ask to review #8
The PR title "ask to review" is non-descriptive and should be updated to clearly state the intent, such as "ci: update Cassandra review permissions and security constraints." Overall, great work on hardening the CI workflow against external PRs.
anysoftkeyboard-bot
left a comment
While the repository check for forks is a positive security improvement, the use of a classic Personal Access Token (PAT) instead of GITHUB_TOKEN requires clarification due to security implications, and the PR title needs to be more descriptive.
```yaml
- name: Run Cassandra AI Review
  uses: menny/cassandra@v0.2.0
  with:
    reviewer_github_token: ${{ secrets.AI_CODE_REVIEW_GH_TOKEN }}
```
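Review bot: the action is pinned to the mutable tag `v0.2.0` on the `uses: menny/cassandra@v0.2.0` line, yet it receives a repository token through `reviewer_github_token`; pin it to a full-length commit SHA (keeping the tag in a trailing comment) so that a moved or re-pushed tag cannot silently change the code that handles that token.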
We are introducing a classic Personal Access Token (PAT) via secrets.AI_CODE_REVIEW_GH_TOKEN. Unless this specific action requires a PAT to trigger subsequent workflows (which the default GITHUB_TOKEN cannot do) or to bypass specific API limitations, we should prefer secrets.GITHUB_TOKEN. Classic PATs are long-lived and often over-privileged compared to the short-lived, repo-scoped default token.
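As an added example (not the project's workflow and not the bot's suggestion verbatim), the review job from this PR rewritten to use the default short-lived token together with an explicit least-privilege `permissions` block and a `pull_request` trigger. It assumes the action accepts `GITHUB_TOKEN` for `reviewer_github_token` and that its other inputs (such as the Gemini key) are passed exactly as in the existing workflow.

```yaml
# Added example, not the project's own workflow file.
# Assumption: menny/cassandra accepts the default GITHUB_TOKEN for
# reviewer_github_token. If it genuinely needs a PAT (e.g. to trigger
# follow-on workflows), use a fine-grained token scoped to this repository
# and document the reason next to the secret.
name: Cassandra AI Review

on:
  pull_request:          # not pull_request_target: fork code never runs with secrets
    types: [opened, synchronize, reopened]

# Deny everything at the workflow level; each job opts in to what it needs.
permissions: {}

jobs:
  review:
    name: Cassandra Review
    runs-on: ubuntu-latest
    # Skip fork PRs: repository secrets such as GEMINI_API_KEY are unavailable there.
    if: github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read         # read the code under review
      pull-requests: write   # post the review comments
    steps:
      - uses: actions/checkout@v4
      - name: Run Cassandra AI Review
        uses: menny/cassandra@v0.2.0   # prefer pinning to a full commit SHA
        with:
          reviewer_github_token: ${{ secrets.GITHUB_TOKEN }}
          # other inputs the action needs (e.g. the Gemini key) go here as before
```

The `permissions` block is what makes the default token "repo-scoped" in practice: without it, the token inherits the repository's default permissions, which may be broader than the two scopes this job actually uses.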
```yaml
review:
  name: Cassandra Review
  runs-on: ubuntu-latest
  if: github.event.pull_request.head.repo.full_name == github.repository
```
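Review bot: the `if:` condition is the only line in this hunk that keeps fork-submitted code away from repository secrets, but nothing explains that; add a comment directly above `if: github.event.pull_request.head.repo.full_name == github.repository` stating that the job is intentionally skipped for fork PRs because secrets are unavailable there, and confirm in the PR description that the workflow trigger (not visible in this hunk) is `pull_request` rather than `pull_request_target`, since under the latter this condition becomes the security boundary rather than a convenience check.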
The addition of the repository check is excellent. This ensures the workflow doesn't trigger on fork PRs where secrets like GEMINI_API_KEY are missing, preventing unnecessary CI failures and improving the resilience of our pipeline.
No description provided.