]]; then
              echo ""
              echo "$failed repositories could not be cloned. The review continued without them."
              echo ""
              find "$status_dir" -name '*.fail' -type f | sort | while IFS=$'\t' read -r repo diagnosis; do
                echo "- \`$repo\`: $diagnosis"
              done
            fi
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Run Claude PR review
        id: claude
        uses: anthropics/claude-code-action@v1
        env:
          GH_TOKEN: ${{ github.token }}
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          track_progress: false
          use_sticky_comment: true
          include_fix_links: true
          allowed_bots: ${{ inputs.claude_allowed_bots }}
          additional_permissions: |
            actions: read
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}
            PR URL: ${{ github.event.pull_request.html_url }}
            INTERNAL APP: ${{ inputs.internal_app }}
            REVIEW MODE: ${{ steps.review_scope.outputs.mode }}
            REVIEW RANGE: ${{ steps.review_scope.outputs.diff_range }}
            FULL PR RANGE: ${{ steps.review_scope.outputs.full_pr_diff_range }}
            REVIEW SCOPE: ${{ steps.review_scope.outputs.scope_description }}
            LAST REVIEW: ${{ steps.review_scope.outputs.last_review_note }}
            CROSS-REPO CONTEXT DIR: ${{ steps.checkout_context.outputs.context_dir }}

            Review this pull request for security vulnerabilities, privacy risks, correctness bugs, data loss, runtime/deployment failures, and high-confidence regressions.

            Scope rules:
            - For full-pr mode, review the full PR diff.
            - For since-last-claude-review and since-last-claude-comment mode, focus findings on current PR changes that were not checked after the last trusted Claude review checkpoint.
            - REVIEW RANGE may include base branch update commits. Use FULL PR RANGE as the current pull request diff and do not report base-only branch update changes.
            - Do not report issues that already existed before the last trusted Claude review checkpoint unless they are critical, exploitable, or made materially worse by the new commits.
            - For SDLC label classification, consider the full pull request, not only the incremental range.
            - Use local git commands such as `git diff ${{ steps.review_scope.outputs.diff_range }}` and `git diff ${{ steps.review_scope.outputs.full_pr_diff_range }}` when helpful.
            - You may inspect read-only cross-repo context under `${{ steps.checkout_context.outputs.context_dir }}`. Do not edit files there.

            SDLC label rules:
            - Apply exactly one of these labels to PR #${{ github.event.pull_request.number }} using `gh issue edit`: `change: needs review` or `change: routine`.
            - Use `change: needs review` when the PR affects customer data, user data, security, privacy, permissions, billing, infrastructure, production behavior, deployment safety, system stability, or critical system functionality.
            - Use `change: routine` for internal tools or low-risk changes, such as design updates or content changes, that do not affect customer/user data, security, privacy, or critical functionality.
            - If INTERNAL APP is true and the PR does not touch customer/user data, security, privacy, or critical functionality, use `change: routine`.
            - If uncertain, use `change: needs review`.
            - Remove the label you did not choose if it is present.

            PR description rules:
            - If you choose `change: needs review`, update PR #${{ github.event.pull_request.number }} with the Simple Analytics PR template before finishing. Use `gh pr edit`.
            - Preserve useful existing body content, but replace generic placeholders.
            - Read the current PR description and commit messages before updating the body.
            - `Summary` must describe what changed and why in concrete terms. Keep manually written context concise; the workflow adds or refreshes a commit-message `Changes` list afterward.
            - `Security implications` must be exactly one of these forms:
              - `No security impact`
              - `Has security impact - described as: <specific impact>`
            - Use `No security impact` only when you are confident the PR does not affect security, privacy, permissions, customer/user data, billing, infrastructure, production behavior, system stability, or critical functionality.
            - `Testing` must include commands/checks you personally ran during this workflow and their result. If you did not run validation, write `Not run by Claude.` and preserve any useful existing testing notes.
            - Do not create or duplicate `Closes ...` issue references. The workflow normalizes a single linked issue reference after labels are finalized.

            Noise control:
            - Ignore style, naming, formatting, minor refactors, low-confidence concerns, and preference-only feedback.
            - Summarize minor observations in at most two sentences, only if useful.
            - Prefer no comment over a speculative comment.
            - Report at most three findings unless there is a critical security or data-loss risk.

            Fix behavior:
            - If a fix is small, obvious, and low-risk, apply it directly to the PR branch and explain the change briefly.
            - If a fix needs maintainer judgment, leave a concise finding with impact and the exact suggested fix.
            - When possible, use Claude Code Action fix links or GitHub suggested changes so a maintainer can apply the fix later.

            Output:
            - If there are no actionable issues and you did not change files, leave one short comment saying the checked scope is OK and include the SDLC label you chose.
            - If you changed files, keep the comment short and list the fix plus any validation you ran.
            - If validation fails or you cannot safely validate, say that plainly without long reasoning.
            - Do not create tracking issues. The workflow handles linked issue creation and final checklist enforcement after labels are finalized.

            Extra repository instructions:
            ${{ inputs.claude_extra_prompt }}
          claude_args: |
            --model ${{ inputs.claude_model }}
            --allowedTools "Read,Edit,MultiEdit,Write,Grep,Glob,LS,mcp__github_inline_comment__create_inline_comment,Bash(git diff:*),Bash(git status:*),Bash(git rev-parse:*),Bash(git log:*),Bash(git show:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr edit:*),Bash(gh issue edit:*),Bash(gh issue view:*),Bash(find:*),Bash(ls:*)"

      - name: Resolve reviewed HEAD
        id: reviewed_head
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      - name: Record Claude review checkpoint
        uses: actions/github-script@v9
        env:
          REVIEWED_HEAD_SHA: ${{ steps.reviewed_head.outputs.sha }}
          REVIEW_SCOPE_MODE: ${{ steps.review_scope.outputs.mode }}
          REVIEW_RANGE: ${{ steps.review_scope.outputs.diff_range }}
          FULL_PR_RANGE: ${{ steps.review_scope.outputs.full_pr_diff_range }}
        with:
          script: |
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const nameWithOwner = `${owner}/${repo}`;
            const issueNumber = context.payload.pull_request.number;
            const reviewedHeadSha = process.env.REVIEWED_HEAD_SHA;
            const trustedBotLogin = 'github-actions[bot]';
            const markerName = 'simpleanalytics-claude-pr-review-checkpoint';
            const standaloneName = 'simpleanalytics-claude-pr-review-checkpoint-comment';
            const markerPattern = /<!--\s*simpleanalytics-claude-pr-review-checkpoint\s*([\s\S]*?)\s*-->/;
            const markerGlobalPattern = /<!--\s*simpleanalytics-claude-pr-review-checkpoint\s*[\s\S]*?\s*-->/g;

            if (!/^[a-f0-9]{40}$/i.test(reviewedHeadSha || '')) {
              throw new Error(`Cannot record Claude review checkpoint; invalid reviewed head SHA: ${reviewedHeadSha}`);
            }

            const checkpoint = {
              version: 1,
              repository: nameWithOwner,
              pull_request: issueNumber,
              head_sha: reviewedHeadSha,
              base_sha: context.payload.pull_request.base.sha,
              review_mode: process.env.REVIEW_SCOPE_MODE,
              review_range: process.env.REVIEW_RANGE,
              full_pr_range: process.env.FULL_PR_RANGE,
              reviewed_at: new Date().toISOString(),
              workflow_run_id: String(context.runId),
              workflow_run_attempt: String(context.runAttempt),
            };

            const marker = [
              `<!-- ${markerName}`,
              JSON.stringify(checkpoint, null, 2),
              '-->',
            ].join('\n');

            function checkpointBody() {
              return [
                `<details><summary>Claude review checkpoint</summary>`,
                '',
                `Reviewed commit \`${reviewedHeadSha}\`. This is used to keep later automated reviews focused on changes Claude has not checked yet.`,
                '',
                `<!-- ${standaloneName} -->`,
                marker,
                '',
                '</details>',
              ].join('\n');
            }

            function withMarker(body) {
              if (markerPattern.test(body || '')) {
                return body.replace(markerGlobalPattern, marker);
              }

              return `${(body || '').trim()}\n\n${marker}`.trim();
            }

            const comments = await github.paginate(github.rest.issues.listComments, {
              owner,
              repo,
              issue_number: issueNumber,
              per_page: 100,
            });

            const ownBotComments = comments.filter((comment) => comment.user?.login === trustedBotLogin);
            const newestFirst = (left, right) => new Date(right.updated_at || right.created_at) - new Date(left.updated_at || left.created_at);
            const standaloneCheckpoint = ownBotComments
              .filter((comment) => (comment.body || '').includes(`<!-- ${standaloneName} -->`))
              .sort(newestFirst)[0];
            const markedComment = ownBotComments
              .filter((comment) => markerPattern.test(comment.body || ''))
              .sort(newestFirst)[0];
            const claudeComment = ownBotComments
              .filter((comment) => /\bclaude\b/i.test(comment.body || ''))
              .sort(newestFirst)[0];

            const target = standaloneCheckpoint || markedComment || claudeComment;
            if (target) {
              await github.rest.issues.updateComment({
                owner,
                repo,
                comment_id: target.id,
                body: standaloneCheckpoint ? checkpointBody() : withMarker(target.body || ''),
              });
              core.info(`Updated Claude review checkpoint in comment ${target.id}.`);
            } else {
              const { data: comment } = await github.rest.issues.createComment({
                owner,
                repo,
                issue_number: issueNumber,
                body: checkpointBody(),
              });
              core.info(`Created Claude review checkpoint comment ${comment.id}.`);
            }

      - name: Finalize SDLC label
        id: sdlc_label
        uses: actions/github-script@v9
        with:
          script: |
            const needsReview = 'change: needs review';
            const routine = 'change: routine';
            const issueNumber = context.payload.pull_request.number;

            const { data: issue } = await github.rest.issues.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: issueNumber,
            });

            const labels = issue.labels.map((label) => typeof label === 'string' ? label : label.name);
            const hasNeedsReview = labels.includes(needsReview);
            const hasRoutine = labels.includes(routine);
            let finalLabel;

            if (hasNeedsReview && hasRoutine) {
              await github.rest.issues.removeLabel({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: issueNumber,
                name: routine,
              }).catch((error) => {
                if (error.status !== 404) throw error;
              });
              finalLabel = needsReview;
              core.warning(`Both SDLC labels were present. Kept '${needsReview}' and removed '${routine}'.`);
            } else if (hasNeedsReview) {
              finalLabel = needsReview;
            } else if (hasRoutine) {
              finalLabel = routine;
            } else {
              await github.rest.issues.addLabels({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: issueNumber,
                labels: [needsReview],
              });
              finalLabel = needsReview;
              core.warning(`No SDLC label was present after Claude review. Added '${needsReview}'.`);
            }

            core.setOutput('label', finalLabel);
            core.setOutput('requires_review', String(finalLabel === needsReview));

      - name: Enforce review-required PR template
        if: ${{ steps.sdlc_label.outputs.requires_review == 'true' }}
        uses: actions/github-script@v9
        with:
          script: |
            const needsReview = 'change: needs review';
            const eventPullRequest = context.payload.pull_request;
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const prNumber = eventPullRequest.number;
            const nameWithOwner = `${owner}/${repo}`;
            const changeSummaryStart = '<!-- simpleanalytics:changes-start -->';
            const changeSummaryEnd = '<!-- simpleanalytics:changes-end -->';

            const { data: pullRequest } = await github.rest.pulls.get({
              owner,
              repo,
              pull_number: prNumber,
            });

            async function closingIssueRefsFromGraphql() {
              try {
                const result = await github.graphql(`
                  query($owner: String!, $repo: String!, $number: Int!) {
                    repository(owner: $owner, name: $repo) {
                      pullRequest(number: $number) {
                        closingIssuesReferences(first: 20) {
                          nodes {
                            number
                            url
                            repository {
                              nameWithOwner
                            }
                          }
                        }
                      }
                    }
                  }
                `, { owner, repo, number: prNumber });

                return result.repository.pullRequest.closingIssuesReferences.nodes.map((issue) => ({
                  ref: issue.repository.nameWithOwner === nameWithOwner ? `#${issue.number}` : `${issue.repository.nameWithOwner}#${issue.number}`,
                  url: issue.url,
                }));
              } catch (error) {
                core.warning(`Could not read closingIssuesReferences via GraphQL: ${error.message}`);
                return [];
              }
            }

            function closingIssueRefsFromBody(body) {
              const refs = [];
              const pattern = /\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\s+((?:[\w.-]+\/[\w.-]+)?#\d+)/gi;
              let match;

              while ((match = pattern.exec(body || '')) !== null) {
                refs.push({ ref: match[1], url: '' });
              }

              return refs;
            }

            function uniqueRefs(refs) {
              const seen = new Set();
              return refs.filter((item) => {
                if (!item.ref || seen.has(item.ref)) return false;
                seen.add(item.ref);
                return true;
              });
            }

            function escapeRegExp(value) {
              return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
            }

            function extractSection(body, title) {
              const escapedTitle = escapeRegExp(title);
              const expression = new RegExp(`(?:^|\\n)##\\s+${escapedTitle}\\s*\\n([\\s\\S]*?)(?=\\n##\\s+|$)`, 'i');
              const match = expression.exec(body || '');
              return match ? match[1].trim() : '';
            }

            function checked(existingChecklist, label) {
              const expression = new RegExp(`-\\s*\\[[xX]\\]\\s*${escapeRegExp(label)}`, 'i');
              return expression.test(existingChecklist || '');
            }

            function stripGeneratedChangeSummary(value) {
              const expression = new RegExp(`${escapeRegExp(changeSummaryStart)}[\\s\\S]*?${escapeRegExp(changeSummaryEnd)}`, 'g');
              return (value || '').replace(expression, '').trim();
            }

            function cleanSummaryText(value) {
              return stripGeneratedChangeSummary(value)
                .replace(/^\s*(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\s+((?:[\w.-]+\/[\w.-]+)?#\d+)\s*$/gim, '')
                .replace(/^\s*No linked issue was created automatically\.\s*$/gim, '')
                .replace(/\bDescribe the change\.\s*/gi, '')
                .trim();
            }

            function visibleMarkdown(value) {
              return (value || '').replace(/<!--[\s\S]*?-->/g, '').trim();
            }

            function compactWhitespace(value) {
              return (value || '').replace(/\s+/g, ' ').trim();
            }

            function truncate(value, maxLength) {
              const text = compactWhitespace(value);
              if (text.length <= maxLength) return text;
              return `${text.slice(0, Math.max(0, maxLength - 1)).trimEnd()}...`;
            }

            function firstBodyParagraph(message) {
              return (message || '')
                .split(/\r?\n\r?\n/)
                .map((paragraph) => paragraph
                  .split(/\r?\n/)
                  .map((line) => line.trim())
                  .filter((line) =>
                    line &&
                    !/^Signed-off-by:/i.test(line) &&
                    !/^Co-authored-by:/i.test(line)
                  )
                  .join(' ')
                )
                .find(Boolean) || '';
            }

            function parseCommitMessage(message) {
              const lines = (message || '').split(/\r?\n/);
              const subject = compactWhitespace(lines.shift() || '');
              const body = lines.join('\n').trim();
              return {
                subject,
                reason: firstBodyParagraph(body),
              };
            }

            function isBranchUpdateCommit(subject) {
              return /^(merge (branch|remote-tracking branch|pull request)|update branch|sync (main|master)|chore:?\s*(merge|sync)\b)/i.test(subject || '');
            }

            async function buildCommitChangeSummary() {
              try {
                const commits = await github.paginate(github.rest.pulls.listCommits, {
                  owner,
                  repo,
                  pull_number: prNumber,
                  per_page: 100,
                });

                const parsedCommits = commits
                  .map((commit) => parseCommitMessage(commit.commit?.message || ''))
                  .filter((commit) => commit.subject);
                const reviewCommits = parsedCommits.filter((commit) => !isBranchUpdateCommit(commit.subject));
                const sourceCommits = reviewCommits.length ? reviewCommits : parsedCommits;
                const selectedCommits = sourceCommits.slice(-6);
                const omittedCount = sourceCommits.length - selectedCommits.length;

                if (!selectedCommits.length) return '';

                const bullets = selectedCommits.map((commit) => {
                  const subject = truncate(commit.subject, 140);
                  const reason = truncate(commit.reason, 180);
                  return reason ? `- ${subject} - ${reason}` : `- ${subject}`;
                });

                if (omittedCount > 0) {
                  bullets.push(`- ...and ${omittedCount} earlier commit(s).`);
                }

                return [
                  changeSummaryStart,
                  'Changes:',
                  ...bullets,
                  changeSummaryEnd,
                ].join('\n');
              } catch (error) {
                core.warning(`Could not build commit-based PR summary: ${error.message}`);
                return '';
              }
            }

            async function buildFallbackSummary() {
              const cleanedBody = cleanSummaryText(currentBody);
              if (cleanedBody) return cleanedBody;

              try {
                const files = await github.paginate(github.rest.pulls.listFiles, {
                  owner,
                  repo,
                  pull_number: prNumber,
                  per_page: 100,
                });
                const paths = files.slice(0, 8).map((file) => `- \`${file.filename}\``);
                const omitted = files.length > paths.length ? `\n- ...and ${files.length - paths.length} more file(s)` : '';

                return [
                  pullRequest.title,
                  '',
                  'Changed files:',
                  ...paths,
                  omitted,
                ].filter(Boolean).join('\n');
              } catch (error) {
                core.warning(`Could not list PR files for fallback summary: ${error.message}`);
                return pullRequest.title;
              }
            }

            function fallbackSecurityImplications() {
              return 'Has security impact - described as: This PR is labeled `change: needs review`, but Claude did not provide specific security implications. Reviewers should confirm the actual impact on security, privacy, customer/user data, system stability, or critical functionality.';
            }

            function normalizeSecurityImplications(value) {
              const raw = (value || '').trim();
              if (!raw) return fallbackSecurityImplications();

              const lines = raw.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
              const checkedNoImpact = lines.some((line) => /^-\s*\[[xX]\]\s*No security impact\.?$/i.test(line));
              const checkedImpact = lines
                .map((line) => line.match(/^-\s*\[[xX]\]\s*Has security impact - described as:\s*(.+)$/i))
                .find(Boolean);

              if (checkedImpact?.[1]?.trim()) {
                return `Has security impact - described as: ${checkedImpact[1].trim()}`;
              }

              if (checkedNoImpact && !checkedImpact) return 'No security impact';
              if (/^No security impact\.?$/i.test(raw)) return 'No security impact';

              const impact = raw.match(/^Has security impact - described as:\s*([\s\S]+)$/i);
              if (impact?.[1]?.trim()) {
                return `Has security impact - described as: ${impact[1].trim()}`;
              }

              const withoutCheckboxes = raw.replace(/^-\s*\[[ xX]\]\s*/gm, '').trim();
              const isPlaceholder = (
                !withoutCheckboxes ||
                /^Has security impact - described as:\s*$/i.test(withoutCheckboxes) ||
                (/No security impact/i.test(withoutCheckboxes) && /Has security impact - described as:\s*$/i.test(withoutCheckboxes))
              );
              if (isPlaceholder) return fallbackSecurityImplications();

              return `Has security impact - described as: ${raw}`;
            }

            function normalizeTesting(value) {
              const raw = (value || '').trim();
              if (!raw || /^Describe how this was tested\.?$/i.test(raw)) {
                return 'Not run by Claude.';
              }

              return raw;
            }

            function testingWasFilled(value) {
              const raw = (value || '').trim();
              return Boolean(raw && !/^Not run by Claude\.?$/i.test(raw) && !/^Describe how this was tested\.?$/i.test(raw));
            }

            function buildIssueContent(problemSummary) {
              const title = `Track: ${pullRequest.title}`;
              const body = [
                '## Problem',
                '',
                problemSummary || pullRequest.title,
                '',
                '## Pull request',
                '',
                `- Repository: ${nameWithOwner}`,
                `- Pull request: ${pullRequest.html_url}`,
                `- Author: @${pullRequest.user.login}`,
                `- SDLC label: \`${needsReview}\``,
                '',
                '## Fix',
                '',
                'This pull request is expected to address the problem above. Review the linked PR for the exact implementation, validation, and approval discussion.',
              ].join('\n');

              return { title, body };
            }

            async function createTrackingIssue(targetOwner, targetRepo, issueContent) {
              const { data: issue } = await github.rest.issues.create({
                owner: targetOwner,
                repo: targetRepo,
                title: issueContent.title,
                body: issueContent.body,
              });

              return {
                ref: `${targetOwner}/${targetRepo}` === nameWithOwner ? `#${issue.number}` : `${targetOwner}/${targetRepo}#${issue.number}`,
                url: issue.html_url,
              };
            }

            const currentBody = pullRequest.body || '';
            const existingSummary = extractSection(currentBody, 'Summary');
            const existingSecurity = extractSection(currentBody, 'Security implications');
            const existingTesting = extractSection(currentBody, 'Testing');
            const existingChecklist = extractSection(currentBody, 'Checklist');
            const manualSummary = cleanSummaryText(existingSummary);
            const fallbackSummary = manualSummary ? '' : await buildFallbackSummary();
            const commitChangeSummary = await buildCommitChangeSummary();
            const summary = [
              manualSummary || fallbackSummary,
              commitChangeSummary,
            ].filter(Boolean).join('\n\n').trim();
            const issueContent = buildIssueContent(visibleMarkdown(summary));
            const linkedIssues = uniqueRefs([
              ...(await closingIssueRefsFromGraphql()),
              ...closingIssueRefsFromBody(currentBody),
            ]);

            let issueRef = linkedIssues[0]?.ref || '';

            if (!issueRef) {
              const targets = [
                { owner: 'simpleanalytics', repo: 'dashboard' },
                { owner, repo },
              ].filter((target, index, targets) =>
                targets.findIndex((item) => item.owner === target.owner && item.repo === target.repo) === index
              );

              const failures = [];
              for (const target of targets) {
                try {
                  const createdIssue = await createTrackingIssue(target.owner, target.repo, issueContent);
                  issueRef = createdIssue.ref;
                  core.info(`Created review tracking issue ${createdIssue.ref}: ${createdIssue.url}`);
                  break;
                } catch (error) {
                  failures.push(`${target.owner}/${target.repo}: ${error.message}`);
                  core.warning(`Could not create review tracking issue in ${target.owner}/${target.repo}: ${error.message}`);
                }
              }

              if (!issueRef) {
                const suggestedIssue = `# ${issueContent.title}\n\n${issueContent.body}`;
                const comment = [
                  'Could not create a linked tracking issue automatically. Continuing without a linked issue.',
                  '',
                  `<details><summary>Suggested issue content</summary>`,
                  '',
                  '```markdown',
                  suggestedIssue.replace(/```/g, "'''"),
                  '```',
                  '',
                  '</details>',
                  '',
                  `Issue creation failures: ${failures.join('; ')}`,
                ].join('\n');

                try {
                  await github.rest.issues.createComment({
                    owner,
                    repo,
                    issue_number: prNumber,
                    body: comment,
                  });
                } catch (error) {
                  core.warning(`Could not add suggested issue content as a PR comment: ${error.message}`);
                }

                core.warning(`Could not create a linked review tracking issue. Continuing without issue reference. Failures: ${failures.join('; ')}`);
              }
            }

            const security = normalizeSecurityImplications(existingSecurity);
            const testing = normalizeTesting(existingTesting);
            const tested = checked(existingChecklist, 'Tested') || testingWasFilled(testing) ? 'x' : ' ';
            const askedForReview = checked(existingChecklist, 'Asked for a review') ? 'x' : ' ';
            const closingLine = issueRef ? `Closes ${issueRef}` : 'No linked issue was created automatically.';
            const linkedIssueCheck = issueRef ? 'x' : ' ';

            const nextBody = [
              '## Summary',
              '',
              closingLine,
              '',
              summary,
              '',
              '## Security implications',
              '',
              security,
              '',
              '## Testing',
              '',
              testing,
              '',
              '## Checklist',
              '',
              `- [${linkedIssueCheck}] Linked to an issue`,
              `- [${tested}] Tested`,
              `- [${askedForReview}] Asked for a review`,
              '',
            ].join('\n');

            if (nextBody.trim() !== currentBody.trim()) {
              await github.rest.pulls.update({
                owner,
                repo,
                pull_number: prNumber,
                body: nextBody,
              });
              core.info(`Updated PR body with the Simple Analytics PR template and issue reference ${issueRef}.`);
            } else {
              core.info('PR body already matches the Simple Analytics PR template.');
            }