66 changes: 66 additions & 0 deletions .github/workflows/pr-review.yml
@@ -0,0 +1,66 @@
name: Auto PR Review

on:
pull_request:
types: [opened, synchronize]
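Review bot: there is no `permissions:` block, so whether the `createComment` and `addLabels` calls further down can write at all depends on the repository's default `GITHUB_TOKEN` setting, and on a `pull_request` event raised from a fork the token is read-only regardless, so fork PRs (the ones an owner most wants flagged) get neither the comment nor the label and the step dies with a 403. Declare least privilege explicitly at the top of the workflow, `permissions:` with `contents: read`, `issues: write` and `pull-requests: write`, and decide deliberately whether fork PRs are in scope: `pull_request_target` would supply a write token and is tolerable here only because no step checks out or executes PR code, which must remain true if anything is ever added to this job.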
Collaborator

The synchronize event fires on every push to the PR branch. Both steps below will create new comments each time, which can spam the PR. Consider checking for an existing bot comment and updating it instead of creating a new one.


jobs:
review-check:
runs-on: ubuntu-latest
steps:
- name: Check high-risk patterns
uses: actions/github-script@v7
with:
script: |
const { data: files } = await github.rest.pulls.listFiles({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.pull_request.number,
});

const highRiskPatterns = [
/webhook/i,
/auth/i,
/token/i,
/secret/i,
/\.env/,
/openclaw\.plugin\.json/,
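Review bot: `pulls.listFiles` at the top of the script returns only the first page (30 files by default, at most 100 with `per_page`), so in a PR with more files than that the remainder is never scanned and a change to a token- or auth-related file can ride through unflagged; use `const files = await github.paginate(github.rest.pulls.listFiles, { ...context.repo, pull_number: context.payload.pull_request.number })`, which returns the full array. Separately, `uses: actions/github-script@v7` is a floating major tag; for a workflow meant to gate high-risk changes, pin the action to a full commit SHA (with the tag in a trailing comment) so a retagged or compromised release cannot alter the check.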
Collaborator


These patterns are quite broad. For example, /auth/i will match filenames containing "author", "authorization-docs", etc. Consider using word-boundary anchors like /\bauth\b/i to reduce false positives.

];

const riskFiles = [];
for (const file of files) {
for (const pattern of highRiskPatterns) {
if (pattern.test(file.filename) || pattern.test(file.patch || '')) {
riskFiles.push(`⚠️ ${file.filename} — matches: ${pattern}`);
break;
}
}
}

if (riskFiles.length > 0) {
const body = `## 🔴 HIGH-RISK PR 检测\n\n此 PR 涉及敏感模块,**必须人工 review**:\n\n${riskFiles.join('\n')}\n\n请 repo owner 审核后再 merge。`;
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: body,
});

await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: ['high-risk'],
});
}

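Review bot: the block starting at `if (riskFiles.length > 0)` only comments and labels; nothing fails the job, so the "must be reviewed by a human" instruction in the comment body is enforced by nothing and the PR stays mergeable by anyone with write access, label or not. Back the label with a branch-protection rule (require review from code owners, with a CODEOWNERS entry covering these paths), or at least call `core.setFailed('high-risk files need owner review')` after `addLabels` so the check shows red until an owner has looked. Also, `pattern.test(file.patch || '')` silently degrades to a filename-only check for files whose `patch` the API omits (binary or oversized diffs); treat a missing `patch` as a reason to flag the file rather than to skip its contents.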
Collaborator


This checklist is posted unconditionally on every PR event. Two issues: (1) it creates duplicate comments on each push, and (2) the checklist items are not always relevant (e.g., doc-only PRs). Consider deduplicating and/or making this conditional based on changed file types.

- name: Remind review needed
uses: actions/github-script@v7
with:
script: |
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: '📋 **Review Checklist**\n- [ ] 是否涉及 webhook payload 格式变更?\n- [ ] 是否有认证/token 相关改动?\n- [ ] 是否修改了 plugin.json 配置?\n- [ ] 影响范围已评估\n- [ ] 测试覆盖',
});