github-workflows

Shared GitHub Actions reusable workflows for jitsucom repos.

Workflows

ai-review.yml — AI Code Review

Reviews pull requests and commits for bugs, security issues, and correctness problems using OpenAI Codex.

  • On pull requests: posts a native PR review with inline comments via a GitHub App
  • On push to main (commits not part of any PR): posts a review as a commit comment
  • Skips commits that already belong to an open PR (reviewed there instead)
  • Reports token usage and estimated cost in the workflow summary

Secrets required

All three secrets must be available to the workflow — either as org secrets or repo secrets.

Secret                        Required for   Description
OPENAI_API_KEY                always         OpenAI API key with Codex access
AI_CODE_REVIEW_APP_ID         PR mode        GitHub App ID for posting PR reviews
AI_CODE_REVIEW_PRIVATE_KEY    PR mode        Private key (.pem) for the GitHub App

GitHub App setup

The GitHub App needs Pull requests: Read & write on the target repo.

  1. Create app: https://github.com/organizations/jitsucom/settings/apps/new
  2. Install the app on the target repo(s)
  3. Generate a private key in the app settings
  4. Store secrets (org-level example):

     gh secret set AI_CODE_REVIEW_APP_ID --org jitsucom --repos my-repo --body "<app-id>"
     gh secret set AI_CODE_REVIEW_PRIVATE_KEY --org jitsucom --repos my-repo < app-private-key.pem
     gh secret set OPENAI_API_KEY --org jitsucom --repos my-repo --body "<key>"

Usage

Add a thin wrapper workflow to your repo:

# .github/workflows/ai-review.yml
name: AI Review

on:
  pull_request:
    types: [opened, reopened, synchronize, edited, ready_for_review]
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      pr_number:
        description: PR number to review (leave blank to review a commit)
        required: false
      commit_sha:
        description: Commit SHA to review (leave blank when using PR number)
        required: false

jobs:
  ai-review:
    uses: jitsucom/github-workflows/.github/workflows/ai-review.yml@main
    secrets: inherit
    with:
      pr_number: ${{ inputs.pr_number }}
      commit_sha: ${{ inputs.commit_sha }}

Use the review_instructions input to focus the review on what matters for your repo:

    with:
      pr_number: ${{ inputs.pr_number }}
      commit_sha: ${{ inputs.commit_sha }}
      review_instructions: >-
        Focus on infrastructure safety, Terraform drift, and secret leaks.
        Skip style nitpicks.

Updating

All consuming repos pick up changes automatically on the next run — no changes needed per repo.

Composite actions

Reusable composite actions live under .github/actions/. Consume them by path:

- uses: jitsucom/github-workflows/.github/actions/<name>@<tag-or-main>

slack-notify — Slack webhook notification

Sends a formatted notification to Slack with title + optional bullet blocks. Used by the deploy workflows.

Inputs:

  • header — required.
  • color — optional, defaults to good (green). Accepts good, warning, danger, or a hex color like #36a64f.
  • blocks — optional. YAML array of block objects with title, value, url (optional), is_code (optional). Omit to send the header alone.
  • slack_webhook_url — optional override. Normally leave empty; the action reads SLACK_WEBHOOK_URL env first (see below) and only uses this input as a fallback, mainly for ad-hoc testing.

The composite action can't read org secrets directly. Standard pattern: set SLACK_WEBHOOK_URL once at the job level from secrets.CI_SLACK_WEBHOOK.

jobs:
  notify:
    env:
      SLACK_WEBHOOK_URL: ${{ secrets.CI_SLACK_WEBHOOK }}
    steps:
      - uses: jitsucom/github-workflows/.github/actions/slack-notify@main
        with:
          header: "Deploy started"

See action.yml.
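A fuller notification that exercises the color and blocks inputs, as an added example that is not from the repository's README or action.yml. It assumes blocks is passed as a YAML string which the action parses into the array of block objects described above (title, value, optional url, optional is_code); the secret name CI_SLACK_WEBHOOK and the job-level env pattern come from the page, and the deploy step is a placeholder for a repo's real deploy commands.

```yaml
# .github/workflows/deploy.yml (added example, not from the repository)
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Set once at the job level: the composite action reads this env var first
      # and only falls back to the slack_webhook_url input.
      SLACK_WEBHOOK_URL: ${{ secrets.CI_SLACK_WEBHOOK }}
    steps:
      - uses: actions/checkout@v4

      - name: Deploy
        run: ./scripts/deploy.sh   # placeholder for the repo's real deploy steps

      # Runs whether the deploy step passed or failed; header and color follow the outcome,
      # so a failed deploy is reported in red rather than silently skipped.
      - name: Notify Slack
        if: always()
        uses: jitsucom/github-workflows/.github/actions/slack-notify@main
        with:
          header: ${{ job.status == 'success' && 'Deploy succeeded' || 'Deploy failed' }}
          color: ${{ job.status == 'success' && 'good' || 'danger' }}
          # Assumed: blocks is a YAML string that the action parses into block objects.
          # The run link lets the on-call engineer jump straight to the failing logs.
          blocks: |
            - title: Repository
              value: ${{ github.repository }}
              url: ${{ github.server_url }}/${{ github.repository }}
            - title: Commit
              value: ${{ github.sha }}
              url: ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}
              is_code: true
            - title: Run
              value: "#${{ github.run_number }}"
              url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
```

The quotes around "#${{ github.run_number }}" matter: once the action parses the blocks string as YAML, an unquoted leading # would start a comment and the value would be empty.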

Reusable-workflow wrapper

For callers that prefer secrets: inherit over wiring the env var, or for testing the action directly from the GitHub UI (workflow_dispatch), there's a thin wrapper at .github/workflows/slack-notify.yml:

jobs:
  notify:
    uses: jitsucom/github-workflows/.github/workflows/slack-notify.yml@main
    secrets: inherit
    with:
      header: "Deploy started"

Trade-off: each invocation runs as its own job on a fresh runner (~30–60s startup) and can't share workspace state with sibling steps. For inline notifications inside an existing deploy job, use the composite action directly.

install-yq — Install the yq CLI

Installs mikefarah/yq to /usr/local/bin with a pinned version + sha256 checksum. Inputs: version, sha256 (both have safe defaults). See action.yml.

install-kustomize — Install the kustomize CLI

Installs the standalone kustomize CLI with a pinned version + sha256 checksum. Inputs: version, sha256 (both have safe defaults). See action.yml.
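Both install actions accept the same two inputs, so one job can pin them side by side. The workflow below is an added example, not from the repository: the version and sha256 inputs are the ones documented above, but their values are placeholders to be replaced with the upstream release tag and the checksum of that release binary, and overlays/prod is an assumed kustomize overlay path.

```yaml
# Added example (not from the repository): pin both tools explicitly instead of relying
# on the actions' defaults, so a new upstream release or a tampered download cannot
# change what the job runs without a reviewed change to this file.
jobs:
  render:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install yq (pinned, checksum-verified)
        uses: jitsucom/github-workflows/.github/actions/install-yq@main
        with:
          version: "<yq-version>"            # placeholder: upstream release tag
          sha256: "<sha256-of-yq-binary>"    # placeholder: checksum of that release binary

      - name: Install kustomize (pinned, checksum-verified)
        uses: jitsucom/github-workflows/.github/actions/install-kustomize@main
        with:
          version: "<kustomize-version>"           # placeholder: upstream release tag
          sha256: "<sha256-of-kustomize-binary>"   # placeholder: checksum of that release binary

      - name: Render manifests and list the images they reference
        run: |
          # overlays/prod is an assumed path in the consuming repo
          kustomize build overlays/prod > rendered.yaml
          yq 'select(.kind == "Deployment") | .spec.template.spec.containers[].image' rendered.yaml
```

The same reasoning applies to the action reference itself: the Composite actions section allows @<tag-or-main>, and a tag (or commit SHA) freezes the installer logic in the same way the sha256 input freezes the binary.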