fix: per-workspace mimir config, auto_inject flag, version-less @perseus header #51
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Pilot — Autonomous Code Review | |
| # SECURITY: this workflow must never execute PR-controlled code while it holds | |
| # secrets. PR Pilot only needs the PR diff, which it fetches through the GitHub | |
| # API (data, not code). We therefore check out the BASE ref (trusted code on the | |
| # target branch) and run the agent from there, passing only the PR number. | |
| # | |
| # Using `pull_request` (not `pull_request_target`) means forked PRs do not | |
| # receive secrets at all. Checking out the base ref additionally protects | |
| # against same-repo or compromised-write PRs that try to modify the workflow's | |
| # code path to exfiltrate GEMINI_API_KEY or abuse the write token. | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| # Least privilege: only what is needed to post a review. | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| concurrency: | |
| group: pr-pilot-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| review: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Check out the BASE ref (trusted), NOT the PR head. The PR's code is | |
| # never installed or executed in this job. | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.base.sha }} | |
| persist-credentials: false | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install dependencies (from trusted base ref) | |
| run: pip install -e . | |
| - name: Run PR Pilot Agent Chain | |
| # The agent CLI reads PR context from GITHUB_EVENT_PATH and the PR diff | |
| # from the API, so it never needs the PR's checked-out code. | |
| # | |
| # PR Pilot's agent chain is published separately; this repo currently | |
| # ships only the product page. Resolve the entrypoint if it is present, | |
| # otherwise skip cleanly so the check never red-X's a PR on missing | |
| # optional tooling (and never blocks a merge). Also skip when no API key | |
| # is available (e.g. forked PRs, which do not receive secrets). | |
| env: | |
| GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| if [ -z "${GEMINI_API_KEY}" ]; then | |
| echo "PR Pilot: GEMINI_API_KEY not available (forked PR?) — skipping autonomous review." | |
| exit 0 | |
| fi | |
| for entry in pr-pilot/cli.py src/cli.py src/perseus/pr_pilot.py; do | |
| if [ -f "$entry" ]; then | |
| echo "PR Pilot: running $entry" | |
| exec python "$entry" | |
| fi | |
| done | |
| echo "PR Pilot: agent entrypoint not found in this repo — skipping autonomous review." | |
| echo "(Add pr-pilot/cli.py to enable Gemini-based PR review.)" |