This is an automated email from the ASF dual-hosted git repository.
zclllyybb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 9673a500366 [fix](ci) Generate local review context and randomize
Codex auth (#65626)
9673a500366 is described below
commit 9673a5003666b858f755188ce293c7ab5cc3d1c5
Author: zclllyybb <[email protected]>
AuthorDate: Wed Jul 15 15:25:18 2026 +0800
[fix](ci) Generate local review context and randomize Codex auth (#65626)
### What problem does this PR solve?
Issue Number: None
Related PR: #65178
The review runner previously obtained the aggregate pull-request diff
through the GitHub API. GitHub rejects aggregate diffs larger than
20,000 lines, causing large pull requests to fail before Codex could
review them. The runner now checks out complete history and locally
generates the changed-file list and the verified three-dot diff from the
live base and head SHAs. The review prompt also states those diff
semantics, and context-preparation failures are reported separately from
Codex failures.
Each run now randomly selects
`oss://doris-community-ci/codex/auth.json.1` or
`oss://doris-community-ci/codex/auth.json.2`, downloads it locally as
`auth.json`, and syncs refreshed credentials back to that same selected
object.
---
.github/workflows/code-review-runner.yml | 88 ++++++++++++++++++--------------
1 file changed, 50 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/code-review-runner.yml
b/.github/workflows/code-review-runner.yml
index 2eaa302d054..c6d8bcae657 100644
--- a/.github/workflows/code-review-runner.yml
+++ b/.github/workflows/code-review-runner.yml
@@ -46,6 +46,7 @@ jobs:
uses: actions/checkout@v4
with:
ref: ${{ inputs.head_sha }}
+ fetch-depth: 0
- name: Install ripgrep
run: |
@@ -104,7 +105,13 @@ jobs:
install -m 700 -d "$RUNNER_TEMP/codex-home"
printf 'CODEX_HOME=%s\n' "$RUNNER_TEMP/codex-home" >> "$GITHUB_ENV"
- ossutil -i "$OSS_AK" -k "$OSS_SK" -e "$OSS_ENDPOINT" cp -f
"$OSS_CODEX_AUTH_OBJECT" "$RUNNER_TEMP/codex-home/auth.json"
+ auth_object="$(printf '%s\n' \
+ 'oss://doris-community-ci/codex/auth.json.1' \
+ 'oss://doris-community-ci/codex/auth.json.2' \
+ | shuf -n 1)"
+ printf 'CODEX_AUTH_OSS_OBJECT=%s\n' "$auth_object" >> "$GITHUB_ENV"
+ echo "Selected Codex auth object: ${auth_object##*/}"
+ ossutil -i "$OSS_AK" -k "$OSS_SK" -e "$OSS_ENDPOINT" cp -f
"$auth_object" "$RUNNER_TEMP/codex-home/auth.json"
chmod 600 "$RUNNER_TEMP/codex-home/auth.json"
test -s "$RUNNER_TEMP/codex-home/auth.json"
jq -e '
@@ -138,7 +145,6 @@ jobs:
OSS_AK: ${{ secrets.OSS_AK }}
OSS_SK: ${{ secrets.OSS_SK }}
OSS_ENDPOINT: oss-cn-hongkong.aliyuncs.com
- OSS_CODEX_AUTH_OBJECT: oss://doris-community-ci/codex/auth.json
- name: Sync Codex memories from OSS
run: |
@@ -251,6 +257,7 @@ jobs:
fi
- name: Prepare authoritative PR context and required AGENTS guides
+ id: review_context
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
@@ -265,35 +272,6 @@ jobs:
exit 1
fi
- retry_to_file() {
- local output_file="$1"
- shift
- local attempt delay=2 tmp_file
- tmp_file="$(mktemp "${output_file}.tmp.XXXXXX")"
-
- for attempt in 1 2 3 4; do
- if "$@" > "$tmp_file"; then
- mv "$tmp_file" "$output_file"
- return 0
- fi
-
- if [ "$attempt" -lt 4 ]; then
- echo "Attempt ${attempt}/4 failed while preparing
${output_file}; retrying in ${delay}s..."
- sleep "$delay"
- delay=$((delay * 2))
- fi
- done
-
- rm -f "$tmp_file"
- return 1
- }
-
- retry_to_file "$REVIEW_CONTEXT_DIR/pr_changed_files.txt" \
- gh api --paginate
"repos/${REPO}/pulls/${PR_NUMBER}/files?per_page=100" \
- --jq '.[].filename'
- retry_to_file "$REVIEW_CONTEXT_DIR/pr.diff" \
- gh pr diff "$PR_NUMBER" --repo "$REPO" --color=never
-
live_pr="$(gh api "repos/${REPO}/pulls/${PR_NUMBER}")"
live_head_sha="$(jq -r '.head.sha' <<<"$live_pr")"
live_base_sha="$(jq -r '.base.sha' <<<"$live_pr")"
@@ -304,6 +282,25 @@ jobs:
exit 1
fi
+ if [ "$(git rev-parse --is-shallow-repository)" != "false" ]; then
+ echo "Full history is required to generate an authoritative
three-dot PR diff"
+ exit 1
+ fi
+
+ diff_range="${BASE_SHA}...${HEAD_SHA}"
+ merge_base_sha="$(git merge-base "$BASE_SHA" "$HEAD_SHA")"
+ echo "Generating review context from $diff_range (merge base:
$merge_base_sha)"
+ git rev-list --count "${merge_base_sha}..${HEAD_SHA}"
+
+ changed_files_tmp="$(mktemp
"$REVIEW_CONTEXT_DIR/pr_changed_files.txt.tmp.XXXXXX")"
+ git diff --name-only --no-ext-diff "$diff_range" >
"$changed_files_tmp"
+ mv "$changed_files_tmp" "$REVIEW_CONTEXT_DIR/pr_changed_files.txt"
+
+ diff_tmp="$(mktemp "$REVIEW_CONTEXT_DIR/pr.diff.tmp.XXXXXX")"
+ git diff --no-ext-diff --no-color "$diff_range" > "$diff_tmp"
+ mv "$diff_tmp" "$REVIEW_CONTEXT_DIR/pr.diff"
+ git diff --shortstat "$diff_range"
+
helper="$RUNNER_TEMP/prepare_review_agents.py"
gh api \
-H "Accept: application/vnd.github.raw" \
@@ -340,11 +337,12 @@ jobs:
- User review focus: PLACEHOLDER_CONTEXT_DIR/review_focus.txt
- PR changed files: PLACEHOLDER_CONTEXT_DIR/pr_changed_files.txt
- Authoritative aggregate PR diff: PLACEHOLDER_CONTEXT_DIR/pr.diff
+ - PR diff range: merge-base(PLACEHOLDER_BASE_SHA,
PLACEHOLDER_HEAD_SHA) to PLACEHOLDER_HEAD_SHA
- Required AGENTS.md files:
PLACEHOLDER_CONTEXT_DIR/required_agents.txt
- Shared subagent review ledger:
PLACEHOLDER_CONTEXT_DIR/subagent_review_findings.md
PR diff and path-reading (for all subagents and the main agent):
- - PLACEHOLDER_CONTEXT_DIR/pr.diff is the authoritative aggregate
diff for the whole PR, and PLACEHOLDER_CONTEXT_DIR/pr_changed_files.txt is the
authoritative changed-path list. Do not obtain the PR diff or changed-path list
through other means.
+ - PLACEHOLDER_CONTEXT_DIR/pr.diff and
PLACEHOLDER_CONTEXT_DIR/pr_changed_files.txt were both generated locally with
`git diff PLACEHOLDER_BASE_SHA...PLACEHOLDER_HEAD_SHA` after the live PR
base/head were verified. They are the authoritative PR diff and changed-path
list: they contain changes from the computed merge base to the PR head. The
listed PR Base SHA identifies the target-branch snapshot and is not necessarily
the diff's left endpoint. Do not obtain the PR diff or chang [...]
- Before reading any file whose exact path is not already confirmed
by PLACEHOLDER_CONTEXT_DIR/pr_changed_files.txt,
PLACEHOLDER_CONTEXT_DIR/pr.diff, or a previous successful command output, you
MUST first run `rg --files` to confirm the actual path of the target file.
Before reviewing any code, you MUST read and follow the code review
skill in this repository. During review, you must strictly follow those
instructions.
@@ -650,6 +648,11 @@ jobs:
- name: Sync Codex auth back to OSS
if: ${{ always() }}
run: |
+ if [ -z "$CODEX_AUTH_OSS_OBJECT" ]; then
+ echo "No selected Codex auth object found; skipping OSS auth sync."
+ exit 0
+ fi
+
if [ ! -s "$CODEX_HOME/auth.json" ]; then
echo "No Codex auth file found; skipping OSS auth sync."
exit 0
@@ -660,22 +663,26 @@ jobs:
and (.tokens.access_token | type == "string" and length > 0)
and (.tokens.refresh_token | type == "string" and length > 0)
' "$CODEX_HOME/auth.json" >/dev/null
- ossutil -i "$OSS_AK" -k "$OSS_SK" -e "$OSS_ENDPOINT" cp -f
"$CODEX_HOME/auth.json" "$OSS_CODEX_AUTH_OBJECT"
+ ossutil -i "$OSS_AK" -k "$OSS_SK" -e "$OSS_ENDPOINT" cp -f
"$CODEX_HOME/auth.json" "$CODEX_AUTH_OSS_OBJECT"
env:
OSS_AK: ${{ secrets.OSS_AK }}
OSS_SK: ${{ secrets.OSS_SK }}
OSS_ENDPOINT: oss-cn-hongkong.aliyuncs.com
- OSS_CODEX_AUTH_OBJECT: oss://doris-community-ci/codex/auth.json
- name: Comment PR on review failure
- if: ${{ always() && steps.review.outcome != 'success' }}
+ if: ${{ always() && (steps.review_context.outcome != 'success' ||
steps.review.outcome != 'success') }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REVIEW_CONTEXT_OUTCOME: ${{ steps.review_context.outcome }}
REVIEW_FAILURE_REASON: ${{ steps.review.outputs.failure_reason }}
REVIEW_OUTCOME: ${{ steps.review.outcome }}
RUN_URL: ${{ github.server_url }}/${{ github.repository
}}/actions/runs/${{ github.run_id }}
run: |
- error_msg="${REVIEW_FAILURE_REASON:-Review step was $REVIEW_OUTCOME
(possibly timeout or cancelled)}"
+ if [ "$REVIEW_CONTEXT_OUTCOME" != "success" ]; then
+ error_msg="Review context preparation failed before Codex ran;
inspect the 'Prepare authoritative PR context and required AGENTS guides' step."
+ else
+ error_msg="${REVIEW_FAILURE_REASON:-Review step was
$REVIEW_OUTCOME (possibly timeout or cancelled)}"
+ fi
gh pr comment "${{ inputs.pr_number }}" --body "$(cat <<EOF
Codex automated review failed and did not complete.
@@ -687,11 +694,16 @@ jobs:
)"
- name: Fail workflow if review failed
- if: ${{ always() && steps.review.outcome != 'success' }}
+ if: ${{ always() && (steps.review_context.outcome != 'success' ||
steps.review.outcome != 'success') }}
env:
+ REVIEW_CONTEXT_OUTCOME: ${{ steps.review_context.outcome }}
REVIEW_FAILURE_REASON: ${{ steps.review.outputs.failure_reason }}
REVIEW_OUTCOME: ${{ steps.review.outcome }}
run: |
- error_msg="${REVIEW_FAILURE_REASON:-Review step was $REVIEW_OUTCOME
(possibly timeout or cancelled)}"
+ if [ "$REVIEW_CONTEXT_OUTCOME" != "success" ]; then
+ error_msg="Review context preparation failed before Codex ran;
inspect the 'Prepare authoritative PR context and required AGENTS guides' step."
+ else
+ error_msg="${REVIEW_FAILURE_REASON:-Review step was
$REVIEW_OUTCOME (possibly timeout or cancelled)}"
+ fi
echo "Codex automated review failed: ${error_msg}"
exit 1
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]