Changes from 2 commits
34 changes: 32 additions & 2 deletions .github/ai-review/prefetch.sh
@@ -79,8 +79,38 @@ jq -r '.body // ""' "$OUTPUT_DIR/pr.json" > "$OUTPUT_DIR/pr-body.md"
# Files changed (paths + per-file additions/deletions; full content lives in the diff)
gh_retry gh pr view "$PR_NUMBER" --repo "$REPO" --json files > "$OUTPUT_DIR/pr-files.json"

# Full unified diff
gh_retry gh pr diff "$PR_NUMBER" --repo "$REPO" > "$OUTPUT_DIR/pr-diff.patch"
# Full unified diff. Use local `git diff` rather than `gh pr diff` because
# the GitHub REST diff endpoint hard-caps at 20,000 lines (HTTP 406
# `PullRequest.diff too_large`). The workflow already checked out the PR
# head with `fetch-depth: 0`, so all branches are available locally.
#
# Hardening against PR-controlled diff suppression:
# --text force textual diff so a `.gitattributes` `binary` mark
# cannot hide hunks in sensitive paths.
# --no-textconv ignore textconv filters (which can mangle/suppress output
# and execute external programs).
# --no-ext-diff ignore external diff drivers configured via `.gitattributes`.
# We also pin the comparison to the immutable `baseRefOid` SHA from pr.json
# rather than the moving `origin/<base>` tip — so an advance of the base
# branch between fetch and diff cannot change what gets reviewed.
BASE_SHA_FOR_DIFF=$(jq -r '.baseRefOid' "$OUTPUT_DIR/pr.json")
HEAD_SHA_FOR_DIFF=$(jq -r '.headRefOid' "$OUTPUT_DIR/pr.json")
SAFE_DIFF_OPTS=(--no-ext-diff --no-textconv --text)
if git cat-file -e "${BASE_SHA_FOR_DIFF}^{commit}" 2>/dev/null; then
git diff "${SAFE_DIFF_OPTS[@]}" "${BASE_SHA_FOR_DIFF}...${HEAD_SHA_FOR_DIFF}" \
Comment on lines +96 to +100
Contributor

[HIGH] Protected AI-review prefetch helper modified

This PR changes .github/ai-review/prefetch.sh, the helper that prepares the no-network context consumed by the reviewers and runs before Codex with GitHub credentials available. The run instructions require diffs under .github/ai-review/* to be flagged HIGH or CRITICAL against the trusted base copy. The prior diff-suppression concern is addressed by --no-ext-diff --no-textconv --text, but the protected helper modification itself remains a blocking review-infra change.

> "$OUTPUT_DIR/pr-diff.patch"
else
# Base commit not local (e.g. shallow checkout missing the merge base).
# Fall back to the REST endpoint; bail loudly if it 406s on a huge PR.
echo "::warning::base commit ${BASE_SHA_FOR_DIFF} not local; falling back to gh pr diff (may fail for >20k-line PRs)"
gh_retry gh pr diff "$PR_NUMBER" --repo "$REPO" > "$OUTPUT_DIR/pr-diff.patch"
fi
Comment on lines +82 to +107
Contributor

[HIGH] Protected AI-review prefetch helper modified

This PR modifies .github/ai-review/prefetch.sh, a protected review-infrastructure helper. The operating instructions for this run require any diff against trusted .github/ai-review/* files to be flagged as HIGH or CRITICAL. Because this script controls the context handed to the no-network review personas, this change should be treated as blocking until explicitly validated by a trusted human/nucleus reviewer.

DIFF_BYTES=$(wc -c < "$OUTPUT_DIR/pr-diff.patch")
DIFF_LINES=$(wc -l < "$OUTPUT_DIR/pr-diff.patch")
echo "PR diff: ${DIFF_LINES} lines, ${DIFF_BYTES} bytes"
if (( DIFF_BYTES > 2 * 1024 * 1024 )); then
echo "::warning::PR diff is large (${DIFF_BYTES} bytes); the persona may need to focus on pr-files.json to triage."
fi

# All PR comments (issue-style). `--paginate` alone writes one JSON array per
# page; `--slurp` wraps them as [[page1], [page2], ...]; we then flatten with
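Review bot: the guard on the `if git cat-file -e "${BASE_SHA_FOR_DIFF}^{commit}" 2>/dev/null; then` line verifies only the base SHA; `HEAD_SHA_FOR_DIFF` is never checked, so when `headRefOid` is not a local object (for example the checkout holds the merge ref rather than the PR head, or `jq -r` emitted the literal string `null` because the field was absent) `git diff` fails inside the `then` branch instead of taking the `gh pr diff` fallback, and unless the script runs under `set -e` the review continues on an empty `pr-diff.patch`. Suggest extending the condition with `&& git cat-file -e "${HEAD_SHA_FOR_DIFF}^{commit}" 2>/dev/null`, and after `fi` treating a zero-line patch as a hard error whenever `pr-files.json` lists changed files, rather than only echoing `DIFF_LINES`/`DIFF_BYTES`. The `::warning::` in the fallback could also say that the `--no-ext-diff --no-textconv --text` hardening does not apply to the `gh pr diff` path, since that is the property the comment block above promises.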