Skip to content

ci: advisory AI failure-investigation workflow (optional, needs ANTHROPIC_API_KEY)#1351

Open
SharedQA wants to merge 8 commits into
constructorfabric:mainfrom
SharedQA:claude/ai-investigate-failure
Open

ci: advisory AI failure-investigation workflow (optional, needs ANTHROPIC_API_KEY)#1351
SharedQA wants to merge 8 commits into
constructorfabric:mainfrom
SharedQA:claude/ai-investigate-failure

Conversation

@SharedQA

@SharedQA SharedQA commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Split out of #1317 so the key/funding decision doesn't hold up the real gates.

What it is: advisory only — on a same-repo CI gate failure it reads the logs + co-located specs and posts a root-cause comment on the PR. Never a merge gate. Forks can't trigger it (secret-exfiltration guard). Capped at --max-turns 30 / 15 min.

What it needs: an Anthropic API key (console.anthropic.com) as the ANTHROPIC_API_KEY Actions secret (repo or org-level). Billed as metered API usage to whichever Anthropic org owns the key; small since it only runs on failures.

Parked as draft until Constructor decides whether to fund/use it. None of the real quality gates depend on this. Can add a skip-guard so it cleanly no-ops when the secret is unset — say the word.

Summary by CodeRabbit

  • New Features
    • Introduced an AI-powered workflow that automatically investigates failed mandatory CI/CD workflows. When failures occur, it collects failure logs and posts results as a single PR comment (or opens a “CI failure investigation” issue if no PR exists), helping teams diagnose issues faster.

Split out of constructorfabric#1317 so the ANTHROPIC_API_KEY funding/ownership decision doesn't
block the real quality gates. This workflow is advisory only (never a merge
gate): on a same-repo gate failure it reads the logs + co-located specs and
posts a root-cause comment. Needs an Anthropic API key as the ANTHROPIC_API_KEY
Actions secret; until that's set (and funded), this PR stays parked.

Signed-off-by: Kenan Salim <kenan.salim@rolos.com>
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 92c82cf5-bdf9-4644-8883-dd9903d0c71d

📥 Commits

Reviewing files that changed from the base of the PR and between 8451483 and 767a3e1.

📒 Files selected for processing (1)
  • .github/workflows/ai-investigate.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ai-investigate.yml

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file is added that listens for the completion of specified gate workflows with a failure conclusion. It gates execution to the same repository to prevent fork-based secret exfiltration, conditionally skips when ANTHROPIC_API_KEY is absent, collects failed job logs and metadata via the gh CLI, then invokes anthropics/claude-code-action@v1 to post a root-cause analysis as a PR comment or issue.

Changes

AI Failure Investigation Workflow

Layer / File(s) Summary
Trigger wiring and fork-safety guard
.github/workflows/ai-investigate.yml
Defines workflow_run triggers on configured gate workflows with failure conclusion, guards execution to the same repository to prevent fork secret exposure, establishes minimal read-only workflow permissions, and gates AI execution via environment variable based on ANTHROPIC_API_KEY presence.
Failed job log and metadata collection
.github/workflows/ai-investigate.yml
Checks out the failing commit SHA and collects failed job logs from the workflow run using gh run view, storing them in /tmp/failure/failed-jobs.log with best-effort fallback; writes workflow name, branch, and commit metadata to /tmp/failure/meta.txt for Claude context.
Claude code action invocation and result posting
.github/workflows/ai-investigate.yml
Invokes anthropics/claude-code-action@v1 with a detailed root-cause investigation prompt instructing Claude to reference co-located code, design docs, and schemas; configures tool restrictions and turn limits; orchestrates posting of exactly one PR comment via gh pr comment or opening a "CI failure investigation" issue when no PR exists.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A workflow awakes when the red lights appear,
It gathers the logs and the clues far and near,
🐇 "No fork shall steal secrets!" the rabbit declares,
Then Claude reads the code with the greatest of cares,
A comment is posted — root cause crystal clear! 🔍

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding an optional AI failure-investigation workflow that requires ANTHROPIC_API_KEY, matching the changeset's new GitHub Actions workflow file.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment thread .github/workflows/ai-investigate.yml

@cyberantonz cyberantonz left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need work

SharedQA and others added 2 commits June 16, 2026 14:22
Review feedback on constructorfabric#1351 (cyberantonz): if the secret is not present the
action would error. Gate the work on the key:
- job-level env HAS_ANTHROPIC_KEY = (secrets.ANTHROPIC_API_KEY != '')
- "Collect failing job logs" and "AI investigation" steps run only when the
  key is set; otherwise a note step logs the skip and the job passes.
The workflow is advisory and never a gate, so a missing key must not fail CI.

Signed-off-by: Kenan Salim <kenan.salim@rolos.com>
@SharedQA SharedQA marked this pull request as ready for review June 23, 2026 06:38
@SharedQA SharedQA requested a review from a team as a code owner June 23, 2026 06:38

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ai-investigate.yml (2)

84-88: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Unpinned action reference conflicts with the repo's hash-pin policy. zizmor flags anthropics/claude-code-action@v1 as unpinned; actions/checkout on Line 50 is correctly pinned to a SHA. The inline rationale (moving tag for security fixes) is reasonable, but to satisfy the blanket policy consider pinning to a commit SHA with the # v1.x comment and relying on Dependabot/Renovate to bump it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-investigate.yml around lines 84 - 88, The
anthropics/claude-code-action@v1 reference uses a moving tag instead of a pinned
commit SHA, which conflicts with the repository's hash-pin policy for actions.
Replace the `@v1` tag with a specific commit SHA (following the pattern used by
actions/checkout elsewhere in the workflow) and add an inline comment like #
v1.x to document which version the SHA corresponds to. This allows Dependabot or
similar tools to manage updates while maintaining the security benefit of pinned
references.

Source: Linters/SAST tools


72-75: 🩺 Stability & Availability | 🔵 Trivial | 💤 Low value

Log-collection fallback can fail the step under pipefail. With set -euo pipefail, if the fallback gh run view ... --log exits non-zero, the | tail -800 pipeline returns failure and set -e aborts the step, which (via implicit success()) skips the AI step entirely. For an advisory workflow you likely want best-effort collection.

🩹 Make log collection best-effort
           gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" \
             --log-failed > /tmp/failure/failed-jobs.log 2>/dev/null || \
             gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --log 2>/dev/null \
-            | tail -800 > /tmp/failure/failed-jobs.log
+            | tail -800 > /tmp/failure/failed-jobs.log || \
+            echo "log collection failed" > /tmp/failure/failed-jobs.log
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-investigate.yml around lines 72 - 75, The log
collection fallback starting with the `gh run view` command with `--log-failed`
flag can cause the entire step to fail under `pipefail` if the fallback command
exits non-zero. Since this is a best-effort log collection for an advisory
workflow, make the log collection command non-fatal by adding appropriate error
handling (such as appending `|| true`) to the end of the entire fallback
sequence so that failure to collect logs does not abort the step and prevent the
AI investigation from proceeding.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ai-investigate.yml:
- Around line 36-53: The ANTHROPIC_API_KEY secret could be exposed to Bash
subprocesses when passed to the anthropics/claude-code-action action without
environment scrubbing. Add CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: '1' to the
job-level env section (alongside the existing HAS_ANTHROPIC_KEY environment
variable) to enable best-effort removal of the API key from subprocess
environments spawned by the Bash tool, mitigating the risk of credential
exfiltration from a same-repo compromised branch.

---

Nitpick comments:
In @.github/workflows/ai-investigate.yml:
- Around line 84-88: The anthropics/claude-code-action@v1 reference uses a
moving tag instead of a pinned commit SHA, which conflicts with the repository's
hash-pin policy for actions. Replace the `@v1` tag with a specific commit SHA
(following the pattern used by actions/checkout elsewhere in the workflow) and
add an inline comment like # v1.x to document which version the SHA corresponds
to. This allows Dependabot or similar tools to manage updates while maintaining
the security benefit of pinned references.
- Around line 72-75: The log collection fallback starting with the `gh run view`
command with `--log-failed` flag can cause the entire step to fail under
`pipefail` if the fallback command exits non-zero. Since this is a best-effort
log collection for an advisory workflow, make the log collection command
non-fatal by adding appropriate error handling (such as appending `|| true`) to
the end of the entire fallback sequence so that failure to collect logs does not
abort the step and prevent the AI investigation from proceeding.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f3d2809f-5d72-4288-b9f4-ccb816c457a5

📥 Commits

Reviewing files that changed from the base of the PR and between e2c0388 and 8451483.

📒 Files selected for processing (1)
  • .github/workflows/ai-investigate.yml

Comment thread .github/workflows/ai-investigate.yml
SharedQA added 4 commits June 23, 2026 12:19
…on, best-effort logs

Address review on constructorfabric#1351:
- Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 so claude-code-action's Bash tool
  can't leak ANTHROPIC_API_KEY to subprocesses (defense-in-depth on the
  same-repo path; forks are already gated).
- SHA-pin anthropics/claude-code-action to the v1 commit per the repo's
  hash-pin policy (matches actions/checkout), '# v1' for Dependabot bumps.
- Make failing-log collection best-effort so a non-zero gh call can't abort
  this advisory job under 'set -euo pipefail' (which would skip the AI step).

Signed-off-by: SharedQA <122366558+SharedQA@users.noreply.github.com>
…ands

Public-repo hardening. The agent runs with an API key on CI failures, so a
prompt-injection planted in the failing logs/code could abuse a general shell
to exfiltrate ANTHROPIC_API_KEY. Replace '--allowedTools Bash' with read tools
(Read/Grep/Glob) plus only the commands the prompt actually needs:
  Bash(git log:*), Bash(gh pr list|view|comment:*), Bash(gh issue create|list:*)
No arbitrary shell. Layered with CLAUDE_CODE_SUBPROCESS_ENV_SCRUB + same-repo gate.

Signed-off-by: SharedQA <122366558+SharedQA@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants