feat: ACNA-4515 add pr-reviewer workflow #143
🤖 PR Reviewer
The workflow is well-structured with clear security gating. The permission check is sensible, and using environment variables to pass context values (rather than interpolating directly into shell) is a good practice. One moderate concern exists around the gh api call for PR data being susceptible to injection if the issue number were ever attacker-controlled, though in this context it's sourced from the GitHub event payload and is numeric, making exploitation very unlikely. Overall the file is clean and approvable with minor suggestions.
✅ LGTM! This PR looks good to merge.
💡 How to re-trigger
Comment /review or /pr-reviewer on this PR
| # Intentionally require admin or maintain; write collaborators are excluded to | ||
| # limit who can trigger potentially expensive/sensitive review automation. | ||
| if [ "$PERM" = "admin" ] || [ "$PERM" = "maintain" ]; then | ||
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) |
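Review bot: `$GITHUB_REPOSITORY` and `$ISSUE_NUMBER` are unquoted in the `gh api` path on the `DATA=` line, so an empty or non-numeric value would be word-split into the command rather than rejected. Quote both and accept only digits before the call, e.g. `case "$ISSUE_NUMBER" in ''|*[!0-9]*) echo "allowed=false" >> "$GITHUB_OUTPUT"; exit 0;; esac`, which also closes the injection path the summary comment mentions.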
The gh api call result is stored without validating that it's valid JSON or that .head.sha is non-empty. If the API call fails and 2>/dev/null suppresses the error, DATA could be empty and head_sha would be set to 'null' (the string), which could cause subtle failures downstream. Consider adding a check.
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) | |
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) || { echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; } | |
| HEAD=$(echo "$DATA" | jq -r '.head.sha') | |
| if [ -z "$HEAD" ] || [ "$HEAD" = "null" ]; then echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; fi |
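Review bot: the suggested `|| { echo "allowed=false" >> $GITHUB_OUTPUT; exit 0; }` gives an API or network failure the same outcome as a permission denial, so a transient `gh api` error is indistinguishable from an unauthorized trigger in the run log. Emit an `echo "::warning::pull request lookup failed"` (or `::error::`) line before `exit 0` in both fallback branches, and quote `"$GITHUB_OUTPUT"` for consistency with the other variables.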
| review: | ||
| needs: check | ||
| if: needs.check.outputs.allowed == 'true' | ||
| uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main |
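Review bot: the `review` job calls the reusable workflow with no visible `permissions:` or `secrets:` block, so the called workflow runs with the caller's default token permissions and receives no repository secrets unless they are passed. Declare the minimum explicitly (e.g. `contents: read` and `pull-requests: write` for posting reviews) and pass the Bedrock credentials by name under `secrets:` rather than `secrets: inherit`, so the third-party workflow cannot read any other secret in this repository.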
Pinning the reusable workflow to @main means any future breaking change or malicious commit to that branch will immediately affect this workflow. Consider pinning to a specific SHA or a version tag for supply-chain safety.
| uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main | |
| uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@<commit-sha-or-tag> |
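Review bot: if the `<commit-sha-or-tag>` placeholder is filled with a tag, keep in mind that tags are mutable and can be re-pointed at a different commit; a full 40-character commit SHA followed by a `# vX.Y.Z` comment gives an immutable pin that stays readable.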
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Description
Adds an AI-powered PR reviewer workflow that automatically reviews pull requests using Claude via AWS Bedrock. Triggers on PR open/reopen/synchronize and on /review or /pr-reviewer comments by admins or maintainers.
Related Issue
ACNA-4515
Motivation and Context
Reduces code review toil by providing automated first-pass reviews with inline suggestions. Part of a broader rollout across App Builder repos.
How Has This Been Tested?
Tested end-to-end in adobe/generator-aio-app — workflow triggers correctly on PR events and /review comments, posts inline suggestions and summary reviews via github-actions[bot].
Screenshots (if appropriate):
N/A
Types of changes
Checklist: