|
| 1 | +# Engineer Bot — follow-up. |
| 2 | +# |
| 3 | +# When someone replies to a review thread on a PR carrying the `engineer-bot` |
| 4 | +# label (or the label is applied), the bot re-evaluates the open threads in |
| 5 | +# catch-up mode, applies a fixup (or replies / marks blocked), and pushes to the |
| 6 | +# PR branch. Driven by this repo's .bot/ prompts. |
| 7 | +# |
| 8 | +# Like the author, this builds/runs the product, so it keeps its own job and |
| 9 | +# interleaves `poetry install` before the shared bot-run composite. Consumer |
| 10 | +# differences vs the engine dogfood: REF-mode install pinned to an engine SHA, |
| 11 | +# authenticated PAT-free by an engine-scoped App token minted below. |
| 12 | +# |
| 13 | +# The gate below is the canonical label-gated form copied verbatim from the |
| 14 | +# engine dogfood (the single source of truth). It ANDs with the engine-side |
| 15 | +# floor; do not weaken it. |
| 16 | +name: Engineer Bot — Follow-up |
| 17 | + |
| 18 | +on: |
| 19 | + pull_request_review_comment: |
| 20 | + types: [created] |
| 21 | + # `engineer-bot` label applied → catch-up over pre-existing review threads. |
| 22 | + pull_request: |
| 23 | + types: [labeled] |
| 24 | + |
| 25 | +permissions: |
| 26 | + contents: write # push fixup commits to the PR branch |
| 27 | + pull-requests: write # post inline replies |
| 28 | + id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install |
| 29 | + |
| 30 | +jobs: |
| 31 | + followup: |
| 32 | + # SECURITY + scope (CANONICAL label-gated model — verbatim from the engine): |
| 33 | + # - skip fork PRs — keep the model + App token out of untrusted code's reach; |
| 34 | + # - operate only on non-fork OPEN PRs carrying the `engineer-bot` label |
| 35 | + # (maintainer-applied opt-in; label requires triage+); |
| 36 | + # - comment path: trusted commenters only (OWNER/MEMBER/COLLABORATOR, or a |
| 37 | + # bot — reviewer-bot/Copilot), never the engineer-bot's own comments, and |
| 38 | + # never a reviewer-bot reconcile loopback; |
| 39 | + # - labeled path: the `engineer-bot` label was just applied by a human. |
| 40 | + if: >- |
| 41 | + github.event.pull_request.head.repo.fork == false |
| 42 | + && github.event.pull_request.state == 'open' |
| 43 | + && ( |
| 44 | + ( |
| 45 | + github.event_name == 'pull_request_review_comment' |
| 46 | + && contains(github.event.pull_request.labels.*.name, 'engineer-bot') |
| 47 | + && !startsWith(github.event.comment.user.login, 'peco-engineer-bot') |
| 48 | + && !contains(github.event.comment.body, '<!-- pr-review-bot:v1 reconcile -->') |
| 49 | + && ( |
| 50 | + contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) |
| 51 | + || ( |
| 52 | + github.event.comment.user.type == 'Bot' |
| 53 | + && ( |
| 54 | + startsWith(github.event.comment.user.login, 'peco-review-bot') |
| 55 | + || startsWith(github.event.comment.user.login, 'Copilot') |
| 56 | + || startsWith(github.event.comment.user.login, 'copilot') |
| 57 | + ) |
| 58 | + ) |
| 59 | + ) |
| 60 | + ) |
| 61 | + || ( |
| 62 | + github.event_name == 'pull_request' |
| 63 | + && github.event.action == 'labeled' |
| 64 | + && github.event.label.name == 'engineer-bot' |
| 65 | + && github.event.sender.type != 'Bot' |
| 66 | + && !startsWith(github.event.sender.login, 'peco-engineer-bot') |
| 67 | + ) |
| 68 | + ) |
| 69 | + environment: azure-prod # DATABRICKS_HOST / DATABRICKS_TOKEN live here |
| 70 | + runs-on: |
| 71 | + group: databricks-protected-runner-group |
| 72 | + labels: [linux-ubuntu-latest] |
| 73 | + timeout-minutes: 30 |
| 74 | + concurrency: |
| 75 | + group: engineer-bot-followup-pr-${{ github.event.pull_request.number }} |
| 76 | + cancel-in-progress: false |
| 77 | + steps: |
| 78 | + # Checkout FIRST (remote action) so the local `./` composites resolve. |
| 79 | + # Check out the PR head BRANCH (not the merge ref) so fixups push back to |
| 80 | + # it; bot-run re-establishes the authenticated push remote. |
| 81 | + - name: Checkout PR head branch |
| 82 | + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
| 83 | + with: |
| 84 | + ref: ${{ github.event.pull_request.head.ref }} |
| 85 | + fetch-depth: 0 |
| 86 | + persist-credentials: false |
| 87 | + |
| 88 | + # Mint the engineer-bot token (this repo — pushes fixup commits, posts replies). |
| 89 | + - name: Mint engineer-bot App token |
| 90 | + id: setup |
| 91 | + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 |
| 92 | + with: |
| 93 | + app-id: ${{ secrets.ENGINEER_BOT_APP_ID }} |
| 94 | + private-key: ${{ secrets.ENGINEER_BOT_APP_PRIVATE_KEY }} |
| 95 | + |
| 96 | + # Python + connector deps via the repo's OWN setup-poetry action (JFrog |
| 97 | + # mirror + poetry lock + install) — egress-safe, tolerates a stale lock. |
| 98 | + # The agent runs `poetry run python -m pytest tests/unit` to verify fixups. |
| 99 | + - name: Setup Poetry + connector deps (for pytest self-verify) |
| 100 | + uses: ./.github/actions/setup-poetry |
| 101 | + with: |
| 102 | + python-version: '3.11' |
| 103 | + |
| 104 | + - name: Setup Node (for the Claude Code CLI the SDK spawns) |
| 105 | + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 |
| 106 | + with: |
| 107 | + node-version: '20' |
| 108 | + |
| 109 | + # PAT-free engine install: engine-scoped token (contents:read) from the |
| 110 | + # same App creds. |
| 111 | + - name: Mint engine-scoped install token |
| 112 | + id: engine-token |
| 113 | + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 |
| 114 | + with: |
| 115 | + app-id: ${{ secrets.ENGINEER_BOT_APP_ID }} |
| 116 | + private-key: ${{ secrets.ENGINEER_BOT_APP_PRIVATE_KEY }} |
| 117 | + owner: databricks |
| 118 | + repositories: databricks-bot-engine |
| 119 | + permission-contents: read |
| 120 | + |
| 121 | + # LOCAL composite (cross-repo `uses:` of the engine won't resolve here). |
| 122 | + - name: Install engine + Claude SDK/CLI |
| 123 | + uses: ./.github/actions/install-bot-engine |
| 124 | + with: |
| 125 | + engine-ref: b6205fb502566d617a456ccf3c37f3e4e3072ccd |
| 126 | + engine-token: ${{ steps.engine-token.outputs.token }} |
| 127 | + |
| 128 | + # Run the follow-up. Inlines the engine's bot-run env contract for |
| 129 | + # engineer:followup, plus the authenticated push remote bot-run would set |
| 130 | + # up (followup pushes fixup commits via a plain `git push`, which doesn't |
| 131 | + # consult GH_TOKEN; the checkout is persist-credentials:false). |
| 132 | + - name: Run engineer follow-up (catch-up over all unaddressed threads) |
| 133 | + env: |
| 134 | + GH_TOKEN: ${{ steps.setup.outputs.token }} |
| 135 | + GITHUB_REPOSITORY: ${{ github.repository }} |
| 136 | + PR_NUMBER: ${{ github.event.pull_request.number }} |
| 137 | + HEAD_SHA: ${{ github.event.pull_request.head.sha }} |
| 138 | + HEAD_BRANCH: ${{ github.event.pull_request.head.ref }} |
| 139 | + PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} |
| 140 | + PR_TITLE: ${{ github.event.pull_request.title }} |
| 141 | + PR_URL: ${{ github.event.pull_request.html_url }} |
| 142 | + TRIGGER_COMMENT_ID: ${{ github.event.comment.id }} |
| 143 | + MODEL_ENDPOINT: https://${{ secrets.DATABRICKS_HOST }}/serving-endpoints/databricks-claude-opus-4-8/invocations |
| 144 | + DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} |
| 145 | + RUNNER_TEMP: ${{ runner.temp }} |
| 146 | + run: | |
| 147 | + git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" |
| 148 | + python -m databricks_bot_engine.engineer_bot.run --phase followup \ |
| 149 | + --system-prompt "$GITHUB_WORKSPACE/.bot/prompts/engineer-followup/system.md" |
0 commit comments