4 changes: 3 additions & 1 deletion .github/workflows/ai-command.yml
@@ -35,10 +35,12 @@ jobs:
- name: Get PR head SHA
id: pr-head
uses: actions/github-script@v7
env:
PR_ID: ${{ inputs.prId }}
with:
result-encoding: string
script: |
const prId = ${{ inputs.prId }};
const prId = process.env.PR_ID;
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
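Review bot: moving `${{ inputs.prId }}` out of the script body into `env: PR_ID` is the right fix, since an expression interpolated into a `github-script` body is evaluated as JavaScript, but `process.env.PR_ID` is a string where the old inline expression yielded a number; if `prId` is handed to `pulls.get` as `pull_number`, parse and validate it first, for example `const prId = Number(process.env.PR_ID);` followed by `if (!Number.isInteger(prId) || prId <= 0) { core.setFailed('invalid PR id'); return; }`, so a malformed dispatch input fails fast instead of surfacing as an unclear API error.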
43 changes: 40 additions & 3 deletions .github/workflows/ai-review.yml
@@ -3,7 +3,21 @@

on:
pull_request:
types: [opened, reopened, ready_for_review, synchronize]
types: [reopened, ready_for_review, synchronize]
Comment on lines 4 to +6
Contributor


Suggestion: The pull_request trigger no longer includes the opened type, meaning the AI review will not run when a PR is initially created. To align with the PR title "run /ai after first pr push" and ensure immediate review upon PR creation, re-add the opened type to the trigger. [general, importance: 8]

Suggested change
on:
pull_request:
types: [opened, reopened, ready_for_review, synchronize]
types: [reopened, ready_for_review, synchronize]
on:
pull_request:
types: [opened, reopened, ready_for_review, synchronize]

workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false
repository:
description: "The repository from which the slash command was dispatched"
required: false
comment-id:
description: "The comment-id of the slash command"
required: false
author:
description: "The author that triggered this actions"
required: false
issue_comment:
types: [created]

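Review bot: adding `issue_comment: types: [created]` makes this a privileged workflow (it holds `pull-requests: write` and, further down, `GH_PAT` and `GPG_PASSPHRASE`) that any account able to comment on the repository can start, which is exactly what the CodeQL "Checkout of untrusted code in a privileged context" alerts on this PR are reporting; the comment path needs a gate, for example `if: github.event.issue.pull_request && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` on the job, or better a separate workflow with read-only permissions that handles comments and hands off via `workflow_run`. Two smaller points on the `workflow_dispatch` inputs: `prId` is described as "PR to deploy" although this workflow reviews rather than deploys, and "The author that triggered this actions" should read "this action".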
@@ -13,7 +27,7 @@
pull-requests: write

concurrency:
group: pr-ai-${{ github.event.number || github.event.issue.number }}-${{ github.event.comment.body || 'pr' }}
group: ai-command-${{ github.event.number || github.event.issue.number }}
cancel-in-progress: true

jobs:
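Review bot: dropping the comment body from the concurrency key while keeping `cancel-in-progress: true` means every run for a PR now shares `ai-command-<number>`, so each of the three comments this workflow itself posts (`/review`, `/describe`, `/improve`) starts a new `issue_comment` run that cancels the previous one, and a comment arriving while a `pull_request` run is in progress cancels that run too; either keep a per-command discriminator in the group (the old `github.event.comment.body || 'pr'` did this, though a raw comment body is an awkward key and a fixed command name or a hash of the body is cleaner) or use `cancel-in-progress: false` for the comment-triggered runs. Also confirm that `ai-command.yml` does not use the same `ai-command-` group name, since concurrency groups are shared across workflows in a repository and the two would cancel each other.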
@@ -28,10 +42,12 @@
- name: Get PR head SHA
id: pr-head
uses: actions/github-script@v7
env:
PR_ID: ${{ github.event.number || github.event.issue.number }}
with:
result-encoding: string
script: |
const prId = ${{ github.event.number || github.event.issue.number }};
const prId = process.env.PR_ID;
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
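Review bot: with the new `issue_comment` trigger, `PR_ID` becomes `github.event.issue.number` for any comment, including comments on plain issues, so `pulls.get` will return 404 for a non-PR issue; check `github.event.issue.pull_request` (only present when the issue is a pull request) before calling the API, or fail early with `core.setFailed('not a pull request comment')`. As in `ai-command.yml`, the env value is a string, so convert it with `Number()` before using it as `pull_number`.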
@@ -63,7 +79,28 @@
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
UNLOAD_ENVIRONMENTS: ci

- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/review"
token: ${{ env.GH_PAT }}

- name: Post /describe command
Comment on lines +82 to +89
Check failure: Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical). Potential execution of untrusted code on a privileged workflow (issue_comment)
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/describe"
token: ${{ env.GH_PAT }}

- name: Post /improve command
Comment on lines +89 to +96
Check failure: Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical). Potential execution of untrusted code on a privileged workflow (issue_comment)
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/improve"
token: ${{ env.GH_PAT }}
Comment on lines +82 to +101
Contributor


Suggestion: The new steps for posting AI commands can lead to an infinite recursive loop. When these commands are posted as comments, they will re-trigger the same workflow via the issue_comment event. Add an if condition to these steps to ensure they only run when the workflow is triggered by a pull_request event. [possible issue, importance: 9]

Suggested change
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /describe command
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/describe"
token: ${{ env.GH_PAT }}
- name: Post /improve command
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/improve"
token: ${{ env.GH_PAT }}
- name: Post /review command
if: github.event_name == 'pull_request'
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /describe command
if: github.event_name == 'pull_request'
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/describe"
token: ${{ env.GH_PAT }}
- name: Post /improve command
if: github.event_name == 'pull_request'
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/improve"
token: ${{ env.GH_PAT }}


- name: Run composite workflow

Check failure: Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical). Potential execution of untrusted code on a privileged workflow (issue_comment)
uses: ./.github/composite/notion-checks
id: notion_check
with:
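Review bot: the three `send-message` steps post comments with `GH_PAT`, and because the file now triggers on `issue_comment`, each posted comment re-enters this workflow; beyond the recursion raised in the comment above, the combination is what CodeQL flags as critical on every step in this hunk: a job reachable from an untrusted trigger while holding a personal access token (tied to a user account and typically broader than `GITHUB_TOKEN`), `GPG_PASSPHRASE` and write permissions, and that CodeQL reports as checking out untrusted code. The `if: github.event_name == 'pull_request'` guard suggested above stops the loop but not the exposure; the comment-triggered path should run with the minimum it needs (`permissions: contents: read`, `GITHUB_TOKEN` rather than the PAT, and no `GPG_PASSPHRASE` in its environment), with the privileged steps, including `Run composite workflow`, limited to `pull_request` events from the base repository or placed behind an author-association check.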