UID2-7022: add Azure OpenAI automated PR code review (MVP)

[sunnywu]

Summary

Adds an MVP workflow that posts a single, idempotently-updated PR comment containing an Azure OpenAI–generated code review.

• .github/scripts/review_pr_diff.py — reads the unified PR diff from stdin, calls the configured Azure OpenAI deployment with a code-review system prompt (correctness / security / error handling / test coverage), and writes a base64-encoded markdown comment body to $GITHUB_OUTPUT. Truncates diffs above 60k chars; exits cleanly when the diff is empty or required env vars are missing.
• .github/actions/comment_ai_review/action.yml — composite action that creates, updates, or deletes a single PR comment keyed by the header marker ## Azure OpenAI Code Review.
• .github/workflows/ai-code-review.yaml — pull_request (opened, synchronize, reopened) + workflow_dispatch trigger. Skips draft PRs and PRs from forks (forks don't get the secrets anyway). Concurrency group cancels superseded runs.

Prerequisite — secret provisioning

Two repository (or org-level) secrets must be added to IABTechLab/uid2-admin before the workflow can call Azure OpenAI:

• AZURE_OPENAI_API_KEY
• AZURE_OPENAI_ENDPOINT

The model deployment name defaults to gpt-5 and can be overridden via the optional AZURE_OPENAI_DEPLOYMENT env var if a different deployment is preferred.

Until both secrets are provisioned, the workflow runs, logs No review produced: AZURE_OPENAI_API_KEY is not set (or similar for the endpoint), and exits cleanly without posting a comment.

Out of scope (intentionally deferred)

• Inline review comments via POST /repos/{owner}/{repo}/pulls/{pr}/reviews — needs hunk parsing and structured model output. Will revisit if the summary form earns its keep.
• Per-file chunking for very large PRs — current approach truncates to 60k chars.
• Path / label gating to control spend — every non-draft, non-fork PR is reviewed today.

Test plan

• Verify the workflow runs against this PR after merge — should currently log the missing-secret message and post no comment.
• Once the secrets are provisioned, manually re-trigger via workflow_dispatch against an open PR and confirm a single ## Azure OpenAI Code Review comment is created.
• Push another commit to the same PR and confirm the existing comment is updated (not duplicated).
• Open a draft PR — workflow should skip.
• Open a PR from a fork — workflow should skip.
• Open a PR with no real diff (e.g. only file mode changes) — any prior AI review comment should be deleted.

Related

• Jira: UID2-7022