feat(bots): onboard reviewer-bot to pinned databricks-bot-engine #13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Reviewer Bot — follow-up on review-comment replies. | |
| # | |
| # Own-job composite caller (see reviewer-bot.yml for why we don't use the engine | |
| # reusable WORKFLOW: cross-repo reusable-workflow calls to the private engine | |
| # fail "workflow was not found"; cross-repo composite ACTIONS resolve in-org). | |
| # This file owns the job and replicates the reusable followup's steps with | |
| # cross-repo action refs, PAT-free (engine-scoped App token). | |
| # | |
| # Enablement: no label gate — engage every non-fork open PR (this repo's policy). | |
| # The security floor (fork==false, PR open) is the job `if:` below; loop- | |
| # prevention lives in the engine's followup.py post-checkout. | |
| name: Reviewer Bot — Follow-up | |
| on: | |
| pull_request_review_comment: | |
| types: [created] | |
| pull_request: | |
| types: [synchronize] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install | |
| jobs: | |
| followup: | |
| # SECURITY FLOOR: never run the agent on a fork PR (keeps App + model tokens | |
| # off untrusted code); only act on OPEN PRs. | |
| if: >- | |
| github.event.pull_request.head.repo.fork == false | |
| && github.event.pull_request.state == 'open' | |
| environment: azure-prod # DATABRICKS_HOST / DATABRICKS_TOKEN live here | |
| runs-on: | |
| group: databricks-protected-runner-group | |
| labels: [linux-ubuntu-latest] | |
| timeout-minutes: 20 | |
| concurrency: | |
| group: reviewer-bot-followup-pr-${{ github.event.pull_request.number }} | |
| cancel-in-progress: false | |
| steps: | |
| # Review-bot token (posts inline replies + resolves threads). | |
| - name: Mint review-bot App token | |
| id: app-token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ secrets.REVIEW_BOT_APP_ID }} | |
| private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }} | |
| - name: Checkout PR head (read-only; agent only POSTS via GH_TOKEN) | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| # followup.py runs `git rev-list <base>..<head>` for finding-anchor SHA | |
| # verification. fetch-depth:0 usually brings the base along, but not | |
| # guaranteed. Best-effort fetch when missing; NEVER fatal — a missing base | |
| # makes the rev-list helper fail-closed to an empty allowlist (SHA | |
| # verification degrades, reconciliation still runs). The persist- | |
| # credentials:false checkout means this fetch has no auth, so it may fail | |
| # on a private repo; swallow it and warn. | |
| - name: Ensure PR base commit is present (for rev-list base..head) | |
| env: | |
| PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| run: | | |
| if git cat-file -e "${PR_BASE_SHA}^{commit}" 2>/dev/null; then | |
| exit 0 | |
| fi | |
| if ! git fetch --no-tags --depth=1 origin "$PR_BASE_SHA"; then | |
| echo "::warning::Could not fetch PR base commit ${PR_BASE_SHA}. Continuing: followup.py fail-closes to an empty SHA allowlist, so SHA verification degrades gracefully but reconciliation still runs." >&2 | |
| fi | |
| - name: Setup Python | |
| uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 | |
| with: | |
| python-version: '3.11' | |
| - name: Setup Node (for the Claude Code CLI the SDK spawns) | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: '20' | |
| # PAT-free engine install: engine-scoped token (contents:read) from the | |
| # review-bot App creds — SEPARATE from app-token above (which is scoped to | |
| # THIS repo for PR posting). | |
| - name: Mint engine-scoped install token | |
| id: engine-token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ secrets.REVIEW_BOT_APP_ID }} | |
| private-key: ${{ secrets.REVIEW_BOT_APP_PRIVATE_KEY }} | |
| owner: databricks | |
| repositories: databricks-bot-engine | |
| permission-contents: read | |
| # LOCAL composite (cross-repo `uses:` of the engine won't resolve here). | |
| - name: Install engine + Claude SDK/CLI | |
| uses: ./.github/actions/install-bot-engine | |
| with: | |
| engine-ref: b6205fb502566d617a456ccf3c37f3e4e3072ccd | |
| engine-token: ${{ steps.engine-token.outputs.token }} | |
| - name: Run reviewer follow-up | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| TRIGGER_COMMENT_ID: ${{ github.event.comment.id }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| MODEL_ENDPOINT: https://${{ secrets.DATABRICKS_HOST }}/serving-endpoints/databricks-claude-opus-4-8/invocations | |
| DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} | |
| DRY_RUN: 'false' | |
| RUNNER_TEMP: ${{ runner.temp }} | |
| run: python -m databricks_bot_engine.reviewer_bot.followup |