feat: ACNA-4515 add pr-reviewer workflow#142
Conversation
🤖 PR Reviewer
The workflow is well-structured with clear security gating and good use of environment variables to avoid injection. Two minor but meaningful issues exist: a potential injection risk with GITHUB_REPOSITORY in the shell command, and the missing write permission for pull-request comments which may be needed depending on what the reusable workflow does.
📝 2 suggestion(s) - Please review inline comments below.
💡 How to re-trigger
Comment /review or /pr-reviewer on this PR
| # Intentionally require admin or maintain; write collaborators are excluded to | ||
| # limit who can trigger potentially expensive/sensitive review automation. | ||
| if [ "$PERM" = "admin" ] || [ "$PERM" = "maintain" ]; then | ||
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) |
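Review bot: the `DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER)` line neither quotes its expansions nor checks the exit status of `gh api`; when the request fails (a `/review` comment on an issue that is not a pull request gets a 404 from the pulls endpoint, and transient API errors do the same) `DATA` is silently empty and the rest of the step runs on nothing. Quote the path and fail the step explicitly, e.g. `DATA=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${ISSUE_NUMBER}") || exit 1`, and consider also rejecting a non-numeric `ISSUE_NUMBER` before it is interpolated into the request path.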
GITHUB_REPOSITORY is injected directly into the shell string via variable expansion inside a double-quoted gh api call. While GitHub sets this automatically and it's not user-controlled, best practice is to pass it via an env var and reference it consistently (already done for COMMENT_USER_LOGIN and ISSUE_NUMBER). More critically, the gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER call on line 37 uses GITHUB_REPOSITORY directly from the environment rather than from the sanitized env block, which is inconsistent. Use the env var pattern already established.
| DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER) | |
| DATA=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${ISSUE_NUMBER}") |
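The gating logic discussed above, as an added example that is not the PR's workflow code: a set of plain shell functions that can be exercised offline, covering the admin/maintain role check, the slash-command match, and construction of the `gh api` path with quoted, validated components. It goes one step beyond the workflow's exact-match behaviour by showing a normalized match (trailing whitespace and case ignored), so the difference is visible side by side. The function names, the `PERM`/`ISSUE_NUMBER`-style argument names and all sample inputs are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not the project's code). Gating helpers for a
# comment-triggered review job; everything runs offline.
set -eu

# Normalize a comment body: drop CR, trim surrounding whitespace, lower-case.
# The PR's own gate matches exactly; this is the looser alternative.
normalize_command() {
  printf '%s' "$1" | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | tr '[:upper:]' '[:lower:]'
}

# 0 if the normalized body is exactly one of the accepted commands.
# A body with extra words or extra lines does not match.
is_review_command() {
  case "$(normalize_command "$1")" in
    /review|/pr-reviewer) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 only for admin or maintain; write, triage and read are rejected,
# matching the intent of the workflow's comment.
is_allowed_role() {
  case "$1" in
    admin|maintain) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the pulls API path with every component validated before use.
# GitHub supplies an integer issue number, so the check is defence in depth:
# anything non-numeric is refused rather than interpolated into the path.
pulls_api_path() {
  repo="$1"; number="$2"
  case "$number" in
    ''|*[!0-9]*) echo "refusing non-numeric issue number: $number" >&2; return 1 ;;
  esac
  case "$repo" in
    */*) ;;
    *) echo "refusing repository without owner/: $repo" >&2; return 1 ;;
  esac
  printf 'repos/%s/pulls/%s' "$repo" "$number"
}

# Combined gate: prints the API path to fetch only when the trigger is legitimate.
# The caller would then run: DATA=$(gh api "$path") || exit 1
review_gate() {
  perm="$1"; body="$2"; repo="$3"; number="$4"
  is_review_command "$body" || { echo "not a review command" >&2; return 1; }
  is_allowed_role "$perm"   || { echo "role '$perm' may not trigger review" >&2; return 1; }
  pulls_api_path "$repo" "$number"
}

# Constructed sample invocation (no network access is made).
review_gate admin "/review" adobe/generator-aio-app 142
```

The path is printed rather than fetched so the gate can be unit-tested without a token; in the workflow it would feed the quoted `gh api` call with its exit status checked.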
| check: | ||
| # NOTE: comment body matching is exact — /review or /pr-reviewer with no trailing spaces, newlines, or mixed case | ||
| # This does not fail the workflow; non-matching comments simply do not trigger the job | ||
| if: | |
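Review bot: the NOTE states that body matching is exact, but the `if:` expression that performs the match is cut off at the end of this snippet, so the claim cannot be verified from what is shown here. Because `ISSUE_NUMBER` is later sent to the pulls endpoint, the same gate should also require that the comment is on a pull request (`github.event.issue.pull_request` is present only for PR comments); otherwise a `/review` on an ordinary issue starts the job and it fails downstream instead of being skipped.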
The workflow lacks explicit permissions declarations. For a security-sensitive gating workflow that calls gh api and passes a token to a reusable workflow, explicitly declaring minimum required permissions (e.g., contents: read, pull-requests: read) at the job or workflow level is a best practice to follow the principle of least privilege and makes the security surface area clear.
| if: | | |
| permissions: | |
| contents: read | |
| pull-requests: read |
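Review bot: the suggested `permissions:` block is inserted directly after `if: |`, which opens a YAML block scalar, so the new keys must sit at the same indentation as `if:` (not deeper) or they become part of the expression text; declaring `permissions` at the workflow top level avoids that trap entirely. The summary above also flags a possibly missing `pull-requests: write` for comments, while this suggestion grants only `read`; the two should be reconciled, since with `read` the job cannot post review comments itself and must rely on the token it passes to the reusable workflow.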
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Proposed changes not required
Description
Adds an AI-powered PR reviewer workflow that automatically reviews pull requests using Claude via AWS Bedrock. Triggers on PR open/reopen/synchronize and on `/review` or `/pr-reviewer` comments by admins or maintainers.
Related Issue
ACNA-4515
Motivation and Context
Reduces code review toil by providing automated first-pass reviews with inline suggestions. Part of a broader rollout across App Builder repos.
How Has This Been Tested?
Tested end-to-end in adobe/generator-aio-app: the workflow triggers correctly on PR events and `/review` comments, and posts inline suggestions and summary reviews via `github-actions[bot]`.
Screenshots (if appropriate):
N/A
Types of changes
Checklist: