OpenHands-CLI/.github/workflows/pr-review-by-openhands.yml at main · OpenHands/OpenHands-CLI · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
---
name: PR Review by OpenHands

on:
    # MITIGATION:
    # This workflow runs a tool-using LLM agent (bash, repo checkout) on untrusted
    # PR content (title/body/diff). Using `pull_request_target` would expose secrets in the
    # base-repo context, which is a known risky pattern:
    # https://adnanthekhan.com/posts/clinejection/
    pull_request:
        types: [opened, ready_for_review, labeled, review_requested]

permissions:
    contents: read
    pull-requests: write
    issues: write

jobs:
    pr-review:
        # Run when one of the following conditions is met:
        #   1. A new non-draft PR is opened by a non-first-time contributor, OR
        #   2. A draft PR is converted to ready for review by a non-first-time contributor, OR
        #   3. 'review-this' label is added, OR
        #   4. openhands-agent or all-hands-bot is requested as a reviewer
        # Note: FIRST_TIME_CONTRIBUTOR and NONE PRs require manual trigger via label/reviewer request.
        if: |
            !github.event.pull_request.head.repo.fork && (
              (github.event.action == 'opened' && github.event.pull_request.draft == false && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && github.event.pull_request.author_association != 'NONE') ||
              (github.event.action == 'ready_for_review' && github.event.pull_request.author_association != 'FIRST_TIME_CONTRIBUTOR' && github.event.pull_request.author_association != 'NONE') ||
              github.event.label.name == 'review-this' ||
              github.event.requested_reviewer.login == 'openhands-agent' ||
              github.event.requested_reviewer.login == 'all-hands-bot'
            )
        concurrency:
            group: pr-review-${{ github.event.pull_request.number }}
            cancel-in-progress: true
        runs-on: ubuntu-24.04
        steps:
            - name: Run PR Review
              uses: OpenHands/extensions/plugins/pr-review@main
              with:
                  llm-model: litellm_proxy/claude-sonnet-4-5-20250929
                  llm-base-url: https://llm-proxy.app.all-hands.dev
                  # Review style: roasted (other option: standard)
                  review-style: roasted
                  llm-api-key: ${{ secrets.LLM_API_KEY }}
                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
                  lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}