|
| 1 | +# Reviewer Bot — follow-up on review-comment replies. |
| 2 | +# |
| 3 | +# Thin caller of the databricks-bot-engine reusable workflow. The engine owns |
| 4 | +# the security + correctness floor (fork==false, PR open), token mint, engine |
| 5 | +# install, and the agent invocation; loop-prevention (skip own reply / reconcile |
| 6 | +# / non-reply comments) lives in the engine's followup.py post-checkout. This |
| 7 | +# file is just `on:` + `uses:` + `secrets:`. |
| 8 | +# |
| 9 | +# Enablement policy: NO `if:` gate — engage every non-fork open PR, matching this |
| 10 | +# repo's prior behavior. (To restrict later, add a caller-job `if:`, e.g. a |
| 11 | +# `review-bot` label gate; it ANDs with the engine's security floor.) |
| 12 | +# |
| 13 | +# Engine pin: the SHA below is used in BOTH the `uses:` ref AND `engine-ref:`. |
| 14 | +# Bump both in lockstep with reviewer-bot.yml; never use @main. |
1 | 15 | name: Reviewer Bot — Follow-up |
2 | 16 |
|
3 | 17 | on: |
4 | 18 | pull_request_review_comment: |
5 | 19 | types: [created] |
| 20 | + pull_request: |
| 21 | + types: [synchronize] |
6 | 22 |
|
7 | 23 | permissions: |
8 | | - # The workflow GITHUB_TOKEN is not used to interact with the PR — we mint a |
9 | | - # dedicated peco-review-bot App installation token and use that everywhere. |
10 | | - # Required App permissions on the installation (NOT this workflow): |
11 | | - # Pull requests: Read & Write — posting inline replies |
12 | | - # Issues: Read & Write — comment plumbing |
13 | | - # Contents: Read & Write — resolveReviewThread mutation |
14 | | - # (Pull-requests:write is NOT sufficient for the resolve mutation; |
15 | | - # GitHub gates it behind Contents.) |
16 | 24 | contents: read |
17 | | - id-token: write # JFrog OIDC exchange for the SDK/CLI install (setup-claude-sdk) |
| 25 | + pull-requests: write |
| 26 | + id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install |
18 | 27 |
|
19 | 28 | jobs: |
20 | 29 | followup: |
21 | | - # SECURITY: skip fork PRs — keep DATABRICKS_TOKEN out of untrusted code's |
22 | | - # reach. Mirrors the guard in reviewer-bot.yml. |
23 | | - if: github.event.pull_request.head.repo.fork == false && github.event.pull_request.state == 'open' |
24 | | - runs-on: |
25 | | - group: databricks-protected-runner-group |
26 | | - labels: [linux-ubuntu-latest] |
27 | | - timeout-minutes: 10 |
28 | | - steps: |
29 | | - - name: Mint review-bot App token |
30 | | - id: app-token |
31 | | - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 |
32 | | - with: |
33 | | - app-id: ${{ secrets.REVIEW_BOT_APP_ID }} |
34 | | - private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }} |
35 | | - |
36 | | - - name: Cheap pre-checkout filter |
37 | | - id: filter |
38 | | - env: |
39 | | - GH_TOKEN: ${{ steps.app-token.outputs.token }} |
40 | | - REPO: ${{ github.repository }} |
41 | | - TRIGGER_ID: ${{ github.event.comment.id }} |
42 | | - IN_REPLY_TO: ${{ github.event.comment.in_reply_to_id }} |
43 | | - COMMENT_USER: ${{ github.event.comment.user.login }} |
44 | | - COMMENT_BODY: ${{ github.event.comment.body }} |
45 | | - run: | |
46 | | - # Cheap filters first — skip the expensive checkout / python setup |
47 | | - # when the event is already known to be irrelevant. The Python entry |
48 | | - # point repeats these checks (defense in depth), so being slightly |
49 | | - # over-permissive here is safe. |
50 | | - # |
51 | | - # Filter 1: must be a reply to another inline comment. |
52 | | - if [ -z "$IN_REPLY_TO" ] || [ "$IN_REPLY_TO" = "null" ]; then |
53 | | - echo "skip=true" >> "$GITHUB_OUTPUT" |
54 | | - echo "reason=no in_reply_to_id (top-level review comment, not a thread reply)" >> "$GITHUB_OUTPUT" |
55 | | - exit 0 |
56 | | - fi |
57 | | - # Filter 2: skip our own follow-up AND reconcile replies (loop |
58 | | - # prevention). MARKER-based — never login-based. |
59 | | - if printf '%s' "$COMMENT_BODY" | grep -q '<!-- pr-review-bot:v1 followup'; then |
60 | | - echo "skip=true" >> "$GITHUB_OUTPUT" |
61 | | - echo "reason=trigger comment is itself a bot follow-up (loop prevention)" >> "$GITHUB_OUTPUT" |
62 | | - exit 0 |
63 | | - fi |
64 | | - if printf '%s' "$COMMENT_BODY" | grep -q '<!-- pr-review-bot:v1 reconcile -->'; then |
65 | | - echo "skip=true" >> "$GITHUB_OUTPUT" |
66 | | - echo "reason=trigger comment is itself a bot reconcile reply (loop prevention)" >> "$GITHUB_OUTPUT" |
67 | | - exit 0 |
68 | | - fi |
69 | | - echo "skip=false" >> "$GITHUB_OUTPUT" |
70 | | -
|
71 | | - - name: Announce skip in step summary |
72 | | - if: steps.filter.outputs.skip == 'true' |
73 | | - run: | |
74 | | - { |
75 | | - echo "## Reviewer Bot — Follow-up" |
76 | | - echo "" |
77 | | - echo "**Skipped:** ${{ steps.filter.outputs.reason }}" |
78 | | - } >> "$GITHUB_STEP_SUMMARY" |
79 | | -
|
80 | | - - name: Checkout |
81 | | - if: steps.filter.outputs.skip != 'true' |
82 | | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
83 | | - with: |
84 | | - fetch-depth: 0 |
85 | | - ref: ${{ github.event.pull_request.head.sha }} |
86 | | - # The followup reads this checkout via read_paths/grep, so the |
87 | | - # persisted GITHUB_TOKEN must NOT sit in .git/config. The followup |
88 | | - # only POSTS replies via the minted App token. |
89 | | - persist-credentials: false |
90 | | - |
91 | | - - name: Setup Python |
92 | | - if: steps.filter.outputs.skip != 'true' |
93 | | - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 |
94 | | - with: |
95 | | - python-version: '3.11' |
96 | | - |
97 | | - - name: Setup Claude Agent SDK + CLI |
98 | | - if: steps.filter.outputs.skip != 'true' |
99 | | - uses: ./.github/actions/setup-claude-sdk |
100 | | - |
101 | | - - name: Run follow-up agent |
102 | | - if: steps.filter.outputs.skip != 'true' |
103 | | - env: |
104 | | - GH_TOKEN: ${{ steps.app-token.outputs.token }} |
105 | | - GITHUB_REPOSITORY: ${{ github.repository }} |
106 | | - PR_NUMBER: ${{ github.event.pull_request.number }} |
107 | | - TRIGGER_COMMENT_ID: ${{ github.event.comment.id }} |
108 | | - # PR SHA range — used by followup.py to restrict `git show` to commits |
109 | | - # actually in this PR (allowlist for SHA-diff verification). |
110 | | - PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} |
111 | | - HEAD_SHA: ${{ github.event.pull_request.head.sha }} |
112 | | - DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} |
113 | | - MODEL_ENDPOINT: ${{ secrets.MODEL_ENDPOINT }} |
114 | | - DRY_RUN: 'false' |
115 | | - RUNNER_TEMP: ${{ runner.temp }} |
116 | | - run: | |
117 | | - python -m scripts.reviewer_bot.followup |
| 30 | + uses: databricks/databricks-bot-engine/.github/workflows/reviewer-bot-followup.reusable.yml@d780b2da60bb1ac68bb5cd1acb7cabf495b3ff2d |
| 31 | + with: |
| 32 | + engine-ref: d780b2da60bb1ac68bb5cd1acb7cabf495b3ff2d |
| 33 | + secrets: |
| 34 | + review-bot-app-id: ${{ secrets.REVIEW_BOT_APP_ID }} |
| 35 | + review-bot-app-private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }} |
| 36 | + databricks-token: ${{ secrets.DATABRICKS_TOKEN }} |
| 37 | + databricks-host: ${{ secrets.DATABRICKS_HOST }} |
| 38 | + engine-pat: ${{ secrets.BOT_ENGINE_PAT }} |
0 commit comments