|
| 1 | +# Reviewer Bot — initial PR review. |
| 2 | +# |
| 3 | +# Own-job composite caller of the databricks-bot-engine actions. We deliberately |
| 4 | +# do NOT use the engine's reusable WORKFLOW (jobs.<id>.uses: |
| 5 | +# .../reviewer-bot.reusable.yml@<sha>): a cross-repo reusable-workflow call to |
| 6 | +# the private engine fails to resolve ("workflow was not found"). Cross-repo |
| 7 | +# composite ACTIONS (steps: - uses: .../.github/actions/...@<sha>) DO resolve |
| 8 | +# in-org — this is the pattern databricks-driver-test's engineer bot uses in |
| 9 | +# production, and the one the engineer-bot workflows here use too. So this file |
| 10 | +# owns the job and replicates the reusable's steps (fork gate, token mint, |
| 11 | +# install, run) with cross-repo action refs. |
| 12 | +# |
| 13 | +# Engine pin: the SHA below pins BOTH the action refs AND engine-ref, so the |
| 14 | +# workflow and installed engine match. Bump in lockstep; never @main. |
| 15 | +# |
| 16 | +# Auth: PAT-free. We mint a short-lived, engine-scoped App installation token |
| 17 | +# from the review-bot App creds and pass it as engine-pat to install-bot-engine |
| 18 | +# (no stored BOT_ENGINE_PAT). |
| 19 | +name: Reviewer Bot |
| 20 | + |
| 21 | +on: |
| 22 | + pull_request: |
| 23 | + types: [opened, synchronize, reopened, ready_for_review] |
| 24 | + workflow_dispatch: |
| 25 | + inputs: |
| 26 | + pr_number: |
| 27 | + description: 'PR number to review' |
| 28 | + required: true |
| 29 | + type: string |
| 30 | + dry_run: |
| 31 | + description: 'Print what would be posted instead of posting' |
| 32 | + required: false |
| 33 | + default: 'true' |
| 34 | + type: string |
| 35 | + |
| 36 | +permissions: |
| 37 | + contents: read |
| 38 | + pull-requests: write |
| 39 | + id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install |
| 40 | + |
| 41 | +jobs: |
| 42 | + review: |
| 43 | + # SECURITY FLOOR (was the reusable's job `if:`): manual dispatch, OR a |
| 44 | + # non-draft, non-fork PR. fork == false keeps the App + model tokens off |
| 45 | + # untrusted code. |
| 46 | + if: >- |
| 47 | + github.event_name == 'workflow_dispatch' |
| 48 | + || (github.event.pull_request.draft == false |
| 49 | + && github.event.pull_request.head.repo.fork == false) |
| 50 | + environment: azure-prod # DATABRICKS_HOST / DATABRICKS_TOKEN live here |
| 51 | + runs-on: |
| 52 | + group: databricks-protected-runner-group |
| 53 | + labels: [linux-ubuntu-latest] |
| 54 | + timeout-minutes: 30 |
| 55 | + steps: |
| 56 | + # Checkout FIRST. Default ref = the PR merge ref on pull_request, the |
| 57 | + # default branch on dispatch. persist-credentials:false — the reviewer |
| 58 | + # reads this tree via read_paths/grep, so no token may sit in .git/config. |
| 59 | + - name: Checkout |
| 60 | + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
| 61 | + with: |
| 62 | + fetch-depth: 0 |
| 63 | + persist-credentials: false |
| 64 | + |
| 65 | + # Mint the review-bot token (posts findings). |
| 66 | + - name: Mint review-bot App token |
| 67 | + id: setup |
| 68 | + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 |
| 69 | + with: |
| 70 | + app-id: ${{ secrets.REVIEW_BOT_APP_ID }} |
| 71 | + private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }} |
| 72 | + |
| 73 | + - name: Setup Python |
| 74 | + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 |
| 75 | + with: |
| 76 | + python-version: '3.11' |
| 77 | + |
| 78 | + - name: Setup Node (for the Claude Code CLI the SDK spawns) |
| 79 | + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 |
| 80 | + with: |
| 81 | + node-version: '20' |
| 82 | + |
| 83 | + # PAT-free engine install: mint a per-run token scoped to ONLY the engine |
| 84 | + # repo (contents:read) from the review-bot App creds. Requires the |
| 85 | + # review-bot App installed on databricks-bot-engine with contents:read. |
| 86 | + - name: Mint engine-scoped install token |
| 87 | + id: engine-token |
| 88 | + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 |
| 89 | + with: |
| 90 | + app-id: ${{ secrets.REVIEW_BOT_APP_ID }} |
| 91 | + private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }} |
| 92 | + owner: databricks |
| 93 | + repositories: databricks-bot-engine |
| 94 | + permission-contents: read |
| 95 | + |
| 96 | + # LOCAL composite (not a cross-repo `uses:` of the engine — that fails to |
| 97 | + # resolve from this external repo). It pip-installs the pinned engine via |
| 98 | + # the engine-scoped token. |
| 99 | + - name: Install engine + Claude SDK/CLI |
| 100 | + uses: ./.github/actions/install-bot-engine |
| 101 | + with: |
| 102 | + engine-ref: b6205fb502566d617a456ccf3c37f3e4e3072ccd |
| 103 | + engine-token: ${{ steps.engine-token.outputs.token }} |
| 104 | + |
| 105 | + - name: Resolve trigger inputs |
| 106 | + id: inputs |
| 107 | + # SECURITY: dispatcher-supplied values pass via env, never interpolated |
| 108 | + # into the script body (an inline expression would inject at assignment, |
| 109 | + # before the digits-only check). Env values expand without re-parsing. |
| 110 | + env: |
| 111 | + GH_TOKEN: ${{ steps.setup.outputs.token }} |
| 112 | + EVENT_NAME: ${{ github.event_name }} |
| 113 | + INPUT_PR: ${{ inputs.pr_number }} |
| 114 | + INPUT_DRY_RUN: ${{ inputs.dry_run }} |
| 115 | + EVENT_PR: ${{ github.event.pull_request.number }} |
| 116 | + REPO: ${{ github.repository }} |
| 117 | + run: | |
| 118 | + if [ "$EVENT_NAME" = "workflow_dispatch" ]; then |
| 119 | + RAW_PR="$INPUT_PR"; DRY_RUN="$INPUT_DRY_RUN" |
| 120 | + else |
| 121 | + RAW_PR="$EVENT_PR"; DRY_RUN="false" |
| 122 | + fi |
| 123 | + [[ "$RAW_PR" =~ ^[0-9]+$ ]] || { echo "::error::Invalid pr_number '$RAW_PR'"; exit 1; } |
| 124 | + case "$DRY_RUN" in true|false) ;; *) DRY_RUN="true" ;; esac # fail safe |
| 125 | + HEAD_SHA=$(gh pr view "$RAW_PR" --repo "$REPO" --json headRefOid -q .headRefOid) |
| 126 | + { echo "pr_number=$RAW_PR"; echo "head_sha=$HEAD_SHA"; echo "dry_run=$DRY_RUN"; } >> "$GITHUB_OUTPUT" |
| 127 | +
|
| 128 | + - name: Run reviewer |
| 129 | + env: |
| 130 | + GH_TOKEN: ${{ steps.setup.outputs.token }} |
| 131 | + GITHUB_REPOSITORY: ${{ github.repository }} |
| 132 | + PR_NUMBER: ${{ steps.inputs.outputs.pr_number }} |
| 133 | + HEAD_SHA: ${{ steps.inputs.outputs.head_sha }} |
| 134 | + DRY_RUN: ${{ steps.inputs.outputs.dry_run }} |
| 135 | + MODEL_ENDPOINT: https://${{ secrets.DATABRICKS_HOST }}/serving-endpoints/databricks-claude-opus-4-8/invocations |
| 136 | + DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} |
| 137 | + RUNNER_TEMP: ${{ runner.temp }} |
| 138 | + # The reviewer's repo-specific ADDITIVE guidance, read from the TRUSTED |
| 139 | + # checkout (run_review enforces containment). Engine owns the base prompt. |
| 140 | + REVIEW_SYSTEM_PROMPT: .bot/prompts/review/system.md |
| 141 | + run: python -m databricks_bot_engine.reviewer_bot.run_review |
0 commit comments