diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 7e92dfdf41e..e0dca655c42 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -22,7 +22,11 @@ # # Performs critical code review with a focus on edge cases, potential bugs, and code quality issues # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"157775cca9731ab610782c1d32686916daf54178f0a02b382ddb90e59fc3b946","strict":true,"agent_id":"codex"} +# Resolved workflow manifest: +# Imports: +# - shared/pr-code-review-config.md +# +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0bcda97848945013d6b4fd79d1b02de83e428386f0ed3b8ac39b5e2bf6e354a5","strict":true,"agent_id":"codex"} name: "Grumpy Code Reviewer 🔥" "on": @@ -229,6 +233,9 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' + {{#runtime-import .github/workflows/shared/pr-code-review-config.md}} + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' {{#runtime-import .github/workflows/grumpy-reviewer.md}} GH_AW_PROMPT_EOF } > "$GH_AW_PROMPT" diff --git a/.github/workflows/grumpy-reviewer.md b/.github/workflows/grumpy-reviewer.md index 535a18c0584..356396ce159 100644 --- a/.github/workflows/grumpy-reviewer.md +++ b/.github/workflows/grumpy-reviewer.md @@ -10,17 +10,14 @@ permissions: contents: read pull-requests: read engine: codex +imports: + - shared/pr-code-review-config.md tools: - cache-memory: true github: min-integrity: approved - toolsets: [pull_requests, repos] safe-outputs: create-pull-request-review-comment: max: 5 - side: "RIGHT" - submit-pull-request-review: - max: 1 messages: footer: "> 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}" run-started: "😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time." diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 1a15d6e2685..29a53db2499 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -24,9 +24,10 @@ # # Resolved workflow manifest: # Imports: +# - shared/pr-code-review-config.md # - shared/reporting.md # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"02499e8cdb83ed473b50353b2f91edd95d5c962027fc11a8aaf5b11e67096427","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"7ef95d3950a08b270d3339bc5457cf95be6ef0cb3fe4eebe189f547880de9226","strict":true,"agent_id":"copilot"} name: "PR Nitpick Reviewer 🔍" "on": @@ -247,6 +248,9 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' + {{#runtime-import .github/workflows/shared/pr-code-review-config.md}} + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' {{#runtime-import .github/workflows/shared/reporting.md}} GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' diff --git a/.github/workflows/pr-nitpick-reviewer.md b/.github/workflows/pr-nitpick-reviewer.md index b07eed1b353..3ec68288704 100644 --- a/.github/workflows/pr-nitpick-reviewer.md +++ b/.github/workflows/pr-nitpick-reviewer.md @@ -7,10 +7,6 @@ permissions: pull-requests: read actions: read engine: copilot -tools: - cache-memory: true - github: - toolsets: [pull_requests, repos] safe-outputs: create-discussion: expires: 1d @@ -19,9 +15,6 @@ safe-outputs: max: 1 create-pull-request-review-comment: max: 10 - side: "RIGHT" - submit-pull-request-review: - max: 1 messages: footer: "> 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}" run-started: "🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}..." @@ -29,6 +22,7 @@ safe-outputs: run-failure: "🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected..." timeout-minutes: 15 imports: + - shared/pr-code-review-config.md - shared/reporting.md --- diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 7def4f3e681..3dfdeca9caa 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -22,7 +22,11 @@ # # Security-focused AI agent that reviews pull requests to identify changes that could weaken security posture or extend AWF boundaries # -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"d5881d67be07fecc7e9406368eba2019fc2dc659a2db705ea58278f705731b16","strict":true,"agent_id":"copilot"} +# Resolved workflow manifest: +# Imports: +# - shared/pr-code-review-config.md +# +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6ae73a1972b16e068d3bf5d532df795942fdfaa62d38c4b824caefa098c81b60","strict":true,"agent_id":"copilot"} name: "Security Review Agent 🔒" "on": @@ -226,6 +230,9 @@ jobs: GH_AW_PROMPT_EOF cat << 'GH_AW_PROMPT_EOF' + {{#runtime-import .github/workflows/shared/pr-code-review-config.md}} + GH_AW_PROMPT_EOF + cat << 'GH_AW_PROMPT_EOF' {{#runtime-import .github/workflows/security-review.md}} GH_AW_PROMPT_EOF } > "$GH_AW_PROMPT" @@ -701,7 +708,7 @@ jobs: "GITHUB_HOST": "\${GITHUB_SERVER_URL}", "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", "GITHUB_READ_ONLY": "1", - "GITHUB_TOOLSETS": "all" + "GITHUB_TOOLSETS": "all,pull_requests,repos" }, "guard-policies": { "allow-only": { diff --git a/.github/workflows/security-review.md b/.github/workflows/security-review.md index 3054bbc24dd..9f327590da5 100644 --- a/.github/workflows/security-review.md +++ b/.github/workflows/security-review.md @@ -12,7 +12,6 @@ permissions: issues: read security-events: read tools: - cache-memory: true github: toolsets: [all] agentic-workflows: @@ -22,15 +21,14 @@ tools: safe-outputs: create-pull-request-review-comment: max: 10 - side: "RIGHT" - submit-pull-request-review: - max: 1 messages: footer: "> 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}" run-started: "🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications..." run-success: "🔒 [{workflow_name}]({run_url}) completed the security review." run-failure: "⚠️ [{workflow_name}]({run_url}) {status} during security review." timeout-minutes: 15 +imports: + - shared/pr-code-review-config.md --- # Security Review Agent 🔒 diff --git a/.github/workflows/shared/pr-code-review-config.md b/.github/workflows/shared/pr-code-review-config.md new file mode 100644 index 00000000000..af41b48356b --- /dev/null +++ b/.github/workflows/shared/pr-code-review-config.md @@ -0,0 +1,38 @@ +--- +# Base configuration for AI-powered PR code review workflows +# Provides: cache-memory, GitHub PR tools, and review comment safe-outputs + +tools: + cache-memory: true + github: + toolsets: [pull_requests, repos] + +safe-outputs: + create-pull-request-review-comment: + side: "RIGHT" + submit-pull-request-review: + max: 1 +--- + +## PR Code Review Configuration + +This shared component provides the standard tooling for AI pull request code review agents. + +### Available Tools + +- **`cache-memory`** — Persist review history across runs at `/tmp/gh-aw/cache-memory/` + - Store previous review notes: `/tmp/gh-aw/cache-memory/pr-{number}.json` + - Avoid repeating comments seen in previous reviews +- **GitHub PR tools** — Access PR diffs, file changes, review threads, and check runs + +### Review Guidelines + +1. **Check cache first** — Read `/tmp/gh-aw/cache-memory/pr-${{ github.event.issue.number }}.json` to avoid re-stating previous comments +2. **Use `get_diff`** — Fetch the actual diff to review line-by-line changes +3. **Use `get_review_comments`** — Check existing review threads before adding new ones +4. **Submit as a unified review** — Batch comments and call `submit-pull-request-review` once with an overall assessment + +### Safe Output Usage + +- `create-pull-request-review-comment` — Post inline comments on specific lines +- `submit-pull-request-review` — Submit the overall review (APPROVE / REQUEST_CHANGES / COMMENT)