CI: clean Key Vault secret retrieval in reusable review workflows#6

Merged: Mehdi-Bl merged 1 commit into main from feat/clean-keyvault-secret-fetch on Feb 19, 2026

Conversation


@Mehdi-Bl Mehdi-Bl commented Feb 19, 2026

Summary

  • replace inline az keyvault secret show calls in reusable Claude/OpenCode review workflows
  • keep Azure OIDC login and enable Az PowerShell session (enable-AzPSSession: true)
  • fetch Key Vault secrets via azure/powershell@v2 + Get-AzKeyVaultSecret
  • keep masking and GITHUB_OUTPUT handoff for downstream steps
  • avoid template-injection risk by passing workflow inputs through env and using env vars inside inlineScript

Validation

  • actionlint .github/workflows/*.yml
  • zizmor .github/workflows/*.yml (clean)
  • make sonar is not available in this repository (no Makefile/sonar target)

Risk

  • low: functional behavior unchanged (same secrets, same outputs)
  • improved security posture for workflow script interpolation

Summary by Sourcery

Introduce centralized reusable workflows for AI-assisted manual PR reviews and organization-wide Poutine scanning, while tightening permissions and documentation for governance workflows.

New Features:

  • Add a reusable OpenCode-based manual PR review workflow with Azure OIDC and Key Vault-backed secret retrieval supporting single or multi-model execution.
  • Add a reusable Claude-based manual PR review workflow with Azure OIDC and Key Vault-backed secret retrieval for centralized PR reviews.
  • Add a required Poutine scanning workflow that runs on pull requests, merge groups, and workflow_call and uploads normalized SARIF results to GitHub code scanning.

Enhancements:

  • Document the new reusable review and Poutine workflows in the repository README and their intended usage and capabilities.
  • Scope permissions more tightly in the owner-enforcement workflow by moving write permissions to the job level and clarifying the pull_request_target trigger usage comment.

CI:

  • Standardize Key Vault secret access in review workflows using azure/login with Az PowerShell sessions and azure/powershell-based secret retrieval instead of inline CLI invocations.
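The pattern the Summary bullets describe, as an added illustration rather than the repository's own workflow file: OIDC login with an Az PowerShell session, Get-AzKeyVaultSecret inside azure/powershell, masking, GITHUB_OUTPUT handoff, and caller inputs passed through env instead of being interpolated into the script. The job name, the workflow_call input names, the AZURE_* secret names and the output key are assumed.

```yaml
jobs:
  fetch-secret:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets azure/login request the OIDC federated token
      contents: read
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}            # assumed secret names
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: true   # Az modules are authenticated for later steps

      - id: kv
        uses: azure/powershell@v2
        # Caller-controlled values reach the script only as environment variables.
        # Writing "${{ inputs.key_vault_name }}" inside inlineScript would splice the
        # raw input into the script text, which is the template-injection risk the PR avoids.
        env:
          KEY_VAULT_NAME: ${{ inputs.key_vault_name }}   # assumed workflow_call input
          SECRET_NAME: ${{ inputs.secret_name }}         # assumed workflow_call input
        with:
          azPSVersion: latest
          inlineScript: |
            $secret = Get-AzKeyVaultSecret -VaultName $env:KEY_VAULT_NAME -Name $env:SECRET_NAME -AsPlainText
            if ([string]::IsNullOrEmpty($secret)) {
              throw "secret '$env:SECRET_NAME' not found in vault '$env:KEY_VAULT_NAME'"
            }
            # Register the mask before the value can reach any log line, then hand it off.
            Write-Output "::add-mask::$secret"
            "api-key=$secret" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8

      - name: Consume the secret in a later step of the same job
        env:
          API_KEY: ${{ steps.kv.outputs.api-key }}   # again via env, not inline in the script
        run: |
          [ -n "$API_KEY" ] || { echo "empty api-key output" >&2; exit 1; }
          echo "api-key length: ${#API_KEY}"   # the value itself is masked in logs
```

The handoff stays inside the job: the runner drops a job-level output whose value contains a masked secret, so a consumer in a different job would receive nothing.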

sourcery-ai bot commented Feb 19, 2026

Reviewer's Guide

Adds reusable AI-powered manual PR review workflows for Claude and OpenCode that retrieve secrets from Azure Key Vault via Azure PowerShell sessions instead of inline az CLI calls, introduces a required poutine security scanning workflow, adjusts permissions scoping for the owner-enforcement workflow, and documents these workflows in the README.

Sequence diagram for reusable OpenCode manual PR review workflow

sequenceDiagram
  actor Developer
  participant CallerRepoWorkflow as Caller_repo_workflow
  participant ReusableOpenCodeWorkflow as Reusable_opencode_review
  participant GitHubAPI as GitHub_API
  participant AzureLogin as Azure_login_action
  participant AzureKeyVault as Azure_Key_Vault
  participant OpenCodeAction as OpenCode_GitHub_action
  participant GitHubPR as GitHub_pull_request

  Developer->>CallerRepoWorkflow: Dispatch workflow_call with pr_number and model inputs
  CallerRepoWorkflow->>ReusableOpenCodeWorkflow: Invoke reusable-opencode-review with inputs

  ReusableOpenCodeWorkflow->>GitHubAPI: Fetch PR metadata via gh api
  GitHubAPI-->>ReusableOpenCodeWorkflow: PR head_sha, title, body, size metrics

  ReusableOpenCodeWorkflow->>ReusableOpenCodeWorkflow: Check allowlist and default branch
  ReusableOpenCodeWorkflow->>ReusableOpenCodeWorkflow: Evaluate size thresholds and force_review
  alt PR below thresholds and not forced
    ReusableOpenCodeWorkflow->>Developer: Log skip message and exit
  else PR meets thresholds or forced
    ReusableOpenCodeWorkflow->>AzureLogin: azure/login OIDC authentication
    AzureLogin-->>ReusableOpenCodeWorkflow: Federated access token and Az PowerShell session

    ReusableOpenCodeWorkflow->>AzureKeyVault: Get-AzKeyVaultSecret for ZHIPU API key
    AzureKeyVault-->>ReusableOpenCodeWorkflow: ZHIPU API key (masked, via GITHUB_OUTPUT)

    ReusableOpenCodeWorkflow->>ReusableOpenCodeWorkflow: Build OpenCode mock issue_comment event
    ReusableOpenCodeWorkflow->>OpenCodeAction: anomalyco/opencode/github with model and MOCK_EVENT
    OpenCodeAction->>GitHubAPI: Read PR diff and files
    OpenCodeAction->>GitHubPR: Post consolidated review comment
    OpenCodeAction-->>ReusableOpenCodeWorkflow: Completion status

    alt OpenCode review step fails
      ReusableOpenCodeWorkflow->>Developer: Emit non-blocking warning in step summary
    else OpenCode review succeeds
      ReusableOpenCodeWorkflow->>Developer: Summarize successful review in logs
    end
  end

Sequence diagram for reusable Claude manual PR review workflow

sequenceDiagram
  actor Developer
  participant CallerRepoWorkflow as Caller_repo_workflow
  participant ReusableClaudeWorkflow as Reusable_claude_review
  participant GitHubAPI as GitHub_API
  participant AzureLogin as Azure_login_action
  participant AzureKeyVault as Azure_Key_Vault
  participant ClaudeAction as Claude_code_action
  participant GitHubPR as GitHub_pull_request

  Developer->>CallerRepoWorkflow: Dispatch workflow_call with pr_number
  CallerRepoWorkflow->>ReusableClaudeWorkflow: Invoke reusable-claude-review with inputs

  ReusableClaudeWorkflow->>GitHubAPI: Fetch PR metadata via gh api
  GitHubAPI-->>ReusableClaudeWorkflow: PR head_sha, title, body, size metrics

  ReusableClaudeWorkflow->>ReusableClaudeWorkflow: Check allowlist and default branch
  ReusableClaudeWorkflow->>ReusableClaudeWorkflow: Evaluate size thresholds and force_review
  alt PR below thresholds and not forced
    ReusableClaudeWorkflow->>Developer: Log skip message and exit
  else PR meets thresholds or forced
    ReusableClaudeWorkflow->>AzureLogin: azure/login OIDC authentication
    AzureLogin-->>ReusableClaudeWorkflow: Federated access token and Az PowerShell session

    ReusableClaudeWorkflow->>AzureKeyVault: Get-AzKeyVaultSecret for Claude OAuth token
    AzureKeyVault-->>ReusableClaudeWorkflow: Claude OAuth token (masked, via GITHUB_OUTPUT)

    ReusableClaudeWorkflow->>ClaudeAction: anthropics/claude-code-action with token and prompt
    ClaudeAction->>GitHubAPI: Read PR diff and files
    ClaudeAction->>GitHubPR: Post consolidated review comment
    ClaudeAction-->>ReusableClaudeWorkflow: Completion status

    alt Claude review step fails
      ReusableClaudeWorkflow->>Developer: Emit non-blocking warning in step summary
    else Claude review succeeds
      ReusableClaudeWorkflow->>Developer: Summarize successful review in logs
    end
  end

File-Level Changes

Change: Introduce reusable OpenCode manual PR review workflow with secure Azure Key Vault secret retrieval and model matrix support.
Details:
  • Adds reusable-opencode-review workflow callable via workflow_call with inputs for PR metadata, model selection, Azure and Key Vault configuration, and size thresholds.
  • Implements a prepare-model-matrix job that normalizes single/multi-model inputs into a de-duplicated JSON matrix and exposes count and summary.
  • Uses azure/login with enable-AzPSSession and azure/powershell Get-AzKeyVaultSecret to fetch and mask the ZHIPU API key, exporting it via GITHUB_OUTPUT for later steps.
  • Builds a mock issue_comment event payload to drive anomalyco/opencode/github for manual PR review against the specified model matrix, with non-blocking failure handling and summary warnings.
  • Enforces dispatcher allowlist, default-branch-only execution, and auto-skip behavior for small PRs based on configurable thresholds.
Files: .github/workflows/reusable-opencode-review.yml

Change: Introduce reusable Claude manual PR review workflow using Azure Key Vault via Azure PowerShell instead of inline az CLI.
Details:
  • Adds reusable-claude-review workflow callable via workflow_call with inputs for PR number, Azure and Key Vault configuration, allowlist, and size thresholds.
  • Uses azure/login with enable-AzPSSession and azure/powershell Get-AzKeyVaultSecret to retrieve and mask the Claude OAuth token, exporting it via GITHUB_OUTPUT.
  • Resolves PR metadata via gh api and uses dynamic delimiters to safely pass multi-line title and body through GITHUB_OUTPUT.
  • Runs anthropics/claude-code-action with a structured review prompt and non-blocking failure behavior, gated behind size thresholds and force_review flag.
  • Enforces dispatcher allowlist, default-branch-only execution, and minimal global permissions while granting job-level permissions required for PR comments and OIDC.
Files: .github/workflows/reusable-claude-review.yml

Change: Add required Poutine security scanning workflow for SARIF-based code scanning uploads.
Details:
  • Creates required-poutine workflow runnable on pull_request, merge_group, and workflow_call with minimal global permissions.
  • Runs actions/checkout to pull caller repo, then executes boostsecurityio/poutine-action producing SARIF output.
  • Post-processes SARIF with jq to remove supportedTaxonomies to satisfy GitHub upload requirements and uploads via github/codeql-action/upload-sarif with a dedicated category.
  • Always uploads the SARIF as an artifact with a 14-day retention for debugging/audit.
Files: .github/workflows/required-poutine.yml

Change: Tighten permissions and annotations for the enforce-owner-prs workflow.
Details:
  • Adds a zizmor suppression comment explaining the safe use of pull_request_target trigger since no untrusted code is executed.
  • Moves permissions from a repository-wide block to job-level permissions, explicitly scoping pull-requests: write and contents: read only where needed.
  • Updates the pinned actions/github-script reference comment to the precise v7.0.1 tag while keeping the same commit SHA.
Files: .github/workflows/enforce-owner-prs.yml

Change: Update repository documentation to describe new reusable and required workflows.
Details:
  • Documents the new required-poutine workflow and its role in running poutine scans with SARIF upload.
  • Adds a new Reusable workflows section describing reusable-claude-review and reusable-opencode-review, including Azure OIDC/Key Vault support and OpenCode model selection behavior.
Files: README.md

@Mehdi-Bl Mehdi-Bl force-pushed the feat/clean-keyvault-secret-fetch branch from c99a878 to 3c02b46 on February 19, 2026 02:41

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • The Authorize dispatcher (allowlist) and PR metadata resolution logic are duplicated between the Claude and OpenCode reusable workflows; consider extracting these into a shared composite action or a called job to keep behavior consistent and reduce future drift.

@Mehdi-Bl Mehdi-Bl (Contributor, Author) commented:

Addressing review context: the duplication between Claude/OpenCode workflows is pre-existing and outside the scope of this PR. This change is intentionally limited to replacing inline Key Vault CLI secret retrieval with Azure PowerShell retrieval + secure interpolation hardening. I’ll open a follow-up task for shared composite-action extraction so we can refactor both workflows safely in one dedicated change.

@Mehdi-Bl Mehdi-Bl force-pushed the feat/clean-keyvault-secret-fetch branch from 4087985 to 39bd77a on February 19, 2026 02:44
@Mehdi-Bl Mehdi-Bl merged commit 68f49e6 into main Feb 19, 2026
6 checks passed
@Mehdi-Bl Mehdi-Bl deleted the feat/clean-keyvault-secret-fetch branch February 19, 2026 03:00