今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#githubaction

找到 23 篇相关文章

AI 资讯

You're Not Doing GitOps (You're Doing CI/CD With Extra Steps)

The Uncomfortable Truth Here's a test: when your deployment fails in production, what happens to your main branch? If the answer is "the broken code is already merged" — congratulations, you're doing CI/CD with a Git trigger. That's not GitOps. It's a pipeline that happens to watch a branch. I've spent years building platform engineering systems at enterprise scale — identity management frameworks, infrastructure-as-code pipelines, AI agent platforms that manage operational code. And I keep seeing the same mistake: teams adopt "GitOps" by adding a deployment step after merge, then wonder why they get drift. True GitOps has one non-negotiable rule: main always equals production. If a deployment fails, main doesn't change. Period. This isn't just my opinion — it's the logical extension of OpenGitOps principles : declarative desired state, versioned in Git, automatically reconciled. The enforcement mechanism I'm describing is how you make those principles real rather than aspirational. The Anti-Pattern Everyone Runs The most common "GitOps" setup I see in enterprise teams looks like this: Developer opens PR CI runs tests Reviewer approves PR merges to main Deployment triggers from main ❌ Deployment fails main now contains code that isn't in production This is merge-then-deploy . It's standard CI/CD with extra steps. The moment you merge before confirming a successful deployment, you've broken the core GitOps contract: Git as the single source of truth for what's actually running. The result? Drift. Stale state in main . A branch that lies about what's deployed. Every subsequent PR is now based on a broken foundation. The Enforcement Pattern: Deploy Before Merge The fix isn't philosophical — it's mechanical. GitHub's Merge Queue gives you exactly the right primitive: Developer opens PR CI runs tests (standard checks) Reviewer approves → PR enters the merge queue Merge queue trigger runs a dry-run deployment against the target environment If dry-run passes → queue trigge

2026-06-06 原文 →
AI 资讯

Running Claude in CI: A GitHub Actions + Claude Code SDK Auto-PR-Reviewer That Costs $0.03 per Review

⚠️ この記事はアフィリエイト広告(プロモーション)を含みます。リンク先で発生した収益の一部が運営者に支払われますが、読者の購入価格には一切影響ありません。 By the end of this article you will have a GitHub Actions workflow that, on every pull_request , runs the Claude Code SDK headlessly, reads only the diff, and posts inline review comments via the GitHub API. I'll show the exact YAML and Python that run in my own repos, the token math that keeps each review at roughly $0.03, and the three failures that cost me a weekend before it worked. Why I stopped piping the full repo into Claude on GitHub Actions My first version did the obvious thing: clone the repo, concatenate every changed file in full, and ask Claude to "review this PR." It worked on toy PRs and exploded on real ones. A 9-file refactor sent ~48,000 input tokens and the review drifted into commentary about code the PR didn't touch. The fix that changed the economics: feed Claude the unified diff with 3 lines of context , not the files. A git diff against the merge base is typically 5–15x smaller than the files it touches. On claude-haiku-4-5 , a median PR in my projects now costs about $0.028 per review (measured across 60 PRs: 4,100 input tokens + 900 output tokens average). The expensive version was hitting $0.40+ on Sonnet because file context dominated. The other lesson: the diff alone is not enough context to judge correctness, but it is enough to catch the 80% of review nits that humans waste time on — unhandled errors, missing null checks, off-by-one, leftover debug prints, secrets in code. So I scoped the prompt to exactly that, and told it to stay silent when unsure. Silence is a feature; a reviewer that comments on everything gets muted by the team within a week. The GitHub Actions workflow YAML that triggers Claude on pull_request This is the full .github/workflows/claude-review.yml . It runs on every PR, restores a uv-cached venv, and calls a Python entrypoint. Note the permissions block — without pull-requests: write the comment-posting step fails with a 403 that GitH

2026-06-02 原文 →