37 changes: 36 additions & 1 deletion .github/workflows/ai-review.yml
@@ -4,6 +4,20 @@
on:
pull_request:
types: [opened, reopened, ready_for_review, synchronize]
workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false
Comment on lines +9 to +11 (Contributor):
Suggestion: The prId input for workflow_dispatch is marked as required: false. If the workflow is manually dispatched without providing a prId, the send-message action's prId parameter will resolve to an empty value, as github.event.pull_request.number is not available for workflow_dispatch events. This could lead to the action failing or targeting an incorrect PR. Consider making prId required: true for workflow_dispatch to ensure a valid PR context. [possible issue, importance: 8]

Suggested change
prId:
description: "PR to deploy"
required: false
prId:
description: "PR to deploy"
required: true

repository:
description: "The repository from which the slash command was dispatched"
required: false
comment-id:
description: "The comment-id of the slash command"
required: false
author:
description: "The author that triggered this actions"
required: false
Comment on lines +7 to +20 (Contributor):
Suggestion: The workflow_dispatch inputs repository, comment-id, and author are defined but not utilized in the newly added steps. If these inputs are not intended for use by the send-message composite action or other parts of this workflow, they should be removed to maintain clarity and avoid unnecessary complexity. [general, importance: 5]

Suggested change
workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false
repository:
description: "The repository from which the slash command was dispatched"
required: false
comment-id:
description: "The comment-id of the slash command"
required: false
author:
description: "The author that triggered this actions"
required: false
workflow_dispatch:
inputs:
prId:
description: "PR to deploy"
required: false

issue_comment:
types: [created]

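Review bot: the `workflow_dispatch` inputs `repository`, `comment-id` and `author` are declared in this hunk but nothing else in the diff reads them, and the one input that is consumed, `prId`, is optional (`required: false`) and described as "PR to deploy" although the steps added further down use it as the PR to post `/review`, `/describe` and `/improve` comments to. A manual dispatch without `prId` therefore leaves the PR number those steps read empty. Make `prId` `required: true`, describe it as the PR that receives the slash commands, and drop the three unused inputs (or wire them into the steps); while here, fix the grammar in the `author` description ("The author that triggered this action"). Keep in mind that the existing `issue_comment: types: [created]` trigger stays in place, so any comment the new steps post is itself an event that starts this workflow.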
@@ -13,7 +27,7 @@
pull-requests: write

concurrency:
group: pr-ai-${{ github.event.number || github.event.issue.number }}-${{ github.event.comment.body || 'pr' }}
group: ai-command-${{ github.event.number || github.event.issue.number }}
cancel-in-progress: true

jobs:
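Review bot: dropping `${{ github.event.comment.body || 'pr' }}` from the concurrency key while keeping `cancel-in-progress: true` has two effects. Distinct slash commands on the same PR (for example `/review` and `/describe` posted seconds apart, which is exactly what the new steps do) now share the group `ai-command-<number>` and cancel each other, so only the run for the last comment survives. For the new `workflow_dispatch` trigger neither `github.event.number` nor `github.event.issue.number` is set, so every manual dispatch collapses to the bare group `ai-command-` and a dispatch for one PR cancels an in-flight dispatch for another. Fold the dispatch input into the key, e.g. `group: ai-command-${{ github.event.number || github.event.issue.number || inputs.prId }}`, and either keep the command text in the key or turn off `cancel-in-progress` for comment-triggered runs.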
@@ -63,7 +77,28 @@
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
UNLOAD_ENVIRONMENTS: ci

- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
Comment on lines +80 to +85 (Contributor):
Suggestion: The newly added steps, including Post /review command and similar steps for /describe and /improve, are configured to run unconditionally on all pull_request and issue_comment events. This will lead to repetitive and excessive comment spam on the PR. These steps should be made conditional to execute only when explicitly intended, such as when triggered by workflow_dispatch or a specific slash command. [possible issue, importance: 9]

Suggested change
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /review command
if: github.event_name == 'workflow_dispatch' # Or other specific conditions
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}


- name: Post /describe command
Comment on lines +80 to +87: Code scanning / CodeQL check failure (Critical): Checkout of untrusted code in a privileged context. Potential execution of untrusted code on a privileged workflow (issue_comment).
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}

- name: Post /improve command
Comment on lines +87 to +94: Code scanning / CodeQL check failure (Critical): Checkout of untrusted code in a privileged context. Potential execution of untrusted code on a privileged workflow (issue_comment).
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/improve"
token: ${{ env.GH_PAT }}
Comment on lines +80 to +99 (Contributor):
Suggestion: The new steps that post /review, /describe, and /improve commands are likely to create an infinite loop if the send-message composite action posts comments to the PR, as this workflow is also triggered by issue_comment events. Additionally, allowing any issue_comment to trigger these steps using a GH_PAT could lead to abuse. To prevent both issues, these steps should only execute when explicitly triggered by workflow_dispatch or by a trusted user's issue_comment, and not by the bot itself. [possible issue, importance: 10]

Suggested change
- name: Post /review command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /describe command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}
- name: Post /improve command
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.prId || github.event.pull_request.number }}
message: "/improve"
token: ${{ env.GH_PAT }}
- name: Post /review command
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.comment.author_association == 'MEMBER' && github.actor != 'github-actions[bot]')
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.inputs.prId || github.event.pull_request.number }}
message: "/review"
token: ${{ env.GH_PAT }}
- name: Post /describe command
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.comment.author_association == 'MEMBER' && github.actor != 'github-actions[bot]')
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.inputs.prId || github.event.pull_request.number }}
message: "/describe"
token: ${{ env.GH_PAT }}
- name: Post /improve command
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.comment.author_association == 'MEMBER' && github.actor != 'github-actions[bot]')
uses: ./.github/composite/send-message
with:
prId: ${{ github.event.inputs.prId || github.event.pull_request.number }}
message: "/improve"
token: ${{ env.GH_PAT }}


- name: Run composite workflow

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
issue_comment
)
uses: ./.github/composite/notion-checks
id: notion_check
with:
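Review bot: `github.event.prId` is not where a `workflow_dispatch` input lives; inputs are read as `github.event.inputs.prId` (or via the `inputs` context), so on a manual dispatch the first operand of `prId: ${{ github.event.prId || github.event.pull_request.number }}` is always empty, and because `github.event.pull_request` is absent on that event too, the whole expression resolves to an empty string for precisely the trigger this input was added for. It is empty on `issue_comment` events as well, where the PR number is `github.event.issue.number`. The larger problem is that none of the three `send-message` steps has an `if:` guard: they run on every `pull_request` synchronize and on every `issue_comment`, and if `send-message` posts to the PR each run produces three new `issue_comment` events that start the workflow again, with the PAT in `env.GH_PAT` doing the posting on behalf of whoever left the comment. That is the privileged `issue_comment` path the CodeQL alert on this hunk points at. Gate the steps on `github.event_name == 'workflow_dispatch'` or on a trusted `github.event.comment.author_association`, exclude comments authored by the bot account, and select the PR number per event, e.g. `inputs.prId || github.event.issue.number || github.event.pull_request.number`.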