
HYPERFLEET-1030: add GitHub Actions workflow for daily /open-prs #43

Open
rafabene wants to merge 1 commit into
openshift-hyperfleet:mainfrom
rafabene:HYPERFLEET-1030-open-prs-digest-workflow

Conversation

@rafabene
Contributor

@rafabene rafabene commented Jun 1, 2026

Summary

  • Adds .github/workflows/open-prs-digest.yml — runs /open-prs --slack every weekday at 9am UTC via claude-code-action@v1 with Vertex AI, posts prioritized PR queue to Slack
  • Adds .github/workflows/README.md — setup guide with secrets, GCP service account, GitHub PAT, Slack webhooks, and troubleshooting

Prerequisites

All required secrets have been configured in the repo:

  • GCP_SA_KEY — GCP service account key (from openshift-ci-github-action SA)
  • ANTHROPIC_VERTEX_PROJECT_ID — itpc-gcp-hcm-pe-eng-claude
  • GH_TOKEN_ORG_READ — GitHub fine-grained PAT with repo read access across openshift-hyperfleet
  • JIRA_API_TOKEN — JIRA Personal Access Token
  • JIRA_AUTH_LOGIN — JIRA account email
  • SLACK_WEBHOOK_URL — Team channel webhook
  • SLACK_WEBHOOK_URL_ERRORS — Personal error notification webhook

Test plan

  • Merge PR so workflow_dispatch is available in the Actions tab
  • Trigger manually via workflow_dispatch
  • Verify Slack message renders correctly with tiered PR list
  • Verify error notification posts to personal webhook on deliberate failure

@openshift-ci openshift-ci Bot requested review from ciaranRoche and rh-amarin June 1, 2026 21:35
@openshift-ci

openshift-ci Bot commented Jun 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mischulee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between da6dfad and 7b696b9.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/open-prs-digest.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/open-prs-digest.yml

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added an automated weekday PR digest (with manual run) that generates formatted PR summaries and posts them to Slack; failures are sent to a separate error webhook.
  • Documentation

    • Expanded setup and troubleshooting: prerequisites, list of required repo secrets, manual-run instructions, and guidance for common failure scenarios (auth, API, and webhook errors).

Walkthrough

This PR adds a new GitHub Actions workflow (open-prs-digest.yml) and updates the workflows README. The workflow runs on weekdays and via manual dispatch, checks out the repo, installs/configures jira-cli, authenticates to GCP with a service account key, runs anthropics/claude-code-action against Vertex to generate a Slack-formatted /open-prs digest, validates and posts the output to a Slack webhook, and posts an error message to a separate Slack webhook on failure.

Sequence Diagram(s)

sequenceDiagram
  participant Scheduler as GitHub Actions (cron/dispatch)
  participant Runner as Job Runner
  participant JiraCli as jira-cli
  participant GCP as Vertex AI (GCP)
  participant Claude as anthropics/claude-code-action
  participant Slack as Slack Incoming Webhook
  participant ErrorSlack as Slack Error Webhook

  Scheduler->>Runner: start workflow (checkout)
  Runner->>JiraCli: install & write config (JIRA_AUTH_LOGIN, JIRA_API_TOKEN)
  Runner->>GCP: authenticate (GCP_SA_KEY)
  Runner->>Claude: invoke /open-prs (Vertex enabled)
  Claude->>GCP: execute model
  Claude->>Runner: write output file with mrkdwn
  Runner->>Slack: POST mrkdwn to SLACK_WEBHOOK_URL
  Slack-->>Runner: HTTP 200 / non-200
  alt on workflow failure
    Runner->>ErrorSlack: POST error message with UTC timestamp and run URL
    ErrorSlack-->>Runner: HTTP 200 / non-200
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
  • Title check: Passed. Title directly references the ticket (HYPERFLEET-1030) and clearly summarizes the main change: adding a GitHub Actions workflow for daily /open-prs execution.
  • Description check: Passed. Description is well-structured with summary, prerequisites, and test plan; it directly relates to the changeset (new workflow + documentation files).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Sec-02: Secrets In Log Output: Passed. All log statements (7 echo/printf calls) output only non-sensitive data: static messages, HTTP status codes, timestamps, and public workflow URLs. Secrets are never interpolated into logs.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (2)
.github/workflows/open-prs-digest.yml (2)

18-35: ⚡ Quick win

Harden the jira-cli download. The curl | tar pipe has no pipefail, and curl lacks --fail, so a 404/HTML error page is piped to tar and the real failure can be masked. The sed substitution also breaks if JIRA_AUTH_LOGIN ever contains / or &.

♻️ Suggested change
       - name: Install and configure jira-cli
         run: |
+          set -euo pipefail
           JIRA_CLI_VERSION="1.5.2"
-          curl -sL "https://github.com/ankitpokhrel/jira-cli/releases/download/v${JIRA_CLI_VERSION}/jira_${JIRA_CLI_VERSION}_linux_x86_64.tar.gz" \
+          curl -sSfL "https://github.com/ankitpokhrel/jira-cli/releases/download/v${JIRA_CLI_VERSION}/jira_${JIRA_CLI_VERSION}_linux_x86_64.tar.gz" \
             | tar xz -C /usr/local/bin --strip-components=1 "jira_${JIRA_CLI_VERSION}_linux_x86_64/bin/jira"
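Review bot: the added `set -euo pipefail` only takes effect if this step actually runs under bash; GitHub-hosted runners default an unspecified `run:` step to `bash -e {0}` without pipefail, and `set -o pipefail` is an error under plain `sh`, so declare `shell: bash` on the step (an explicit `shell: bash` already runs `bash --noprofile --norc -eo pipefail`). Two things the hunk leaves open: the tar member `jira_${JIRA_CLI_VERSION}_linux_x86_64/bin/jira` has two leading path components, so `--strip-components=1` would place the binary at `/usr/local/bin/bin/jira` rather than `/usr/local/bin/jira`; confirm the archive layout with `tar tzf` and adjust the strip count. The `sed`-based login substitution flagged in the comment is not touched by this diff, and since the release version is pinned, the download is a good place to verify the published checksum before extracting.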

For the login, prefer injecting via the heredoc/env over sed to avoid metacharacter issues.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/open-prs-digest.yml around lines 18 - 35, The download
pipeline is fragile: add shell safety and fail-fast to the curl|tar sequence by
enabling pipefail and using curl --fail -sL so HTTP errors don't get piped into
tar (apply around the JIRA_CLI_VERSION curl | tar command), and avoid sed-based
token replacement for the login by emitting the login value directly into the
heredoc (use the existing ~/.config/.jira/.config.yml heredoc and inject
JIRA_AUTH_LOGIN via the environment/heredoc instead of running sed on the file)
to prevent breaking on metacharacters like / or &.

39-42: Consider Workload Identity Federation over a long-lived SA key. GCP_SA_KEY is a long-lived JSON credential stored as a secret — higher blast radius and requires manual rotation. google-github-actions/auth@v2 supports keyless WIF via OIDC, which removes the exported key file entirely. Not blocking, but it's the recommended posture.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/open-prs-digest.yml around lines 39 - 42, The workflow
currently uses a long-lived JSON key via the "Authenticate to GCP" step which
passes secrets.GCP_SA_KEY to google-github-actions/auth@v2; replace this with
Workload Identity Federation (OIDC) by removing credentials_json usage and
configuring the action to use the workload_identity_provider and service_account
inputs instead. Set up a GCP Workload Identity Pool and Provider, grant the
GitHub OIDC provider permission to impersonate the target service account, then
update the workflow's "Authenticate to GCP" step to reference the created
workload_identity_provider and service_account (and remove the GCP_SA_KEY
secret), ensuring the service account has the minimal IAM roles required for the
job.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/open-prs-digest.yml:
- Around line 44-60: The Vertex execution step using
anthropics/claude-code-action with use_vertex: "true" sets
ANTHROPIC_VERTEX_PROJECT_ID but omits the required region, so add a
CLOUD_ML_REGION environment variable (and any model-specific VERTEX_REGION_* if
required) to the claude step’s env block to ensure the Vertex client is created
with an explicit region; update the step that references
anthropics/claude-code-action, use_vertex, and ANTHROPIC_VERTEX_PROJECT_ID to
include CLOUD_ML_REGION (and VERTEX_REGION_* as needed).
- Around line 62-78: The workflow is posting the raw Claude execution_file
instead of the assistant's mrkdwn message; update the Post to Slack step to read
the execution file path and Slack webhook via env (use env: OUTPUT_FILE="${{
steps.claude.outputs.execution_file }}" and SLACK_WEBHOOK_URL="${{
secrets.SLACK_WEBHOOK_URL }}"), then parse the JSON execution file to extract
the final assistant message text/markdown (use jq on $OUTPUT_FILE to select the
assistant's last response field rather than cat the whole file) and set CONTENT
to that extracted mrkdwn before building PAYLOAD='{"text": ...}'; finally POST
to $SLACK_WEBHOOK_URL using the constructed payload.
- Around line 15-16: Update the workflow to pin actions and fix
checkout/auth/Claude usage: replace unpinned uses actions/checkout,
google-github-actions/auth and anthropics/claude-code-action with the provided
SHAs (actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5,
google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed,
anthropics/claude-code-action@537ffff2eff706bd7e3e1c3daf2d4b39067a9f85), set
actions/checkout with with: persist-credentials: false and contents: read, add
CLOUD_ML_REGION (or VERTEX_REGION_CLAUDE_<MODEL> as required by the Claude
action) when use_vertex: "true", and change how
steps.claude.outputs.execution_file is posted to Slack by extracting the final
mrkdwn string from the JSON (e.g., pipe the execution_file through jq to pull
the mrkdwn field) so Slack receives only the rendered markdown.

In @.github/workflows/README.md:
- Line 7: The README text currently says "Runs the `/open-prs --slack` skill
daily via `claude-code-action`" but the workflow cron `0 9 * * 1-5` schedules
Mon–Fri only; update the sentence to accurately reflect weekdays-only scheduling
(e.g., "Runs the `/open-prs --slack` skill on weekdays (Mon–Fri) via
`claude-code-action`") and ensure any adjacent description references the cron
`0 9 * * 1-5` to avoid the "daily" wording.


📥 Commits

Reviewing files that changed from the base of the PR and between 87e089c and 8886802.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/open-prs-digest.yml

@rafabene rafabene force-pushed the HYPERFLEET-1030-open-prs-digest-workflow branch from 8886802 to a0a7f14 Compare June 2, 2026 12:18

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/open-prs-digest.yml (1)

8-13: ⚡ Quick win

Serialize runs before the Slack side effect.

workflow_dispatch can overlap the weekday cron, and both runs will post the same digest. Add a concurrency group so only one digest run can reach Slack at a time.

Suggested change
+concurrency:
+  group: open-prs-digest
+  cancel-in-progress: true
+
 jobs:
   open-prs:
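Review bot: the suggested `cancel-in-progress: true` contradicts the agent prompt in the same comment, which asks for `cancel-in-progress` to be `false`, and the two settings solve different problems. With `false` a second run is only queued, so both the cron run and the manual dispatch still post the digest; with `true` the in-flight run is cancelled when another starts, which is what actually prevents the duplicate post but also aborts a cron run if someone dispatches during it. Pick one deliberately and say why in a comment next to the block. The diff places `concurrency` at workflow top level while the prompt says inside `jobs.open-prs`; both are valid, but a single job makes the top-level form the simpler one.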
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/open-prs-digest.yml around lines 8 - 13, Add a concurrency
block to the open-prs job so overlapping runs are serialized before the Slack
side effect: inside the jobs.open-prs definition add a concurrency key with a
stable group name (e.g., "open-prs-digest" or use github.workflow + job
identifier) and set cancel-in-progress to false so only one digest run posts to
Slack at a time; update the job named open-prs accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/open-prs-digest.yml:
- Around line 101-111: The "Notify Slack on failure" step currently posts to
SLACK_WEBHOOK_URL_ERRORS using curl but ignores HTTP errors; modify the step to
capture curl's HTTP response and exit non‑zero on non‑2xx like the success path:
after constructing MESSAGE (using RUN_URL and SLACK_WEBHOOK_URL_ERRORS), run
curl with options to output HTTP status (e.g., --write-out '%{http_code}'
--silent --output /dev/stderr), capture that status into a variable, and if the
status is not 200/201/2xx then echo the response and exit 1 so the workflow
fails; reference the step name "Notify Slack on failure" and variables MESSAGE,
SLACK_WEBHOOK_URL_ERRORS, and RUN_URL to locate the code to change.


📥 Commits

Reviewing files that changed from the base of the PR and between 8886802 and a0a7f14.

📒 Files selected for processing (2)
  • .github/workflows/README.md
  • .github/workflows/open-prs-digest.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/README.md
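The two CodeRabbit findings above about the Slack steps (posting the rendered mrkdwn rather than the raw execution file, and failing the "Notify Slack on failure" step on a non-2xx reply) share one pattern, shown here as an added example that is not the PR's workflow code. It assumes the webhook URL arrives in the SLACK_WEBHOOK_URL environment variable and that the caller has already extracted the mrkdwn text; it does not parse the claude execution file.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow: a helper for the "Post to Slack" and
# "Notify Slack on failure" steps. Builds the {"text": ...} payload from
# arbitrary mrkdwn without jq, treats a transport error or any non-2xx reply as
# a step failure, and logs only the HTTP status, never the URL or the payload.
set -eu
set -o pipefail 2>/dev/null || true   # bash; silently skipped by shells without it

# Escape a string for use inside a JSON string literal: backslashes, double
# quotes and newlines, which is what Slack mrkdwn text needs.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# Wrap escaped mrkdwn in the minimal Slack incoming-webhook payload.
slack_payload() {
  printf '{"text":"%s"}' "$(json_escape "$1")"
}

# Return 0 for any 2xx status code, 1 otherwise.
http_ok() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Failure-notification text with a UTC timestamp and the run URL; the exact
# wording is an assumption, the content mirrors what the workflow sends.
failure_message() {
  printf ':x: open-prs digest failed at %s\n<%s|View run>' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1"
}

# POST mrkdwn text to the webhook in $SLACK_WEBHOOK_URL. Returns non-zero on a
# curl failure or a non-2xx reply so the calling step fails visibly.
post_slack() {
  local text="$1" webhook="${SLACK_WEBHOOK_URL:?SLACK_WEBHOOK_URL not set}"
  local body status
  body=$(mktemp)
  if ! status=$(curl --silent --show-error --output "$body" \
        --write-out '%{http_code}' \
        -H 'Content-Type: application/json' \
        --data "$(slack_payload "$text")" "$webhook"); then
    echo "curl could not reach the Slack webhook" >&2
    rm -f "$body"
    return 1
  fi
  if ! http_ok "$status"; then
    # Slack's error body (e.g. invalid_payload) carries no secrets.
    echo "Slack webhook returned HTTP $status: $(cat "$body")" >&2
    rm -f "$body"
    return 1
  fi
  rm -f "$body"
  echo "Slack webhook returned HTTP $status"
}

# In a workflow step:
#   post_slack "$(cat "$DIGEST_FILE")"            # digest (mrkdwn already extracted)
#   post_slack "$(failure_message "$RUN_URL")"    # failure notification
```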

@rafabene rafabene force-pushed the HYPERFLEET-1030-open-prs-digest-workflow branch 3 times, most recently from addcdf5 to c05b5a1 Compare June 2, 2026 13:22
Contributor

@tirthct tirthct left a comment


The PR title doesn't follow the commit standards format. Maybe we should change it to something like this?

HYPERFLEET-1030 - feat: add GitHub Actions workflow for daily /open-prs digest

@rafabene rafabene force-pushed the HYPERFLEET-1030-open-prs-digest-workflow branch from c05b5a1 to da6dfad Compare June 2, 2026 16:51
Contributor

@pnguyen44 pnguyen44 left a comment


Consider pinning the model explicitly so the workflow stays predictable if the action's default model changes:

with:
  use_vertex: "true"
  model: "claude-sonnet-4-20250514"

uses: anthropics/claude-code-action@537ffff2eff706bd7e3e1c3daf2d4b39067a9f85 # v1
id: claude
with:
  use_vertex: "true"
Contributor Author


Indeed. Furthermore, we don't need more than Sonnet here. Thank you. I'll update.

@rafabene rafabene force-pushed the HYPERFLEET-1030-open-prs-digest-workflow branch from da6dfad to 7b696b9 Compare June 3, 2026 14:27
Contributor

@pnguyen44 pnguyen44 left a comment


Suggestion on README structure


Runs the `/open-prs --slack` skill every weekday via `claude-code-action` and posts the prioritized PR review queue to Slack.

### Schedule
Contributor


Suggestion: Some sections (schedule, architecture paragraph) restate the YAML and could drift. Consider trimming to just: what it does, secrets table, setup steps, manual trigger, and troubleshooting.
