ci: replace PR review workflows with unified axrun workflow #9
Conversation
Replace individual gemini and claude-code PR review workflows with unified pr-review-axrun.yml that supports multiple AI agents (Claude, Gemini, Codex, Copilot) via matrix strategy.
🤖 Hi @Jercik, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.
📋 Review Summary
This PR consolidates multiple individual agent workflows into a single axrun-based workflow with a matrix strategy for Claude, Gemini, Codex, and Copilot. This simplifies maintenance and centralizes the prompt definition.
🔍 General Feedback
- Architecture: The unified workflow approach is much cleaner and reduces code duplication compared to maintaining separate files for each agent.
- Security: Using `pull_request_target` with the prompt embedded in the workflow file is a secure pattern. It ensures that the agent's instructions cannot be modified by the PR author, while still allowing the agent to analyze the PR code (checked out via `ref: head.sha`).
- Fork Handling: The workflow explicitly skips forks (`if: ...fork == false`). This ensures secrets are safe but means external contributors will not receive automated reviews.
- Interactive Mode: The ability to trigger reviews via comments (`@gemini-cli`) has been removed in favor of automatic triggers on PR updates.
- Resource Usage: I've added a suggestion to enable `concurrency` to prevent redundant runs when multiple commits are pushed in quick succession.
| # We checkout PR head so local file reads see PR content. | ||
| pull_request_target: | ||
| types: [opened, synchronize, reopened] | ||
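Review bot: the comment on the first line says the PR head is checked out, but under `pull_request_target` that checkout runs with the base repository's secrets and a write-scoped token, so any step after it that executes repository content (npm config, scripts, hooks) runs code the PR author controls. Check out with `persist-credentials: false`, do tool installation before the checkout step, and keep `types: [opened, synchronize, reopened]` paired with the fork guard.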
Without a concurrency group, every push to the PR will trigger a new set of 4 matrix jobs (totaling 4 concurrent runs). This can waste actions minutes and cause race conditions where multiple agents try to comment on the PR simultaneously.
Consider adding a concurrency group to cancel in-progress runs for the same PR.
| types: [opened, synchronize, reopened] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true |
Pull request overview
This PR consolidates multiple agent-specific PR review workflows into a single unified workflow using axrun with a matrix strategy. It removes the Claude Code, Gemini Review, Gemini Invoke, and Gemini Dispatch workflows and replaces them with a new pr-review-axrun.yml that supports Claude, Gemini, Codex, and Copilot agents through a matrix configuration.
Changes:
- Removed legacy agent-specific workflows (Claude Code, Gemini Review/Invoke/Dispatch)
- Added unified axrun-based workflow with embedded security-hardened prompt
- Implemented matrix strategy to run reviews with multiple AI agents in parallel
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/pr-review-claude-code.yml | Removed Claude Code-specific PR review workflow |
| .github/workflows/pr-review-axrun.yml | Added unified workflow with matrix strategy for Claude, Gemini, Codex, and Copilot agents |
| .github/workflows/gemini-review.yml | Removed Gemini-specific review workflow |
| .github/workflows/gemini-invoke.yml | Removed Gemini invoke workflow for command handling |
| .github/workflows/gemini-dispatch.yml | Removed Gemini dispatch workflow for routing review/invoke commands |
| include: | ||
| - agent: claude | ||
| display_name: Claude | ||
| model: opus |
Copilot (AI) · Jan 12, 2026
The model name "opus" for Claude is ambiguous. Claude models typically have full names like "claude-opus-4-20250514" or "claude-3-opus-20240229". Please verify this is the correct model identifier for the axrun tool, or use a fully qualified model name.
| model: opus | |
| model: claude-3-opus-20240229 |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 96f13e0bd6
| - name: Install ${{ matrix.agent }} | ||
| run: npx -y axinstall ${{ matrix.agent }} --with npm |
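Review bot: `npx -y axinstall ${{ matrix.agent }} --with npm` is unpinned and auto-confirms (`-y`), so each run installs whatever the registry currently serves for `axinstall`, and it executes after the PR head checkout under `pull_request_target`, where a repo-local `.npmrc` from the PR can redirect the registry. Pin the package version, move this step before the checkout, or point `NPM_CONFIG_USERCONFIG` at a file the workflow writes itself.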
Avoid running npx after checkout in pull_request_target
Because this workflow is triggered by pull_request_target and checks out the PR head, running npx -y axinstall … from the repo root lets a same-repo PR add a malicious .npmrc (or other npm config) to redirect the registry or alter npm behavior. npx honors repo-local config, so the PR can cause execution of attacker-controlled packages with access to AXVAULT, PERPLEXITY_API_KEY, and the write-scoped token. This is a supply-chain/secrets-exfil path that only requires a malicious branch PR in the base repo. Mitigate by running npx before checkout or forcing a safe npm config (e.g., set NPM_CONFIG_USERCONFIG to a trusted file or delete .npmrc before invoking npx).
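A hardened sketch of the workflow discussed in this thread, as an added example (it is not the PR's actual `pr-review-axrun.yml`): it applies the concurrency group suggested in the Gemini review above and the install-before-checkout ordering Codex recommends. The `axrun` invocation, the `permissions` block, the trusted `.npmrc` path under `runner.temp`, and the read-only checkout options are assumptions, not values taken from the project.

```yaml
# Added example, not the project's real workflow. Ordering is the point:
# the agent CLI is installed while the workspace is still empty, so npx
# cannot read a .npmrc, package.json or node_modules supplied by the PR.
name: PR review (axrun)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# One group per PR: a new push cancels the whole in-progress matrix.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Assumed: only what posting a review comment needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    # Skip forks: pull_request_target exposes base-repo secrets to this job.
    if: github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - { agent: claude,  display_name: Claude }
          - { agent: gemini,  display_name: Gemini }
          - { agent: codex,   display_name: Codex }
          - { agent: copilot, display_name: Copilot }
    env:
      # npm reads user config from this path (assumed location); a repo-local
      # .npmrc checked out later cannot override the registry it pins.
      NPM_CONFIG_USERCONFIG: ${{ runner.temp }}/trusted.npmrc
    steps:
      - name: Write trusted npm config
        run: printf 'registry=https://registry.npmjs.org/\n' > "$NPM_CONFIG_USERCONFIG"

      # Runs before checkout, from an empty workspace. In practice pin the
      # package version (axinstall@<version>) rather than taking latest.
      - name: Install ${{ matrix.agent }}
        run: npx -y axinstall ${{ matrix.agent }} --with npm

      # Only now bring in the PR content, without leaving a token on disk.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Run ${{ matrix.display_name }} review
        env:
          AXVAULT: ${{ secrets.AXVAULT }}
        # The prompt lives in the workflow file, so the PR author cannot edit
        # the agent's instructions. Command-line shape is illustrative only.
        run: axrun ${{ matrix.agent }} --prompt "Review this pull request for correctness and security issues."
```

The remaining exposure is the review step itself, which reads PR-controlled files with base-repo secrets in its environment; keeping the job's `permissions` minimal and the checkout credential-free limits what a prompt-injected agent could do with them.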
🎉 This PR is included in version 1.1.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
Summary
- `pr-review-axrun.yml` with embedded prompt and matrix strategy
- Supported agents: Claude, Gemini, Codex, Copilot