awslabs
diff --git a/‎.github/workflows/auto-approve.yml‎
Lines changed: 101 additions & 0 deletions b/‎.github/workflows/auto-approve.yml‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎.github/workflows/base.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/base.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/issue-bot.yml‎
Lines changed: 130 additions & 0 deletions b/‎.github/workflows/issue-bot.yml‎
Lines changed: 130 additions & 0 deletions
diff --git a/‎.github/workflows/stale.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/stale.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.github/workflows/update-kb.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/update-kb.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎docs/checks.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/checks.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/profiles.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/profiles.md‎
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,101 @@
+name: Auto-Approve Clean PRs
+
+on:
+  workflow_run:
+    workflows: [".github/workflows/base.yml", "PyDeequ Bot"]
+    types: [completed]
+
+permissions:
+  pull-requests: write
+  actions: read
+
+jobs:
+  approve:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request' || github.event.workflow_run.event == 'pull_request_target'
+    timeout-minutes: 2
+
+    steps:
+      - name: Find PR and check both conditions
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const sha = context.payload.workflow_run.head_sha;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+
+            // Find the PR for this SHA
+            let prNumber = null;
+            const prs = context.payload.workflow_run.pull_requests;
+            if (prs && prs.length > 0) {
+              prNumber = prs[0].number;
+            } else {
+              const {data: searchResult} = await github.rest.pulls.list({
+                owner, repo, state: 'open', sort: 'updated', direction: 'desc', per_page: 30
+              });
+              const match = searchResult.find(pr => pr.head.sha === sha);
+              if (match) {
+                prNumber = match.number;
+              }
+            }
+
+            if (!prNumber) {
+              core.info(`No open PR found for SHA ${sha}, skipping`);
+              return;
+            }
+
+            core.info(`Found PR #${prNumber} for SHA ${sha}`);
+
+            // Verify the PR head SHA still matches (no new push since trigger)
+            const {data: pr} = await github.rest.pulls.get({
+              owner, repo, pull_number: prNumber
+            });
+            if (pr.head.sha !== sha) {
+              core.info(`PR head ${pr.head.sha} differs from trigger SHA ${sha} — new push arrived, skipping`);
+              return;
+            }
+
+            // Condition 1: CI must have passed for this SHA
+            const {data: workflowRuns} = await github.rest.actions.listWorkflowRunsForRepo({
+              owner, repo, head_sha: sha, status: 'completed'
+            });
+            const ciRun = workflowRuns.workflow_runs.find(r =>
+              r.name === '.github/workflows/base.yml' && r.conclusion === 'success'
+            );
+            if (!ciRun) {
+              core.info(`CI has not passed for SHA ${sha}, skipping`);
+              return;
+            }
+
+            // Condition 2: Bot must have posted a clean review for this SHA
+            const {data: reviews} = await github.rest.pulls.listReviews({
+              owner, repo, pull_number: prNumber
+            });
+
+            const CLEAN_MARKER = '<!-- deequ-bot:clean -->';
+
+            const latestBot = reviews
+              .filter(r => r.user.login === 'github-actions[bot]')
+              .sort((a, b) => new Date(b.submitted_at) - new Date(a.submitted_at))[0];
+
+            if (!latestBot || !latestBot.body.includes(CLEAN_MARKER) || latestBot.commit_id !== sha) {
+              core.info('Bot has not posted a clean review for this SHA, skipping');
+              return;
+            }
+
+            // Both conditions met — check for existing approval to prevent doubles
+            const botApprovals = reviews.filter(r =>
+              r.user.login === 'github-actions[bot]' && r.state === 'APPROVED'
+            );
+            if (botApprovals.length > 0) {
+              core.info('Bot already approved this PR, skipping');
+              return;
+            }
+
+            // Approve
+            core.info(`Approving PR #${prNumber}: bot review clean + CI passed for SHA ${sha}`);
+            await github.rest.pulls.createReview({
+              owner, repo, pull_number: prNumber,
+              event: 'APPROVE',
+              body: `No issues found and CI is passing. Auto-approved.\n\n---\n*Generated by AI — human merge required.*`
+            });
@@ -14,17 +14,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         name: Install Python 3.12
         with:
           python-version: "3.12"
 
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         name: Setup Java 17
         with:
-          distribution: "corretto"
+          distribution: "temurin"
           java-version: "17"
 
       - name: Download Spark 3.5
 
@@ -0,0 +1,130 @@
+name: PyDeequ Bot
+
+on:
+  issues:
+    types: [opened, reopened]
+  pull_request_target: # Runs base branch code with secrets; safe because bot fetches diff via API, never executes PR code. NEVER add ref: to checkout.
+    types: [opened, reopened, synchronize]
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      issue_number:
+        description: "Issue/PR number to process"
+        required: true
+      dry_run:
+        description: "Dry run (no writes)"
+        type: boolean
+        default: true
+
+# Serialize per issue/PR to prevent duplicate comments
+concurrency:
+  group: bot-${{ github.event.issue.number || github.event.pull_request.number || inputs.issue_number }}
+  cancel-in-progress: false
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    if: >-
+      (github.event_name == 'workflow_dispatch') ||
+      (github.actor != 'github-actions[bot]' &&
+       (github.event.issue.pull_request == null || github.event_name == 'pull_request_target'))
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: pip install requests==2.33.1 boto3==1.42.94
+
+      - name: Run analysis
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number || inputs.issue_number }}
+          EVENT_TYPE: ${{ github.event_name }}
+          EVENT_ACTION: ${{ github.event.action }}
+          EVENT_BEFORE: ${{ github.event.before }}
+          EVENT_AFTER: ${{ github.event.pull_request.head.sha || github.event.after }}
+          GITHUB_ACTOR: ${{ github.actor }}
+          KB_S3_BUCKET: ${{ secrets.KB_S3_BUCKET }}
+          KB_S3_KEY: ${{ secrets.KB_S3_KEY }}
+          BEDROCK_MODEL_ID: ${{ secrets.BEDROCK_MODEL_ID }}
+          GUARDRAIL_ID: ${{ secrets.GUARDRAIL_ID }}
+          GUARDRAIL_VERSION: ${{ secrets.GUARDRAIL_VERSION }}
+          SM_ISSUE_CLASSIFY_PROMPT: pydeequ-bot/issue-classify-prompt
+          SM_ISSUE_RESPOND_PROMPT: pydeequ-bot/issue-respond-prompt
+          SM_PR_FILE_REVIEW_PROMPT: pydeequ-bot/pr-file-review-prompt
+          SM_FOLLOWUP_PROMPT: pydeequ-bot/followup-prompt
+          CODEBASE_SRC_DIR: pydeequ
+          CODEBASE_FILE_EXT: .py
+          DRY_RUN: ${{ inputs.dry_run || 'false' }}
+          ARTIFACT_PATH: ${{ runner.temp }}/bot_result.json
+        run: python -m issue_bot.main analyze
+        working-directory: scripts
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: bot-result
+          path: ${{ runner.temp }}/bot_result.json
+          retention-days: 30
+
+  act:
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    needs: analyze
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: pip install requests==2.33.1 boto3==1.42.94
+
+      - name: Download artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: bot-result
+          path: ${{ runner.temp }}
+
+      - name: Execute actions
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number || inputs.issue_number }}
+          EVENT_TYPE: ${{ github.event_name }}
+          EVENT_ACTION: ${{ github.event.action }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          DRY_RUN: ${{ inputs.dry_run || 'false' }}
+          ARTIFACT_PATH: ${{ runner.temp }}/bot_result.json
+        run: python -m issue_bot.main act
+        working-directory: scripts
@@ -0,0 +1,36 @@
+name: Manage Stale Issues and PRs
+
+on:
+  schedule:
+    - cron: '0 9 * * MON'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+        with:
+          days-before-stale: 60
+          days-before-close: 14
+          stale-issue-label: 'stale'
+          stale-pr-label: 'stale'
+          stale-issue-message: >
+            This issue has been inactive for 60 days. It will be closed in 14 days
+            if there is no further activity. If this is still relevant, please comment
+            to keep it open.
+          stale-pr-message: >
+            This PR has been inactive for 60 days. It will be closed in 14 days
+            if there is no further activity. If you are still working on this,
+            please push an update or comment to keep it open.
+          close-issue-message: >
+            Closed due to inactivity. Feel free to reopen if this is still relevant.
+          close-pr-message: >
+            Closed due to inactivity. Feel free to reopen if you'd like to continue this work.
+          exempt-issue-labels: 'bug,enhancement,help-wanted'
+          exempt-pr-labels: 'help-wanted'
+          operations-per-run: 50
@@ -0,0 +1,36 @@
+name: Update Knowledge Base
+
+on:
+  push:
+    branches: [master]
+    paths-ignore:
+      - '.github/workflows/**'
+      - 'scripts/issue_bot/**'
+      - 'tests/test_bot.py'
+  workflow_dispatch:
+
+jobs:
+  update-kb:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-1
+      - name: Generate and upload KB
+        run: |
+          python3 scripts/generate_kb.py > kb.md
+          SIZE=$(wc -c < kb.md | tr -d ' ')
+          if [ "$SIZE" -lt 10000 ]; then
+            echo "ERROR: KB too small ($SIZE bytes), refusing to upload" >&2
+            exit 1
+          fi
+          aws s3 cp kb.md s3://${{ secrets.KB_S3_BUCKET }}/${{ secrets.KB_S3_KEY }} --quiet
+          echo "Uploaded $SIZE bytes to s3://${{ secrets.KB_S3_BUCKET }}/${{ secrets.KB_S3_KEY }}"
@@ -15,7 +15,7 @@ Here are the current supported functionalities of Checks.
 |  | areAnyComplete(columns) | Done |
 |  | haveAnyCompleteness(columns, assertion) | Done |
 |  | isUnique(column) | Done |
-|  | isPrimaryKey(column, *columns) | Not Implemented |
+|  | isPrimaryKey(column, *columns) | Done |
 |  | hasUniqueness(columns, assertion) | Done |
 |  | hasDistinctness(columns, assertion) | Done |
 |  | hasUniqueValueRatio(columns, assertion) | Done |
 
@@ -20,5 +20,7 @@ Here are the current supported functionalities of Profiles.
 |  | useSparkSession |  |
 | ColumnProfilesBuilder | ColumnProfilesBuilder(spark_session) | Done |
 |  | property: profiles | Done |
+|  | property: numRecords | Done |
 | StandardColumnProfile | StandardColumnProfile(spark_session, column, java_column_profile) | Done |
+| StringColumnProfile | StringColumnProfile(spark_session, column, java_column_profile) | Done |
 | NumericColumnProfile | NumericColumnProfile(spark_session, column, java_column_profile) | Done |