
801: AI Review#826

Open
naanci wants to merge 4 commits into main from 801-pt2

Conversation

@naanci
Collaborator

@naanci naanci commented Mar 3, 2026

801

Description of changes

Checklist before review

  • I have done a thorough self-review of the PR
  • Copilot has reviewed my latest changes, and all comments have been fixed and/or closed.
  • If I have made database changes, I have made sure I followed all the db repo rules listed in the wiki here. (check if no db changes)
  • All tests have passed
  • I have successfully deployed this PR to staging
  • I have done manual QA in both dev (and staging if possible) and attached screenshots below.

Screenshots

Dev

Staging

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

Available PR Commands

  • /ai - Triggers all AI review commands at once
  • /review - AI review of the PR changes
  • /describe - AI-powered description of the PR
  • /improve - AI-powered suggestions
  • /deploy - Deploy to staging

See: https://github.com/tahminator/codebloom/wiki/CI-Commands

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ No major issues detected

naanci and others added 3 commits March 3, 2026 15:30
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@tahminator
Owner

/review

@tahminator
Owner

/describe

@tahminator
Owner

/improve

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

Preparing PR description...

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The workflow uses a GH_PAT (GitHub Personal Access Token) to post comments. It is crucial to ensure that the GH_PAT secret (${{ env.GH_PAT }}) has the absolute minimum necessary permissions. If this token has broad repo scope permissions, it could pose a significant security risk if compromised, allowing unauthorized access to the repository. Verify that the token's scope is restricted to only what is needed for posting PR comments (e.g., pull_requests: write).

⚡ Recommended focus areas for review

Workflow Behavior

The workflow is configured to automatically post /review, /describe, and /improve commands on pull_request events such as opened, reopened, ready_for_review, and synchronize. This means that every time a PR is updated (e.g., new commits are pushed), three separate AI commands will be triggered and post comments. This could lead to a large number of comments on the PR timeline, potentially spamming it or generating redundant feedback for minor changes. Consider if a single, consolidated AI review command would be more appropriate, or if these commands should be triggered more selectively (e.g., only on ready_for_review or via a single manual trigger).

- name: Post /review command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}

- name: Post /describe command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/improve"
    token: ${{ env.GH_PAT }}

Comment on lines +11 to +15
workflow_dispatch:
  inputs:
    prId:
      description: "PR to deploy"
      required: false
Contributor


Suggestion: The prId input for the workflow_dispatch trigger is currently optional, but it is critical for the workflow to identify the target Pull Request. Without a prId, subsequent jobs and steps that rely on this identifier will fail to operate on the correct PR. Make this input required to ensure the workflow always has the necessary context. [possible issue, importance: 8]

Suggested change

Original:

workflow_dispatch:
  inputs:
    prId:
      description: "PR to deploy"
      required: false

Suggested:

workflow_dispatch:
  inputs:
    prId:
      description: "PR to deploy"
      required: true

Comment on lines 49 to 51
pull_number: parseInt(prId, 10)
});
return pr.head.sha;
Contributor


Suggestion: The getPRHead job's script incorrectly assumes github.event.number or github.event.issue.number will be available for workflow_dispatch events. For workflow_dispatch, the PR ID must be retrieved from inputs.prId. Update the script to correctly use inputs.prId when triggered by workflow_dispatch to prevent failures. [possible issue, importance: 9]

New proposed code:
 ...
         script: |
-          const prId = ${{ github.event.number ||  github.event.issue.number }};
+          let prId;
+          if (context.eventName === 'workflow_dispatch') {
+              prId = `${{ inputs.prId }}`;
+          } else {
+              prId = `${{ github.event.number || github.event.issue.number }}`;
+          }
+          if (!prId || isNaN(parseInt(prId, 10))) {
+              throw new Error("PR ID is missing or invalid.");
+          }
           const { data: pr } = await github.rest.pulls.get({
               owner: context.repo.owner,
               repo: context.repo.repo,
               pull_number: parseInt(prId, 10)
           });
           return pr.head.sha;
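Review bot: the `+` lines `prId = \`${{ inputs.prId }}\`;` and `prId = \`${{ github.event.number || github.event.issue.number }}\`;` still splice workflow expression values straight into the JavaScript source, so the value becomes code before the `isNaN(parseInt(prId, 10))` check that follows can see it; pass both through `env:` (for example `PR_ID: ${{ inputs.prId }}`) and read `process.env.PR_ID` in the script, which also lets the `context.eventName` branch collapse into a single `const prId = process.env.PR_ID || process.env.EVENT_PR_NUMBER;`. Note as well that `parseInt` accepts trailing characters ("826abc" parses as 826), so a strict `/^[0-9]+$/.test(prId)` is a tighter guard than the `isNaN(parseInt(...))` shown.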

@angelayu0530
Collaborator

/ai

@tahminator
Owner

/review

@tahminator
Owner

/describe

@tahminator
Owner

/improve

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

Preparing PR description...

@github-actions
Contributor

github-actions bot commented Mar 3, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Workflow Logic

The workflow now posts AI commands (/review, /describe, /improve) to the PR rather than directly performing an AI code review. This implies a shift in architecture where another system or workflow is expected to listen for and process these commands. Please confirm this architectural change and ensure the downstream system is correctly configured to handle these new comment-based triggers.

- name: Post /review command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}

- name: Post /describe command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/improve"
    token: ${{ env.GH_PAT }}
Manual Triggering

The issue_comment trigger has been removed, meaning users can no longer manually trigger AI reviews by commenting slash commands (e.g., /review) directly on the PR. While workflow_dispatch allows manual triggering via the GitHub UI, consider if the ability to trigger reviews via PR comments is a desired feature that should be retained.

pull_request:
  types: [opened, reopened, ready_for_review, synchronize]

Comment on lines +76 to +95
- name: Post /review command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}

- name: Post /describe command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/improve"
    token: ${{ env.GH_PAT }}
Contributor


Suggestion: The workflow is named AI Command Handler but unconditionally posts all three /review, /describe, and /improve commands. To truly act as a handler, add a command input to workflow_dispatch and make these steps conditional based on the provided input, allowing specific commands to be triggered. If no command is specified (e.g., on pull_request events), a default set of commands could be posted. [general, importance: 9]

Suggested change

Original:

- name: Post /review command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}
- name: Post /describe command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/describe"
    token: ${{ env.GH_PAT }}
- name: Post /improve command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/improve"
    token: ${{ env.GH_PAT }}

Suggested:

on:
  pull_request:
    types: [opened, reopened, ready_for_review, synchronize]
  workflow_dispatch:
    inputs:
      prId:
        description: "PR to deploy"
        required: false
      repository:
        description: "The repository from which the slash command was dispatched"
        required: false
      comment-id:
        description: "The comment-id of the slash command"
        required: false
      author:
        description: "The author that triggered this actions"
        required: false
      command:
        description: "The specific AI command to execute (e.g., /review, /describe, /improve)"
        required: false
...
- name: Post /review command
  if: ${{ inputs.command == '/review' || (github.event_name == 'pull_request' && inputs.command == '') }}
  uses: ./.github/composite/send-message
  with:
    prId: ${{ inputs.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}

@@ -38,9 +49,8 @@ jobs:
pull_number: parseInt(prId, 10)
Contributor


Suggestion: The getPRHead job's script for retrieving the PR ID does not account for workflow_dispatch events. When triggered by workflow_dispatch, github.event.number and github.event.issue.number are typically null, causing the PR lookup to fail. Update the script to use inputs.prId when available to ensure correct PR identification. [possible issue, importance: 10]

New proposed code:
-              const prId = ${{ github.event.number ||  github.event.issue.number }};
+              const prId = ${{ inputs.prId || github.event.pull_request.number || github.event.number || github.event.issue.number }};
+              if (!prId) {
+                throw new Error('PR ID not found for workflow run.');
+              }
               const { data: pr } = await github.rest.pulls.get({
                   owner: context.repo.owner,
                   repo: context.repo.repo,
                   pull_number: parseInt(prId, 10)
               });
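Review bot: the `+` line `const prId = ${{ inputs.prId || github.event.pull_request.number || github.event.number || github.event.issue.number }};` is unquoted, so when every alternative is empty (a `workflow_dispatch` run without `prId`) the expression renders as `const prId = ;`, a syntax error that aborts the script before the `if (!prId)` guard on the next lines can raise the intended 'PR ID not found' error. Quote the value (`\`${{ ... }}\``) or, better, forward it through `env:` and read `process.env.PR_ID`, so the guard is what actually handles the missing case.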

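As an added example (not code from the codebloom repository or from this PR), here is the PR-number resolution both suggestions above are reaching for, covering the workflow_dispatch, pull_request and issue_comment triggers discussed in this thread. It assumes the workflow forwards inputs.prId to the script through env as PR_ID (a name chosen here) instead of interpolating the expression into the script body.

```javascript
// Added example: resolve the target PR number for a getPRHead-style github-script step.
// Assumption: the workflow sets `env: PR_ID: ${{ inputs.prId }}` and the script reads
// process.env, so an untrusted input never becomes JavaScript source.

/**
 * eventName: context.eventName, payload: context.payload, env: process.env.
 * Returns a positive integer PR number or throws with the reason.
 */
function resolvePrNumber(eventName, payload, env) {
  let raw;
  switch (eventName) {
    case 'workflow_dispatch':
      // Manual runs carry no pull_request object; the number comes from the input.
      raw = env.PR_ID;
      break;
    case 'pull_request':
    case 'pull_request_target':
      raw = payload.pull_request && payload.pull_request.number;
      break;
    case 'issue_comment':
      // Slash commands typed on a PR: only PR comments carry issue.pull_request.
      if (!(payload.issue && payload.issue.pull_request)) {
        throw new Error('issue_comment event is not on a pull request');
      }
      raw = payload.issue.number;
      break;
    default:
      throw new Error(`unsupported event: ${eventName}`);
  }
  // Strict digit check: parseInt() alone would accept "826abc" as 826.
  const text = String(raw === undefined || raw === null ? '' : raw).trim();
  if (!/^[1-9][0-9]*$/.test(text)) {
    throw new Error(`PR ID is missing or invalid: "${text}"`);
  }
  return Number(text);
}

// Inside an actions/github-script step the call would look like:
//   const prNumber = resolvePrNumber(context.eventName, context.payload, process.env);
//   const { data: pr } = await github.rest.pulls.get({
//     owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber });
//   return pr.head.sha;
```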