ci: add PR review workflow for GitHub review bot #255
Adds the pr-review.yml workflow so the GitHub review bot can be enabled for this repo, mirroring adobe/aio-cli-plugin-app-dev#163.
🤖 PR Reviewer
The workflow is well-structured with clear gating logic and good use of environment variables to avoid injection. Two moderate issues exist: the reusable workflow is pinned to a mutable @main ref (supply-chain risk), and the gh api call for PR data is not validated before extracting the SHA, which could silently produce an empty value if the API call fails.
📝 2 suggestion(s) - Please review inline comments below.
💡 How to re-trigger
Comment /review or /pr-reviewer on this PR
Codecov Report: ✅ All modified and coverable lines are covered by tests.
If the gh api call fetching PR data fails (network error, rate limit), fall through to allowed=false instead of letting an empty DATA produce a null head_sha.
🤖 PR Reviewer
The diff addresses the previously raised suggestion about gh api error handling for the DATA command (now fixed with || { echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; }). However, the workflow is still pinned to @main for the reusable workflow, which remains a supply-chain security risk. One additional minor issue: jq -r '.head.sha' could output null if the API response is malformed, which would silently pass through.
📝 2 suggestion(s) (1 new, 1 re-raised)
If the PR API response is missing .head.sha, jq -r emits the string "null". Bail out with allowed=false in that case rather than forwarding a bogus head_sha to the reusable workflow.
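The two failure modes raised in the inline comments (a failed gh api call leaving DATA empty, and jq -r emitting the literal string "null" for a missing .head.sha), worked through in one hardened gating step. This is an added example, not the workflow file in this PR; it assumes constructed PR JSON in place of real gh api output, a sed stand-in for jq -r '.head.sha' so it runs without jq, and OUT standing in for $GITHUB_OUTPUT.

```shell
#!/bin/sh
# Added example (not the PR's pr-review.yml): gating logic for the review bot step.
# Constructed inputs model `gh api repos/OWNER/REPO/pulls/N` output; OUT models $GITHUB_OUTPUT.

# is_full_sha: accept only a 40-character lowercase hex commit id.
is_full_sha() {
  case "$1" in
    ''|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# head_sha_from_json: stand-in for `jq -r '.head.sha'` so this runs without jq.
# Like jq -r, it prints the literal string "null" when the field is missing.
head_sha_from_json() {
  v=$(printf '%s' "$1" | sed -n 's/.*"head"[[:space:]]*:[[:space:]]*{[^}]*"sha"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else echo null; fi
}

# gate_pr STATUS DATA OUT: STATUS is the exit code of the gh api call, DATA its stdout.
# Appends allowed=true and head_sha=<sha> to OUT only when every check passes;
# otherwise appends allowed=false and returns 1, so the reusable workflow never
# receives an empty or bogus head_sha.
gate_pr() {
  status="$1"; data="$2"; out="$3"
  # Network error or rate limit: gh exits non-zero and DATA is empty.
  # Fall through to allowed=false instead of letting empty DATA produce a null SHA.
  if [ "$status" -ne 0 ] || [ -z "$data" ]; then
    echo "allowed=false" >> "$out"; return 1
  fi
  sha=$(head_sha_from_json "$data")
  # Malformed response: jq -r yields "null"; also reject anything that is not a full SHA.
  if [ "$sha" = null ] || ! is_full_sha "$sha"; then
    echo "allowed=false" >> "$out"; return 1
  fi
  { echo "allowed=true"; echo "head_sha=$sha"; } >> "$out"
}

# Constructed sample responses: one complete, one with .head.sha missing.
GOOD_PR='{"number":255,"head":{"ref":"ci/pr-review","sha":"0123456789abcdef0123456789abcdef01234567"}}'
BAD_PR='{"number":255,"head":{"ref":"ci/pr-review"}}'
```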
🤖 PR Reviewer
The SHA validation fix from the previous review has been correctly applied. One previous suggestion (SHA validation) is now resolved, but the reusable workflow is still pinned to @main which remains a supply-chain security risk.
🔄 1 re-raised suggestion(s) from previous review
Summary
- Adds .github/workflows/pr-review.yml so the GitHub review bot can be enabled for this repo.
- Note: the one-time per-repo manual setup is still required to enable the bot, and the APP_BUILDER_AWS_BEARER_TOKEN_BEDROCK secret is already added to this repo.
Test plan
- /review or /pr-reviewer comments from authorized users.