From 74235038da618b6d5213109265138376607d3f5a Mon Sep 17 00:00:00 2001 From: HungKNguyen Date: Fri, 13 Feb 2026 13:45:39 +0700 Subject: [PATCH 1/2] make changes --- README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ action.yml | 54 ++++++++++-------------------------------------------- 2 files changed, 57 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index 19d6591..2474766 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,8 @@ Based on the original work from [anthropics/claude-code-security-review](https:/ ## Quick Start +### Basic Setup (Default GitHub Token) + Add this to your repository's `.github/workflows/code-review.yml`: ```yaml @@ -51,6 +53,50 @@ jobs: require-label: 'READY TO REVIEW' # If this isn't set, the action will trigger any time *any* label is applied ``` +### GitHub App Setup (Recommended for Organizations) + +For custom bot name/avatar and better mention detection: + +```yaml +name: Code Review + +permissions: + pull-requests: write + contents: read + +on: + pull_request: + types: [opened, synchronize, reopened, labeled, review_requested] + issue_comment: + types: [created] + +jobs: + review: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' || (github.event_name == 'issue_comment' && github.event.issue.pull_request) + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + fetch-depth: 2 + + - name: Generate App Token + id: app-token + uses: actions/create-github-app-token@v1.9.0 + with: + app-id: ${{ secrets.CODE_REVIEW_APP_ID }} + private-key: ${{ secrets.CODE_REVIEW_APP_PRIVATE_KEY }} + + - uses: PSPDFKit-labs/nutrient-code-review@main + with: + claude-api-key: ${{ secrets.CLAUDE_API_KEY }} + app-slug: ${{ steps.app-token.outputs.app-slug }} + env: + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} +``` + +**Note**: The `app-slug` parameter enables the bot to detect when it's mentioned in PR comments (e.g., `@my-code-review-app`). Requires `actions/create-github-app-token@v1.9.0` or later. + ## Security Considerations This action is not hardened against prompt injection attacks and should only be used to review trusted PRs. We recommend [configuring your repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories) to use the "Require approval for all external contributors" option to ensure workflows only run after a maintainer has reviewed the PR. @@ -79,6 +125,7 @@ This action is not hardened against prompt injection attacks and should only be | `custom-security-scan-instructions` | Path to custom security scan instructions text file to append to the security section | None | No | | `dismiss-stale-reviews` | Dismiss previous bot reviews when posting a new review (useful for follow-up commits) | `true` | No | | `skip-draft-prs` | Skip code review on draft pull requests | `true` | No | +| `app-slug` | GitHub App slug for bot mention detection. If using `actions/create-github-app-token@v1.9.0+`, pass `${{ steps.app-token.outputs.app-slug }}`. Otherwise defaults to `github-actions`. | `github-actions` | No | | `require-label` | Only run review if this label is present. Leave empty to review all PRs. Add `labeled` to your workflow `pull_request` types to trigger on label addition. | None | No | ### Action Outputs diff --git a/action.yml b/action.yml index 2c582ca..6e673fb 100644 --- a/action.yml +++ b/action.yml @@ -59,6 +59,11 @@ inputs: required: false default: 'true' + app-slug: + description: 'GitHub App slug for bot mentions (e.g., "my-code-review-app"). Defaults to "github-actions".' + required: false + default: 'github-actions' + require-label: description: 'Only run review if this label is present on the PR. Leave empty to review all PRs. To trigger on label addition, add "labeled" to your workflow pull_request types.' required: false @@ -196,45 +201,6 @@ runs: restore-keys: | claudecode-${{ github.repository_id }}-pr-${{ github.event.pull_request.number || steps.pr-info.outputs.pr_number }}- - - name: Detect bot identity - id: bot-identity - shell: bash - env: - GH_TOKEN: ${{ env.GITHUB_TOKEN || github.token }} - GITHUB_REPOSITORY: ${{ github.repository }} - run: | - # Get authenticated user (the bot making API calls) - # Note: /user endpoint doesn't work with GitHub App tokens, so we try multiple methods - BOT_LOGIN="" - - # Method 1: Try /user endpoint (works for PATs, not GitHub App tokens) - if [ -z "$BOT_LOGIN" ]; then - if BOT_LOGIN_TMP=$(gh api user --jq '.login' 2>/dev/null); then - BOT_LOGIN="$BOT_LOGIN_TMP" - echo "Detected bot via /user endpoint: $BOT_LOGIN" - fi - fi - - # Method 2: Try /app endpoint (works for GitHub App tokens) - if [ -z "$BOT_LOGIN" ]; then - if APP_DATA=$(gh api app 2>/dev/null); then - APP_SLUG=$(echo "$APP_DATA" | jq -r '.slug // empty' 2>/dev/null) - if [ -n "$APP_SLUG" ] && [ "$APP_SLUG" != "null" ]; then - BOT_LOGIN="${APP_SLUG}[bot]" - echo "Detected bot via /app endpoint: $BOT_LOGIN" - fi - fi - fi - - # Method 3: Fallback to default - if [ -z "$BOT_LOGIN" ]; then - BOT_LOGIN="github-actions" - echo "Using default bot identity: $BOT_LOGIN" - fi - - echo "bot_login=$BOT_LOGIN" >> $GITHUB_OUTPUT - echo "Detected bot identity: $BOT_LOGIN" - - name: Detect trigger type id: trigger-detection shell: bash @@ -242,7 +208,7 @@ runs: EVENT_NAME: ${{ github.event_name }} EVENT_ACTION: ${{ github.event.action }} COMMENT_BODY: ${{ github.event.comment.body }} - BOT_LOGIN: ${{ steps.bot-identity.outputs.bot_login }} + APP_SLUG: ${{ inputs.app-slug }} run: | TRIGGER_TYPE="unknown" @@ -264,11 +230,11 @@ runs: elif [ "$EVENT_NAME" == "issue_comment" ]; then # Check if comment mentions this specific bot # Escape special regex characters in bot login to prevent regex injection - if [ -n "$BOT_LOGIN" ]; then - ESCAPED_BOT=$(printf '%s\n' "$BOT_LOGIN" | sed 's/[]\/$*.^[]/\\&/g') + if [ -n "APP_SLUG" ]; then + ESCAPED_BOT=$(printf '%s\n' "APP_SLUG" | sed 's/[]\/$*.^[]/\\&/g') if echo "$COMMENT_BODY" | grep -qE "@${ESCAPED_BOT}\\b"; then TRIGGER_TYPE="mention" - echo "Detected mention of @$BOT_LOGIN in comment" + echo "Detected mention of @APP_SLUG in comment" fi fi fi @@ -543,7 +509,7 @@ runs: GH_TOKEN: ${{ env.GITHUB_TOKEN || github.token }} GITHUB_REPOSITORY: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number || steps.pr-info.outputs.pr_number }} - BOT_LOGIN: ${{ steps.bot-identity.outputs.bot_login }} + BOT_LOGIN: ${{ inputs.app-slug }}[bot] run: | # Request the bot as a reviewer to make it appear in the PR's reviewer list # This is optional and will fail silently if the bot is already a reviewer or doesn't have permissions From cbdf51b6527ce9eef34c4f0f0cc00a7302e2514a Mon Sep 17 00:00:00 2001 From: HungKNguyen Date: Fri, 13 Feb 2026 13:57:55 +0700 Subject: [PATCH 2/2] address review --- action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index 6e673fb..ec846aa 100644 --- a/action.yml +++ b/action.yml @@ -230,11 +230,11 @@ runs: elif [ "$EVENT_NAME" == "issue_comment" ]; then # Check if comment mentions this specific bot # Escape special regex characters in bot login to prevent regex injection - if [ -n "APP_SLUG" ]; then - ESCAPED_BOT=$(printf '%s\n' "APP_SLUG" | sed 's/[]\/$*.^[]/\\&/g') + if [ -n "$APP_SLUG" ]; then + ESCAPED_BOT=$(printf '%s\n' "$APP_SLUG" | sed 's/[]\/$*.^[]/\\&/g') if echo "$COMMENT_BODY" | grep -qE "@${ESCAPED_BOT}\\b"; then TRIGGER_TYPE="mention" - echo "Detected mention of @APP_SLUG in comment" + echo "Detected mention of @$APP_SLUG in comment" fi fi fi