ci: add automated PR review GitHub Actions workflow #2

Merged
LucienSong merged 2 commits into main from copilot/add-github-actions-pr-review-workflow
Mar 23, 2026

Copilot AI commented Mar 23, 2026

Overview

No .github/workflows/ directory existed — all checks in scripts/pr-review-checks.sh were manual-only with no CI enforcement. This adds a full automated PR review pipeline triggered on pull_request (opened, synchronize, reopened) targeting main.

.github/workflows/pr-review.yml — 9 parallel jobs:

| Job | Check |
| --- | --- |
| format | cargo fmt -- --check |
| lint | cargo clippy -- -D warnings |
| test | cargo test |
| docs | cargo doc --no-deps |
| security-audit | cargo audit |
| build | cargo build --release |
| commit-message-check | Conventional Commits validation on all PR commits |
| pr-description-check | Enforces non-empty PR body with an overview section |
| summary | Gate job for branch protection rules |

All Rust jobs skip gracefully when Cargo.toml is absent. Includes concurrency cancel-on-push, actions/cache@v4 for Cargo, and minimal GITHUB_TOKEN permissions (contents: read globally; {} on non-checkout jobs).

.github/pull_request_template.md — standard GitHub-recognized template filename (distinct from the existing PR_REVIEW_TEMPLATE.md reference doc); auto-populates new PR descriptions with Overview, Type of Change, Checklist, Related Issues, and Additional Notes sections.

scripts/pr-review-checks.sh — header comment added noting it mirrors the Actions workflow and can be used locally for pre-push validation.

Type of Change

  • Bug Fix
  • New Feature
  • Documentation Update
  • Refactor
  • Other (please specify): CI/CD automation

Checklist

  • Code follows the project's style guidelines (cargo fmt passes)
  • No Clippy warnings (cargo clippy -- -D warnings passes)
  • Unit tests have been added or modified (cargo test passes)
  • Documentation has been updated (cargo doc --no-deps passes)
  • No sensitive information (keys, secrets, PII) is exposed
  • Commit messages follow the conventional commit format (e.g., feat:, fix:, chore:)

Related Issues

Additional Notes

CodeQL missing-workflow-permissions alerts were resolved by setting permissions: contents: read at workflow level and permissions: {} on jobs that don't need repository access (pr-description-check, summary).

Original prompt

Background

The repository currently has several static PR review documents and a manual shell script, but no GitHub Actions workflow to automatically trigger reviews when a PR is opened or updated.

Existing files:

  • .github/PR_REVIEW_TEMPLATE.md — static PR review template (manual checklist)
  • .github/REVIEW_CHECKLIST.md — review checklist reference document
  • .github/RUST_CRYPTO_REVIEW.md — Rust and cryptography review guidelines
  • .github/CODEOWNERS — code owners (@LucienSong)
  • scripts/pr-review-checks.sh — local shell script that runs cargo fmt/clippy/test/doc/audit/build, but is never automatically triggered

Problem

There is no .github/workflows/ directory and no CI/CD automation. The scripts/pr-review-checks.sh script must be run manually. We need an automated workflow.

Requirements

1. Create .github/workflows/pr-review.yml

A GitHub Actions workflow that triggers on pull_request events (opened, synchronize, reopened) targeting the main branch. It should run the following checks as separate jobs or well-organized steps:

a. Formatting Check

  • Run cargo fmt -- --check to verify code formatting

b. Lint Check

  • Run cargo clippy -- -D warnings to catch common mistakes and enforce best practices

c. Tests

  • Run cargo test to execute all unit and integration tests

d. Documentation Build

  • Run cargo doc --no-deps to verify documentation builds successfully

e. Security Audit

  • Install and run cargo audit to check for known vulnerabilities in dependencies

f. Build Verification

  • Run cargo build --release to verify the release build succeeds

g. Commit Message Check

  • Validate that PR commit messages follow conventional commit format (e.g., feat:, fix:, chore:, docs:, refactor:, test:, ci:)

h. PR Description Check

  • Verify the PR body is not empty and contains meaningful content (e.g., minimum length check, or checks for required sections like "Overview")

Workflow configuration details:

  • Use ubuntu-latest runner
  • Install the stable Rust toolchain with clippy and rustfmt components
  • Use appropriate caching for Cargo dependencies (e.g., actions/cache or Swatinem/rust-cache)
  • Each major check should be a separate job so they can run in parallel and failures are clearly visible
  • Add a final summary job that depends on all check jobs (for branch protection rules)

2. Create .github/pull_request_template.md

A standard GitHub pull request template file (this is the filename GitHub automatically recognizes, different from the existing PR_REVIEW_TEMPLATE.md which is just a reference document). When someone creates a new PR, GitHub will auto-populate the PR description with this template.

The template should include:

  • Overview/Description section
  • Type of Change checkboxes (Bug Fix, New Feature, Documentation Update, Refactor, Other)
  • Checklist items aligned with the REVIEW_CHECKLIST.md:
    • Code follows style guidelines
    • Unit tests added/modified
    • Documentation updated
    • No sensitive information exposed
    • Commit messages follow conventional format
  • Related Issues section
  • Additional Notes section

3. Update scripts/pr-review-checks.sh

Add a header comment explaining that this script is now also run automatically via GitHub Actions, but can still be used locally for pre-push checks. No functional changes needed to the script itself.

Important Notes

  • The project is a Rust project (uses Cargo)
  • Keep the workflow file clean, well-commented, and easy to maintain
  • Make sure the workflow handles the case where Cargo.toml / Cargo.lock might not exist yet (the repo is still in early stages) — consider adding a check or making certain steps conditional
  • Reference the existing review documents in comments where appropriate

The following is the prior conversation context from the user's chat exploration (may be truncated):

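User: Looking at the automated PR review scripts and docs created for the project, they seem incomplete and aren't what I want. I want a review script that triggers automatically whenever a PR is submitted or modified.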

Assistant:

Let me first look at the existing automation scripts and documentation in the repository.

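Assistant: I have looked at all the existing review-related files in the project. Here is an analysis of the current state:

📋 Analysis of existing files

Your repository currently has the following PR review files:

| File | Type | Purpose |
| --- | --- | --- |
| .github/PR_REVIEW_TEMPLATE.md | Static template | PR description template (a manually filled-in checklist) |
| .github/REVIEW_CHECKLIST.md | Static document | Review checklist reference document |
| .github/RUST_CRYPTO_REVIEW.md | Static document | Rust and cryptography review guidelines |
| .github/CODEOWNERS | Configuration | Code owners (@LucienSong) |
| scripts/pr-review-checks.sh | Shell script | Check script run locally (fmt/clippy/test/audit/build) |

❌ What is missing?

You are right, the key missing piece is a GitHub Actions workflow file (.github/workflows/*.yml). Currently:

  1. scripts/pr-review-checks.sh is only a local script run by hand; it is not triggered automatically when a PR is submitted or modified
  2. There is no .github/workflows/ directory, so there is no CI/CD automation at all
  3. The three .md files are only static documents and take no part in any automated process

✅ What you need

A GitHub Actions workflow that triggers automatically when a PR is submitted (opened) or modified (synchronize) and runs the full set of review checks.


Would you like me to create a PR that adds a complete automated PR review workflow? It would include: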

  1. **`.github/workflows/pr-review.yml...

This pull request was created from Copilot chat.
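
A sketch of the workflow shape described in the comment above, added here as an example and not the repository's actual pr-review.yml. Job names follow the table; the step bodies, the concurrency group name and the overview grep are assumptions.

```yaml
# Added sketch; not the repository's pr-review.yml. Step bodies are assumptions.
name: PR Review
on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches: [main]

concurrency:            # cancel superseded runs when the PR branch is pushed again
  group: pr-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:            # workflow default: token can only read repository contents
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Clippy (skips when Cargo.toml is absent)
        run: |
          if [ ! -f Cargo.toml ]; then echo "No Cargo.toml, skipping"; exit 0; fi
          rustup component add clippy
          cargo clippy -- -D warnings

  pr-description-check:
    runs-on: ubuntu-latest
    permissions: {}     # no checkout, so the token gets no scopes
    steps:
      - name: Require a non-empty body with an overview section
        env:
          # Untrusted PR text is passed via env, not expanded into the script.
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          [ -n "$PR_BODY" ] || { echo "PR body is empty"; exit 1; }
          printf '%s' "$PR_BODY" | grep -qi 'overview' || { echo "No overview section"; exit 1; }

  summary:
    runs-on: ubuntu-latest
    needs: [lint, pr-description-check]
    if: always()        # run even when a needed job failed, so the gate reports it
    permissions: {}
    steps:
      - name: Fail if any required job failed or was cancelled
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1
```

Only the summary job needs to be listed as a required status check in branch protection, since it fails whenever any job it depends on fails or is cancelled.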



Copilot AI changed the title [WIP] Add GitHub Actions workflow for automated PR reviews ci: add automated PR review GitHub Actions workflow Mar 23, 2026
Copilot AI requested a review from LucienSong March 23, 2026 01:31
@LucienSong LucienSong marked this pull request as ready for review March 23, 2026 01:48
@LucienSong LucienSong merged commit 0ff0b59 into main Mar 23, 2026
8 of 9 checks passed
LucienSong added a commit to LucienSong/shell-chain that referenced this pull request Mar 25, 2026
…s-pr-review-workflow

ci: add automated PR review GitHub Actions workflow