ci: add Qodo PR-Agent workflow (DeepSeek V4 Pro via OpenRouter) #1
singanuk wants to merge 5 commits into
Adds automated PR review via Qodo PR-Agent routed through the host-side self-hosted runner. Uses DeepSeek V4 Pro via OpenRouter (US-hosted). Generated by D:\Windows-CI\Scripts\Add-PRAgentToRepo.ps1. Template: D:\Windows-CI\Templates\pr-agent-workflow.yml. Setup docs: D:\Windows-CI\Templates\README.md.
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
📝 Walkthrough: Adds a GitHub Actions workflow. Changes: PR-Agent Workflow Integration.
🚥 Pre-merge checks: ✅ 5 passed checks (5 passed).
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr-agent-review.yml:
- Around line 66-71: The workflow currently allows any PR commenter to invoke
slash commands (/review, /describe, /improve, /ask); restrict this by adding an
authorization check on github.event.comment.author_association and/or matching
the PR author: update the conditional that wraps
(startsWith(github.event.comment.body, '/review') || ...) to also require
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR' ||
github.event.comment.user.login == github.event.issue.user.login), so only repo
owners/members/collaborators or the PR author can trigger the commands.
- Line 87: Replace the floating ref "uses: qodo-ai/pr-agent@main" with a full
immutable commit SHA to pin the action; locate the workflow step that contains
the exact string "uses: qodo-ai/pr-agent@main" and change it to "uses:
qodo-ai/pr-agent@<FULL_COMMIT_SHA>" where <FULL_COMMIT_SHA> is the 40-character
commit hash from the qodo-ai/pr-agent repository (obtain the latest trusted
commit on the action's repo or your approved release) so the workflow uses a
fixed, auditable revision.
- Around line 48-53: Remove the manual dispatch trigger and its unused input:
delete the workflow_dispatch block (including the pr_number input) from the
workflow header and then remove the job condition that checks for the manual
dispatch (the condition referencing workflow_dispatch / inputs.pr_number or
github.event_name == 'workflow_dispatch') so the workflow only relies on
supported events (pull_request, pull_request_target, issue_comment,
pull_request_review_comment); ensure no remaining references to pr_number remain
in the file.
- Around line 77-87: The workflow currently tries to run the Docker-based action
"uses: qodo-ai/pr-agent@main" on a Windows self-hosted runner (runs-on:
[self-hosted, Windows, X64]) which is unsupported; change the job's runs-on to a
Linux self-hosted or hosted runner (e.g., use "runs-on: ubuntu-latest" or
[self-hosted, Linux, X64]) so the container action can run, or alternatively
replace the Docker-based step "PR Agent" with a non-container implementation of
PR-Agent if Windows must be kept.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 4cb09a65-3a2e-46c5-8988-c2cfb38ff509
📒 Files selected for processing (1)
.github/workflows/pr-agent-review.yml
| workflow_dispatch: | ||
| inputs: | ||
| pr_number: | ||
| description: "PR number (manual trigger)" | ||
| required: true | ||
| type: string |
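Review bot: `pr_number` is declared `required: true` but, as far as this thread shows, the only place it is read is the `|| inputs.pr_number` fallback in the concurrency `group:` expression, and the PR-Agent runner ignores `workflow_dispatch` events altogether. If the trigger is removed as the review asks, drop the `inputs.pr_number` fallback and the `github.event_name == 'workflow_dispatch'` clause in the same commit, so no reference to the deleted input survives.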
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Event branches handled by PR-Agent GitHub action runner:"
curl -fsSL https://raw.githubusercontent.com/qodo-ai/pr-agent/main/pr_agent/servers/github_action_runner.py \
| rg -n 'GITHUB_EVENT_NAME ==|pull_request_target|issue_comment|pull_request_review_comment|workflow_dispatch'
Repository: singanuk/test1
Length of output: 508
🏁 Script executed:
cat -n .github/workflows/pr-agent-review.yml | sed -n '45,75p'
Repository: singanuk/test1
Length of output: 1359
Remove workflow_dispatch trigger and its unused condition from the workflow.
PR-Agent's GitHub action runner does not support manual dispatch triggers. The verification shows it only handles pull_request, pull_request_target, issue_comment, and pull_request_review_comment events. While workflow_dispatch is declared with a pr_number input and included in the job condition (line 72), manual dispatch triggers will execute the job but the action will not process them, resulting in no-ops.
🔧 Fix
- workflow_dispatch:
- inputs:
- pr_number:
- description: "PR number (manual trigger)"
- required: true
- type: string
And at line 72, replace:
- github.event_name == 'workflow_dispatch'
+ false
📝 Committable suggestion
| workflow_dispatch: | |
| inputs: | |
| pr_number: | |
| description: "PR number (manual trigger)" | |
| required: true | |
| type: string |
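Review bot: the second part of this fix swaps `github.event_name == 'workflow_dispatch'` for a literal `false`, which leaves a dead `|| false` term in the `if:` expression and reads as a leftover rather than intent. Remove the line together with the `||` at the end of the preceding `/ask` clause (the 'Suggested minimal diff' further down the thread does exactly that), and drop the `|| inputs.pr_number` fallback from the concurrency `group:` so the file carries no reference to the removed input.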
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-agent-review.yml around lines 48 - 53, Remove the
manual dispatch trigger and its unused input: delete the workflow_dispatch block
(including the pr_number input) from the workflow header and then remove the job
condition that checks for the manual dispatch (the condition referencing
workflow_dispatch / inputs.pr_number or github.event_name ==
'workflow_dispatch') so the workflow only relies on supported events
(pull_request, pull_request_target, issue_comment, pull_request_review_comment);
ensure no remaining references to pr_number remain in the file.
| (github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request != null && | ||
| (startsWith(github.event.comment.body, '/review') || | ||
| startsWith(github.event.comment.body, '/describe') || | ||
| startsWith(github.event.comment.body, '/improve') || | ||
| startsWith(github.event.comment.body, '/ask'))) || |
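Review bot: this `issue_comment` branch has no bot exclusion, whereas the `pull_request` branch guards with `github.event.pull_request.user.type != 'Bot'`; a bot account that quotes a comment beginning with `/review` would satisfy the condition and re-run the job. Add `github.event.comment.user.type != 'Bot' &&` next to the author check proposed in this review. Also note that `startsWith` is a prefix test, so a body such as `/reviewers, please take a look` matches the `/review` clause; if only the bare commands should qualify, compare for equality with `'/review'` or use `startsWith` on `'/review '` with a trailing space instead.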
Slash-command trigger is too permissive for public PR comments.
Any commenter on a PR can currently trigger /review, /describe, /improve, or /ask, which can be abused for cost burn/noise.
🔒 Proposed hardening
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
+ github.event.comment.user.type != 'Bot' &&
+ contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
(startsWith(github.event.comment.body, '/review') ||
startsWith(github.event.comment.body, '/describe') ||
startsWith(github.event.comment.body, '/improve') ||
startsWith(github.event.comment.body, '/ask'))) ||
📝 Committable suggestion
| (github.event_name == 'issue_comment' && | |
| github.event.issue.pull_request != null && | |
| (startsWith(github.event.comment.body, '/review') || | |
| startsWith(github.event.comment.body, '/describe') || | |
| startsWith(github.event.comment.body, '/improve') || | |
| startsWith(github.event.comment.body, '/ask'))) || | |
| (github.event_name == 'issue_comment' && | |
| github.event.issue.pull_request != null && | |
| github.event.comment.user.type != 'Bot' && | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) && | |
| (startsWith(github.event.comment.body, '/review') || | |
| startsWith(github.event.comment.body, '/describe') || | |
| startsWith(github.event.comment.body, '/improve') || | |
| startsWith(github.event.comment.body, '/ask'))) || |
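Review bot: the allowlist `["OWNER","MEMBER","COLLABORATOR"]` excludes the PR author whenever they are not a collaborator on the repository, since their `author_association` is then `CONTRIBUTOR`, `FIRST_TIME_CONTRIBUTOR` or `NONE`, so an outside contributor can no longer run `/describe` on their own PR. The variant proposed later in this thread adds `github.event.comment.user.login == github.event.issue.user.login` for that case; that clause re-admits anyone able to open a PR, so it should be chosen only if the cost exposure from fork PRs is acceptable, and the `user.type != 'Bot'` guard should stay in either form.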
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-agent-review.yml around lines 66 - 71, The workflow
currently allows any PR commenter to invoke slash commands (/review, /describe,
/improve, /ask); restrict this by adding an authorization check on
github.event.comment.author_association and/or matching the PR author: update
the conditional that wraps (startsWith(github.event.comment.body, '/review') ||
...) to also require (github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR' ||
github.event.comment.user.login == github.event.issue.user.login), so only repo
owners/members/collaborators or the PR author can trigger the commands.
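An added check, not code from this PR, from CodeRabbit or from Qodo PR-Agent: it re-implements the three `if:` variants discussed in this comment (the merged condition, the allowlist-only hardening, and the allowlist-or-PR-author variant) as Python over dicts shaped like GitHub's `issue_comment` payload, so the effect of each guard can be exercised offline on constructed sample comments; it also shows that `startsWith` admits any body that merely begins with the command text.

```python
"""Offline check of the issue_comment gate in pr-agent-review.yml.

Constructed example, not code from this PR or from Qodo PR-Agent: the three
`if:` variants discussed in the review (original, allowlist-only hardening,
allowlist-or-PR-author hardening) are re-implemented over dicts shaped like
GitHub's issue_comment webhook payload so each guard can be exercised locally.
"""

SLASH_COMMANDS = ("/review", "/describe", "/improve", "/ask")
# The allowlist proposed in the review:
# contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
TRUSTED_ASSOCIATIONS = ("OWNER", "MEMBER", "COLLABORATOR")


def make_event(body: str, login: str, association: str, user_type: str = "User",
               pr_author: str = "singanuk", on_pr: bool = True) -> dict:
    """Build a minimal issue_comment payload (constructed sample, not a captured webhook).

    GitHub only includes issue.pull_request when the issue is a PR, which is what
    `github.event.issue.pull_request != null` in the workflow relies on.
    """
    issue = {"user": {"login": pr_author}}
    if on_pr:
        issue["pull_request"] = {"url": "https://api.github.com/repos/example/repo/pulls/1"}
    return {
        "issue": issue,
        "comment": {
            "body": body,
            "user": {"login": login, "type": user_type},
            "author_association": association,
        },
    }


def is_slash_command(body: str) -> bool:
    """Mirror startsWith(github.event.comment.body, '/review') || ... exactly.

    startsWith is a plain prefix test, so '/reviewers, PTAL' also qualifies.
    """
    return any(body.startswith(cmd) for cmd in SLASH_COMMANDS)


def gate_original(event: dict) -> bool:
    """Condition as merged in the PR: any commenter on a PR may fire a command."""
    on_pr = event["issue"].get("pull_request") is not None
    return on_pr and is_slash_command(event["comment"]["body"])


def gate_allowlist(event: dict) -> bool:
    """Hardening proposed in this comment: human OWNER/MEMBER/COLLABORATOR only."""
    comment = event["comment"]
    return (
        gate_original(event)
        and comment["user"]["type"] != "Bot"
        and comment["author_association"] in TRUSTED_ASSOCIATIONS
    )


def gate_allowlist_or_author(event: dict) -> bool:
    """Variant discussed later in the thread: also admit the PR's own author."""
    comment = event["comment"]
    is_pr_author = comment["user"]["login"] == event["issue"]["user"]["login"]
    return (
        gate_original(event)
        and comment["user"]["type"] != "Bot"
        and (comment["author_association"] in TRUSTED_ASSOCIATIONS or is_pr_author)
    )


def who_can_trigger(events: dict) -> dict:
    """Map each named sample event to the sorted list of gates that let it run the job."""
    gates = {
        "original": gate_original,
        "allowlist": gate_allowlist,
        "allowlist_or_author": gate_allowlist_or_author,
    }
    return {name: sorted(g for g, fn in gates.items() if fn(ev)) for name, ev in events.items()}


# Constructed scenarios, not real comments on the PR.
SAMPLE_EVENTS = {
    "maintainer_review": make_event("/review", "maintainer", "MEMBER"),
    "drive_by_review": make_event("/review", "stranger", "NONE"),
    "bot_echo": make_event("/review (echoed)", "some-app[bot]", "NONE", user_type="Bot"),
    "fork_author_describe": make_event("/describe", "fork-user", "CONTRIBUTOR", pr_author="fork-user"),
    "prefix_only": make_event("/reviewers, PTAL", "maintainer", "MEMBER"),
    "plain_comment": make_event("looks good", "maintainer", "OWNER"),
    "issue_not_pr": make_event("/review", "maintainer", "OWNER", on_pr=False),
}

if __name__ == "__main__":
    for name, gates in who_can_trigger(SAMPLE_EVENTS).items():
        print(f"{name:22s} -> {gates or ['blocked']}")
```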
| steps: | ||
| - name: PR Agent | ||
| uses: qodo-ai/pr-agent@main |
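Review bot: pin to a full 40-character commit SHA and keep a trailing `# vX.Y.Z` (or date) comment on the same line so reviewers and Dependabot can tell which release the pin corresponds to; with `@main`, every run fetches whatever the branch points at. Choose the SHA from a reviewed tag or release rather than the current tip of `main` that the analysis-chain scripts in this comment return, otherwise the pin is immutable but not 'trusted'. Because PR-Agent is a Docker container action (per the commit message in this PR), also check at the pinned commit whether its `action.yml` builds from a Dockerfile or pulls a prebuilt image by tag: in the second case the SHA fixes the action metadata but not the container contents, and the image would need a digest pin for the same guarantee.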
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Current main branch commit:"
curl -fsSL https://api.github.com/repos/qodo-ai/pr-agent/branches/main | jq -r '.commit.sha'
echo
echo "Recent tags (for pinning alternatives):"
curl -fsSL 'https://api.github.com/repos/qodo-ai/pr-agent/tags?per_page=10' | jq -r '.[].name'
Repository: singanuk/test1
Length of output: 154
🏁 Script executed:
cat .github/workflows/pr-agent-review.yml | head -100
Repository: singanuk/test1
Length of output: 3411
🌐 Web query:
GitHub Actions security best practices pinning commit SHA vs branch main
💡 Result:
For GitHub Actions security best practices, always pin actions and reusable workflows to a full-length commit SHA rather than mutable references like the main branch. Pinning to SHA provides immutability, preventing supply chain attacks where a malicious actor force-pushes to main or rewrites tags, injecting malicious code into your workflows [1][2][3][4]. Branches like main are highly mutable and unstable, as new commits can be added anytime, making them unsuitable for production security [5][6]. Tags are better than branches but still risky if deleted/recreated by compromised maintainers [1]. Example of secure pinning: uses: actions/checkout@19269a0f... # v4.1.7 Add the version comment for context. Use Dependabot to automate updates to new SHAs [4][7]. GitHub now supports org/repo-level policies to enforce SHA pinning across the full dependency tree [3]. Audit third-party actions, prefer verified creators, and review source code [1]. Never use short SHAs [2].
Citations:
- 1: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?learn=getting_started&learnProduct=actions
- 2: https://docs.github.com/enterprise-server@3.0/actions/security-guides/security-hardening-for-github-actions
- 3: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 4: https://www.romainlespinasse.dev/posts/github-actions-commit-sha-pinning/
- 5: https://docs.github.com/en/actions/how-tos/creating-and-publishing-actions/managing-custom-actions
- 6: https://proaction.io/docs/unstable-github-ref/
- 7: Pin all GitHub Actions to immutable SHA commits for supply chain security github/gh-aw#5691
Pin the action to an immutable commit SHA instead of @main.
Using @main makes executions non-reproducible and increases supply-chain risk. GitHub's security hardening guidance recommends pinning to a full-length commit SHA to prevent malicious code injection via force-pushes or branch rewrites.
🔧 Proposed fix
- uses: qodo-ai/pr-agent@main
+ uses: qodo-ai/pr-agent@<full_commit_sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-agent-review.yml at line 87, Replace the floating ref
"uses: qodo-ai/pr-agent@main" with a full immutable commit SHA to pin the
action; locate the workflow step that contains the exact string "uses:
qodo-ai/pr-agent@main" and change it to "uses:
qodo-ai/pr-agent@<FULL_COMMIT_SHA>" where <FULL_COMMIT_SHA> is the 40-character
commit hash from the qodo-ai/pr-agent repository (obtain the latest trusted
commit on the action's repo or your approved release) so the workflow uses a
fixed, auditable revision.
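An added audit script, not part of this PR or of Qodo PR-Agent, that applies the pinning guidance quoted in this comment to every `uses:` line of a workflow and classifies each reference as a commented full-SHA pin, an uncommented pin, or a floating branch, tag, short-SHA or image-tag reference. The workflow fragment it scans is constructed: it contains this PR's `qodo-ai/pr-agent@main` line and the SHA a later review comment proposes (used only as a pinned-form sample, not verified against upstream); the remaining refs and the `0123...4567` placeholder SHA are made up.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA pinning.

Constructed example, not part of this PR or of Qodo PR-Agent. It applies the
pinning guidance quoted in the review (full 40-char SHA, version comment, no
short SHAs, no branch/tag refs) to every `uses:` line in a workflow, using only
the standard library so it can run in CI without extra dependencies.
"""
import re
from typing import List, Optional, Tuple

# `- uses: owner/repo@ref  # comment`, with or without the list dash or quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref: str, comment: Optional[str]) -> Tuple[str, str]:
    """Return (status, reason); status is 'ok', 'pinned-uncommented' or 'floating'."""
    if ref.startswith("./"):
        return "ok", "local action, versioned together with the repository"
    if ref.startswith("docker://"):
        # A container image reference is only immutable when pinned by digest.
        if "@sha256:" in ref:
            return "ok", "container image pinned by digest"
        return "floating", "container image referenced by tag; tags can be re-pushed"
    if "@" not in ref:
        return "floating", "no ref given, resolves to the action's default branch"
    _action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        if comment is None:
            return "pinned-uncommented", "full SHA but no '# vX.Y.Z' comment for reviewers and Dependabot"
        return "ok", "full 40-char SHA with version comment"
    if SHORT_SHA_RE.match(version):
        return "floating", "abbreviated SHA; prefix collisions are possible, pin all 40 characters"
    return "floating", f"mutable branch or tag '{version}'"


def audit_workflow(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, ref, status, reason) for every `uses:` line in the workflow."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue
        status, reason = classify_ref(match.group(1), match.group(2))
        findings.append((line_no, match.group(1), status, reason))
    return findings


def refs_needing_attention(text: str) -> List[str]:
    """Refs that would fail a 'pin to full SHA' policy, in file order."""
    return [ref for _, ref, status, _ in audit_workflow(text) if status != "ok"]


# Constructed workflow fragment. The @main line is the one flagged in this PR;
# the 009ba5a... SHA is the value a later review comment proposed (not verified
# here); the 0123...4567 SHA is an obvious placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  pr_agent:
    runs-on: [self-hosted, Linux, X64]
    steps:
      - name: PR Agent
        uses: qodo-ai/pr-agent@main
      - uses: qodo-ai/pr-agent@009ba5a116c4d3273368a6dc53a4efdb7904d519 # main as of 2026-05-02
      - uses: actions/checkout@v4
      - uses: actions/checkout@19269a0f
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, ref, status, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no:3d} [{status:18s}] {ref}: {reason}")
```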
PR-Agent is a Docker container action which cannot run on Windows self-hosted runners. Switching to GitHub-hosted ubuntu-latest (free within 2000-min/mo quota for personal repos). Discovered via failed run on VPS_Deploy: ##[error]Container action is only supported on Linux
♻️ Duplicate comments (3)
.github/workflows/pr-agent-review.yml (3)
58-63: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Remove unsupported manual-dispatch path from this workflow.
`workflow_dispatch` and `inputs.pr_number` introduce a trigger path that PR-Agent does not process, creating a run that effectively does nothing.
🔧 Minimal fix
on: pull_request: @@ issue_comment: types: [created] - - workflow_dispatch: - inputs: - pr_number: - description: "PR number (manual trigger)" - required: true - type: string concurrency: - group: pr-agent-${{ github.event.pull_request.number || github.event.issue.number || inputs.pr_number }} + group: pr-agent-${{ github.event.pull_request.number || github.event.issue.number }} cancel-in-progress: true @@ - github.event_name == 'workflow_dispatch' + false#!/bin/bash set -euo pipefail # Verify PR-Agent GitHub action runner supported events: curl -fsSL https://raw.githubusercontent.com/qodo-ai/pr-agent/main/pr_agent/servers/github_action_runner.py \ | rg -n "pull_request|pull_request_target|issue_comment|pull_request_review_comment|workflow_dispatch" # Verify current workflow still references workflow_dispatch/pr_number: cat -n .github/workflows/pr-agent-review.yml | rg -n "workflow_dispatch|pr_number|inputs\\.pr_number"Also applies to: 67-67, 82-82
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-agent-review.yml around lines 58 - 63, Remove the unsupported manual trigger by deleting the workflow_dispatch block and the inputs.pr_number entry (remove the workflow_dispatch: and pr_number/input lines) so the workflow only uses supported PR-Agent triggers (e.g., pull_request, pull_request_target, issue_comment, etc.); also remove any other references to inputs.pr_number elsewhere in the workflow (including the occurrences noted around the same area) to avoid creating no-op runs.
76-81: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Restrict slash-command triggers to trusted actors.
Currently, any PR commenter can trigger costly commands (`/review`, `/describe`, `/improve`, `/ask`).
🔒 Hardening patch
(github.event_name == 'issue_comment' && github.event.issue.pull_request != null && + github.event.comment.user.type != 'Bot' && + contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) && (startsWith(github.event.comment.body, '/review') || startsWith(github.event.comment.body, '/describe') || startsWith(github.event.comment.body, '/improve') || startsWith(github.event.comment.body, '/ask'))) ||🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-agent-review.yml around lines 76 - 81, The slash-command trigger condition is open to any commenter; restrict it by adding an author check alongside the existing startsWith(...) checks—e.g., require github.event.comment.author_association to be one of 'OWNER','MEMBER','COLLABORATOR' or check github.event.comment.user.login against a configured TRUSTED_USERS list; update the workflow conditional that contains the startsWith(github.event.comment.body, '/review' ... ) to short-circuit unless the commenter meets the trusted criteria so only trusted actors can invoke /review, /describe, /improve, or /ask.
98-98: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin `qodo-ai/pr-agent` to an immutable full SHA.
Using `@main` makes execution non-reproducible and increases supply-chain risk.
🔧 Pin to a trusted commit
- uses: qodo-ai/pr-agent@main + uses: qodo-ai/pr-agent@<FULL_40_CHAR_COMMIT_SHA>#!/bin/bash set -euo pipefail # Fetch latest commit on main (replace with your approved/reviewed commit if needed) curl -fsSL https://api.github.com/repos/qodo-ai/pr-agent/commits/main | jq -r '.sha'🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-agent-review.yml at line 98, Replace the non-deterministic GitHub Action reference "uses: qodo-ai/pr-agent@main" with an immutable full commit SHA (e.g. "uses: qodo-ai/pr-agent@<FULL_SHA>") so the workflow is reproducible and supply-chain safe; update the workflow where the uses: qodo-ai/pr-agent@main line appears, fetch and verify the approved commit SHA from the qodo-ai/pr-agent repo (or your reviewed pinned SHA) and substitute it into the uses entry, and consider documenting or automating future pin updates (e.g., via Dependabot) after validation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/pr-agent-review.yml:
- Around line 58-63: Remove the unsupported manual trigger by deleting the
workflow_dispatch block and the inputs.pr_number entry (remove the
workflow_dispatch: and pr_number/input lines) so the workflow only uses
supported PR-Agent triggers (e.g., pull_request, pull_request_target,
issue_comment, etc.); also remove any other references to inputs.pr_number
elsewhere in the workflow (including the occurrences noted around the same area)
to avoid creating no-op runs.
- Around line 76-81: The slash-command trigger condition is open to any
commenter; restrict it by adding an author check alongside the existing
startsWith(...) checks—e.g., require github.event.comment.author_association to
be one of 'OWNER','MEMBER','COLLABORATOR' or check
github.event.comment.user.login against a configured TRUSTED_USERS list; update
the workflow conditional that contains the startsWith(github.event.comment.body,
'/review' ... ) to short-circuit unless the commenter meets the trusted criteria
so only trusted actors can invoke /review, /describe, /improve, or /ask.
- Line 98: Replace the non-deterministic GitHub Action reference "uses:
qodo-ai/pr-agent@main" with an immutable full commit SHA (e.g. "uses:
qodo-ai/pr-agent@<FULL_SHA>") so the workflow is reproducible and supply-chain
safe; update the workflow where the uses: qodo-ai/pr-agent@main line appears,
fetch and verify the approved commit SHA from the qodo-ai/pr-agent repo (or your
reviewed pinned SHA) and substitute it into the uses entry, and consider
documenting or automating future pin updates (e.g., via Dependabot) after
validation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 573b9288-ffd2-486c-93f1-91646f8831a8
📒 Files selected for processing (1)
.github/workflows/pr-agent-review.yml
Default PR_ACTIONS only includes opened/reopened/ready_for_review/ review_requested. Without synchronize, pushes to an existing PR cause 'Skipping action: synchronize' and PR-Agent does nothing. Discovered when test1 PR-Agent run succeeded but posted no review.
C:/Program Files/Git/review
PR-Agent fails with 'Ensure <model> is defined in MAX_TOKENS' for newer models not in its hardcoded dict. Setting CONFIG.CUSTOM_MODEL_MAX_TOKENS to 65536 (well below V4's 1M context but plenty for PR diff review).
♻️ Duplicate comments (3)
.github/workflows/pr-agent-review.yml (3)
58-68: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Remove the manual-dispatch path; it likely does nothing for PR-Agent.
Line [58] adds `workflow_dispatch`, and Line [82] allows it, but upstream PR-Agent action runner handling appears limited to PR/comment events. This can burn minutes with no useful output.
🔧 Suggested minimal diff
- workflow_dispatch: - inputs: - pr_number: - description: "PR number (manual trigger)" - required: true - type: string concurrency: - group: pr-agent-${{ github.event.pull_request.number || github.event.issue.number || inputs.pr_number }} + group: pr-agent-${{ github.event.pull_request.number || github.event.issue.number }} cancel-in-progress: true jobs: pr_agent: if: | (github.event_name == 'pull_request' && github.event.pull_request.draft == false && github.event.pull_request.user.type != 'Bot') || (github.event_name == 'issue_comment' && github.event.issue.pull_request != null && (startsWith(github.event.comment.body, '/review') || startsWith(github.event.comment.body, '/describe') || startsWith(github.event.comment.body, '/improve') || - startsWith(github.event.comment.body, '/ask'))) || - github.event_name == 'workflow_dispatch' + startsWith(github.event.comment.body, '/ask')))#!/bin/bash set -euo pipefail curl -fsSL https://raw.githubusercontent.com/qodo-ai/pr-agent/main/pr_agent/servers/github_action_runner.py \ | rg -n 'workflow_dispatch|GITHUB_EVENT_NAME == "pull_request"|issue_comment|pull_request_review_comment' # Expected: matches for PR/comment events, no workflow_dispatch handler.Also applies to: 72-83
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-agent-review.yml around lines 58 - 68, The workflow defines a manual workflow_dispatch input pr_number and then uses inputs.pr_number in the concurrency group, which enables unnecessary manual-dispatch runs; remove the workflow_dispatch block (including the pr_number input) and update the concurrency.group expression in the concurrency section to stop referencing inputs.pr_number (use only github.event.pull_request.number || github.event.issue.number), and also remove any other workflow_dispatch-related lines (the manual-dispatch handling around lines 72-83) so the job only responds to PR/comment events.
98-98: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin `qodo-ai/pr-agent` to an immutable commit SHA.
Line [98] uses `@main`, which is mutable and increases supply-chain risk for workflow executions.
🔧 Suggested diff
- uses: qodo-ai/pr-agent@main + uses: qodo-ai/pr-agent@009ba5a116c4d3273368a6dc53a4efdb7904d519 # main as of 2026-05-02#!/bin/bash set -euo pipefail curl -fsSL https://api.github.com/repos/qodo-ai/pr-agent/branches/main | jq -r '.commit.sha' # Use the returned 40-char SHA (or your approved release SHA) in `uses:`.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-agent-review.yml at line 98, Replace the mutable workflow reference "uses: qodo-ai/pr-agent@main" with an immutable commit SHA: fetch the repository's approved 40-char commit SHA for qodo-ai/pr-agent (e.g., via the GitHub API or your approved release SHA) and update the workflow step "uses: qodo-ai/pr-agent@<SHA>" so the action is pinned to that specific commit rather than `@main`.
76-81: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Restrict slash-command triggers to trusted users.
Line [76]-Line [81] currently allows any PR commenter to trigger expensive `/review`/`/describe`/`/improve`/`/ask` runs.
🔒 Suggested hardening
(github.event_name == 'issue_comment' && github.event.issue.pull_request != null && + github.event.comment.user.type != 'Bot' && + ( + contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) || + github.event.comment.user.login == github.event.issue.user.login + ) && (startsWith(github.event.comment.body, '/review') || startsWith(github.event.comment.body, '/describe') || startsWith(github.event.comment.body, '/improve') || startsWith(github.event.comment.body, '/ask'))) ||🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-agent-review.yml around lines 76 - 81, The workflow condition currently allows any commenter to trigger the slash-command paths that check startsWith(github.event.comment.body, '/review' | '/describe' | '/improve' | '/ask'); tighten this by adding an allowlist/authorization check on the commenter before evaluating those startsWith checks — for example, require github.event.comment.author_association to be one of OWNER|MEMBER|COLLABORATOR or add a contains( fromJson('["alice","bob"]') , github.event.comment.user.login ) check (or reference a repository secret/variable list) and combine it with the existing startsWith predicates so only trusted users can trigger the expensive workflows.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/pr-agent-review.yml:
- Around line 58-68: The workflow defines a manual workflow_dispatch input
pr_number and then uses inputs.pr_number in the concurrency group, which enables
unnecessary manual-dispatch runs; remove the workflow_dispatch block (including
the pr_number input) and update the concurrency.group expression in the
concurrency section to stop referencing inputs.pr_number (use only
github.event.pull_request.number || github.event.issue.number), and also remove
any other workflow_dispatch-related lines (the manual-dispatch handling around
lines 72-83) so the job only responds to PR/comment events.
- Line 98: Replace the mutable workflow reference "uses: qodo-ai/pr-agent@main"
with an immutable commit SHA: fetch the repository's approved 40-char commit SHA
for qodo-ai/pr-agent (e.g., via the GitHub API or your approved release SHA) and
update the workflow step "uses: qodo-ai/pr-agent@<SHA>" so the action is pinned
to that specific commit rather than `@main`.
- Around line 76-81: The workflow condition currently allows any commenter to
trigger the slash-command paths that check startsWith(github.event.comment.body,
'/review' | '/describe' | '/improve' | '/ask'); tighten this by adding an
allowlist/authorization check on the commenter before evaluating those
startsWith checks — for example, require github.event.comment.author_association
to be one of OWNER|MEMBER|COLLABORATOR or add a contains(
fromJson('["alice","bob"]') , github.event.comment.user.login ) check (or
reference a repository secret/variable list) and combine it with the existing
startsWith predicates so only trusted users can trigger the expensive workflows.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: e63cd612-dca7-45d9-90cb-8a3b11075750
📒 Files selected for processing (1)
.github/workflows/pr-agent-review.yml
PR Reviewer Guide 🔍
Here are some key observations to aid the review process:
Avoids GitHub-hosted ubuntu-latest minutes entirely. Runs PR-Agent inside WSL2 Ubuntu on the trading machine. Code never leaves the host. Runner: wsl-singanuk-vps-deploy Labels: self-hosted, Linux, X64, local-wsl, windows-ci
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr-agent-review.yml:
- Around line 9-12: The header comment claiming the workflow "runs on
ubuntu-latest" is out of sync with the actual job runner selection; locate the
workflow's runs-on keys (search for "runs-on:" and the "self-hosted" value used
in the job, e.g., the job with runs-on: self-hosted at the later section) and
either update the header comment to accurately describe that this uses a
self-hosted runner (privacy/cost note) or change the job's runs-on to
"ubuntu-latest" if you intended GitHub-hosted runners; ensure the "runs-on"
value and the top comment are consistent.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 306ce011-c7b7-40f6-8f25-c794b3411b8b
📒 Files selected for processing (1)
.github/workflows/pr-agent-review.yml
| # - Runs on GitHub-hosted ubuntu-latest. PR-Agent is a Docker container action | ||
| # that ONLY runs on Linux; Windows self-hosted runners cannot execute it. | ||
| # GitHub-hosted ubuntu-latest minutes are free up to 2000/month for personal | ||
| # repos, which covers ~1000 PR reviews at ~2 min/run. |
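Review bot: in addition to the runner mismatch, the cost sentence (`free up to 2000/month`, `~1000 PR reviews at ~2 min/run`) only applies to GitHub-hosted minutes and should be removed with it. The rewritten header should name the labels the job actually selects (the commit message for the WSL2 runner lists `self-hosted, Linux, X64, local-wsl, windows-ci`) so a reader can check the comment against `runs-on:` directly, and should keep the statement that Windows self-hosted runners cannot execute container actions, since that is the reason the Linux label is required.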
Header docs are out of sync with runtime runner selection.
Line 9 says this runs on ubuntu-latest, but Line 89 uses a self-hosted runner. This drift will mislead maintenance and cost/privacy expectations.
✏️ Proposed fix
-# - Runs on GitHub-hosted ubuntu-latest. PR-Agent is a Docker container action
-# that ONLY runs on Linux; Windows self-hosted runners cannot execute it.
-# GitHub-hosted ubuntu-latest minutes are free up to 2000/month for personal
-# repos, which covers ~1000 PR reviews at ~2 min/run.
+# - Runs on a self-hosted Linux runner (WSL2 Ubuntu on the host machine).
+# PR-Agent is a Docker container action and requires Linux execution context.
+# GitHub-hosted minutes are not used by this workflow unless runs-on is changed.
Also applies to: 89-89
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-agent-review.yml around lines 9 - 12, The header
comment claiming the workflow "runs on ubuntu-latest" is out of sync with the
actual job runner selection; locate the workflow's runs-on keys (search for
"runs-on:" and the "self-hosted" value used in the job, e.g., the job with
runs-on: self-hosted at the later section) and either update the header comment
to accurately describe that this uses a self-hosted runner (privacy/cost note)
or change the job's runs-on to "ubuntu-latest" if you intended GitHub-hosted
runners; ensure the "runs-on" value and the top comment are consistent.
User description
Adds automated PR review via Qodo PR-Agent routed through a host-side self-hosted runner.
Backend: DeepSeek V4 Pro via OpenRouter (US-hosted, ~0.015-0.03 USD per PR).
Routing: runs-on: self-hosted/Windows/X64 -> per-repo host runner.
Setup template: D:\Windows-CI\Templates\pr-agent-workflow.yml
Onboarding script: D:\Windows-CI\Scripts\Add-PRAgentToRepo.ps1
After merge, every PR gets:
To customize:
Summary by CodeRabbit
PR Type
Enhancement
Description
Add GitHub Actions workflow for automated PR reviews via Qodo PR-Agent
Configure DeepSeek V4 Pro model via OpenRouter with flash fallback
Enable auto-describe and auto-review on PR open/push with concurrency control
Support slash commands (/review, /describe, /improve, /ask) via issue comments
Set custom model max tokens (65536) to avoid missing token config errors
Diagram Walkthrough
flowchart LR
PR_EVENT["PR Opened/Ready/Synchronize"] --> CONDITION{"Draft? Bot author?"}
CONDITION -- No --> JOB["pr_agent job on ubuntu-latest"]
JOB --> STEP["PR Agent step (qodo-ai/pr-agent)"]
STEP --> MODEL["Model: openrouter/deepseek/deepseek-v4-pro"]
MODEL --> OUTPUT["Post review & description"]
SLASH["Slash comment: /review /describe"] --> JOB
DISPATCH["workflow_dispatch"] --> JOB
File Walkthrough
pr-agent-review.yml
Add PR-Agent review workflow using DeepSeek V4 Pro
.github/workflows/pr-agent-review.yml
synchronize), issue_comment (slash commands), workflow_dispatch
containing /review, /describe, /improve, /ask
errors