feat!: reduce the action to a generic prompt runner#55
Conversation
Implements the public-action part of the reviewer revamp (docker/gordon#1258, epic docker/gordon#1253). - remove the review-pr composite action, its agents, evals and workflows - remove Docker-internal auth: setup-credentials (AWS OIDC / GitHub App), the authorization waterfall and the org-membership-token, auth-org and skip-auth inputs; users supply their own API keys - remove reviewer-only src modules; tsup entries reduced to main and signed-commit - drop the deprecated cagent-version output - rewrite release, e2e and version-bump workflows (single-pass dist staging, plain github.token with optional RELEASE_TOKEN) - add a documented reviewer example under examples/reviewer/ - rewrite README, AGENTS.md, SECURITY.md and CONTRIBUTING.md to match BREAKING CHANGE: the review-pr and setup-credentials sub-actions, the reusable review-pr.yml workflow, the org-membership-token, auth-org and skip-auth inputs and the cagent-version output are removed. Consumers pinned to earlier tags are unaffected.
derekmisler
left a comment
There was a problem hiding this comment.
🤖 Automated PR Review — this comment was posted by the pr-reviewer bot, not by a human or the implementer agent
Assessment: 🟡 NEEDS ATTENTION
This PR is a well-structured, internally consistent large deletion. The removal of Docker-internal auth, the review-pr orchestration, and the 16 reviewer modules is clean — no dangling references to removed inputs remain. The new generic runner core looks solid.
Two medium-severity issues were found in new code, both in the added examples/ files and CI workflows:
Issues requiring attention:
-
Shell injection in example workflow —
${{ steps.review.outputs.output-file }}is interpolated directly into therun:shell script rather than passed viaenv:. This is the canonical GitHub Actions injection vector (GitHub Security Lab advisory). The example is copy-pasteable by users, so it sets a bad pattern. -
Silent CI skip on version-bump PRs — When
RELEASE_TOKENis not configured,gh pr createfalls back togithub.token. GitHub's security model preventspull_requestCI workflows from firing on events triggered byGITHUB_TOKEN-authenticated calls. Version-bump PRs will be created but no tests will run, and the PR can be merged without validation.
Additional notes:
gh pr comment(without--edit-last) posts a new comment per push. On multiple pushes the reviewer example accumulates stale comments — behavior that contradicts the README's description.examples/reviewer/agent.yamluses modelclaude-sonnet-4-6, which does not match any publicly documented Anthropic API model identifier (expected pattern:claude-3-5-sonnet-20241022or short alias likeclaude-sonnet-4-5). Users copying this file will get an immediate API error.- The new
release.ymlno longer has the explicitgh api -X DELETEthat previously ran on normal exit (the old code had both a trap for errors and an explicit call on normal exit). Now only theEXITtrap handles cleanup. BashEXITtraps do not fire on SIGKILL (GitHub Actions job cancellation), so a cancelled release run will leak therelease-staging/vX.Y.Zbranch requiring manual deletion.
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| PR_NUMBER: ${{ github.event.pull_request.number }} | ||
| run: gh pr comment "$PR_NUMBER" --body-file "${{ steps.review.outputs.output-file }}" |
There was a problem hiding this comment.
🤖 Automated PR Review — this comment was posted by the pr-reviewer bot, not by a human or the implementer agent
[MEDIUM] Shell injection via direct ${{ }} expression interpolation in run: block
${{ steps.review.outputs.output-file }} is resolved by the GitHub Actions runner and substituted literally into the shell script before bash sees it. A crafted value containing shell metacharacters (;, backticks, $(...)) would be executed as arbitrary shell code — this is the canonical injection vector documented by GitHub Security Lab.
The example is copy-pasteable by users; shipping it with this pattern establishes a bad baseline.
Fix: move the value into an env: variable and reference the variable in the shell:
- name: Post review comment
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
OUTPUT_FILE: ${{ steps.review.outputs.output-file }}
run: gh pr comment "$PR_NUMBER" --body-file "$OUTPUT_FILE"| env: | ||
| GH_TOKEN: ${{ env.GITHUB_APP_TOKEN }} | ||
| # optional PAT so created PRs trigger CI; falls back to github.token | ||
| GH_TOKEN: ${{ secrets.RELEASE_TOKEN || github.token }} |
There was a problem hiding this comment.
🤖 Automated PR Review — this comment was posted by the pr-reviewer bot, not by a human or the implementer agent
[MEDIUM] github.token fallback silently disables CI on auto-generated version-bump PRs
When RELEASE_TOKEN is not configured, gh pr create runs with GH_TOKEN: ${{ secrets.RELEASE_TOKEN || github.token }}. GitHub's security model explicitly prevents pull_request workflow runs from being triggered by events caused by a GITHUB_TOKEN-authenticated API call (to avoid recursive loops). As a result, version-bump PRs created without RELEASE_TOKEN will be created successfully but will skip all CI checks (test.yml, etc.), and can be merged without validation.
The comment on the preceding line acknowledges this ("optional PAT so created PRs trigger CI; falls back to github.token") but provides no warning or failure signal when the fallback is active, so maintainers who don't configure RELEASE_TOKEN will not notice the regression until they look for missing check statuses.
Suggestion: emit a warning in the step output when falling back, e.g.:
if [ -z "${{ secrets.RELEASE_TOKEN }}" ]; then
echo "::warning::RELEASE_TOKEN not set — created PR will not trigger pull_request CI workflows"
fi| anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| skip-summary: false | ||
|
|
||
| - name: Post review comment |
There was a problem hiding this comment.
🤖 Automated PR Review — this comment was posted by the pr-reviewer bot, not by a human or the implementer agent
[LOW] gh pr comment always creates a new comment — stale reviews accumulate on repeated pushes
The workflow triggers on [opened, synchronize, reopened]. gh pr comment (without --edit-last) unconditionally creates a new comment each time. On a PR with five pushes, five separate review comments accumulate and the earlier ones become stale. The example README describes the action as posting "the result as a PR comment" (singular), which users will interpret as update-in-place.
Suggestion: use gh pr comment --edit-last to update the most recent bot comment, or look up and delete the previous bot comment before posting. If --edit-last is used, an initial comment creation can be handled with || gh pr comment "$PR_NUMBER" --body-file "$OUTPUT_FILE" as a fallback.
| models: | ||
| sonnet: | ||
| provider: anthropic | ||
| model: claude-sonnet-4-6 |
There was a problem hiding this comment.
🤖 Automated PR Review — this comment was posted by the pr-reviewer bot, not by a human or the implementer agent
[LOW] Model ID claude-sonnet-4-6 does not match any known Anthropic API identifier
Anthropic model IDs follow documented patterns such as claude-3-5-sonnet-20241022, claude-3-7-sonnet-20250219, or the newer short aliases like claude-sonnet-4-5. The string claude-sonnet-4-6 is not publicly documented. If Docker Agent passes this string verbatim to the Anthropic API, the request will be rejected with a model-not-found error at runtime, giving users a confusing failure on a copy-pasted example.
Suggestion: verify the intended model and update to a currently valid identifier (e.g. claude-sonnet-4-5 if that is what was intended), or clearly mark it as a placeholder that must be replaced before use.
Implements docker/gordon#1258 (part of epic docker/gordon#1253): the public Action is reduced to a generic prompt runner. The reviewer orchestration and all Docker-internal auth are removed; the core runner (pinned docker-agent binary download, prompt execution with retries, output filtering, secret-leak scanning, job summary, verbose-log artifact, optional mcp-gateway) is unchanged. A minimal, documented PR-reviewer example built on the generic runner replaces the full-featured pipeline.
Issue acceptance criteria
src/main,src/securitylibrary,src/signed-commitrelease CLI)review-pr/,.github/actions/, 6 reviewer workflows, 16 reviewersrc/modules,.agents/skill deletedsetup-credentials/(AWS OIDC / GitHub App), the 4-tier authorization waterfall and theorg-membership-token,auth-org,skip-authinputs removed; explicit per-provider API key inputs unchangedexamples/reviewer/: minimal read-only agent YAML, copy-pasteable workflow, README with setup and security notesChanges
action.ymlorg-membership-token,auth-org,skip-authand outputcagent-versionremoved; everything else unchangedsrc/src/main/auth.tsand thesrc/securityCLI (index.ts,check-auth.ts) removed; sanitize-input/output kept as librarymainandsigned-commit;@aws-sdk/*and@octokit/auth-appdependencies droppedrelease.ymlrelease-staging/<version>branch, tag,gh release create --generate-notes;publish-agent,update-self-refsandnotifyjobs removedtest-e2e.ymlupdate-docker-agent-version.yml,test.ymlsetup-credentialsand OIDC permissions removedREADME.md,AGENTS.md,SECURITY.md,CONTRIBUTING.mdrewritten to match the slimmed repoDiffstat: 120 files changed, +422 / -22037.
Breaking changes
review-prandsetup-credentialssub-actions, the reusablereview-pr.ymlworkflow and themention-replyinternal action are removed.org-membership-token,auth-org,skip-authinputs andcagent-versionoutput are removed.Validation
pnpm builddist/contains exactlymain.js,signed-commit.js)pnpm testpnpm test:integrationpnpm lint(biome + tsc + actionlint)actionlintonexamples/reviewer/review-pr.ymlexamples/is outside the default scan path)Notes for reviewers
OPENAI_API_KEY/ANTHROPIC_API_KEYfor e2e tests (replace AWS SSM), optionalRELEASE_TOKENPAT (without it, PRs created by automation do not trigger CI).test-e2e.ymlno longer has a manualworkflow_dispatchtrigger; if a manual knob is wanted for the remaining jobs, it can be added as a follow-up.yolodefaults to true; if a more capable example seems preferable, it can be extended with an explicit warning instead.