ai-pr-review.yml
# Safe PR Analysis - First Stage (Unprivileged)
# Runs on the pull_request event, so it executes with a read-only GITHUB_TOKEN and, for PRs
# from forks, without repository secrets. It analyzes the PR diff and saves metadata as an
# artifact for a separate privileged (workflow_run) workflow to act on. Everything this job
# produces was computed while processing attacker-controlled input and must be re-validated
# by that second stage.
name: AI PR Analysis (Safe)

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Cancel previous workflow runs for the same PR
concurrency:
  group: ${{ github.workflow }}-${{ github.event.number }}
  cancel-in-progress: true

permissions:
  contents: read
  # NO write permissions in this workflow: it handles untrusted input (the PR diff)

jobs:
  analyze-pr:
    name: Analyze PR Content (Unprivileged)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code (Safe - base branch only)
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          # SECURITY: Do NOT check out the PR head; only the PR's target (base) branch.
          # Nothing from the PR is checked out or executed in this job.
          ref: ${{ github.event.pull_request.base.ref }}

      - name: Get PR diff safely
        id: pr-diff
        # SECURITY: every ${{ }} value is passed through env rather than interpolated into
        # the script, so no event value can become shell syntax or be echoed into logs.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PR_NUMBER: ${{ github.event.number }}
        run: |
          # SECURITY: fetch the diff through the API instead of a git checkout of untrusted code.
          # -f makes curl fail on an HTTP error instead of writing an error page into pr_diff.txt.
          curl -fsS \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            -H "Accept: application/vnd.github.v3.diff" \
            "https://api.github.com/repos/$REPO/compare/$BASE_SHA...$HEAD_SHA" \
            -o pr_diff.txt
          {
            echo "base-sha=$BASE_SHA"
            echo "head-sha=$HEAD_SHA"
            echo "pr-number=$PR_NUMBER"
          } >> "$GITHUB_OUTPUT"
          # Expose the diff as a multi-line step output so the prompt below can include it.
          # A random delimiter prevents a crafted diff line from terminating the value early
          # and smuggling in further outputs. Step outputs are size-limited, so the diff is
          # capped (the 500000-byte cap is an arbitrary choice; adjust to the model's context).
          DELIM="diff-$(openssl rand -hex 16)"
          {
            echo "diff<<$DELIM"
            head -c 500000 pr_diff.txt
            echo
            echo "$DELIM"
          } >> "$GITHUB_OUTPUT"

      - name: Run AI Analysis (Gemini key only; no write token)
        # NOTE: the diff is attacker-controlled, so the model's output may be the product of
        # prompt injection. Treat it as untrusted data; this job cannot post it anywhere.
        # NOTE: on pull_request runs from forks GitHub does not supply repository secrets, so
        # GEMINI_API_KEY is empty there and this step fails for fork PRs.
        uses: google-github-actions/run-gemini-cli@v0.1.11
        with:
          prompt: |
            You are an expert WordPress plugin developer and security consultant reviewing a pull request for the "Simple WP Optimizer" WordPress plugin.

            PLUGIN CONTEXT:
            - WordPress performance optimization plugin
            - Removes unnecessary WordPress features and scripts to improve performance
            - Supports WordPress 6.5+ and PHP 7.4+
            - Features include emoji removal, jQuery migrate removal, header cleanup, DNS prefetch optimization

            COMPREHENSIVE REVIEW CHECKLIST:

            🔒 SECURITY ANALYSIS:
            1. SQL Injection vulnerabilities
            2. XSS (Cross-Site Scripting) issues
            3. CSRF (Cross-Site Request Forgery) protection
            4. Input validation and sanitization
            5. Output escaping compliance
            6. Authentication and authorization checks
            7. File upload security (if applicable)

            📝 WORDPRESS STANDARDS:
            1. WordPress Coding Standards compliance
            2. Proper use of WordPress APIs
            3. Hook usage (actions/filters)
            4. Internationalization (i18n) implementation
            5. Plugin structure and organization
            6. PHPDoc documentation quality

            ⚡ PERFORMANCE REVIEW:
            1. Database query optimization
            2. Caching strategies
            3. Resource loading efficiency
            4. Memory usage considerations
            5. Scalability implications

            🏗️ CODE QUALITY:
            1. Function complexity and readability
            2. Error handling implementation
            3. Type safety and parameter validation
            4. Code reusability and DRY principles
            5. Naming conventions

            🔧 PLUGIN-SPECIFIC:
            1. WordPress optimization best practices
            2. Performance impact assessment
            3. Admin interface usability
            4. Plugin activation/deactivation handling
            5. Compatibility with WordPress core features

            REVIEW FORMAT:
            For each category, provide:
            - ✅ Approved items
            - ⚠️ Issues requiring attention (with severity: CRITICAL/HIGH/MEDIUM/LOW)
            - 💡 Improvement suggestions
            - 📚 Relevant documentation links

            Focus on actionable feedback that improves:
            - Security posture
            - WordPress ecosystem compatibility
            - Code maintainability
            - Performance and user experience

            Analyze the following PR diff:

            ${{ steps.pr-diff.outputs.diff }}
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}

      - name: Save PR metadata for privileged workflow
        env:
          PR_NUMBER: ${{ github.event.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          mkdir -p ./pr-data
          echo "$PR_NUMBER" > ./pr-data/pr-number.txt
          echo "$HEAD_SHA" > ./pr-data/head-sha.txt
          echo "$BASE_SHA" > ./pr-data/base-sha.txt
          echo "$PR_AUTHOR" > ./pr-data/author.txt
          # NOTE: the model's review text is not captured by this step; the privileged stage
          # receives only the metadata above plus this status line, all of which it must
          # validate before use because this job ran on untrusted input.
          echo "AI analysis completed successfully" > ./pr-data/status.txt

      - name: Upload analysis results
        uses: actions/upload-artifact@v4
        with:
          name: pr-analysis-${{ github.event.number }}
          path: pr-data/
          retention-days: 30
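The workflow above only produces the artifact; the "privileged workflow" it refers to is not on this page. The following is an added example of what that second stage can look like, written here as an illustration and not the project's own file; the file name ai-pr-comment.yml, the job and step names, and the comment body are assumptions. It triggers on workflow_run (so it runs from the default branch with a write token and full secrets), downloads the artifact of the run that triggered it, and treats every value in that artifact as untrusted: the PR number and SHA must be well-formed, the SHA must equal the SHA GitHub itself recorded for the triggering run, and the live PR head must still be that commit before anything is posted.

```yaml
# ai-pr-comment.yml (hypothetical second stage, added example, not part of the project)
# Runs from the default branch on workflow_run, so it holds a write token and full secrets
# and must never execute or trust anything the unprivileged stage produced without checking it.
name: AI PR Analysis (Privileged)

on:
  workflow_run:
    workflows: ["AI PR Analysis (Safe)"]
    types: [completed]

permissions:
  contents: read
  pull-requests: write

jobs:
  comment:
    # Only act on successful, pull_request-triggered runs of the first stage
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Download the artifact of the triggering run
        uses: actions/download-artifact@v4
        with:
          pattern: pr-analysis-*
          merge-multiple: true
          path: pr-data
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Validate artifact contents (produced while running on untrusted input)
        id: meta
        env:
          # The SHA the first stage actually ran against, as recorded by GitHub, not by the artifact
          RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          PR_NUMBER=$(tr -d '[:space:]' < pr-data/pr-number.txt)
          HEAD_SHA=$(tr -d '[:space:]' < pr-data/head-sha.txt)
          # Accept only well-formed values: a short decimal PR number and a 40-hex commit SHA
          [[ "$PR_NUMBER" =~ ^[0-9]{1,9}$ ]] || { echo "rejecting malformed PR number"; exit 1; }
          [[ "$HEAD_SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "rejecting malformed head SHA"; exit 1; }
          # The artifact must describe the commit the triggering run was started for
          [ "$HEAD_SHA" = "$RUN_HEAD_SHA" ] || { echo "artifact SHA does not match run"; exit 1; }
          echo "pr-number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
          echo "head-sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"

      - name: Cross-check the live PR and post the comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ steps.meta.outputs.pr-number }}
          HEAD_SHA: ${{ steps.meta.outputs.head-sha }}
          RUN_URL: ${{ github.event.workflow_run.html_url }}
        run: |
          # The PR number came from the artifact: confirm that PR exists and that its current
          # head is the commit that was analyzed, so a stale or forged artifact cannot be used
          # to post under another PR or to describe code that has since changed.
          LIVE_SHA=$(gh api "repos/$REPO/pulls/$PR_NUMBER" --jq .head.sha)
          [ "$LIVE_SHA" = "$HEAD_SHA" ] || { echo "PR head moved since analysis; not posting"; exit 0; }
          {
            echo "AI analysis for commit \`$HEAD_SHA\` finished: $RUN_URL"
            echo
            # status.txt is untrusted text; --body-file posts it as data, never as shell input
            cat pr-data/status.txt
          } > body.md
          gh pr comment "$PR_NUMBER" --repo "$REPO" --body-file body.md
```

Because the first stage does not save the model's review text, this stage posts only a status line and a link to the run; if the review text is added to the artifact later, it must be posted the same way, as a file body, and never interpolated into a script or evaluated as a command.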