From cbb2e0c453188d5c0811b5f3a1fc862df2a71d19 Mon Sep 17 00:00:00 2001
From: Derek Misler
Date: Wed, 29 Apr 2026 10:15:54 -0400
Subject: [PATCH] update PR review workflow with fork-supporting trigger

Signed-off-by: Derek Misler
---
 .github/workflows/pr-review-trigger.yml | 33 +++++++++++++++++++++++++
 .github/workflows/pr-review.yml | 29 +++++++++++-----------
 2 files changed, 48 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/pr-review-trigger.yml

diff --git a/.github/workflows/pr-review-trigger.yml b/.github/workflows/pr-review-trigger.yml
new file mode 100644
index 000000000..8ceb7044f
--- /dev/null
+++ b/.github/workflows/pr-review-trigger.yml
@@ -0,0 +1,33 @@
+name: PR Review - Trigger
+on:
+ pull_request:
+ types: [ready_for_review, opened]
+ pull_request_review_comment:
+ types: [created]
+
+permissions: {}
+
+jobs:
+ save-context:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Save event context
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ COMMENT_JSON: ${{ toJSON(github.event.comment) }}
+ run: |
+ mkdir -p context
+ printf '%s' "${{ github.event_name }}" > context/event_name.txt
+ printf '%s' "$PR_NUMBER" > context/pr_number.txt
+ printf '%s' "$PR_HEAD_SHA" > context/pr_head_sha.txt
+ if [ "${{ github.event_name }}" = "pull_request_review_comment" ]; then
+ printf '%s' "$COMMENT_JSON" > context/comment.json
+ fi
+
+ - name: Upload context
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: pr-review-context
+ path: context/
+ retention-days: 1
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
index 12db45e87..047a562d0 100644
--- a/.github/workflows/pr-review.yml
+++ b/.github/workflows/pr-review.yml
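Review bot: Every value this job writes into the `pr-review-context` artifact — the PR number, the head SHA and the full review-comment JSON — comes from a `pull_request` / `pull_request_review_comment` event that a fork author can raise, and it is later consumed by a `workflow_run` run that holds write permissions and secrets, yet nothing in this file records that trust boundary. I would add a header comment above `name:` stating that this workflow intentionally runs with `permissions: {}` and no secrets, and that the artifact contents are untrusted input which the consuming workflow must validate (for example by resolving the PR number through the API and comparing the stored head SHA with the triggering `workflow_run` payload) before any checkout or shell use of them. As a matter of style, the `run:` block splices `${{ github.event_name }}` directly into the script twice while the other values are passed through `env:`; passing it the same way keeps the script free of expression interpolation: add `EVENT_NAME: ${{ github.event_name }}` under `env:` and use `printf '%s' "$EVENT_NAME" > context/event_name.txt` and `if [ "$EVENT_NAME" = "pull_request_review_comment" ]; then`.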
@@ -1,27 +1,28 @@
 name: PR Review
 on:
- issue_comment: # Enables /review command in PR comments
+ issue_comment:
 types: [created]
- pull_request_review_comment: # Captures feedback on review comments for learning
- types: [created]
- pull_request: # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review)
- types: [ready_for_review, opened]
+ workflow_run:
+ workflows: ["PR Review - Trigger"]
+ types: [completed]
 permissions:
 contents: read # Required at top-level to give `issue_comment` events access to the secrets below.
 jobs:
 review:
- uses: docker/cagent-action/.github/workflows/review-pr.yml@d98096f432f2aea5091c811852c4da804e60623a # v1.4.1
+ if: |
+ github.event_name == 'issue_comment' ||
+ github.event.workflow_run.conclusion == 'success'
+ uses: docker/cagent-action/.github/workflows/review-pr.yml@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3
 # Scoped to the job so other jobs in this workflow aren't over-permissioned
 permissions:
 contents: read # Read repository files and PR diffs
- pull-requests: write # Post review comments and approve/request changes
- issues: write # Create security incident issues if secrets are detected in output
- checks: write # (Optional) Show review progress as a check run on the PR
+ pull-requests: write # Post review comments
+ issues: write # Create security incident issues if secrets detected
+ checks: write # (Optional) Show review progress as a check run
 id-token: write # Required for OIDC authentication to AWS Secrets Manager
- secrets:
- ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
- CAGENT_ORG_MEMBERSHIP_TOKEN: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }} # PAT with read:org scope; gates auto-reviews to org members only
- CAGENT_REVIEWER_APP_ID: ${{ secrets.CAGENT_REVIEWER_APP_ID }} # GitHub App ID; reviews appear as your app instead of github-actions[bot]
- CAGENT_REVIEWER_APP_PRIVATE_KEY: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }} # GitHub App private key; paired with App ID above
+ actions: read # Download artifacts from trigger workflow
+ with:
+ trigger-run-id: ${{ github.event_name == 'workflow_run' && format('{0}', github.event.workflow_run.id) || '' }}
+
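Review bot: The retained comment `# Required at top-level to give \`issue_comment\` events access to the secrets below.` now refers to a `secrets:` block this hunk deletes, and no `secrets: inherit` replaces it, so the explanation points at nothing. Presumably the reusable workflow at v1.4.3 obtains those credentials through the OIDC path that the `id-token: write` comment mentions, but that is not visible here; if the called workflow still declares required `workflow_call` secrets the call would be rejected, so please confirm and reword the comment to describe what the top-level `contents: read` grant is for today rather than the removed block. It is also worth a comment above `if:` that on the `workflow_run` path this job runs with `pull-requests: write`, `issues: write` and `id-token: write` against artifact contents produced by a run a fork author can trigger, so `conclusion == 'success'` is a liveness gate, not a trust check, and the artifact must be treated as untrusted input that the called workflow validates — this keeps a future maintainer from adding steps that consume `trigger-run-id` artifacts directly. Finally, the hunk adds an empty line at end of file, which yamllint's `empty-lines` rule flags.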