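# CodeBoarding review workflow.
#
# Runs the CodeBoarding action from this repository against a pull request,
# either when the PR becomes reviewable or when a trusted user comments
# `/codeboarding` on it. The job receives a write-scoped token and an LLM API
# key, so the trigger conditions and credential handling below are the
# security-relevant parts of this file.
name: CodeBoarding review

on:
  pull_request:
    # Generate once, when the PR becomes reviewable, not on every push, so we
    # don't spend an LLM job per commit. Add `synchronize` to re-run on each
    # push, or refresh anytime with /codeboarding. 'closed' only cancels an
    # in-flight review (see concurrency), it doesn't start one.
    types: [opened, reopened, ready_for_review, closed]
  # issue_comment runs use the workflow file from the default branch and
  # receive repository secrets and the token permissions declared below, even
  # when the PR comes from a fork. The author_association check in the job's
  # `if` is what limits who can start a run on this path.
  issue_comment:
    types: [created]

permissions:
  # write: the action commits the generated .codeboarding/analysis.json back to the
  # PR branch so the webview can open this PR's diff at the head SHA (same-repo PRs).
  # On pull_request events from forks GitHub by default issues a read-only token
  # and withholds secrets, so these write scopes apply to same-repo PRs and to
  # the comment-triggered path.
  contents: write
  pull-requests: write
  issues: write

concurrency:
  group: codeboarding-${{ github.event.pull_request.number || github.event.issue.number }}
  # Cancel only when the PR closes — bot comments (issue_comment) and re-triggers
  # must not cancel a running review; they queue behind it instead.
  cancel-in-progress: ${{ github.event_name == 'pull_request' && github.event.action == 'closed' }}

jobs:
  review:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    # Two ways in:
    #   1. a non-draft pull_request event other than 'closed';
    #   2. a PR comment starting with /codeboarding from an OWNER, MEMBER or
    #      COLLABORATOR. Comments from anyone else never start the job.
    # The comment body is only inspected inside this expression; it is not
    # passed to a shell anywhere in this file.
    if: >
      (github.event_name == 'pull_request' && github.event.action != 'closed' && github.event.pull_request.draft == false) ||
      (github.event_name == 'issue_comment' && github.event.issue.pull_request != null &&
      startsWith(github.event.comment.body, '/codeboarding') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
    steps:
      # Dogfood: run the action from the checked-out repo (uses: ./) so each PR
      # exercises the action code under review, not the last published release.
      # The action reads its scripts via github.action_path and checks the engine
      # and target repo into subdirectories, so this local checkout is untouched.
      #
      # With no `ref`, an issue_comment run checks out the default branch, so on
      # that path `uses: ./` runs default-branch action code rather than the
      # PR's copy.
      #
      # NOTE(review): v4 is a mutable tag. Pinning to a full commit SHA would fix
      # the exact code that runs with the permissions above.
      - uses: actions/checkout@v4
        with:
          # The later steps only need the files from this checkout, not git
          # credentials: the action is handed its token explicitly through
          # `github_token`. Not persisting the job token keeps it out of
          # .git/config in the workspace that the following steps run in.
          persist-credentials: false

      # Works out which GitHub App credentials are configured and whether the
      # private key parses, and exposes the result as step outputs. The key
      # itself is never written to an output.
      - name: Detect CodeBoarding GitHub App credentials
        id: codeboarding-app-config
        shell: bash
        # Values are passed through the environment rather than interpolated
        # into the script text, so their contents are not parsed as shell.
        env:
          CLIENT_ID: ${{ vars.CODEBOARDING_APP_CLIENT_ID }}
          APP_ID: ${{ vars.CODEBOARDING_APP_ID }}
          PRIVATE_KEY: ${{ secrets.CODEBOARDING_APP_PRIVATE_KEY }}
        run: |
          client_id="${CLIENT_ID:-}"
          app_id="${APP_ID:-}"
          # GitHub App client IDs start with "Iv". If that value was stored in
          # CODEBOARDING_APP_ID, use it as a client ID to avoid the deprecated
          # app-id input path.
          if [ -z "$client_id" ] && [ "${app_id#Iv}" != "$app_id" ]; then
            client_id="$app_id"
            app_id=""
          fi
          has_private_key=false
          private_key_valid=false
          if [ -n "$PRIVATE_KEY" ]; then
            has_private_key=true
            # openssl only validates the key here; stdout and stderr are
            # discarded so no key material or parser detail reaches the log.
            if printf '%s' "$PRIVATE_KEY" | openssl pkey -noout >/dev/null 2>&1; then
              private_key_valid=true
            else
              echo "::warning::CODEBOARDING_APP_PRIVATE_KEY is not a valid PEM private key, so CodeBoarding will fall back to github-actions[bot]."
              # Second attempt with escapes expanded, purely to give a more
              # specific hint; the result is not used as the key.
              if printf '%b' "$PRIVATE_KEY" | openssl pkey -noout >/dev/null 2>&1; then
                printf '%s\n' "::warning::CODEBOARDING_APP_PRIVATE_KEY looks like it contains literal \\n escapes. Store the downloaded PEM as multi-line secret text instead."
              fi
            fi
          fi
          # client_id is written verbatim as a key=value line. It comes from
          # repository variables; a value containing a newline would add extra
          # output lines. NOTE(review): consider rejecting multi-line values.
          {
            [ -n "$client_id" ] && echo "has_client_id=true" || echo "has_client_id=false"
            [ -n "$app_id" ] && echo "has_app_id=true" || echo "has_app_id=false"
            echo "client_id=$client_id"
            echo "has_private_key=$has_private_key"
            echo "private_key_valid=$private_key_valid"
          } >> "$GITHUB_OUTPUT"

      # Preferred path: mint an App installation token from the client ID.
      # continue-on-error lets a failed mint fall through to the github.token
      # fallback in the final step instead of failing the job.
      # NOTE(review): v3 is a mutable tag on an action that receives the App
      # private key; a full commit SHA pin is the stronger choice here.
      - uses: actions/create-github-app-token@v3
        id: codeboarding-app-token-client
        if: steps.codeboarding-app-config.outputs.has_client_id == 'true' && steps.codeboarding-app-config.outputs.private_key_valid == 'true'
        continue-on-error: true
        with:
          client-id: ${{ steps.codeboarding-app-config.outputs.client_id }}
          private-key: ${{ secrets.CODEBOARDING_APP_PRIVATE_KEY }}

      # Legacy path: only used when no client ID is available and a numeric
      # app ID is configured.
      - uses: actions/create-github-app-token@v3
        id: codeboarding-app-token-app
        if: steps.codeboarding-app-config.outputs.has_client_id != 'true' && steps.codeboarding-app-config.outputs.has_app_id == 'true' && steps.codeboarding-app-config.outputs.private_key_valid == 'true'
        continue-on-error: true
        with:
          app-id: ${{ vars.CODEBOARDING_APP_ID }}
          private-key: ${{ secrets.CODEBOARDING_APP_PRIVATE_KEY }}

      - name: Warn when CodeBoarding App token is unavailable
        if: steps.codeboarding-app-token-client.outputs.token == '' && steps.codeboarding-app-token-app.outputs.token == ''
        shell: bash
        run: |
          echo "::warning::CodeBoarding GitHub App token is unavailable; falling back to github-actions[bot]. Check CODEBOARDING_APP_PRIVATE_KEY formatting if app credentials are configured."

      # Runs the action with the first available token (App token by client ID,
      # App token by app ID, then the job's github.token) and the LLM API key.
      # NOTE(review): this step holds a write-capable token and an API key while
      # processing PR content. What the action does with that content is not
      # visible in this file; confirm it only reads the PR's files and never
      # executes PR-supplied code, particularly on the comment-triggered path
      # where fork PRs run with secrets.
      - uses: ./
        with:
          github_token: ${{ steps.codeboarding-app-token-client.outputs.token || steps.codeboarding-app-token-app.outputs.token || github.token }}
          llm_api_key: ${{ secrets.OPENROUTER_API_KEY }}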