feat: ACNA-4515 add pr-reviewer workflow

[chsrimanaswi]

Description

Adds an AI-powered PR reviewer workflow that automatically reviews pull requests using Claude via AWS Bedrock. Triggers on PR open/reopen/synchronize and on /review or /pr-reviewer comments by admins or maintainers.

Related Issue

ACNA-4515

Motivation and Context

Reduces code review toil by providing automated first-pass reviews with inline suggestions. Part of a broader rollout across App Builder repos.

How Has This Been Tested?

Tested end-to-end in adobe/generator-aio-app — workflow triggers correctly on PR events and /review comments, posts inline suggestions and summary reviews via github-actions[bot].

Screenshots (if appropriate):

N/A

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have signed the Adobe Open Source CLA.
• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[github-actions]

🤖 PR Reviewer

The workflow is well-structured with clear gate logic and security-conscious permission checks. A few minor robustness and security concerns exist around comment body matching, the use of @main for an external reusable workflow, and potential injection risk from environment variables passed into shell conditionals.

📝 4 suggestion(s) - Please review inline comments below.

---

💡 How to re-trigger

Comment /review or /pr-reviewer on this PR

[github-actions]

Exact string matching on comment body is fragile — comments with trailing newlines, spaces, or carriage returns (common from some clients) will silently not match. Consider using a contains() or trimming approach. Also, this check runs before the collaborator gate, so any user can trigger the check job just by commenting (even if they're denied in the gate). This is low-risk but worth noting.

Suggested change

	(github.event.comment.body == '/review' || github.event.comment.body == '/pr-reviewer'))
	(github.event.comment.body == '/review' || github.event.comment.body == '/pr-reviewer' ||
	startsWith(github.event.comment.body, '/review
	') || startsWith(github.event.comment.body, '/pr-reviewer
	'))

[github-actions]

The gh api call uses $GITHUB_REPOSITORY directly in a shell string. While this value is set by GitHub Actions and is generally safe, using it unquoted inside a path segment in a shell command is a best-practice risk. Prefer quoting or using the --repo flag.

Suggested change

	DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER)
	PERM=$(gh api "repos/$GITHUB_REPOSITORY/collaborators/$COMMENT_USER_LOGIN/permission" --jq '.permission' 2>/dev/null || echo "none")

[github-actions]

Same quoting concern for the pulls API call — quote the URL to prevent word splitting.

Suggested change

	echo "pr_number=$ISSUE_NUMBER" >> $GITHUB_OUTPUT
	DATA=$(gh api "repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER")

[github-actions]

Pinning an external reusable workflow to @main is a supply-chain security risk. A compromised or unintended change to the main branch of adobe/aio-reusable-workflows could affect this workflow. Pin to a specific SHA or at minimum a release tag.

Suggested change

	uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main
	uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@<commit-sha-or-tag>

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Proposed changes not required