chore(claude): add hooks, skills, and agents for Claude Code

Add auto-formatting hooks (ruff, shfmt, prettier, actionlint), rules.yml edit blocker, 5 skills (/release, /test-action, /new-action, /validate, /check-pins), and 2 subagents (action-validator, test-coverage-reviewer). Update CLAUDE.md with hook documentation.
2026-03-08 01:56:32 +00:00 · 2026-03-07 20:54:37 +02:00
parent 242ecca8f0
commit df3e034d42
11 changed files with 393 additions and 0 deletions
--- a/.claude/agents/action-validator.md
+++ b/.claude/agents/action-validator.md
@@ -0,0 +1,30 @@
+You review action.yml files against the repository's critical prevention rules.
+
+Check each action.yml file for these violations:
+
+1. All external action refs are SHA-pinned (not @main/@v1)
+2. All internal action refs use `ivuorinen/actions/name@SHA` format
+3. Shell scripts use `set -eu` (POSIX, not bash)
+4. Steps with referenced outputs have `id:` fields
+5. Tool availability checked before use (`command -v`)
+6. Variables properly quoted (`"$var"`)
+7. `$GITHUB_OUTPUT` uses `printf`, not `echo`
+8. No nested `${{ }}` in quoted YAML strings
+9. Token inputs use `${{ github.token }}` default
+10. Fallbacks provided for tools not on all runners
+
+Run `actionlint` on each file. Report violations with file path, line, and fix suggestion.
+
+To find all action.yml files:
+
+```bash
+find . -name "action.yml" -not -path "./.git/*"
+```
+
+For each file, read it and check against all 10 rules. Then run:
+
+```bash
+actionlint <file>
+```
+
+Output a summary table of violations found, grouped by action.
--- a/.claude/agents/test-coverage-reviewer.md
+++ b/.claude/agents/test-coverage-reviewer.md
@@ -0,0 +1,33 @@
+You review test coverage for GitHub Actions in this monorepo.
+
+For each action:
+
+1. Read the action.yml to understand inputs, outputs, and steps
+2. Read the corresponding test files in `_tests/unit/<action-name>/`
+3. Check if all inputs have validation tests
+4. Check if error paths are tested (missing required inputs, invalid values)
+5. Check if shell scripts have edge case tests (spaces in paths, empty strings, special chars)
+6. Report coverage gaps with specific test suggestions
+
+To find all actions and their tests:
+
+```bash
+ls -d */action.yml | sed 's|/action.yml||'
+ls -d _tests/unit/*/
+```
+
+Compare the two lists to find actions without any tests.
+
+For each action with tests, check coverage of:
+
+- All required inputs validated
+- All optional inputs with defaults tested
+- Error conditions (missing inputs, invalid formats)
+- Edge cases in shell logic (empty strings, special characters, spaces in paths)
+- Output values verified
+
+Output a coverage report with:
+
+- Actions with no tests (critical)
+- Actions with partial coverage (list missing test cases)
+- Actions with good coverage (brief confirmation)
--- a/.claude/hooks/block-rules-yml.sh
+++ b/.claude/hooks/block-rules-yml.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -eu
+
+# Read JSON input from stdin to get the file path
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty')
+
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+case "$FILE_PATH" in
+  */rules.yml)
+    echo '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"rules.yml files are auto-generated. Run make update-validators instead."}}'
+    ;;
+esac
--- a/.claude/hooks/post-edit-write.sh
+++ b/.claude/hooks/post-edit-write.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -eu
+
+# Read JSON input from stdin to get the file path
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.filePath // empty')
+
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+case "$FILE_PATH" in
+  */rules.yml)
+    # rules.yml should not be reached here (blocked by PreToolUse),
+    # but skip formatting just in case
+    exit 0
+    ;;
+  *.py)
+    ruff format --quiet "$FILE_PATH" 2>/dev/null || true
+    ruff check --fix --quiet "$FILE_PATH" 2>/dev/null || true
+    ;;
+  *.sh)
+    shfmt -w "$FILE_PATH" 2>/dev/null || true
+    shellcheck "$FILE_PATH" 2>&1 || true
+    ;;
+  *.yml|*.yaml|*.json)
+    npx prettier --write "$FILE_PATH" 2>/dev/null || true
+    ;;
+  *.md)
+    npx prettier --write "$FILE_PATH" 2>/dev/null || true
+    ;;
+esac
+
+# Run actionlint on action.yml files
+case "$FILE_PATH" in
+  */action.yml)
+    actionlint "$FILE_PATH" 2>&1 || true
+    ;;
+esac
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -0,0 +1,26 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/block-rules-yml.sh"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/post-edit-write.sh"
+          }
+        ]
+      }
+    ]
+  }
+}
--- a/.claude/skills/check-pins/SKILL.md
+++ b/.claude/skills/check-pins/SKILL.md
@@ -0,0 +1,39 @@
+---
+name: check-pins
+description: Verify all action references are properly SHA-pinned
+disable-model-invocation: true
+---
+
+# Check SHA-Pinned Action References
+
+## 1. Check version references
+
+```bash
+make check-version-refs
+```
+
+This verifies that all `ivuorinen/actions/*` references in `action.yml` files use SHA-pinned commits.
+
+## 2. Check local references
+
+```bash
+make check-local-refs
+```
+
+This verifies that test workflows use `./action-name` format (local references are allowed in tests).
+
+## 3. Interpret results
+
+**Violations to fix:**
+
+- `@main` or `@v*` references in `action.yml` files must be replaced with full SHA commits
+- `./action-name` in `action.yml` (non-test) files must use `ivuorinen/actions/action-name@<SHA>`
+- External actions must be pinned to SHA commits, not version tags
+
+**How to get the current SHA:**
+
+```bash
+git rev-parse HEAD
+```
+
+Use this SHA when pinning internal action references after committing changes.
--- a/.claude/skills/new-action/SKILL.md
+++ b/.claude/skills/new-action/SKILL.md
@@ -0,0 +1,60 @@
+---
+name: new-action
+description: Scaffold a new GitHub Action with all required files
+disable-model-invocation: true
+---
+
+# Scaffold a New GitHub Action
+
+## 1. Gather information
+
+Ask the user for:
+
+- **Action name** (kebab-case, e.g. `my-new-action`)
+- **Description** (one line)
+- **Category** (setup, linting, testing, build, publishing, repository, utility)
+- **Inputs** (name, description, required, default for each)
+- **What it does** (shell commands, composite steps, etc.)
+
+## 2. Create directory and action.yml
+
+Create `<action-name>/action.yml` following the existing action patterns:
+
+- Use `composite` runs type
+- Include `set -eu` in shell scripts (POSIX sh, not bash)
+- Use `${{ github.token }}` for token defaults
+- Pin all external action references to SHA commits
+- Pin internal action references using `ivuorinen/actions/action-name@<SHA>`
+- Add `id:` to steps whose outputs are referenced
+
+## 3. Generate validation rules
+
+```bash
+make update-validators
+```
+
+This generates `<action-name>/rules.yml` from the action's inputs.
+
+## 4. Generate test scaffolding
+
+```bash
+make generate-tests
+```
+
+## 5. Generate README
+
+```bash
+make docs
+```
+
+## 6. Run validation
+
+```bash
+make all
+```
+
+Fix any issues before considering the action complete.
+
+## 7. Update repository overview
+
+Remind the user to update the Serena memory `repository_overview` if they use Serena.
--- a/.claude/skills/release/SKILL.md
+++ b/.claude/skills/release/SKILL.md
@@ -0,0 +1,57 @@
+---
+name: release
+description: Create a new CalVer release with validation checks
+disable-model-invocation: true
+---
+
+# Release Workflow
+
+Follow these steps to create a new CalVer release:
+
+## 1. Pre-flight checks
+
+Run the full validation pipeline:
+
+```bash
+make all
+```
+
+If any step fails, fix the issues before proceeding.
+
+## 2. Check version references
+
+Verify all action references are properly pinned:
+
+```bash
+make check-version-refs
+make check-local-refs
+```
+
+## 3. Prepare the release
+
+Run release preparation (updates version references):
+
+```bash
+make release-prep
+```
+
+Review the changes with `git diff`.
+
+## 4. Confirm with user
+
+Ask the user to confirm:
+
+- The version number (defaults to `vYYYY.MM.DD` based on today's date)
+- That all changes look correct
+
+## 5. Create the release
+
+```bash
+make release VERSION=vYYYY.MM.DD
+```
+
+Replace `vYYYY.MM.DD` with the confirmed version.
+
+## 6. Verify
+
+Show the user the created tag and any output from the release process.
--- a/.claude/skills/test-action/SKILL.md
+++ b/.claude/skills/test-action/SKILL.md
@@ -0,0 +1,34 @@
+---
+name: test-action
+description: Run tests for a specific GitHub Action by name
+disable-model-invocation: true
+---
+
+# Test a Specific Action
+
+## 1. Identify the action
+
+Ask the user which action to test if not already specified.
+List available actions if needed:
+
+```bash
+ls -d */action.yml | sed 's|/action.yml||'
+```
+
+## 2. Run tests
+
+```bash
+make test-action ACTION=<action-name>
+```
+
+## 3. Display results
+
+Show the test output. If tests fail, read the relevant test files in `_tests/unit/<action-name>/` and the action's `action.yml` to help diagnose the issue.
+
+## 4. Coverage (optional)
+
+If the user wants coverage information:
+
+```bash
+make test-coverage
+```
--- a/.claude/skills/validate/SKILL.md
+++ b/.claude/skills/validate/SKILL.md
@@ -0,0 +1,49 @@
+---
+name: validate
+description: Run full validation pipeline (docs, format, lint, test)
+disable-model-invocation: true
+---
+
+# Full Validation Pipeline
+
+Run the complete validation pipeline:
+
+```bash
+make all
+```
+
+This runs in order: `docs` -> `format` -> `lint` -> `test`
+
+## If validation fails
+
+### Formatting issues
+
+```bash
+make format
+```
+
+Then re-run `make all`.
+
+### Linting issues
+
+- **actionlint**: Check action.yml syntax, step IDs, expression usage
+- **shellcheck**: POSIX compliance, quoting, variable usage
+- **ruff**: Python style and errors
+- **markdownlint**: Markdown formatting
+- **prettier**: YAML/JSON/MD formatting
+
+### Test failures
+
+```bash
+make test
+```
+
+Read the failing test output and fix the underlying action or test.
+
+### Documentation drift
+
+```bash
+make docs
+```
+
+Regenerates READMEs from action.yml files.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -25,12 +25,22 @@
 ### Folders

 - `.serena/` – Internal config (do not edit)
+- `.claude/hooks/` – Claude Code hook scripts (auto-format, lint, block rules.yml edits)
+- `.claude/skills/` – Claude Code skills (`/release`, `/test-action`, `/new-action`, `/validate`, `/check-pins`)
+- `.claude/agents/` – Claude Code subagents (action-validator, test-coverage-reviewer)
 - `.github/` – Workflows/templates
 - `_tests/` – ShellSpec tests
 - `_tools/` – Helper tools
 - `validate-inputs/` – Python validation system + tests
 - `*/rules.yml` – Auto-generated validation rules

+### Claude Code Hooks
+
+**Auto-formatting**: PostToolUse hooks auto-format files on Edit/Write (ruff for .py, shfmt for .sh, prettier for .yml/.yaml/.json/.md, actionlint for action.yml)
+**Blocked edits**: PreToolUse hook blocks direct edits to `rules.yml` (auto-generated, use `make update-validators`)
+**Hook schema**: `matcher` is a regex string matching tool names (e.g. `"Edit|Write"`), not an object. File filtering done in hook scripts via stdin JSON (`jq -r '.tool_input.file_path'`)
+**Reference**: `$CLAUDE_PROJECT_DIR` for project-relative paths in hook commands
+
 ### Memory System

 **Location**: `.serena/memories/` (9 consolidated memories for context)