refactor: extract shared PR code review base configuration

.github/workflows/grumpy-reviewer.md

@@ -10,17 +10,14 @@ permissions:
   contents: read
   pull-requests: read
 engine: codex
+imports:
+  - shared/pr-code-review-config.md
 tools:
-  cache-memory: true
   github:
     min-integrity: approved
-    toolsets: [pull_requests, repos]
 safe-outputs:
   create-pull-request-review-comment:
     max: 5
-    side: "RIGHT"
-  submit-pull-request-review:
-    max: 1
   messages:
     footer: "> 😤 *Reluctantly reviewed by [{workflow_name}]({run_url})*{history_link}"
     run-started: "😤 *sigh* [{workflow_name}]({run_url}) is begrudgingly looking at this {event_type}... This better be worth my time."

.github/workflows/pr-nitpick-reviewer.md

@@ -7,10 +7,6 @@ permissions:
   pull-requests: read
   actions: read
 engine: copilot
-tools:
-  cache-memory: true
-  github:
-    toolsets: [pull_requests, repos]
 safe-outputs:
   create-discussion:
     expires: 1d
@@ -19,16 +15,14 @@ safe-outputs:
     max: 1
   create-pull-request-review-comment:
     max: 10
-    side: "RIGHT"
-  submit-pull-request-review:
-    max: 1
   messages:
     footer: "> 🔍 *Meticulously inspected by [{workflow_name}]({run_url})*{history_link}"
     run-started: "🔬 Adjusting monocle... [{workflow_name}]({run_url}) is scrutinizing every pixel of this {event_type}..."
     run-success: "🔍 Nitpicks catalogued! [{workflow_name}]({run_url}) has documented all the tiny details. Perfection awaits! ✅"
     run-failure: "🔬 Lens cracked! [{workflow_name}]({run_url}) {status}. Some nitpicks remain undetected..."
 timeout-minutes: 15
 imports:
+  - shared/pr-code-review-config.md
   - shared/reporting.md
 ---
 

.github/workflows/security-review.md

@@ -12,7 +12,6 @@ permissions:
   issues: read
   security-events: read
 tools:
-  cache-memory: true
   github:
     toolsets: [all]
   agentic-workflows:
@@ -22,15 +21,14 @@ tools:
 safe-outputs:
   create-pull-request-review-comment:
     max: 10
-    side: "RIGHT"
-  submit-pull-request-review:
-    max: 1
   messages:
     footer: "> 🔒 *Security review by [{workflow_name}]({run_url})*{history_link}"
     run-started: "🔍 [{workflow_name}]({run_url}) is analyzing this {event_type} for security implications..."
     run-success: "🔒 [{workflow_name}]({run_url}) completed the security review."
     run-failure: "⚠️ [{workflow_name}]({run_url}) {status} during security review."
 timeout-minutes: 15
+imports:
+  - shared/pr-code-review-config.md
 ---
 
 # Security Review Agent 🔒

.github/workflows/shared/pr-code-review-config.md

@@ -0,0 +1,38 @@
+---
+# Base configuration for AI-powered PR code review workflows
+# Provides: cache-memory, GitHub PR tools, and review comment safe-outputs
+
+tools:
+  cache-memory: true
+  github:
+    toolsets: [pull_requests, repos]
+
+safe-outputs:
+  create-pull-request-review-comment:
+    side: "RIGHT"
+  submit-pull-request-review:
+    max: 1
+---
+
+## PR Code Review Configuration
+
+This shared component provides the standard tooling for AI pull request code review agents.
+
+### Available Tools
+
+- **`cache-memory`** — Persist review history across runs at `/tmp/gh-aw/cache-memory/`
+  - Store previous review notes: `/tmp/gh-aw/cache-memory/pr-{number}.json`
+  - Avoid repeating comments seen in previous reviews
+- **GitHub PR tools** — Access PR diffs, file changes, review threads, and check runs
+
+### Review Guidelines
+
+1. **Check cache first** — Read `/tmp/gh-aw/cache-memory/pr-${{ github.event.issue.number }}.json` to avoid re-stating previous comments
+2. **Use `get_diff`** — Fetch the actual diff to review line-by-line changes
+3. **Use `get_review_comments`** — Check existing review threads before adding new ones
+4. **Submit as a unified review** — Batch comments and call `submit-pull-request-review` once with an overall assessment
+
+### Safe Output Usage
+
+- `create-pull-request-review-comment` — Post inline comments on specific lines
+- `submit-pull-request-review` — Submit the overall review (APPROVE / REQUEST_CHANGES / COMMENT)