From 8061dc245fd4f9f5e47793b4bec29bbdaec7ccb3 Mon Sep 17 00:00:00 2001
From: Patrick Russell
Date: Fri, 17 Apr 2026 13:15:17 -0700
Subject: [PATCH 1/3] ci: add PR review workflow for GitHub review bot
Adds the pr-review.yml workflow so the GitHub review bot can be enabled for this repo, mirroring adobe/aio-cli-plugin-app-dev#163.
---
 .github/workflows/pr-review.yml | 62 +++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/workflows/pr-review.yml
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
new file mode 100644
index 0000000..df219b4
--- /dev/null
+++ b/.github/workflows/pr-review.yml
@@ -0,0 +1,62 @@
+name: PR Review
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+ issue_comment:
+ types: [created]
+jobs:
+ check:
+ # NOTE: comment body matching is exact — /review or /pr-reviewer with no trailing spaces, newlines, or mixed case
+ # This does not fail the workflow; non-matching comments simply do not trigger the job
+ if: |
+ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) ||
+ (github.event_name == 'issue_comment' && github.event.issue.pull_request != null &&
+ (github.event.comment.body == '/review' || github.event.comment.body == '/pr-reviewer'))
+ runs-on: ubuntu-latest
+ outputs:
+ allowed: ${{ steps.gate.outputs.allowed }}
+ pr_number: ${{ steps.gate.outputs.pr_number }}
+ head_sha: ${{ steps.gate.outputs.head_sha }}
+ steps:
+ - name: Gate check
+ id: gate
+ run: |
+ set -euo pipefail
+ if [ "$EVENT_NAME" = "pull_request" ]; then
+ echo "allowed=true" >> $GITHUB_OUTPUT
+ echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+ echo "head_sha=$HEAD_SHA" >> $GITHUB_OUTPUT
+ else
+ # Fall back to "none" if user is not a collaborator (gh api returns 404) so allowed=false is output cleanly
+ PERM=$(gh api repos/$GITHUB_REPOSITORY/collaborators/$COMMENT_USER_LOGIN/permission --jq '.permission' 2>/dev/null || echo "none")
+ # Intentionally require admin or maintain; write collaborators are excluded to
+ # limit who can trigger potentially expensive/sensitive review automation.
+ if [ "$PERM" = "admin" ] || [ "$PERM" = "maintain" ]; then
+ DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER)
+ echo "allowed=true" >> $GITHUB_OUTPUT
+ echo "pr_number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT
+ echo "head_sha=$(echo "$DATA" | jq -r '.head.sha')" >> $GITHUB_OUTPUT
+ else
+ echo "allowed=false" >> $GITHUB_OUTPUT
+ fi
+ fi
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ EVENT_NAME: ${{ github.event_name }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ COMMENT_USER_LOGIN: ${{ github.event.comment.user.login }}
+ ISSUE_NUMBER: ${{ github.event.issue.number }}
+ # GITHUB_REPOSITORY is set automatically by GitHub Actions (owner/repo)
+
+ review:
+ needs: check
+ if: needs.check.outputs.allowed == 'true'
+ uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main
+ with:
+ pr_number: ${{ needs.check.outputs.pr_number }}
+ head_sha: ${{ needs.check.outputs.head_sha }}
+ secrets:
+ AWS_BEARER_TOKEN_BEDROCK: ${{ secrets.APP_BUILDER_AWS_BEARER_TOKEN_BEDROCK }}
From 18791f7b06c81c2674cd808516093797d01abe5a Mon Sep 17 00:00:00 2001
From: Patrick Russell
Date: Fri, 17 Apr 2026 13:26:16 -0700
Subject: [PATCH 2/3] ci: harden gh api call in PR review gate
If the gh api call fetching PR data fails (network error, rate limit), fall through to allowed=false instead of letting an empty DATA produce a null head_sha.
---
 .github/workflows/pr-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
index df219b4..613f37d 100644
--- a/.github/workflows/pr-review.yml
+++ b/.github/workflows/pr-review.yml
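Review bot: The `review` job calls `uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main`, a mutable branch ref, while handing it `APP_BUILDER_AWS_BEARER_TOKEN_BEDROCK`; anyone who can push to that repository's `main` can change what runs with this repo's secret, so pin the reference to a full commit SHA (`uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@<full-commit-sha> # main`) and let a dependency bot bump it. The file also declares no `permissions:` block, so both jobs inherit the repository's default `GITHUB_TOKEN` scope even though `check` only reads PR metadata; a top-level `permissions:` with `contents: read` and `pull-requests: read` should cover `check` (the `review` job must additionally grant whatever the called workflow declares, which is not visible here). Separately, the `issue_comment` branch of the gate resolves `.head.sha` from the PR API without the `head.repo.fork == false` test that the `pull_request` trigger applies, so an admin's `/review` on a fork PR forwards the fork's commit to the reusable workflow — acceptable only if that workflow never checks out and executes code at `head_sha`, which cannot be confirmed from this hunk.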
@@ -34,7 +34,7 @@ jobs:
 # Intentionally require admin or maintain; write collaborators are excluded to
 # limit who can trigger potentially expensive/sensitive review automation.
 if [ "$PERM" = "admin" ] || [ "$PERM" = "maintain" ]; then
- DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER)
+ DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) || { echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; }
 echo "allowed=true" >> $GITHUB_OUTPUT
 echo "pr_number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT
 echo "head_sha=$(echo "$DATA" | jq -r '.head.sha')" >> $GITHUB_OUTPUT
From ce713a1749f29637de4253fbeb0b921754783708 Mon Sep 17 00:00:00 2001
From: Patrick Russell
Date: Fri, 17 Apr 2026 13:28:56 -0700
Subject: [PATCH 3/3] ci: validate head_sha before passing to review job
If the PR API response is missing .head.sha, jq -r emits the string "null". Bail out with allowed=false in that case rather than forwarding a bogus head_sha to the reusable workflow.
---
 .github/workflows/pr-review.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
index 613f37d..2f973b1 100644
--- a/.github/workflows/pr-review.yml
+++ b/.github/workflows/pr-review.yml
@@ -35,9 +35,11 @@ jobs:
 # limit who can trigger potentially expensive/sensitive review automation.
 if [ "$PERM" = "admin" ] || [ "$PERM" = "maintain" ]; then
 DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) || { echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; }
+ HEAD_SHA_VALUE=$(echo "$DATA" | jq -r '.head.sha')
+ if [ -z "$HEAD_SHA_VALUE" ] || [ "$HEAD_SHA_VALUE" = "null" ]; then echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; fi
 echo "allowed=true" >> $GITHUB_OUTPUT
 echo "pr_number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT
- echo "head_sha=$(echo "$DATA" | jq -r '.head.sha')" >> $GITHUB_OUTPUT
+ echo "head_sha=$HEAD_SHA_VALUE" >> $GITHUB_OUTPUT
 else
 echo "allowed=false" >> $GITHUB_OUTPUT
 fi
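Review bot: The new `|| { echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; }` fallback fails closed, which is the right direction, but it exits 0 with nothing in the step log, so a maintainer whose `/review` silently produced no review has no way to tell a rate limit from a permission denial; emit an annotation before bailing, e.g. `|| { echo "::warning::could not fetch PR $ISSUE_NUMBER; skipping review"; echo "allowed=false" >> "$GITHUB_OUTPUT"; exit 0; }`. The `PERM` lookup just above the hunk has the same silent-skip shape, where a transient `gh api` failure (stderr discarded) is indistinguishable from a non-collaborator. The `run:` script this line belongs to starts before the hunk.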
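Review bot: The added `HEAD_SHA_VALUE` check rejects only an empty string and the literal `null`, yet the value is forwarded as `head_sha` to a reusable workflow in another repository, so pin its shape rather than just its non-emptiness: `if ! [[ "$HEAD_SHA_VALUE" =~ ^[0-9a-f]{40}$ ]]; then echo "allowed=false" >> "$GITHUB_OUTPUT"; exit 0; fi` subsumes both existing arms and rejects any other unexpected API payload (the script runs under bash, so `[[ =~ ]]` is available). The `-z` arm is largely redundant as written, since `jq -r` prints `null` for a missing or null `.head.sha` and only yields an empty string when the field is itself `""`. The `pull_request` branch above the hunk forwards `$HEAD_SHA` from the event payload with no validation at all, so whichever check is kept should probably apply there too for consistency. The enclosing `run:` script starts before this hunk.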