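# Runs the DevFlow PR review automatically on pull_request_target events, or
# manually through workflow_dispatch with an explicit PR number.
name: DevFlow PR Review

on:
  # pull_request_target runs in the context of the base repository, so the job
  # receives repository secrets and the token scopes declared in this file even
  # when the pull request comes from a fork. No step may check out or execute
  # code from the PR head.
  pull_request_target:
    types:
      - opened
      - reopened
      - ready_for_review
  # Manual trigger for reviewing one specific pull request.
  workflow_dispatch:
    inputs:
      pr_number:
        description: Pull request number to review
        required: true
        type: string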
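# Workflow-wide GITHUB_TOKEN scopes: repository contents are read-only, issues
# and pull requests are writable.
# NOTE(review): presumably the write scopes are for labels and review comments;
# confirm against the DevFlow scripts and drop any scope they do not use.
permissions:
  contents: read
  issues: write
  pull-requests: write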
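# One review at a time per repository and pull request; a newer run cancels
# the one still in progress. Manual runs carry the PR number in
# inputs.pr_number rather than in the event payload, so it is consulted before
# falling back to the run id. Without it a manual re-review would never share
# a group with the automatic run for the same PR.
concurrency:
  group: devflow-pr-review-${{ github.repository }}-${{ github.event.pull_request.number || inputs.pr_number || github.run_id }}
  cancel-in-progress: true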
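env:
  # Repository that holds the DevFlow tooling, read from the DF_REPO variable.
  DEVFLOW_REPOSITORY: ${{ vars.DF_REPO }}
  # NOTE(review): a branch name is a moving ref. Whatever is on it at run time
  # executes with this job's secrets; consider a tag or full commit SHA.
  DEVFLOW_REF: main
  # The two checkouts live side by side under the workspace.
  TARGET_REPO_PATH: ${{ github.workspace }}/target-repo
  DEVFLOW_PATH: ${{ github.workspace }}/devflow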
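jobs:
  review:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    # Draft PRs are skipped on the automatic trigger; manual runs always
    # proceed.
    if: ${{ github.event_name != 'pull_request_target' || !github.event.pull_request.draft }}
    steps:
      # Event and input values reach the script through env variables instead
      # of being interpolated into the script text, so their content is never
      # parsed as shell. The PR number must match a strict positive-integer
      # pattern before anything is written to GITHUB_OUTPUT.
      - name: Resolve PR metadata
        id: pr
        shell: bash
        env:
          PR_HTML_URL: ${{ github.event.pull_request.html_url }}
          PR_NUMBER_EVENT: ${{ github.event.pull_request.number }}
          PR_NUMBER_INPUT: ${{ inputs.pr_number }}
        run: |
          set -euo pipefail
          if [[ "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then
            pr_number="${PR_NUMBER_EVENT}"
            pr_url="${PR_HTML_URL}"
          else
            pr_number="${PR_NUMBER_INPUT}"
            pr_url="https://github.com/${GITHUB_REPOSITORY}/pull/${pr_number}"
          fi
          if [[ ! "$pr_number" =~ ^[1-9][0-9]*$ ]]; then
            echo "Could not determine PR number; for workflow_dispatch runs, the 'pr_number' input is required when not running on pull_request_target." >&2
            exit 1
          fi
          echo "pr_url=${pr_url}" >> "$GITHUB_OUTPUT"
          echo "pr_number=${pr_number}" >> "$GITHUB_OUTPUT"
          echo "repo=${GITHUB_REPOSITORY}" >> "$GITHUB_OUTPUT"

      # Safe checkout: base repo only, not the untrusted PR head.
      # On pull_request_target the base SHA is used; on manual runs github.sha.
      # persist-credentials: false keeps the token out of the checkout's git
      # config.
      # NOTE(review): every `uses:` in this job references a mutable tag. In a
      # job that holds secrets, consider pinning each action to a full commit
      # SHA.
      - name: Checkout target repo base
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.sha || github.sha }}
          fetch-depth: 0
          persist-credentials: false
          path: target-repo

      # Private DevFlow checkout: the PAT/token grants access to this repo's
      # code.
      - name: Checkout DevFlow
        uses: actions/checkout@v5
        with:
          repository: ${{ env.DEVFLOW_REPOSITORY }}
          ref: ${{ env.DEVFLOW_REF }}
          token: ${{ secrets.DEVFLOW_TOKEN }}
          fetch-depth: 1
          persist-credentials: false
          path: devflow

      # Quoted so the version stays a string rather than a float.
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Set up uv
        uses: astral-sh/setup-uv@v6
        with:
          version: "0.5.x"
          enable-cache: true

      # Dependencies are installed from the DevFlow checkout only; --frozen
      # uses the existing lockfile without updating it.
      - name: Install DevFlow dependencies
        working-directory: ${{ env.DEVFLOW_PATH }}
        run: uv sync --frozen

      # Spam gate. Later steps read this step's `decision` output.
      # NOTE(review): the PR title, body and diff are written by an untrusted
      # author, and this step holds a write-scoped GITHUB_TOKEN plus the
      # Copilot token. Confirm the script treats PR content strictly as data.
      - name: Classify PR relevance
        id: spam
        working-directory: ${{ env.DEVFLOW_PATH }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_COPILOT_TOKEN: ${{ secrets.GH_COPILOT_TOKEN }}
          SK_REPO_PATH: ${{ env.TARGET_REPO_PATH }}
          AGENT_REPO_PATH: ${{ env.TARGET_REPO_PATH }}
          PR_REPO: ${{ steps.pr.outputs.repo }}
          PR_NUMBER: ${{ steps.pr.outputs.pr_number }}
        run: |
          uv run python scripts/classify_pr_spam.py \
            --repo "$PR_REPO" \
            --pr-number "$PR_NUMBER" \
            --repo-path "${TARGET_REPO_PATH}" \
            --apply-labels

      # Log-only step: it does not fail the job. Any decision other than
      # 'allow', including an empty output, lands here, and the review step is
      # skipped by its own condition, so the gate fails closed.
      - name: Stop after spam gate
        if: ${{ steps.spam.outputs.decision != 'allow' }}
        shell: bash
        env:
          SPAM_DECISION: ${{ steps.spam.outputs.decision }}
        run: |
          echo "Skipping review because spam gate decided: ${SPAM_DECISION}"

      # Runs only on an explicit 'allow'. GITHUB_ACTOR is the account that
      # triggered the run. The same untrusted-input caveat as the spam gate
      # applies, since this step holds the same tokens.
      - name: Run PR review
        if: ${{ steps.spam.outputs.decision == 'allow' }}
        id: review
        working-directory: ${{ env.DEVFLOW_PATH }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_COPILOT_TOKEN: ${{ secrets.GH_COPILOT_TOKEN }}
          SK_REPO_PATH: ${{ env.TARGET_REPO_PATH }}
          AGENT_REPO_PATH: ${{ env.TARGET_REPO_PATH }}
          PR_URL: ${{ steps.pr.outputs.pr_url }}
        run: |
          uv run python scripts/trigger_pr_review.py \
            --pr-url "$PR_URL" \
            --github-username "$GITHUB_ACTOR" \
            --no-require-comment-selection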