Skip to content

Windows first-class: fix product I/O bugs, port test suite, add windows-latest CI #46

Windows first-class: fix product I/O bugs, port test suite, add windows-latest CI

Windows first-class: fix product I/O bugs, port test suite, add windows-latest CI #46

Workflow file for this run

name: PR Pilot — Autonomous Code Review
# SECURITY: this workflow must never execute PR-controlled code while it holds
# secrets. PR Pilot only needs the PR diff, which it fetches through the GitHub
# API (data, not code). We therefore check out the BASE ref (trusted code on the
# target branch) and run the agent from there, passing only the PR number.
#
# Using `pull_request` (not `pull_request_target`) means forked PRs do not
# receive secrets at all. Checking out the base ref additionally protects
# against same-repo or compromised-write PRs that try to modify the workflow's
# code path to exfiltrate GEMINI_API_KEY or abuse the write token.
on:
pull_request:
types: [opened, synchronize, reopened]
# Least privilege: only what is needed to post a review.
permissions:
contents: read
pull-requests: write
concurrency:
group: pr-pilot-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
review:
runs-on: ubuntu-latest
steps:
# Check out the BASE ref (trusted), NOT the PR head. The PR's code is
# never installed or executed in this job.
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.base.sha }}
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install dependencies (from trusted base ref)
run: pip install -e .
- name: Run PR Pilot Agent Chain
# The agent CLI reads PR context from GITHUB_EVENT_PATH and the PR diff
# from the API, so it never needs the PR's checked-out code.
#
# PR Pilot's agent chain is published separately; this repo currently
# ships only the product page. Resolve the entrypoint if it is present,
# otherwise skip cleanly so the check never red-X's a PR on missing
# optional tooling (and never blocks a merge). Also skip when no API key
# is available (e.g. forked PRs, which do not receive secrets).
env:
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
if [ -z "${GEMINI_API_KEY}" ]; then
echo "PR Pilot: GEMINI_API_KEY not available (forked PR?) — skipping autonomous review."
exit 0
fi
for entry in pr-pilot/cli.py src/cli.py src/perseus/pr_pilot.py; do
if [ -f "$entry" ]; then
echo "PR Pilot: running $entry"
exec python "$entry"
fi
done
echo "PR Pilot: agent entrypoint not found in this repo — skipping autonomous review."
echo "(Add pr-pilot/cli.py to enable Gemini-based PR review.)"