|
1 | 1 | name: PR Review |
2 | 2 | on: |
3 | | - issue_comment: # Enables /review command in PR comments |
| 3 | + issue_comment: # Enables /review command in PR comments |
4 | 4 | types: [created] |
5 | 5 | pull_request_review_comment: # Captures feedback on review comments for learning |
6 | 6 | types: [created] |
7 | | - pull_request: # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review) |
8 | | - types: [ready_for_review, opened] |
| 7 | + workflow_run: # Auto-review for all PRs via artifact handoff (fork and non-fork) |
| 8 | + workflows: ["PR Review - Trigger"] |
| 9 | + types: [completed] |
9 | 10 |
|
10 | 11 | permissions: |
11 | | - contents: read # Required at top level so `GITHUB_TOKEN` for `issue_comment` events can read repository contents. |
| 12 | + contents: read # Required at top-level so `issue_comment` events can read repository contents. |
| 13 | + actions: read # Required to download artifacts from the PR Review - Trigger workflow run. |
12 | 14 |
|
13 | 15 | jobs: |
14 | | - review: |
15 | | - if: >- |
16 | | - github.event_name == 'issue_comment' || |
17 | | - github.event_name == 'pull_request_review_comment' || |
18 | | - github.event.pull_request.user.login != 'dependabot[bot]' |
19 | | - uses: docker/cagent-action/.github/workflows/review-pr.yml@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1 |
| 16 | + get-pr-context: |
| 17 | + if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' |
| 18 | + runs-on: ubuntu-latest |
| 19 | + outputs: |
| 20 | + pr-number: ${{ steps.pr.outputs.number }} |
| 21 | + steps: |
| 22 | + - name: Download PR context |
| 23 | + if: github.event_name == 'workflow_run' |
| 24 | + continue-on-error: true |
| 25 | + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 |
| 26 | + with: |
| 27 | + name: pr-review-context |
| 28 | + run-id: ${{ github.event.workflow_run.id }} |
| 29 | + github-token: ${{ github.token }} |
| 30 | + |
| 31 | + - name: Read PR number |
| 32 | + id: pr |
| 33 | + if: github.event_name == 'workflow_run' |
| 34 | + run: echo "number=$(cat pr_number.txt)" >> $GITHUB_OUTPUT |
| 35 | + |
| 36 | + run-docker-agent: |
| 37 | + needs: [get-pr-context] |
| 38 | + if: | |
| 39 | + always() && ( |
| 40 | + github.event_name == 'issue_comment' || |
| 41 | + github.event_name == 'pull_request_review_comment' || |
| 42 | + needs.get-pr-context.result == 'success' |
| 43 | + ) |
| 44 | + uses: docker/cagent-action/.github/workflows/review-pr.yml@d98096f432f2aea5091c811852c4da804e60623a # v1.4.1 |
20 | 45 | # Scoped to the job so other jobs in this workflow aren't over-permissioned |
21 | 46 | permissions: |
22 | | - contents: read # Read repository files and PR diffs |
| 47 | + contents: read # Read repository files and PR diffs |
23 | 48 | pull-requests: write # Post review comments and approve/request changes |
24 | | - issues: write # Create security incident issues if secrets are detected in output |
25 | | - checks: write # (Optional) Show review progress as a check run on the PR |
26 | | - secrets: |
27 | | - ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} |
28 | | - CAGENT_ORG_MEMBERSHIP_TOKEN: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }} # PAT with read:org scope; gates auto-reviews to org members only |
29 | | - CAGENT_REVIEWER_APP_ID: ${{ secrets.CAGENT_REVIEWER_APP_ID }} # GitHub App ID; reviews appear as your app instead of github-actions[bot] |
30 | | - CAGENT_REVIEWER_APP_PRIVATE_KEY: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }} # GitHub App private key; paired with App ID above |
| 49 | + issues: write # Create security incident issues if secrets are detected in output |
| 50 | + checks: write # (Optional) Show review progress as a check run on the PR |
| 51 | + id-token: write # Required for OIDC authentication to AWS Secrets Manager |
| 52 | + with: |
| 53 | + pr-number: ${{ needs.get-pr-context.outputs.pr-number }} |
0 commit comments