-
-
Notifications
You must be signed in to change notification settings - Fork 1
249 lines (211 loc) · 9.73 KB
/
ai-pr-comment.yml
File metadata and controls
249 lines (211 loc) · 9.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
# Privileged PR Comment Handler - Second Stage (Secure)
# Processes AI analysis results and posts comments safely
name: AI PR Comment Handler (Privileged)
on:
workflow_run:
workflows: ["AI PR Analysis (Safe)"]
types:
- completed
permissions:
contents: read
pull-requests: write
issues: write
jobs:
post-review:
name: Post AI Review Results
runs-on: ubuntu-latest
if: |
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- name: Download analysis artifacts
uses: actions/github-script@v8
env:
WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
with:
script: |
const runId = process.env.WORKFLOW_RUN_ID;
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: runId,
});
const matchArtifact = artifacts.data.artifacts.find((artifact) => {
return artifact.name.startsWith("pr-analysis-");
});
if (!matchArtifact) {
core.setFailed('No analysis artifact found');
return;
}
const download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
const fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr-analysis.zip`, Buffer.from(download.data));
- name: Extract and validate artifacts
id: extract-data
run: |
unzip -q pr-analysis.zip -d pr-data/
# Validate that files contain only expected content (security)
if [ -f "pr-data/pr-number.txt" ]; then
PR_NUMBER=$(cat pr-data/pr-number.txt)
# Validate PR number is numeric
if [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
echo "pr-number=$PR_NUMBER" >> $GITHUB_OUTPUT
else
echo "Invalid PR number format"
exit 1
fi
else
echo "PR number file missing"
exit 1
fi
# Extract other safe metadata
[ -f "pr-data/head-sha.txt" ] && echo "head-sha=$(cat pr-data/head-sha.txt)" >> $GITHUB_OUTPUT
[ -f "pr-data/base-sha.txt" ] && echo "base-sha=$(cat pr-data/base-sha.txt)" >> $GITHUB_OUTPUT
[ -f "pr-data/author.txt" ] && echo "author=$(cat pr-data/author.txt)" >> $GITHUB_OUTPUT
[ -f "pr-data/status.txt" ] && echo "status=$(cat pr-data/status.txt)" >> $GITHUB_OUTPUT
- name: Post AI review comment
uses: actions/github-script@v8
env:
PR_NUMBER: ${{ steps.extract-data.outputs.pr-number }}
HEAD_SHA: ${{ steps.extract-data.outputs.head-sha }}
AUTHOR: ${{ steps.extract-data.outputs.author }}
WORKFLOW_URL: ${{ github.event.workflow_run.html_url }}
with:
script: |
const prNumber = process.env.PR_NUMBER;
const headSha = process.env.HEAD_SHA;
const author = process.env.AUTHOR;
const workflowUrl = process.env.WORKFLOW_URL;
// Validate inputs
if (!prNumber || !headSha) {
core.setFailed('Missing required PR metadata');
return;
}
const reviewContent = `
## 🤖 AI-Powered Security & Code Review
Hi @${author}! I've completed a comprehensive analysis of this pull request.
### 📊 Review Summary
- **Plugin:** Simple WP Optimizer
- **Commit:** \`${headSha.substring(0, 7)}\`
- **WordPress Compatibility:** 6.5+
- **PHP Compatibility:** 7.4+
- **Analysis Type:** Security + Standards + Performance + Quality
### 🔍 Analysis Categories Completed
✅ **Security Vulnerabilities** (SQL injection, XSS, CSRF)
✅ **WordPress Coding Standards** (PSR-4, naming, structure)
✅ **Performance Optimization** (queries, caching, scalability)
✅ **Code Quality & Architecture** (complexity, error handling)
✅ **Plugin-Specific Best Practices** (WordPress optimization techniques)
### 🛡️ Security Analysis
All code changes have been analyzed for common WordPress vulnerabilities including:
- Input sanitization and output escaping
- Authentication and authorization checks
- Database query security
- File upload and path traversal protection
### 📈 Performance Considerations
Reviewed for:
- Database query optimization opportunities
- Caching strategy implementation
- Resource loading efficiency
- Memory usage patterns
### 💡 Next Steps
- Review any specific feedback in the workflow logs
- Address any identified issues before merging
- Consider implementing suggested optimizations
> 🔄 **Note:** This analysis was performed securely without executing untrusted code
**Analysis Workflow:** [View Details](${workflowUrl})
`;
await github.rest.issues.createComment({
issue_number: prNumber,
owner: context.repo.owner,
repo: context.repo.repo,
body: reviewContent
});
handle-failures:
name: Handle Analysis Failures
runs-on: ubuntu-latest
if: |
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'failure'
steps:
- name: Download failure artifacts (if any)
uses: actions/github-script@v8
continue-on-error: true
env:
WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
with:
script: |
try {
const runId = process.env.WORKFLOW_RUN_ID;
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: runId,
});
const matchArtifact = artifacts.data.artifacts.find((artifact) => {
return artifact.name.startsWith("pr-analysis-");
});
if (matchArtifact) {
const download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
const fs = require('fs');
fs.writeFileSync('${{ github.workspace }}/pr-analysis.zip', Buffer.from(download.data));
}
} catch (error) {
console.log('No artifacts to download or error occurred:', error.message);
}
- name: Extract PR number for error reporting
id: extract-pr
run: |
if [ -f "pr-analysis.zip" ]; then
unzip -q pr-analysis.zip -d pr-data/ || true
if [ -f "pr-data/pr-number.txt" ]; then
PR_NUMBER=$(cat pr-data/pr-number.txt)
if [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
echo "pr-number=$PR_NUMBER" >> $GITHUB_OUTPUT
fi
fi
fi
- name: Create failure issue
uses: actions/github-script@v8
env:
PR_NUMBER: ${{ steps.extract-pr.outputs.pr-number }}
WORKFLOW_HTML_URL: ${{ github.event.workflow_run.html_url }}
with:
script: |
const prNumber = process.env.PR_NUMBER;
const workflowUrl = process.env.WORKFLOW_HTML_URL;
const title = `🚨 AI Analysis Failed${prNumber ? ` for PR #${prNumber}` : ''}`;
const body = `
## AI Code Analysis Failure
The automated AI code analysis workflow has failed and requires attention.
${prNumber ? `**Pull Request:** #${prNumber}` : '**Pull Request:** Unable to determine'}
**Workflow Run:** ${workflowUrl}
**Failure Time:** ${new Date().toISOString()}
### Possible Causes
- API rate limits or temporary service issues
- Large diff size exceeding analysis limits
- Invalid file formats or encoding issues
- Workflow configuration problems
### Manual Actions Required
1. 🔍 Review the failed workflow logs for specific error details
2. 🔄 Re-run the analysis workflow if it was a temporary issue
3. 🛠️ Contact maintainers if the issue persists
**Note:** This does not necessarily indicate issues with the PR code itself.
`;
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: title,
body: body,
labels: ['ai-analysis', 'workflow-failure', 'needs-attention']
});