Skip to content

Commit 7b62998

Browse files
feat(bots): onboard reviewer-bot to pinned databricks-bot-engine
Replace the vendored reviewer-bot (scripts/reviewer_bot + scripts/shared) with thin callers of the databricks-bot-engine reusable workflows, pinned to engine SHA d780b2da60bb1ac68bb5cd1acb7cabf495b3ff2d and installed in REF mode. The engine is now the single source of truth. - reviewer-bot.yml / reviewer-bot-followup.yml: rewritten as on/uses/secrets callers of reviewer-bot.reusable.yml / reviewer-bot-followup.reusable.yml. The engine owns the fork/open-PR security gate, App-token mint, engine install, MODEL_ENDPOINT construction, and loop-prevention. - Trigger policy unchanged: every non-fork PR (no label gate). - .bot/prompts/review/system.md: repo-specific ADDITIVE guidance appended to the engine-owned reviewer base prompt (verified against the engine source at the pinned SHA: additive/optional, not the whole prompt). - Remove vendored bot code (scripts/reviewer_bot, scripts/shared, scripts/__init__.py, scripts/requirements-sdk.txt), the reviewer-bot unit tests workflow (tests import the deleted modules), the setup-claude-sdk action and sdk-smoke.yml (its only consumer). setup-jfrog is kept (used by kernel-e2e + setup-poetry). New secrets required before enabling: DATABRICKS_HOST (replaces MODEL_ENDPOINT) and BOT_ENGINE_PAT (read access to the private engine repo). Co-authored-by: Isaac
1 parent e900527 commit 7b62998

52 files changed

Lines changed: 89 additions & 14085 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.bot/prompts/review/system.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
Repo-specific review guidance for `databricks-sql-python` (the Databricks SQL
2+
connector for Python). This is ADDITIVE context appended to the engine-owned
3+
reviewer base prompt — it does not change the output contract, severity scale,
4+
or anchoring/dedup rules the base already defines.
5+
6+
You are reviewing the Databricks SQL connector for Python. Work through each
7+
review axis against the changed code — a clean-looking diff still warrants
8+
checking every one; don't stop at the first pass or finalize with "looks good"
9+
until you've actually considered these:
10+
11+
- **Correctness & logic:** off-by-one, inverted/incorrect conditionals, wrong
12+
parameter passing, broken control flow, state left inconsistent, resource
13+
leaks, results silently dropped.
14+
- **Error handling:** swallowed or over-broad exceptions, silent failures,
15+
fallbacks that hide errors, missing propagation, unchecked return values.
16+
- **Tests & coverage:** behavior changed without a test; assertions removed or
17+
weakened; tests that can't actually fail; missing edge-case coverage for the
18+
new/changed behavior.
19+
- **Edge cases & inputs:** null / empty / boundary values, ordering and
20+
concurrency, encoding, large inputs, partial failure.
21+
- **Contracts & API:** signature or behavior changes that break callers;
22+
comments / docstrings that no longer match the code; documented invariants
23+
violated. This is a widely-consumed connector — public-API stability matters.
24+
- **Security:** injection, credential handling, path traversal, unsafe
25+
deserialization.
26+
- **Repo conventions:** PEP 8 with a **100-char** line limit (per
27+
`CONTRIBUTING.md`, not 79), type hints, and the patterns in `CONTRIBUTING.md`
28+
/ `README.md`.
29+
30+
Landmarks for this repo:
31+
- Conventions live in `CONTRIBUTING.md` (coding style: PEP 8 with a 100-char
32+
line limit; DCO sign-off requirement) and `README.md`. When a finding is
33+
convention-anchored, cite the exact rule line.
34+
- The connector package is under `src/databricks/`; tests are pytest-based under
35+
`tests/unit` (fast, mocked) and `tests/e2e` (integration against a warehouse).
36+
New or changed behavior under `src/` should carry corresponding `tests/unit`
37+
coverage.

.github/actions/setup-claude-sdk/action.yml

Lines changed: 0 additions & 54 deletions
This file was deleted.
Lines changed: 27 additions & 106 deletions
Original file line numberDiff line numberDiff line change
@@ -1,117 +1,38 @@
1+
# Reviewer Bot — follow-up on review-comment replies.
2+
#
3+
# Thin caller of the databricks-bot-engine reusable workflow. The engine owns
4+
# the security + correctness floor (fork==false, PR open), token mint, engine
5+
# install, and the agent invocation; loop-prevention (skip own reply / reconcile
6+
# / non-reply comments) lives in the engine's followup.py post-checkout. This
7+
# file is just `on:` + `uses:` + `secrets:`.
8+
#
9+
# Enablement policy: NO `if:` gate — engage every non-fork open PR, matching this
10+
# repo's prior behavior. (To restrict later, add a caller-job `if:`, e.g. a
11+
# `review-bot` label gate; it ANDs with the engine's security floor.)
12+
#
13+
# Engine pin: the SHA below is used in BOTH the `uses:` ref AND `engine-ref:`.
14+
# Bump both in lockstep with reviewer-bot.yml; never use @main.
115
name: Reviewer Bot — Follow-up
216

317
on:
418
pull_request_review_comment:
519
types: [created]
20+
pull_request:
21+
types: [synchronize]
622

723
permissions:
8-
# The workflow GITHUB_TOKEN is not used to interact with the PR — we mint a
9-
# dedicated peco-review-bot App installation token and use that everywhere.
10-
# Required App permissions on the installation (NOT this workflow):
11-
# Pull requests: Read & Write — posting inline replies
12-
# Issues: Read & Write — comment plumbing
13-
# Contents: Read & Write — resolveReviewThread mutation
14-
# (Pull-requests:write is NOT sufficient for the resolve mutation;
15-
# GitHub gates it behind Contents.)
1624
contents: read
17-
id-token: write # JFrog OIDC exchange for the SDK/CLI install (setup-claude-sdk)
25+
pull-requests: write
26+
id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install
1827

1928
jobs:
2029
followup:
21-
# SECURITY: skip fork PRs — keep DATABRICKS_TOKEN out of untrusted code's
22-
# reach. Mirrors the guard in reviewer-bot.yml.
23-
if: github.event.pull_request.head.repo.fork == false && github.event.pull_request.state == 'open'
24-
runs-on:
25-
group: databricks-protected-runner-group
26-
labels: [linux-ubuntu-latest]
27-
timeout-minutes: 10
28-
steps:
29-
- name: Mint review-bot App token
30-
id: app-token
31-
uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
32-
with:
33-
app-id: ${{ secrets.REVIEW_BOT_APP_ID }}
34-
private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }}
35-
36-
- name: Cheap pre-checkout filter
37-
id: filter
38-
env:
39-
GH_TOKEN: ${{ steps.app-token.outputs.token }}
40-
REPO: ${{ github.repository }}
41-
TRIGGER_ID: ${{ github.event.comment.id }}
42-
IN_REPLY_TO: ${{ github.event.comment.in_reply_to_id }}
43-
COMMENT_USER: ${{ github.event.comment.user.login }}
44-
COMMENT_BODY: ${{ github.event.comment.body }}
45-
run: |
46-
# Cheap filters first — skip the expensive checkout / python setup
47-
# when the event is already known to be irrelevant. The Python entry
48-
# point repeats these checks (defense in depth), so being slightly
49-
# over-permissive here is safe.
50-
#
51-
# Filter 1: must be a reply to another inline comment.
52-
if [ -z "$IN_REPLY_TO" ] || [ "$IN_REPLY_TO" = "null" ]; then
53-
echo "skip=true" >> "$GITHUB_OUTPUT"
54-
echo "reason=no in_reply_to_id (top-level review comment, not a thread reply)" >> "$GITHUB_OUTPUT"
55-
exit 0
56-
fi
57-
# Filter 2: skip our own follow-up AND reconcile replies (loop
58-
# prevention). MARKER-based — never login-based.
59-
if printf '%s' "$COMMENT_BODY" | grep -q '<!-- pr-review-bot:v1 followup'; then
60-
echo "skip=true" >> "$GITHUB_OUTPUT"
61-
echo "reason=trigger comment is itself a bot follow-up (loop prevention)" >> "$GITHUB_OUTPUT"
62-
exit 0
63-
fi
64-
if printf '%s' "$COMMENT_BODY" | grep -q '<!-- pr-review-bot:v1 reconcile -->'; then
65-
echo "skip=true" >> "$GITHUB_OUTPUT"
66-
echo "reason=trigger comment is itself a bot reconcile reply (loop prevention)" >> "$GITHUB_OUTPUT"
67-
exit 0
68-
fi
69-
echo "skip=false" >> "$GITHUB_OUTPUT"
70-
71-
- name: Announce skip in step summary
72-
if: steps.filter.outputs.skip == 'true'
73-
run: |
74-
{
75-
echo "## Reviewer Bot — Follow-up"
76-
echo ""
77-
echo "**Skipped:** ${{ steps.filter.outputs.reason }}"
78-
} >> "$GITHUB_STEP_SUMMARY"
79-
80-
- name: Checkout
81-
if: steps.filter.outputs.skip != 'true'
82-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
83-
with:
84-
fetch-depth: 0
85-
ref: ${{ github.event.pull_request.head.sha }}
86-
# The followup reads this checkout via read_paths/grep, so the
87-
# persisted GITHUB_TOKEN must NOT sit in .git/config. The followup
88-
# only POSTS replies via the minted App token.
89-
persist-credentials: false
90-
91-
- name: Setup Python
92-
if: steps.filter.outputs.skip != 'true'
93-
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
94-
with:
95-
python-version: '3.11'
96-
97-
- name: Setup Claude Agent SDK + CLI
98-
if: steps.filter.outputs.skip != 'true'
99-
uses: ./.github/actions/setup-claude-sdk
100-
101-
- name: Run follow-up agent
102-
if: steps.filter.outputs.skip != 'true'
103-
env:
104-
GH_TOKEN: ${{ steps.app-token.outputs.token }}
105-
GITHUB_REPOSITORY: ${{ github.repository }}
106-
PR_NUMBER: ${{ github.event.pull_request.number }}
107-
TRIGGER_COMMENT_ID: ${{ github.event.comment.id }}
108-
# PR SHA range — used by followup.py to restrict `git show` to commits
109-
# actually in this PR (allowlist for SHA-diff verification).
110-
PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
111-
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
112-
DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }}
113-
MODEL_ENDPOINT: ${{ secrets.MODEL_ENDPOINT }}
114-
DRY_RUN: 'false'
115-
RUNNER_TEMP: ${{ runner.temp }}
116-
run: |
117-
python -m scripts.reviewer_bot.followup
30+
uses: databricks/databricks-bot-engine/.github/workflows/reviewer-bot-followup.reusable.yml@d780b2da60bb1ac68bb5cd1acb7cabf495b3ff2d
31+
with:
32+
engine-ref: d780b2da60bb1ac68bb5cd1acb7cabf495b3ff2d
33+
secrets:
34+
review-bot-app-id: ${{ secrets.REVIEW_BOT_APP_ID }}
35+
review-bot-app-private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }}
36+
databricks-token: ${{ secrets.DATABRICKS_TOKEN }}
37+
databricks-host: ${{ secrets.DATABRICKS_HOST }}
38+
engine-pat: ${{ secrets.BOT_ENGINE_PAT }}

.github/workflows/reviewer-bot-unit-tests.yml

Lines changed: 0 additions & 34 deletions
This file was deleted.

0 commit comments

Comments
 (0)