feat: ACNA-4515 add pr-reviewer workflow#80
🤖 PR Reviewer
The workflow is well-structured with a clear gate/review separation. There are two minor issues: the gh api call for PR data is not protected against injection via environment variables (low risk here since ISSUE_NUMBER comes from GitHub context), and the @main pin on the reusable workflow is mutable and could introduce supply-chain risk. Overall the logic is sound and the permission gating is appropriately conservative.
📝 2 suggestion(s) - Please review inline comments below.
💡 How to re-trigger
Comment /review or /pr-reviewer on this PR
| # Intentionally require admin or maintain; write collaborators are excluded to | ||
| # limit who can trigger potentially expensive/sensitive review automation. | ||
| if [ "$PERM" = "admin" ] || [ "$PERM" = "maintain" ]; then | ||
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) |
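Review bot: the `DATA=$(gh api ...)` line never checks the call's exit status, so if the request fails (for example when the comment is on a plain issue rather than a pull request, or the token lacks access) DATA is silently empty and whatever parses it downstream runs on nothing. Append `|| exit 1` (or run the step under `set -euo pipefail`) so the gate fails closed instead of continuing with empty data. This is separate from the quoting of the two expansions already raised.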
The gh api call interpolates $GITHUB_REPOSITORY and $ISSUE_NUMBER directly into the shell command string. While these values come from GitHub Actions context (not user input), it is safer and more idiomatic to pass them as path parameters using the --field flag or use the pre-set env var. More critically, $ISSUE_NUMBER is derived from github.event.issue.number which is an integer and safe, but for consistency and future-proofing the call should be quoted.
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) | |
| DATA=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${ISSUE_NUMBER}") |
| review: | ||
| needs: check | ||
| if: needs.check.outputs.allowed == 'true' | ||
| uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main |
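Review bot: the `if: needs.check.outputs.allowed == 'true'` gate is only as reliable as the check job's output: if `allowed` is left unset on some path (an event that skips the permission step, or a step that fails before writing to $GITHUB_OUTPUT) the comparison is simply false and the review is skipped silently rather than failing visibly. Have the check job write `allowed=false` unconditionally before the permission lookup and flip it to `true` only on the admin/maintain branch, so every path yields an explicit value.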
Pinning a reusable workflow to @main means any update to that branch (including potentially malicious ones) is immediately picked up. For supply-chain security, pin to a specific commit SHA or a tagged release instead.
| uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main | |
| uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@<commit-sha-or-tag> |
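As an added example (not code from this PR or from the adobe/aio-reusable-workflows project), a POSIX shell check that lists uses: references pinned to a branch or tag rather than a full commit SHA, the class of reference flagged above; it runs against a constructed sample workflow, and the pinned SHA in that sample is a placeholder, not a real commit:

```shell
#!/usr/bin/env sh
# Added example (not part of the PR): list every `uses:` reference in a
# workflow file whose ref is a branch or tag rather than a full commit SHA.
# Only a 40-hex SHA is immutable; `@main` or `@v4` can change after review.

# Constructed sample workflow so the script runs stand-alone; the SHA below
# is a placeholder, not a real commit.
SAMPLE_WORKFLOW=$(mktemp)
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  review:
    uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-action
EOF

# find_mutable_uses FILE: prints "mutable ref: <ref>" for each unpinned
# reference and returns 1 if any were found, 0 otherwise.
# Local actions (./path) and docker:// images are not git refs and are skipped.
find_mutable_uses() {
  file="$1"
  rc=0
  while IFS= read -r line; do
    # Extract the value after `uses:`, stopping at whitespace or a comment.
    ref=$(printf '%s\n' "$line" | sed -n 's/.*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    [ -z "$ref" ] && continue
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    # Everything after the last '@' is the ref; no '@' at all is also unpinned.
    sha=${ref##*@}
    if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf 'mutable ref: %s\n' "$ref"
      rc=1
    fi
  done < "$file"
  return "$rc"
}

find_mutable_uses "$SAMPLE_WORKFLOW" || echo "unpinned references found; pin them to a commit SHA"
```

Pointing the function at a real .github/workflows/*.yml file in CI and failing the job on a non-zero return gives the same check as a pre-merge gate.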
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Description
Adds an AI-powered PR reviewer workflow that automatically reviews pull requests using Claude via AWS Bedrock. Triggers on PR open/reopen/synchronize and on /review or /pr-reviewer comments by admins or maintainers.
Related Issue
ACNA-4515
Motivation and Context
Reduces code review toil by providing automated first-pass reviews with inline suggestions. Part of a broader rollout across App Builder repos.
How Has This Been Tested?
Tested end-to-end in adobe/generator-aio-app — workflow triggers correctly on PR events and /review comments, posts inline suggestions and summary reviews via github-actions[bot].
Screenshots (if appropriate):
N/A
Types of changes
Checklist: