scality · bert-e · Jun 17, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 17, 2026
diff --git a/.claude/skills/review-pr/SKILL.md b/.claude/skills/review-pr/SKILL.md
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,17 @@
+# Code Review Criteria
+
+When reviewing pull requests in this repository, check the following areas:
+
+| Area | What to check |
+| ---- | ------------- |
+| Async error handling | Uncaught promise rejections, missing error callbacks, swallowed errors in streams, missing `.on('error')` handlers |
+| Stream handling | Backpressure issues, proper cleanup on error, no leaked file descriptors, correct use of transform/pipeline |
+| Dependency pinning | Git-based deps (`arsenal`, `vaultclient`, `bucketclient`, `werelogs`, `httpagent`) must pin to a tag, not a branch |
+| Logging | Proper use of `werelogs` — no `console.log` in production code, log levels match severity |
+| Async/await usage | Prefer `async`/`await` over raw promise chains (`.then`/`.catch`) and callbacks for new code; ensure `await` is not missing on async calls |
+| Import placement | All `require()` statements must be at the top of the file, never inside functions, blocks, or `describe` scopes |
+| Config & env vars | Backward compatibility of environment variables, sensible defaults, documented new variables |
+| Production safety | Dry-run support preserved, resumption markers (`KEY_MARKER`, `VERSION_ID_MARKER`) handled correctly, batch limits respected |
+| Security | No credentials or secrets in code, safe handling of user-supplied input, OWASP-relevant issues |
+| Breaking changes | Changes to script CLI arguments, environment variable contracts, or client interfaces |
+| Test coverage | New logic should have corresponding unit tests, mocks should be realistic |
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -1,14 +1,29 @@
 name: Code Review
+run-name: "Code Review for #${{ github.event.pull_request.number || inputs.pr_number }}${{ github.event.pull_request.title && format(' : {0}', github.event.pull_request.title) }}"
 
 on:
   pull_request:
     types: [opened, synchronize]
+  pull_request_target:
+    types: [opened, synchronize]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: Pull Request number to review
+        required: true
 
 jobs:
   review:
+    if: github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]'
     uses: scality/workflows/.github/workflows/claude-code-review.yml@v2
-    secrets:
-      GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
-      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
-      ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }}
-      CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }}
+    with:
+      allowed-tools: >-
+        ${{ github.event_name == 'workflow_dispatch' && '"Bash(gh api repos/*/contents)"' || '' }}
+    secrets: inherit
+
+  review-dependency-bump:
+    if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
+    uses: scality/workflows/.github/workflows/claude-code-dependency-review.yml@v2
+    with:
+      ACTIONS_APP_ID: ${{ vars.ACTIONS_APP_ID }}
+    secrets: inherit