From b0bb129d9a82907435c620654ac5712cfe026b6e Mon Sep 17 00:00:00 2001
From: Roger Zhang <roger.zhang.cs@gmail.com>
Date: Tue, 14 Apr 2026 13:44:01 -0700
Subject: [PATCH 1/2] ci: add SAM PR Reviewer for AI code reviews

---
 .github/workflows/sam-pr-reviewer.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/sam-pr-reviewer.yml

diff --git a/.github/workflows/sam-pr-reviewer.yml b/.github/workflows/sam-pr-reviewer.yml
new file mode 100644
index 0000000000..2673d5f1fa
--- /dev/null
+++ b/.github/workflows/sam-pr-reviewer.yml
@@ -0,0 +1,22 @@
+name: SAM PR Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: roger-zhangg/sam-pr-reviewer@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          kiro_api_key: ${{ secrets.KIRO_API_KEY }}

From 50a3977fd219bf11038f447779a9c36fbd8b872a Mon Sep 17 00:00:00 2001
From: Roger Zhang <roger.zhang.cs@gmail.com>
Date: Tue, 14 Apr 2026 14:19:32 -0700
Subject: [PATCH 2/2] ci: add SAM PR Reviewer to build.yml

---
 .github/workflows/ai-code-review.yml  | 29 +++++++++++++++++++++++++++
 .github/workflows/sam-pr-reviewer.yml | 22 --------------------
 2 files changed, 29 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/ai-code-review.yml
 delete mode 100644 .github/workflows/sam-pr-reviewer.yml

diff --git a/.github/workflows/ai-code-review.yml b/.github/workflows/ai-code-review.yml
new file mode 100644
index 0000000000..7950a0c642
--- /dev/null
+++ b/.github/workflows/ai-code-review.yml
@@ -0,0 +1,29 @@
+name: AI Code Review
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout base branch (trusted) — workspace files are never from the fork
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      # Fetch PR head commit so git diff works, but don't checkout fork files
+      - name: Fetch PR head
+        run: git fetch origin "$PR_HEAD_SHA"
+        env:
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+
+      - uses: roger-zhangg/sam-pr-reviewer@793976165e969a6ccb6ace13d35811c02471f471 # v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          kiro_api_key: ${{ secrets.KIRO_API_KEY }}
diff --git a/.github/workflows/sam-pr-reviewer.yml b/.github/workflows/sam-pr-reviewer.yml
deleted file mode 100644
index 2673d5f1fa..0000000000
--- a/.github/workflows/sam-pr-reviewer.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: SAM PR Review
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  review:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: roger-zhangg/sam-pr-reviewer@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          kiro_api_key: ${{ secrets.KIRO_API_KEY }}