scality · bert-e · Jun 19, 2026 · Jun 18, 2026 · Jun 19, 2026
diff --git a/.claude/skills/review-pr/SKILL.md b/.claude/skills/review-pr/SKILL.md
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,20 @@
+<!-- markdownlint-disable MD013 -->
+
+# Code review instructions
+
+Repo context lives in [CLAUDE.md](../CLAUDE.md) — read it first.
+
+When reviewing a PR, analyze the changes against these criteria:
+
+| Area                  | What to check                                                                                                                                                                                                                                                                                                                                                                      |
+| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Async error handling  | uncaught promise rejections, missing error callbacks, swallowed errors in streams. Double callbacks in try/catch blocks (callback called in try then again in catch).                                                                                                                                                                                                              |
+| Async/await migration | when code is migrated from callbacks to async/await, verify: no leftover `callback` or `next` params, no mixed callback + promise patterns, proper try/catch around awaited calls, errors are re-thrown or handled (not silently swallowed). Watch for the anti-pattern: `try { cb(); } catch(err) { cb(err); }` where an exception after the first `cb()` triggers a second call. |
+| S3/API contract       | breaking changes to request/response formats, new error codes, header handling, missing XML response fields.                                                                                                                                                                                                                                                                       |
+| Dependency pinning    | git-based deps (arsenal, vaultclient, bucketclient, werelogs, utapi, scubaclient) must pin to a tag, not a branch.                                                                                                                                                                                                                                                                 |
+| Logging               | proper use of werelogs logger, no `console.log` in production code, log levels match severity.                                                                                                                                                                                                                                                                                     |
+| Stream handling       | backpressure, proper cleanup on error (`.destroy()`), no leaked file descriptors, missing error event handlers.                                                                                                                                                                                                                                                                    |
+| Config changes        | backward compatibility with existing env vars and `config.json`, default values.                                                                                                                                                                                                                                                                                                   |
+| Security              | command injection, header injection, XML external entity attacks, path traversal, SSRF in multi-backend requests.                                                                                                                                                                                                                                                                  |
+| Breaking changes      | changes to public S3 API behavior, metadata schema changes, env var renames without backward compat.                                                                                                                                                                                                                                                                               |
+| Test quality          | no `.only()` tests (eslint enforces this), assertions match the behavior being tested, `require()`/`import` at top of file (never inside `describe` or functions).                                                                                                                                                                                                                 |
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -1,29 +1,31 @@
 name: Code Review
+# yamllint disable rule:line-length
+run-name: "Code Review for #${{ github.event.pull_request.number || inputs.pr_number }}${{ github.event.pull_request.title && format(' : {0}', github.event.pull_request.title) }}"
+# yamllint enable rule:line-length
 
 on:
-  pull_request:
-    types: [opened, synchronize, labeled, unlabeled]
-  pull_request_target:
-    types: [opened, synchronize]
+    pull_request:
+        types: [opened, synchronize, labeled, unlabeled]
+    pull_request_target:
+        types: [opened, synchronize]
+    workflow_dispatch:
+        inputs:
+            pr_number:
+                description: Pull Request number to review
+                required: true
 
 jobs:
-  review:
-    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
-    uses: scality/workflows/.github/workflows/claude-code-review.yml@v2
-    secrets:
-      GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
-      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
-      ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }}
-      CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }}
+    review:
+        if: github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]'
+        uses: scality/workflows/.github/workflows/claude-code-review.yml@v2
+        with:
+            allowed-tools: >-
+                ${{ github.event_name == 'workflow_dispatch' && '"Bash(gh api repos/*/contents)"' || '' }}
+        secrets: inherit
 
-  review-dependency-bump:
-    if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
-    uses: scality/workflows/.github/workflows/claude-code-dependency-review.yml@v2
-    with:
-      ACTIONS_APP_ID: ${{ vars.ACTIONS_APP_ID }}
-    secrets:
-      GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
-      GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
-      ANTHROPIC_VERTEX_PROJECT_ID: ${{ secrets.ANTHROPIC_VERTEX_PROJECT_ID }}
-      CLOUD_ML_REGION: ${{ secrets.CLOUD_ML_REGION }}
-      ACTIONS_APP_PRIVATE_KEY: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+    review-dependency-bump:
+        if: github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]'
+        uses: scality/workflows/.github/workflows/claude-code-dependency-review.yml@v2
+        with:
+            ACTIONS_APP_ID: ${{ vars.ACTIONS_APP_ID }}
+        secrets: inherit