fix(workflows): unblock PR checks on large diffs + private go modules

Kbayero · Kbayero · commit b11df8a4f428 · 2026-05-19T12:06:21.000-04:00
diff --git a/.github/scripts/ai-review.sh b/.github/scripts/ai-review.sh
@@ -95,17 +95,21 @@ else
     diff_content=$(cat "$DIFF_FILE")
 fi
 
-user_message=$(printf '%s\n\n---\n\nPR diff to review:\n\n```diff\n%s\n```\n' \
-    "$prompt_body" "$diff_content")
-
-request_body=$(jq -n \
+# Write the user message to a temp file. Passing it through --arg would hit
+# the system ARG_MAX limit on PRs with large diffs ("Argument list too long").
+user_message_file=$(mktemp)
+printf '%s\n\n---\n\nPR diff to review:\n\n```diff\n%s\n```\n' \
+    "$prompt_body" "$diff_content" > "$user_message_file"
+
+request_body_file=$(mktemp)
+jq -n \
     --arg model "$MODEL" \
-    --arg content "$user_message" \
+    --rawfile content "$user_message_file" \
     '{
         model: $model,
         messages: [{role: "user", content: $content}],
         temperature: 0.2
-    }')
+    }' > "$request_body_file"
 
 # --- Call the API ------------------------------------------------------------
 
@@ -115,7 +119,7 @@ http_status=$(curl -sS -o "$response_file" -w '%{http_code}' \
     -H "Content-Type: application/json" \
     -H "api-key: ${THREATWINDS_API_KEY}" \
     -H "api-secret: ${THREATWINDS_API_SECRET}" \
-    --data "$request_body" || echo "000")
+    --data-binary "@${request_body_file}" || echo "000")
 
 if [[ "$http_status" != "200" ]]; then
     echo "ThreatWinds API HTTP $http_status"
diff --git a/.github/workflows/_pr-reusable-go-deps.yml b/.github/workflows/_pr-reusable-go-deps.yml
@@ -7,6 +7,10 @@ on:
         required: false
         type: string
         default: '1.23'
+    secrets:
+      API_SECRET:
+        required: false
+        description: "PAT with read access to private utmstack/* Go modules. Without it, `go list -u -m -json all` fails on projects that import private repos."
 
 jobs:
   deps:
@@ -19,6 +23,23 @@ jobs:
         with:
           go-version: ${{ inputs.go_version }}
 
+      # Some projects in this monorepo (e.g. ./installer) depend on private
+      # utmstack/* modules. `go list -u -m -json all` tries to clone those
+      # over HTTPS and fails without auth — same pattern the deploy pipelines
+      # already use for `go build`.
+      - name: Configure git for private Go modules
+        if: ${{ env.HAS_API_SECRET == 'true' }}
+        env:
+          HAS_API_SECRET: ${{ secrets.API_SECRET != '' }}
+          API_SECRET: ${{ secrets.API_SECRET }}
+        run: |
+          git config --global url."https://${API_SECRET}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
+          {
+            echo "GOPRIVATE=github.com/utmstack"
+            echo "GONOPROXY=github.com/utmstack"
+            echo "GONOSUMDB=github.com/utmstack"
+          } >> "$GITHUB_ENV"
+
       - name: Run go-deps.sh --check --discover
         id: run
         run: |
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -21,6 +21,8 @@ jobs:
   go_deps:
     name: Go deps
     uses: ./.github/workflows/_pr-reusable-go-deps.yml
+    secrets:
+      API_SECRET: ${{ secrets.API_SECRET }}
 
   ai_review:
     name: AI review
