801: ai#829

Closed
naanci wants to merge 1 commit into main from 801-new

Conversation

@naanci
Collaborator

@naanci naanci commented Mar 4, 2026

801

Description of changes

Checklist before review

  • I have done a thorough self-review of the PR
  • Copilot has reviewed my latest changes, and all comments have been fixed and/or closed.
  • If I have made database changes, I have made sure I followed all the db repo rules listed in the wiki here. (check if no db changes)
  • All tests have passed
  • I have successfully deployed this PR to staging
  • I have done manual QA in both dev (and staging if possible) and attached screenshots below.

Screenshots

Dev

Staging

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

Available PR Commands

  • /ai - Triggers all AI review commands at once
  • /review - AI review of the PR changes
  • /describe - AI-powered description of the PR
  • /improve - AI-powered suggestions
  • /deploy - Deploy to staging

See: https://github.com/tahminator/codebloom/wiki/CI-Commands

Comment on lines +68 to +76
- name: Post /review command
if: github.event_name == 'pull_request'
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/review"
token: ${{ env.GH_PAT }}

- name: Post /describe command
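Review bot: CodeQL's finding is about the job these posting steps belong to rather than the three steps themselves: the same workflow later runs notion-checks, `cat ./STYLEGUIDE.md` and the Qodo agent under `github.event_name == 'issue_comment'`, and an issue_comment run executes in the base repository's context with its secrets (GH_PAT, GPG_PRIVATE_KEY, GPG_PASSPHRASE) in scope, so a PR head checked out there is untrusted code running with those secrets. Before merging, either check out the default branch on the issue_comment path or gate that path on the comment being on a pull request and on the commenter's author_association.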

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (issue_comment)
Comment on lines +76 to +84
- name: Post /describe command
if: github.event_name == 'pull_request'
uses: ./.github/composite/send-message
with:
prId: ${{ needs.getPRHead.outputs.prId }}
message: "/describe"
token: ${{ env.GH_PAT }}

- name: Post /improve command
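Review bot: `token: ${{ env.GH_PAT }}` makes the PAT an environment variable visible to every later step, including third-party actions, instead of an input scoped to send-message; pass it straight into the `with:` of the three posting steps from the load-secrets output (or `secrets.GH_PAT`) and drop it from `env`. Also check the fork case: if load-secrets reads repository secrets, those are empty on `pull_request` runs from forks, and these steps would then post with an empty token.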

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (issue_comment)
@tahminator
Owner

/review

@tahminator
Owner

/describe

@tahminator
Owner

/improve

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

Preparing PR description...

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
The GH_PAT is used to post comments. While it's loaded via a load-secrets composite action, the security of this token depends on the implementation of that action and the permissions granted to the GH_PAT. Ensure the token is not exposed in logs and has only the necessary scope.

⚡ Recommended focus areas for review

GH_PAT Permissions

The workflow uses a GH_PAT to post commands. It's crucial to ensure this Personal Access Token has the minimum necessary permissions (e.g., issues:write or pull_requests:write to comment) and is securely stored and handled by the load-secrets composite action.

    token: ${{ env.GH_PAT }}

- name: Post /describe command
  if: github.event_name == 'pull_request'
  uses: ./.github/composite/send-message
  with:
    prId: ${{ needs.getPRHead.outputs.prId }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  if: github.event_name == 'pull_request'
  uses: ./.github/composite/send-message
  with:
    prId: ${{ needs.getPRHead.outputs.prId }}
    message: "/improve"
    token: ${{ env.GH_PAT }}

Workflow Trigger Logic

The workflow posts commands (/review, /describe, /improve) on pull_request events, but the actual AI agent (Qodo PR-Agent) and related steps are conditioned on issue_comment events. This implies a re-triggering mechanism. Verify that this re-triggering is correctly configured (e.g., a separate workflow or the same workflow listening for issue_comment events) and that it doesn't lead to infinite loops or unintended duplicate runs.

- name: Post /review command
  if: github.event_name == 'pull_request'
  uses: ./.github/composite/send-message
  with:
    prId: ${{ needs.getPRHead.outputs.prId }}
    message: "/review"
    token: ${{ env.GH_PAT }}

- name: Post /describe command
  if: github.event_name == 'pull_request'
  uses: ./.github/composite/send-message
  with:
    prId: ${{ needs.getPRHead.outputs.prId }}
    message: "/describe"
    token: ${{ env.GH_PAT }}

- name: Post /improve command
  if: github.event_name == 'pull_request'
  uses: ./.github/composite/send-message
  with:
    prId: ${{ needs.getPRHead.outputs.prId }}
    message: "/improve"
    token: ${{ env.GH_PAT }}

- name: Run composite workflow
  if: github.event_name == 'issue_comment'
  uses: ./.github/composite/notion-checks
  id: notion_check
  with:
    PR_ID: ${{ github.event.number || github.event.issue.number  }}
    GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
    GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
    GET_GHA_OUTPUT: "true"

- name: Load STYLEGUIDE.md
  if: github.event_name == 'issue_comment'
  id: styleguide
  run: |
    echo "context<<EOF" >> $GITHUB_OUTPUT
    cat ./STYLEGUIDE.md >> $GITHUB_OUTPUT
    echo "EOF" >> $GITHUB_OUTPUT

- name: Qodo PR-Agent
  if: github.event_name == 'issue_comment'
  uses: qodo-ai/pr-agent@v0.32
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    config.model: "gemini/gemini-2.5-flash"
    config.fallback_models: '["gemini/gemini-2.5-flash"]'
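As an added illustration of the hardening the review above asks for (this is not code from this PR or from the codebloom project), here is one defensible shape for the issue_comment path: the workflow name, the `/review` command text and the checkout of the default branch are assumptions, and the composite action paths from the PR are omitted.

```yaml
# Added example, not the project's workflow: a slash-command job that keeps
# PR-head code out of the privileged issue_comment context.
name: ai-review            # hypothetical workflow name
on:
  issue_comment:
    types: [created]

permissions:
  contents: read           # nothing here needs write access to the repo
  pull-requests: write     # only to post the review back to the PR

jobs:
  review:
    # Run only for comments on pull requests (not plain issues), only for the
    # expected command text, and only when the commenter has write access,
    # so an arbitrary commenter cannot start the job.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/review') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # Check out the trusted default branch, not the PR head: this is what
      # CodeQL's "checkout of untrusted code in a privileged context" is
      # asking for, so STYLEGUIDE.md and any scripts come from main.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}

      # Pass event data through env rather than interpolating ${{ }} into the
      # script body; the number is an integer here, but the habit prevents
      # expression injection when a string field is used later.
      - name: Resolve PR head
        id: pr
        uses: actions/github-script@v7
        env:
          PR_ID: ${{ github.event.issue.number }}
        with:
          result-encoding: string
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: parseInt(process.env.PR_ID, 10),
            });
            return pr.head.sha;   // reviewed by SHA, never executed here

      # Secrets are step-scoped to the one action that needs them.
      - name: Qodo PR-Agent
        uses: qodo-ai/pr-agent@v0.32
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```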

Comment on lines +31 to 39
env:
PR_ID: ${{ github.event.number || github.event.issue.number }}
with:
result-encoding: string
script: |
const prId = ${{ github.event.number || github.event.issue.number }};
const prId = process.env.PR_ID;
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
Contributor


Suggestion: Remove the intermediate environment variable PR_ID and directly use the GitHub expression github.event.number || github.event.issue.number within the script for clarity and conciseness. This avoids an unnecessary indirection. [general, importance: 6]

New proposed code:
-env:
-  PR_ID: ${{ github.event.number || github.event.issue.number }}
 with:
   result-encoding: string
   script: |
-    const prId = process.env.PR_ID;
+    const prId = ${{ github.event.number || github.event.issue.number }};
     const { data: pr } = await github.rest.pulls.get({
         owner: context.repo.owner,
         repo: context.repo.repo,
         pull_number: parseInt(prId, 10)
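Review bot: I would decline this suggestion. Reading the value through `process.env.PR_ID` is the pattern GitHub recommends for passing event data into `script:` blocks, because interpolating `${{ ... }}` directly into script text is the expression-injection shape. The fields used here are integers, so the practical risk is small, but keeping the env indirection costs one line and avoids having to justify the exception each time the script changes; `parseInt(prId, 10)` on an already-numeric literal in the proposed code is also redundant.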

Comment on lines 92 to 96
- name: Run composite workflow
if: github.event_name == 'issue_comment'
uses: ./.github/composite/notion-checks
id: notion_check
with:
Contributor


Suggestion: For consistency and to utilize the already determined PR ID, pass needs.getPRHead.outputs.prId to the notion-checks composite workflow instead of re-evaluating the expression. This ensures all steps use the same PR identifier. [general, importance: 7]

New proposed code:
 - name: Run composite workflow
   if: github.event_name == 'issue_comment'
   uses: ./.github/composite/notion-checks
   id: notion_check
   with:
-    PR_ID: ${{ github.event.number || github.event.issue.number  }}
+    PR_ID: ${{ needs.getPRHead.outputs.prId }}
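Review bot: Before accepting, confirm that the job containing this step declares getPRHead under `needs`; otherwise `needs.getPRHead.outputs.prId` evaluates to an empty string and notion-checks receives no PR_ID. The original `github.event.number || github.event.issue.number` also silently accepts comments on plain issues (issue.number is set there too), so a job-level guard on `github.event.issue.pull_request` is worth adding regardless of which expression is kept.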

@naanci naanci closed this Mar 4, 2026