Fix: Remove App Slug detection (#28)

Turns out the /app or /installation both uses JWT authentication rather
than installation token. As such we cannot detect the app slug from
inside the workflow, but delegate to the parent workflow. Added
documentation for this use case

Author: HungKNguyen

README.md

@@ -16,6 +16,8 @@ Based on the original work from [anthropics/claude-code-security-review](https:/
 
 ## Quick Start
 
+### Basic Setup (Default GitHub Token)
+
 Add this to your repository's `.github/workflows/code-review.yml`:
 
 ```yaml
@@ -51,6 +53,50 @@ jobs:
           require-label: 'READY TO REVIEW' # If this isn't set, the action will trigger any time *any* label is applied
 ```
 
+### GitHub App Setup (Recommended for Organizations)
+
+For custom bot name/avatar and better mention detection:
+
+```yaml
+name: Code Review
+
+permissions:
+  pull-requests: write
+  contents: read
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled, review_requested]
+  issue_comment:
+    types: [created]
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request' || (github.event_name == 'issue_comment' && github.event.issue.pull_request)
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          fetch-depth: 2
+
+      - name: Generate App Token
+        id: app-token
+        uses: actions/create-github-app-token@v1.9.0
+        with:
+          app-id: ${{ secrets.CODE_REVIEW_APP_ID }}
+          private-key: ${{ secrets.CODE_REVIEW_APP_PRIVATE_KEY }}
+
+      - uses: PSPDFKit-labs/nutrient-code-review@main
+        with:
+          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}
+          app-slug: ${{ steps.app-token.outputs.app-slug }}
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+```
+
+**Note**: The `app-slug` parameter enables the bot to detect when it's mentioned in PR comments (e.g., `@my-code-review-app`). Requires `actions/create-github-app-token@v1.9.0` or later.
+
 ## Security Considerations
 
 This action is not hardened against prompt injection attacks and should only be used to review trusted PRs. We recommend [configuring your repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories) to use the "Require approval for all external contributors" option to ensure workflows only run after a maintainer has reviewed the PR.
@@ -79,6 +125,7 @@ This action is not hardened against prompt injection attacks and should only be
 | `custom-security-scan-instructions` | Path to custom security scan instructions text file to append to the security section | None | No |
 | `dismiss-stale-reviews` | Dismiss previous bot reviews when posting a new review (useful for follow-up commits) | `true` | No |
 | `skip-draft-prs` | Skip code review on draft pull requests | `true` | No |
+| `app-slug` | GitHub App slug for bot mention detection. If using `actions/create-github-app-token@v1.9.0+`, pass `${{ steps.app-token.outputs.app-slug }}`. Otherwise defaults to `github-actions`. | `github-actions` | No |
 | `require-label` | Only run review if this label is present. Leave empty to review all PRs. Add `labeled` to your workflow `pull_request` types to trigger on label addition. | None | No |
 
 ### Action Outputs

action.yml

@@ -59,6 +59,11 @@ inputs:
     required: false
     default: 'true'
 
+  app-slug:
+    description: 'GitHub App slug for bot mentions (e.g., "my-code-review-app"). Defaults to "github-actions".'
+    required: false
+    default: 'github-actions'
+
   require-label:
     description: 'Only run review if this label is present on the PR. Leave empty to review all PRs. To trigger on label addition, add "labeled" to your workflow pull_request types.'
     required: false
@@ -196,53 +201,14 @@ runs:
         restore-keys: |
           claudecode-${{ github.repository_id }}-pr-${{ github.event.pull_request.number || steps.pr-info.outputs.pr_number }}-
 
-    - name: Detect bot identity
-      id: bot-identity
-      shell: bash
-      env:
-        GH_TOKEN: ${{ env.GITHUB_TOKEN || github.token }}
-        GITHUB_REPOSITORY: ${{ github.repository }}
-      run: |
-        # Get authenticated user (the bot making API calls)
-        # Note: /user endpoint doesn't work with GitHub App tokens, so we try multiple methods
-        BOT_LOGIN=""
-
-        # Method 1: Try /user endpoint (works for PATs, not GitHub App tokens)
-        if [ -z "$BOT_LOGIN" ]; then
-          if BOT_LOGIN_TMP=$(gh api user --jq '.login' 2>/dev/null); then
-            BOT_LOGIN="$BOT_LOGIN_TMP"
-            echo "Detected bot via /user endpoint: $BOT_LOGIN"
-          fi
-        fi
-
-        # Method 2: Try /app endpoint (works for GitHub App tokens)
-        if [ -z "$BOT_LOGIN" ]; then
-          if APP_DATA=$(gh api app 2>/dev/null); then
-            APP_SLUG=$(echo "$APP_DATA" | jq -r '.slug // empty' 2>/dev/null)
-            if [ -n "$APP_SLUG" ] && [ "$APP_SLUG" != "null" ]; then
-              BOT_LOGIN="${APP_SLUG}[bot]"
-              echo "Detected bot via /app endpoint: $BOT_LOGIN"
-            fi
-          fi
-        fi
-
-        # Method 3: Fallback to default
-        if [ -z "$BOT_LOGIN" ]; then
-          BOT_LOGIN="github-actions"
-          echo "Using default bot identity: $BOT_LOGIN"
-        fi
-
-        echo "bot_login=$BOT_LOGIN" >> $GITHUB_OUTPUT
-        echo "Detected bot identity: $BOT_LOGIN"
-
     - name: Detect trigger type
       id: trigger-detection
       shell: bash
       env:
         EVENT_NAME: ${{ github.event_name }}
         EVENT_ACTION: ${{ github.event.action }}
         COMMENT_BODY: ${{ github.event.comment.body }}
-        BOT_LOGIN: ${{ steps.bot-identity.outputs.bot_login }}
+        APP_SLUG: ${{ inputs.app-slug }}
       run: |
         TRIGGER_TYPE="unknown"
 
@@ -264,11 +230,11 @@ runs:
         elif [ "$EVENT_NAME" == "issue_comment" ]; then
           # Check if comment mentions this specific bot
           # Escape special regex characters in bot login to prevent regex injection
-          if [ -n "$BOT_LOGIN" ]; then
-            ESCAPED_BOT=$(printf '%s\n' "$BOT_LOGIN" | sed 's/[]\/$*.^[]/\\&/g')
+          if [ -n "$APP_SLUG" ]; then
+            ESCAPED_BOT=$(printf '%s\n' "$APP_SLUG" | sed 's/[]\/$*.^[]/\\&/g')
             if echo "$COMMENT_BODY" | grep -qE "@${ESCAPED_BOT}\\b"; then
               TRIGGER_TYPE="mention"
-              echo "Detected mention of @$BOT_LOGIN in comment"
+              echo "Detected mention of @$APP_SLUG in comment"
             fi
           fi
         fi
@@ -543,7 +509,7 @@ runs:
         GH_TOKEN: ${{ env.GITHUB_TOKEN || github.token }}
         GITHUB_REPOSITORY: ${{ github.repository }}
         PR_NUMBER: ${{ github.event.pull_request.number || steps.pr-info.outputs.pr_number }}
-        BOT_LOGIN: ${{ steps.bot-identity.outputs.bot_login }}
+        BOT_LOGIN: ${{ inputs.app-slug }}[bot]
       run: |
         # Request the bot as a reviewer to make it appear in the PR's reviewer list
         # This is optional and will fail silently if the bot is already a reviewer or doesn't have permissions