
801: /ai review runs every push #827

Closed
naanci wants to merge 1 commit into main from 801-fix

Conversation

@naanci (Collaborator) commented Mar 4, 2026

801

Description of changes

Checklist before review

  • I have done a thorough self-review of the PR
  • Copilot has reviewed my latest changes, and all comments have been fixed and/or closed.
  • If I have made database changes, I have made sure I followed all the db repo rules listed in the wiki here. (check if no db changes)
  • All tests have passed
  • I have successfully deployed this PR to staging
  • I have done manual QA in both dev (and staging if possible) and attached screenshots below.

Screenshots

Dev

Staging

github-actions bot (Contributor) commented Mar 4, 2026

Available PR Commands

  • /ai - Triggers all AI review commands at once
  • /review - AI review of the PR changes
  • /describe - AI-powered description of the PR
  • /improve - AI-powered suggestions
  • /deploy - Deploy to staging

See: https://github.com/tahminator/codebloom/wiki/CI-Commands

Comment on lines +80 to +87
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}

- name: Post /describe command
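Review bot: the `prId` expression in this hunk, `${{ github.event.prId || github.event.pull_request.number }}`, only resolves on `pull_request` events. A `workflow_dispatch` input is exposed as `github.event.inputs.prId` (or `inputs.prId`), not `github.event.prId`, and an `issue_comment` payload carries the number as `github.event.issue.number` (the field this file's own concurrency group already falls back to), so on both of those triggers the step posts to an empty PR id. Separately, the step has no `if:`, and the `issue_comment` trigger that the CodeQL alert refers to means every comment on the PR, including the `/review` comment this step itself posts, starts another run that posts again. Gating the step on `github.event_name == 'pull_request'` plus an explicit `/ai` comment from a maintainer keeps the every-push behaviour, stops the loop, and narrows the privileged path the alert is about.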

Check failure: Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical). Potential execution of untrusted code on a privileged workflow (issue_comment).
Comment on lines +87 to +94
- name: Post /describe command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}

- name: Post /improve command
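Review bot: the `/describe` step is posted on every event this workflow handles, `synchronize` included, so the PR description is regenerated on every push. If one description per PR is the intent, gate this step with `if: github.event_name != 'pull_request' || github.event.action == 'opened'`; the same question applies to the `/improve` step that starts at the end of this hunk.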

Check failure: Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical). Potential execution of untrusted code on a privileged workflow (issue_comment).
@tahminator (Owner) commented:

/review

@tahminator (Owner) commented:

/describe

@tahminator (Owner) commented:

/improve

github-actions bot (Contributor) commented Mar 4, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The workflow uses GH_PAT for posting comments. Ensure that the Personal Access Token (GH_PAT) has the minimum necessary permissions (e.g., pull_requests: write for comments) and is stored securely as a GitHub secret. Overly broad permissions for this token could pose a security risk.

⚡ Recommended focus areas for review

Command Redundancy

The workflow now posts /review, /describe, and /improve commands on every pull_request event (opened, reopened, ready_for_review, synchronize). This might lead to a high volume of repetitive comments on a PR, especially if a developer pushes multiple times. Consider if this is the desired user experience or if these commands should be triggered more selectively (e.g., /review on synchronize, and /describe once on opened).

- name: Post /review command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ github.event.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}

- name: Post /describe command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ github.event.prId || github.event.pull_request.number }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ github.event.prId || github.event.pull_request.number }}
    message: "/improve"
    token: ${{ env.GH_PAT }}

github-actions bot (Contributor) commented Mar 4, 2026

Preparing PR description...

github-actions bot (Contributor) commented Mar 4, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure / Permissions:
The workflow utilizes a GH_PAT (GitHub Personal Access Token) with write permissions for contents, issues, and pull-requests. While these permissions are necessary for the workflow's functionality (e.g., posting comments), it is critical to ensure that the GH_PAT has the minimum required scope to prevent over-privileged access. The reviewer should verify the actual permissions granted to the GH_PAT used by the env.GH_PAT secret to adhere to the principle of least privilege.

⚡ Recommended focus areas for review

Repetitive AI Comments

The workflow is configured to post /review, /describe, and /improve commands on every pull_request event, including synchronize (which occurs on every push to a PR branch). This could lead to a high volume of repetitive comments on a single PR, potentially cluttering the discussion. The reviewer should validate if this level of verbosity is the desired behavior for the "auto AI review for every commit" requirement.

- name: Post /review command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ github.event.prId || github.event.pull_request.number }}
    message: "/review"
    token: ${{ env.GH_PAT }}

- name: Post /describe command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ github.event.prId || github.event.pull_request.number }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  uses: ./.github/composite/send-message
  with:
    prId: ${{ github.event.prId || github.event.pull_request.number }}
    message: "/improve"
    token: ${{ env.GH_PAT }}
Concurrency Behavior

The concurrency.group has been updated to ai-command-${{ github.event.number || github.event.issue.number }}. This means that for a given PR, any new run of this workflow will cancel a previously running one. This ensures only the latest AI review process is active, but it's a change in behavior from potentially allowing different AI commands (e.g., /review and /describe) to run concurrently for the same PR if triggered by separate comments. The reviewer should confirm if this "latest run wins" concurrency model is the intended behavior.

group: ai-command-${{ github.event.number || github.event.issue.number }}
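The two reviewer guides above raise the same three points: the commands are posted on every event the workflow handles, the scope of `GH_PAT` is unchecked, and `prId` is read from a field that only exists on `pull_request` payloads. The workflow below is an added example, not the codebloom repository's workflow: the `./.github/composite/send-message` action path, the `GH_PAT` secret, the `/ai` comment and the event list are taken from this page, and everything else (the job name, the `PR_ID` variable, the author-association list) is assumed. It keeps the every-push behaviour while gating the comment path and declaring least-privilege permissions:

```yaml
# Added example, not the project's own workflow. Assumed: a composite action at
# ./.github/composite/send-message taking prId/message/token, and a secret GH_PAT.
name: ai-command

on:
  pull_request:
    types: [opened, reopened, ready_for_review, synchronize]
  issue_comment:
    types: [created]
  workflow_dispatch:
    inputs:
      prId:
        description: "PR to post the AI commands to"
        required: true

# Least privilege for GITHUB_TOKEN. The PAT used below should be fine-grained,
# limited to this repository, with only pull-requests/issues write access.
permissions:
  contents: read
  pull-requests: write
  issues: write

# The PR number lives in a different place in each payload; resolve it once.
env:
  PR_ID: ${{ github.event.pull_request.number || github.event.issue.number || inputs.prId }}

concurrency:
  group: ai-command-${{ github.event.pull_request.number || github.event.issue.number || inputs.prId }}
  cancel-in-progress: true

jobs:
  post-commands:
    runs-on: ubuntu-latest
    # Run on every push to the PR and on manual dispatch. From the comment side,
    # react only to an explicit "/ai" on a pull request from a maintainer. Filtering
    # on the comment body (not on the actor) is what prevents the loop: the
    # "/review" comments this job posts never match, whoever the PAT belongs to.
    if: >-
      github.event_name == 'pull_request' ||
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       github.event.comment.body == '/ai' &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
    steps:
      # A local composite action needs the repository checked out. No "ref:" is
      # set, so on issue_comment/workflow_dispatch this is the default branch, not
      # the PR head: the action code that runs with GH_PAT is always trusted code.
      - uses: actions/checkout@v4

      - name: Post /review command   # every push
        uses: ./.github/composite/send-message
        with:
          prId: ${{ env.PR_ID }}
          message: "/review"
          token: ${{ secrets.GH_PAT }}

      - name: Post /describe command   # once per PR, when it is opened
        if: github.event_name != 'pull_request' || github.event.action == 'opened'
        uses: ./.github/composite/send-message
        with:
          prId: ${{ env.PR_ID }}
          message: "/describe"
          token: ${{ secrets.GH_PAT }}

      - name: Post /improve command
        uses: ./.github/composite/send-message
        with:
          prId: ${{ env.PR_ID }}
          message: "/improve"
          token: ${{ secrets.GH_PAT }}
```

Two design choices are worth spelling out. The example keeps a PAT rather than switching to `GITHUB_TOKEN` because comments created with `GITHUB_TOKEN` never trigger other workflow runs, so a `/review` posted that way would not be picked up by the comment-driven command handler; the cost is that those comments are attributed to the PAT owner's account, which is why the loop guard checks the comment body and not `github.actor`. And the checkout step deliberately leaves `ref:` unset: in the privileged `issue_comment` context that means the default branch is checked out, which is the condition the CodeQL alert on this PR is checking for.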

Comment on lines +80 to +85
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
github-actions bot (Contributor) commented:

Suggestion: The newly added steps, including Post /review command and similar steps for /describe and /improve, are configured to run unconditionally on all pull_request and issue_comment events. This will lead to repetitive and excessive comment spam on the PR. These steps should be made conditional to execute only when explicitly intended, such as when triggered by workflow_dispatch or a specific slash command. [possible issue, importance: 9]

Suggested change
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /review command
if: github.event_name == 'workflow_dispatch' # Or other specific conditions
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
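Review bot: the suggested `if: github.event_name == 'workflow_dispatch'` gate would also suppress this step on every `pull_request` event, which is the behaviour this PR exists to add (its title is "/ai review runs every push"). Gate out the comment path instead, e.g. `if: github.event_name != 'issue_comment' || github.event.comment.body == '/ai'`, so pushes and manual dispatch still post the commands and, from the comment side, only an explicit `/ai` does.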

Comment on lines +9 to +11
prId:
description: "PR to deploy"
required: false
github-actions bot (Contributor) commented:

Suggestion: The prId input for workflow_dispatch is marked as required: false. If the workflow is manually dispatched without providing a prId, the send-message action's prId parameter will resolve to an empty value, as github.event.pull_request.number is not available for workflow_dispatch events. This could lead to the action failing or targeting an incorrect PR. Consider making prId required: true for workflow_dispatch to ensure a valid PR context. [possible issue, importance: 8]

Suggested change
prId:
description: "PR to deploy"
required: false
prId:
description: "PR to deploy"
required: true
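Review bot: making `prId` required only helps if the step actually reads it. The step's expression uses `github.event.prId`, which a `workflow_dispatch` payload never sets; it needs `github.event.inputs.prId`, as the suggestion on lines +80 to +99 below already uses, or the required input is still ignored.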

Comment on lines +80 to +99
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}

- name: Post /describe command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}

- name: Post /improve command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/improve"
token: ${{ env.GH_PAT }}
github-actions bot (Contributor) commented:

Suggestion: The new steps that post /review, /describe, and /improve commands are likely to create an infinite loop if the send-message composite action posts comments to the PR, as this workflow is also triggered by issue_comment events. Additionally, allowing any issue_comment to trigger these steps using a GH_PAT could lead to abuse. To prevent both issues, these steps should only execute when explicitly triggered by workflow_dispatch or by a trusted user's issue_comment, and not by the bot itself. [possible issue, importance: 10]

Suggested change
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /describe command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}
- name: Post /improve command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/improve"
token: ${{ env.GH_PAT }}
- name: Post /review command
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.comment.author_association == 'MEMBER' && github.actor != 'github-actions[bot]')
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.inputs.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /describe command
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.comment.author_association == 'MEMBER' && github.actor != 'github-actions[bot]')
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.inputs.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}
- name: Post /improve command
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.comment.author_association == 'MEMBER' && github.actor != 'github-actions[bot]')
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.inputs.prId || github.event.pull_request.number }}
message: "/improve"
token: ${{ env.GH_PAT }}
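Review bot: the suggested condition has two gaps. `author_association == 'MEMBER'` admits only organisation members; GitHub also reports `OWNER` and `COLLABORATOR`, and on this very PR the person posting `/review` is shown as Owner and the author as Collaborator, so both would be locked out (use `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`). And `github.actor != 'github-actions[bot]'` does not break the comment loop, because a comment posted with `GH_PAT` is attributed to the token owner's account, not to `github-actions[bot]`; filter on the comment body (react only to `/ai`) rather than on the actor. The condition also omits `pull_request` entirely, so the every-push behaviour this PR adds would stop.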

Comment on lines +7 to +20
workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false
repository:
description: "The repository from which the slash command was dispatched"
required: false
comment-id:
description: "The comment-id of the slash command"
required: false
author:
description: "The author that triggered this actions"
required: false
github-actions bot (Contributor) commented:

Suggestion: The workflow_dispatch inputs repository, comment-id, and author are defined but not utilized in the newly added steps. If these inputs are not intended for use by the send-message composite action or other parts of this workflow, they should be removed to maintain clarity and avoid unnecessary complexity. [general, importance: 5]

Suggested change
workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false
repository:
description: "The repository from which the slash command was dispatched"
required: false
comment-id:
description: "The comment-id of the slash command"
required: false
author:
description: "The author that triggered this actions"
required: false
workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false
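Review bot: before deleting `repository`, `comment-id` and `author`, check what dispatches this workflow. Their descriptions say they are filled in by the slash-command dispatcher, and a `workflow_dispatch` call that supplies an input the workflow does not declare is rejected by the API, so removing them would break `/ai` dispatch rather than simplify the file. If they really are unused, remove them from the dispatcher's payload in the same change.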

@naanci naanci closed this Mar 4, 2026