Copilot commented on code in PR #62302:
URL: https://github.com/apache/doris/pull/62302#discussion_r3059163405
##########
.github/workflows/opencode-review-comment.yml:
##########
@@ -0,0 +1,45 @@
+name: Code Review Comment Dispatch
+
+on:
+ issue_comment:
+ types: [created]
+
+permissions:
+ pull-requests: write
+ contents: read
+ issues: write
+
+jobs:
+ resolve-pr:
+ runs-on: ubuntu-latest
+ if: >-
+ github.event.issue.pull_request &&
+ contains(github.event.comment.body, '/review')
+ outputs:
+ pr_number: ${{ steps.pr.outputs.pr_number }}
+ head_sha: ${{ steps.pr.outputs.head_sha }}
+ base_sha: ${{ steps.pr.outputs.base_sha }}
+ steps:
+ - name: Get PR info
+ id: pr
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{
github.event.issue.number }})
+ HEAD_SHA=$(echo "$PR_JSON" | jq -r '.head.sha')
+ BASE_SHA=$(echo "$PR_JSON" | jq -r '.base.sha')
+ echo "pr_number=${{ github.event.issue.number }}" >> "$GITHUB_OUTPUT"
+ echo "head_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
+ echo "base_sha=$BASE_SHA" >> "$GITHUB_OUTPUT"
+
+ code-review:
+ needs: resolve-pr
+ if: >-
+ github.event.issue.pull_request &&
+ contains(github.event.comment.body, '/review')
+ uses: ./.github/workflows/opencode-review.yml
+ secrets: inherit
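Review bot: the `pr_number`, `head_sha` and `base_sha` outputs computed by `resolve-pr` are never consumed: the `code-review` job invokes the reusable workflow with only `secrets: inherit` and no `with:` block, so the called workflow cannot see which commit was resolved and must either re-derive it from the `issue_comment` payload or review whatever ref it checks out by default, which may already have moved past the commit the commenter asked about. Either pass the outputs through, e.g.
with:
  pr_number: ${{ needs.resolve-pr.outputs.pr_number }}
  head_sha: ${{ needs.resolve-pr.outputs.head_sha }}
with matching `workflow_call` inputs so the checkout is pinned to that sha, or drop the `resolve-pr` job since it currently only costs a runner. Two smaller points: `contains(github.event.comment.body, '/review')` fires on any comment that merely mentions the command (quoted replies included), so an exact or `startsWith` match on the trimmed body is tighter; and the `if:` on `code-review` repeats the one on `resolve-pr`, which `needs: resolve-pr` already enforces because a skipped dependency skips the dependent job.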
Review Comment:
As written, any user who can comment on a PR can trigger `/review`, and
`secrets: inherit` will pass repository secrets into a workflow that checks out
and processes untrusted PR code. This is a privilege-escalation risk
(especially for PRs from forks). Recommended: (1) gate dispatch on
`github.event.comment.author_association` (e.g., OWNER/MEMBER/COLLABORATOR)
and/or an allowlist; (2) fetch PR metadata and refuse to run (or run without
sensitive secrets) when `.head.repo.fork == true` or `.head.repo.full_name !=
github.repository`; and (3) avoid `secrets: inherit`—pass only the minimal
required secrets explicitly.
##########
.github/workflows/opencode-review.yml:
##########
@@ -89,23 +93,23 @@ jobs:
- If issues found, submit a review with inline comments plus a
comprehensive summary body. Use GitHub Reviews API to ensure comments are
inline:
- Inline comment bodies may include GitHub suggested changes
blocks when you can propose a precise patch.
- Prefer suggested changes for small, self-contained fixes (for
example typos, trivial refactors, or narrowly scoped code corrections).
- - Do not force suggested changes for broad, architectural, or
multi-file issues; explain those normally.
- Build a JSON array of comments like: [{ "path": "<file>",
"position": <diff_position>, "body": "..." }]
- Submit via: gh api
repos/PLACEHOLDER_REPO/pulls/PLACEHOLDER_PR_NUMBER/reviews --input <json_file>
- The JSON file should contain:
{"event":"COMMENT","body":"<summary>","comments":[...]}
- - Do not use: gh pr review --approve or --request-changes
+ - MUST clearly state your stance on PRs: execute `gh pr review
--approve` if there are no significant issues, otherwise request changes with
`gh pr review --request-changes`.
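Review bot: the new MUST line changes the agent from a commenter into an approver, and it does so by shelling out to `gh pr review --approve` in addition to the Reviews API call two lines above, so a single run produces two reviews in different states. Whether a bot whose verdict is derived from the untrusted diff it is reading should count toward a required-reviewers rule is a repository policy decision that should be stated in the PR description; by default `GITHUB_TOKEN` cannot approve pull requests unless the repository's "Allow GitHub Actions to create and approve pull requests" setting is enabled, so this step will either fail or, once that setting is on, produce an approval that counts like any other. If approval is intended, fold it into the existing JSON submission by setting `"event":"APPROVE"` or `"event":"REQUEST_CHANGES"` there; if it is not, keep the `COMMENT` event and the removed `Do not use` line.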
Review Comment:
The prompt now instructs the agent to (a) submit a PR review via the Reviews
API with `event: COMMENT` and (b) also run `gh pr review
--approve/--request-changes`. This will create two separate reviews and can
lead to confusing/duplicated outcomes (the API review won’t carry an approval
state, and the CLI review likely won’t contain inline comments). Prefer a
single mechanism: keep the GitHub Reviews API submission and set `event` to
`APPROVE` or `REQUEST_CHANGES` (with inline `comments` included) so stance +
inline comments are in one review.
##########
.github/workflows/opencode-review.yml:
##########
@@ -13,31 +24,21 @@ jobs:
code-review:
runs-on: ubuntu-latest
timeout-minutes: 60
- if: >-
- github.event.issue.pull_request &&
- contains(github.event.comment.body, '/review')
steps:
- - name: Get PR info
- id: pr
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Keep required check visible on pull requests
+ if: ${{ github.event_name == 'pull_request' }}
run: |
- PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{
github.event.issue.number }})
- HEAD_SHA=$(echo "$PR_JSON" | jq -r '.head.sha')
- BASE_SHA=$(echo "$PR_JSON" | jq -r '.base.sha')
- HEAD_REF=$(echo "$PR_JSON" | jq -r '.head.ref')
- BASE_REF=$(echo "$PR_JSON" | jq -r '.base.ref')
- echo "head_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
- echo "base_sha=$BASE_SHA" >> "$GITHUB_OUTPUT"
- echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
- echo "base_ref=$BASE_REF" >> "$GITHUB_OUTPUT"
+ echo "Code Review is exposed as a stable required check on pull
requests."
+ echo "The actual automated review still runs only when the comment
dispatcher invokes this workflow."
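Review bot: after this hunk the job no longer resolves or pins the PR head and base itself (the `Get PR info` step is deleted together with the `/review` gate in `if:`), so the steps that follow the new placeholder step run on every invocation and must receive the ref they review from somewhere else; confirm they take it from `workflow_call` inputs rather than from `github.event`, which on the dispatched path is an `issue_comment` payload without a head sha. The placeholder step is guarded by `if: ${{ github.event_name == 'pull_request' }}`, but nothing visible applies the inverse condition to the remaining steps, so on the `pull_request` path they would run on every fork PR with a read-only `GITHUB_TOKEN` and no secrets (GitHub does not pass secrets to `pull_request` runs from forks) and fail or, worse, process the fork's code; add `if: ${{ github.event_name != 'pull_request' }}` to those steps or split them into a separate job. The 60-minute `timeout-minutes` on a job whose `pull_request` path only prints two lines is also worth revisiting.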
Review Comment:
On `pull_request` events this job always succeeds after printing messages,
so if branch protection marks “Code Review” as a required check, PRs can merge
without an actual `/review` run. If the intent is gating, consider making the
PR-event run fail/neutral until a dispatcher-run succeeds, or emit a separate
status/check that the dispatcher updates (e.g., a dedicated check name for the
dispatched review) and require that instead.
##########
.github/workflows/opencode-review.yml:
##########
@@ -1,8 +1,19 @@
name: Code Review
on:
- issue_comment:
- types: [created]
+ pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
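Review bot: the visible trigger lines replace `issue_comment` with `pull_request` only, while the dispatcher's `uses: ./.github/workflows/opencode-review.yml` requires this file to also declare a `workflow_call:` trigger; that part of the hunk is elided here, so confirm it is present and that its inputs carry the resolved PR number and head sha. With `synchronize` in the list this workflow is now queued on every push to every PR, including fork PRs, where GitHub withholds secrets and issues a read-only `GITHUB_TOKEN`, so every step past the placeholder needs to be conditioned on the event name (or placed in a job that only the `workflow_call` path runs); otherwise the `pull_request` run either fails on missing credentials or silently reviews untrusted fork code without them.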
##########
.github/workflows/opencode-review.yml:
##########
@@ -1,8 +1,19 @@
name: Code Review
Review Comment:
The PR description focuses on refactoring the code review
workflow/dispatcher, but this PR also deletes
`.github/workflows/pr-approve-status.yml` (Need_2_Approval). If that removal is
intentional, it should be called out in the PR description (and ideally
reference what replaces its functionality, if anything).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.