ci: upgrade cagent-action to v1.4.3 with OIDC-based credential fetching #351
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Review | |
| on: | |
| issue_comment: # Enables /review command in PR comments | |
| types: [created] | |
| pull_request_review_comment: # Captures feedback on review comments for learning | |
| types: [created] | |
| pull_request: # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review) | |
| types: [ready_for_review, opened] | |
| permissions: | |
| contents: read | |
| jobs: | |
| review: | |
| if: >- | |
| github.event_name == 'issue_comment' || | |
| github.event_name == 'pull_request_review_comment' || | |
| github.event.pull_request.user.login != 'dependabot[bot]' | |
| uses: docker/cagent-action/.github/workflows/review-pr.yml@ec4865576952df6285652f2cf8ffb4ad45ff5f80 # v1.4.3 | |
| # Scoped to the job so other jobs in this workflow aren't over-permissioned | |
| permissions: | |
| contents: read # Read repository files and PR diffs | |
| pull-requests: write # Post review comments and approve/request changes | |
| issues: write # Create security incident issues if secrets are detected in output | |
| checks: write # (Optional) Show review progress as a check run on the PR | |
| id-token: write # Fetch app credentials and org membership token via OIDC | |
| actions: read # Download artifacts across workflow_run boundaries |