From 1a4c6df6c9dfd7e518bc83c767879c9988020460 Mon Sep 17 00:00:00 2001
From: Shaun Arman
Date: Sun, 12 Apr 2026 16:50:12 -0500
Subject: [PATCH] =?UTF-8?q?fix:=20harden=20pr-review=20workflow=20?=
 =?UTF-8?q?=E2=80=94=20URLs,=20DNS,=20correctness=20and=20reliability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Security:
- Replace http://172.0.0.29:3000 git remote with https://gogs.tftsr.com
- Replace http://172.0.0.29:3000 Gitea API URL with https://gogs.tftsr.com
- Remove internal 172.0.0.29 from container DNS (keep 8.8.8.8, 1.1.1.1)
- Move PR_TITLE and PR_NUMBER to env vars to prevent shell injection
Correctness:
- Fix diff_size comparison from lexicographic > '0' to != '0'
- Strip leading whitespace from wc -l output via tr -d ' '
- Switch diff truncation from head -c 20000 to head -n 500 (line-safe)
- Add jq empty validation before parsing Ollama response
Reliability:
- Add --connect-timeout 30 and --retry 3 --retry-delay 5 to Ollama curl
- Add --connect-timeout 10 to review POST curl
- Change Post review comment to if: always() so it runs on analysis failure
- Post explicit failure comment when analysis produces no output
---
 .gitea/workflows/pr-review.yml | 56 ++++++++++++++++++++--------------
 1 file changed, 33 insertions(+), 23 deletions(-)
diff --git a/.gitea/workflows/pr-review.yml b/.gitea/workflows/pr-review.yml
index ff520e8c..58c9afe2 100644
--- a/.gitea/workflows/pr-review.yml
+++ b/.gitea/workflows/pr-review.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 container:
 image: ubuntu:22.04
- options: --dns 172.0.0.29 --dns 8.8.8.8 --dns 1.1.1.1
+ options: --dns 8.8.8.8 --dns 1.1.1.1
 steps:
 - name: Install dependencies
 shell: bash
@@ -26,7 +26,7 @@ jobs:
 run: |
 set -euo pipefail
 git init
- git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
+ git remote add origin https://gogs.tftsr.com/sarman/tftsr-devops_investigation.git
 git fetch --depth=1 origin ${{ github.head_ref }}
 git checkout FETCH_HEAD
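Review bot: `git fetch --depth=1 origin ${{ github.head_ref }}` still splices the source branch name straight into the shell, the same pattern this commit removes for PR_TITLE, and a head ref is chosen by whoever opens the PR rather than by the workflow; pass it through `env:` like the title, `HEAD_REF: ${{ github.head_ref }}` and `git fetch --depth=1 origin "$HEAD_REF"`. The `git fetch origin ${{ github.base_ref }}` and `git diff origin/${{ github.base_ref }}..HEAD` lines in the following hunk have the same shape and would take a `BASE_REF` variable the same way, though a base ref belongs to the target repository and is less exposed. This step's `name:` line and the surrounding `steps:` entry sit above the hunk.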
@@ -37,36 +37,45 @@ jobs:
 set -euo pipefail
 git fetch origin ${{ github.base_ref }}
 git diff origin/${{ github.base_ref }}..HEAD > /tmp/pr_diff.txt
- echo "diff_size=$(wc -l < /tmp/pr_diff.txt)" >> $GITHUB_OUTPUT
+ echo "diff_size=$(wc -l < /tmp/pr_diff.txt | tr -d ' ')" >> $GITHUB_OUTPUT
 - name: Analyze with Ollama
- if: steps.diff.outputs.diff_size > '0'
+ id: analyze
+ if: steps.diff.outputs.diff_size != '0'
 shell: bash
 env:
 OLLAMA_URL: https://ollama-ui.tftsr.com/ollama/v1
 OLLAMA_API_KEY: ${{ secrets.OLLAMA_API_KEY }}
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
 set -euo pipefail
 if grep -q "^Binary files" /tmp/pr_diff.txt; then
 echo "WARNING: Binary file changes detected — they will be excluded from analysis"
 fi
- DIFF_CONTENT=$(head -c 20000 /tmp/pr_diff.txt \
+ DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt \
 | sed -E 's/(password|token|secret|api_key|private_key)[[:space:]]*[=:][[:space:]]*\S+/\1=[REDACTED]/gi')
- PR_TITLE="${{ github.event.pull_request.title }}"
 PROMPT="Analyze the following code changes for correctness, security issues, and best practices. PR Title: ${PR_TITLE}\n\nDiff:\n${DIFF_CONTENT}\n\nProvide a review with: 1) Summary, 2) Bugs/errors, 3) Security issues, 4) Best practices. Give specific comments with suggested fixes."
 BODY=$(jq -n \
 --arg model "qwen3-coder-next:latest" \
 --arg content "$PROMPT" \
 '{model: $model, messages: [{role: "user", content: $content}], stream: false}')
- echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PR #${{ github.event.pull_request.number }} - Calling Ollama API (${#BODY} bytes)..."
- HTTP_CODE=$(curl -s --max-time 120 -o /tmp/ollama_response.json -w "%{http_code}" \
+ echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PR #${PR_NUMBER} - Calling Ollama API (${#BODY} bytes)..."
+ HTTP_CODE=$(curl -s --max-time 120 --connect-timeout 30 \
+ --retry 3 --retry-delay 5 --retry-all-errors \
+ -o /tmp/ollama_response.json -w "%{http_code}" \
 -X POST "$OLLAMA_URL/chat/completions" \
 -H "Authorization: Bearer $OLLAMA_API_KEY" \
 -H "Content-Type: application/json" \
 -d "$BODY")
 echo "HTTP status: $HTTP_CODE"
 echo "Response file size: $(wc -c < /tmp/ollama_response.json) bytes"
- jq . /tmp/ollama_response.json 2>/dev/null || cat /tmp/ollama_response.json
+ if ! jq empty /tmp/ollama_response.json 2>/dev/null; then
+ echo "ERROR: Invalid JSON response from Ollama"
+ cat /tmp/ollama_response.json
+ exit 1
+ fi
+ jq . /tmp/ollama_response.json
 if [ "$HTTP_CODE" != "200" ]; then
 echo "ERROR: Ollama returned HTTP $HTTP_CODE"
 exit 1
@@ -79,7 +88,7 @@ jobs:
 echo "$REVIEW" > /tmp/pr_review.txt
 - name: Post review comment
- if: success()
+ if: always() && steps.diff.outputs.diff_size != '0'
 shell: bash
 env:
 TF_TOKEN: ${{ secrets.TFT_GITEA_TOKEN }}
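Review bot: `head -n 500` bounds the line count but no longer the byte count, so a single very long diff line (a minified asset or a lockfile) can push the Ollama request far past the 20000 bytes the old `head -c` capped; keeping both limits while staying line-safe is `DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt | cut -c -2000 \` ahead of the existing `sed`. The `\n` sequences in the `PROMPT=` line are literal backslash-n under bash double quotes and `jq --arg` escapes them again, so the model receives `\n` as text rather than line breaks; the `--arg body` line in the last hunk has the same construction, and building both strings with `printf '%s\n'` or `$'\n'` fixes it. Both curl calls (this one and the review POST in the last hunk) use `-s`, which also suppresses curl's own transport errors, so a DNS or TLS failure surfaces only as `HTTP 000` with an empty response file; `-sS` keeps the output quiet but still prints the curl error. `--max-time 120` applies per attempt, so with `--retry 3 --retry-delay 5 --retry-all-errors` this call can block for about eight minutes; `--retry-max-time 300` bounds the total. The `run:` block continues past `exit 1` into the next hunk.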
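Review bot: `if: always() && steps.diff.outputs.diff_size != '0'` also fires when the run is cancelled and when an earlier step such as the dependency install failed; in the latter case the diff step was skipped, `steps.diff.outputs.diff_size` is empty (so `!= '0'` holds) and `jq`/`curl` may not be installed, and the step then posts a misleading "analysis failed" comment or dies on a missing command. `if: ${{ !cancelled() && steps.diff.outcome == 'success' && steps.diff.outputs.diff_size != '0' }}` limits the failure comment to the case where a diff was produced and the run was not cancelled; the `${{ }}` wrapper is required because a bare `!` would be read as a YAML tag, and this assumes the runner supports `cancelled()` as GitHub Actions does. The step's `run:` block is in the next hunk.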
@@ -95,20 +104,21 @@ jobs:
 BODY=$(jq -n \
 --arg body "🤖 Automated PR Review:\n\n${REVIEW_BODY}\n\n---\n*this is an automated review from Ollama*" \
 '{body: $body, event: "COMMENT"}')
- HTTP_CODE=$(curl -s --max-time 30 \
- -o /tmp/review_post_response.json -w "%{http_code}" \
- -X POST "http://172.0.0.29:3000/api/v1/repos/sarman/tftsr-devops_investigation/pulls/$PR_NUMBER/reviews" \
- -H "Authorization: token $TF_TOKEN" \
- -H "Content-Type: application/json" \
- -d "$BODY")
- echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"
- if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
- echo "ERROR: Failed to post review (HTTP $HTTP_CODE)"
- cat /tmp/review_post_response.json
- exit 1
- fi
 else
- echo "No review to post"
+ BODY=$(jq -n \
+ '{body: "⚠️ Automated PR Review could not be completed — Ollama analysis failed or produced no output.", event: "COMMENT"}')
+ fi
+ HTTP_CODE=$(curl -s --max-time 30 --connect-timeout 10 \
+ -o /tmp/review_post_response.json -w "%{http_code}" \
+ -X POST "https://gogs.tftsr.com/api/v1/repos/sarman/tftsr-devops_investigation/pulls/$PR_NUMBER/reviews" \
+ -H "Authorization: token $TF_TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "$BODY")
+ echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"
+ if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
+ echo "ERROR: Failed to post review (HTTP $HTTP_CODE)"
+ cat /tmp/review_post_response.json
+ exit 1
 fi
 - name: Cleanup
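Review bot: the failure comment built in the `else` branch carries no diagnostic, so a reader of the PR cannot tell an Ollama HTTP error from an invalid JSON body or an empty `/tmp/pr_review.txt`; since the analysis step now has `id: analyze`, its result can be exported in the previous hunk's `env:` block as `ANALYZE_OUTCOME: ${{ steps.analyze.outcome }}` and fed to this jq call with `--arg outcome "$ANALYZE_OUTCOME"` so the message names the outcome it is reporting. After this commit the review POST is also the only network call without retries, so a transient failure against the new public endpoint drops the comment and fails the step; `--retry 3 --retry-delay 5` would mirror the Ollama call, at the cost of a possible duplicate comment if a response is lost after the server accepted it. The `if [ ... ]` that opens this branch and the `REVIEW_BODY` assignment are above the hunk.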