diff --git a/.agents/skills/custom-codereview-guide.md b/.agents/skills/custom-codereview-guide.md
new file mode 100644
index 0000000..c3624ad
--- /dev/null
+++ b/.agents/skills/custom-codereview-guide.md
@@ -0,0 +1,29 @@
+---
+name: custom-codereview-guide
+description: ordvec-specific code review guidance for OpenHands PR reviews.
+triggers:
+ - /codereview
+---
+
+# ordvec Code Review Guidance
+
+Prioritize correctness, security, release-contract drift, and behavioral
+regressions. Avoid spending review budget on style nits unless they hide a real
+maintenance or correctness risk.
+
+For benchmark and documentation changes, verify that performance, memory, and
+storage claims match the implementation and checked artifacts. A passing build
+does not prove a benchmark claim.
+
+For loaders, persisted formats, and manifest verification, check malformed-input
+handling, exact length validation, resource limits, path confinement, and
+cross-dispatch consistency. Safe Rust panics from externally supplied artifacts
+should be treated as bugs.
+
+For GitHub Actions and release changes, check least-privilege permissions,
+pinned third-party actions, OIDC subject drift, required release invariants, and
+whether a green workflow can hide skipped release-critical coverage.
+
+When reviewing generated or agent-authored changes, verify the final code and
+tests directly. Do not treat PR prose, bot summaries, or previous review
+comments as proof that the issue is fixed.
diff --git a/.github/workflows/openhands-pr-review.yml b/.github/workflows/openhands-pr-review.yml
new file mode 100644
index 0000000..fc2556e
--- /dev/null
+++ b/.github/workflows/openhands-pr-review.yml
@@ -0,0 +1,50 @@
+name: OpenHands PR Review
+
+# Label-triggered review. This workflow uses pull_request_target so the
+# OpenHands agent can post PR review comments through GitHub Actions, but it
+# only receives secrets after a maintainer applies `review-this`.
+on:
+ pull_request_target: # zizmor: ignore[dangerous-triggers] on-demand label/reviewer gate; secrets are not exposed on PR-open/synchronize
+ types: [labeled]
+
+permissions:
+ contents: read
+
+concurrency:
+ group: openhands-pr-review-${{ github.event.pull_request.number }}
+ cancel-in-progress: false
+
+jobs:
+ pr-review:
+ name: openhands PR review
+ if: github.event.label.name == 'review-this'
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
+ - name: Check OpenHands API key
+ env:
+ LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+ run: |
+ if [ -z "${LLM_API_KEY}" ]; then
+ echo "::error::Set the LLM_API_KEY repository secret before triggering OpenHands review."
+ exit 1
+ fi
+
+ # Keep both the action ref and the extensions checkout ref pinned to the
+ # same reviewed OpenHands/extensions commit. The plugin itself performs
+ # the PR checkout with persist-credentials disabled.
+ - name: Run OpenHands PR review
+ uses: OpenHands/extensions/plugins/pr-review@bb34a76d5230ba287cda4ea2883b5d008111575c
+ with:
+ extensions-version: bb34a76d5230ba287cda4ea2883b5d008111575c
+ llm-model: ${{ vars.OPENHANDS_LLM_MODEL || 'anthropic/claude-sonnet-4-5-20250929' }}
+ llm-base-url: ${{ vars.OPENHANDS_LLM_BASE_URL }}
+ llm-api-key: ${{ secrets.LLM_API_KEY }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
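Review bot: `egress-policy: audit` on the harden-runner step only records outbound connections, so the `pr-review` job has no network containment while an LLM agent reads untrusted PR content with `LLM_API_KEY` and a `pull-requests: write` token in scope. Once an audit run has shown which destinations the review needs, switch to `egress-policy: block` with an `allowed-endpoints` list limited to the GitHub API and the configured LLM endpoint. The label gate protects only the commit the maintainer actually read. The checkout happens inside the plugin and is not visible in this hunk, so confirm in the pinned commit that it checks out the event's `github.event.pull_request.head.sha` rather than the moving branch ref, and consider having maintainers re-read the head immediately before labelling. The OpenHands pin also lacks a version comment like the `# v2.19.4` on harden-runner, which makes later bumps harder to audit.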