Merge pull request 'feat/pr-review-workflow' (#35 ) from feat/pr-review-workflow into master

Reviewed-on: #35
fix: harden pr-review workflow — secret redaction, log safety, auth header
2026-04-12 23:08:46 +00:00 · 2026-04-12 18:03:17 -05:00 · 2026-04-12 17:40:12 -05:00 · 2026-04-12 17:40:12 -05:00 · 2026-04-12 17:40:12 -05:00 · 2026-04-12 17:40:12 -05:00
4 changed files with 137 additions and 3 deletions
--- a/.gitea/workflows/pr-review.yml
+++ b/.gitea/workflows/pr-review.yml
@ -0,0 +1,134 @@
 name: PR Review Automation
 on:
  pull_request:
    types: [opened, synchronize, reopened, edited]
 concurrency:
  group: pr-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    container:
      image: ubuntu:22.04
      options: --dns 8.8.8.8 --dns 1.1.1.1
    steps:
      - name: Install dependencies
        shell: bash
        run: |
          set -euo pipefail
          apt-get update -qq && apt-get install -y -qq git curl jq
      - name: Checkout code
        shell: bash
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail
          git init
          git remote add origin "https://gogs.tftsr.com/${REPOSITORY}.git"
          git fetch --depth=1 origin ${{ github.head_ref }}
          git checkout FETCH_HEAD
      - name: Get PR diff
        id: diff
        shell: bash
        run: |
          set -euo pipefail
          git fetch origin ${{ github.base_ref }}
          git diff origin/${{ github.base_ref }}..HEAD > /tmp/pr_diff.txt
          echo "diff_size=$(wc -l < /tmp/pr_diff.txt | tr -d ' ')" >> $GITHUB_OUTPUT
      - name: Analyze with Ollama
        id: analyze
        if: steps.diff.outputs.diff_size != '0'
        shell: bash
        env:
          OLLAMA_URL: https://ollama-ui.tftsr.com/ollama/v1
          OLLAMA_API_KEY: ${{ secrets.OLLAMA_API_KEY }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          if grep -q "^Binary files" /tmp/pr_diff.txt; then
            echo "WARNING: Binary file changes detected — they will be excluded from analysis"
          fi
          DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt \
            | grep -v -E '^[+-].*(password[[:space:]]*[=:"'"'"']|token[[:space:]]*[=:"'"'"']|secret[[:space:]]*[=:"'"'"']|api_key[[:space:]]*[=:"'"'"']|private_key[[:space:]]*[=:"'"'"']|Authorization:[[:space:]]|AKIA[A-Z0-9]{16}|xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}|gh[opsu]_[A-Za-z0-9_]{36,}|https?://[^@[:space:]]+:[^@[:space:]]+@)' \
            | grep -v -E '^[+-].*[A-Za-z0-9+/]{40,}={0,2}([^A-Za-z0-9+/=]|$)')
          PROMPT="Analyze the following code changes for correctness, security issues, and best practices. PR Title: ${PR_TITLE}\n\nDiff:\n${DIFF_CONTENT}\n\nProvide a review with: 1) Summary, 2) Bugs/errors, 3) Security issues, 4) Best practices. Give specific comments with suggested fixes."
          BODY=$(jq -cn \
            --arg model "qwen3-coder-next:latest" \
            --arg content "$PROMPT" \
            '{model: $model, messages: [{role: "user", content: $content}], stream: false}')
          echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] PR #${PR_NUMBER} - Calling Ollama API (${#BODY} bytes)..."
          HTTP_CODE=$(curl -s --max-time 120 --connect-timeout 30 \
            --retry 3 --retry-delay 5 --retry-connrefused --retry-max-time 120 \
            -o /tmp/ollama_response.json -w "%{http_code}" \
            -X POST "$OLLAMA_URL/chat/completions" \
            -H "Authorization: Bearer $OLLAMA_API_KEY" \
            -H "Content-Type: application/json" \
            -d "$BODY")
          echo "HTTP status: $HTTP_CODE"
          echo "Response file size: $(wc -c < /tmp/ollama_response.json) bytes"
          if [ "$HTTP_CODE" != "200" ]; then
            echo "ERROR: Ollama returned HTTP $HTTP_CODE"
            cat /tmp/ollama_response.json
            exit 1
          fi
          if ! jq empty /tmp/ollama_response.json 2>/dev/null; then
            echo "ERROR: Invalid JSON response from Ollama"
            cat /tmp/ollama_response.json
            exit 1
          fi
          REVIEW=$(jq -r '.choices[0].message.content // empty' /tmp/ollama_response.json)
          if [ -z "$REVIEW" ]; then
            echo "ERROR: No content in Ollama response"
            exit 1
          fi
          echo "Review length: ${#REVIEW} chars"
          echo "$REVIEW" > /tmp/pr_review.txt
      - name: Post review comment
        if: always() && steps.diff.outputs.diff_size != '0'
        shell: bash
        env:
          TF_TOKEN: ${{ secrets.TFT_GITEA_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail
          if [ -z "${TF_TOKEN:-}" ]; then
            echo "ERROR: TFT_GITEA_TOKEN secret is not set"
            exit 1
          fi
          if [ -f "/tmp/pr_review.txt" ] && [ -s "/tmp/pr_review.txt" ]; then
            REVIEW_BODY=$(head -c 65536 /tmp/pr_review.txt)
            BODY=$(jq -n \
              --arg body "🤖 Automated PR Review:\n\n${REVIEW_BODY}\n\n---\n*this is an automated review from Ollama*" \
              '{body: $body, event: "COMMENT"}')
          else
            BODY=$(jq -n \
              '{body: "⚠️ Automated PR Review could not be completed — Ollama analysis failed or produced no output.", event: "COMMENT"}')
          fi
          HTTP_CODE=$(curl -s --max-time 30 --connect-timeout 10 \
            -o /tmp/review_post_response.json -w "%{http_code}" \
            -X POST "https://gogs.tftsr.com/api/v1/repos/${REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
            -H "Authorization: Bearer $TF_TOKEN" \
            -H "Content-Type: application/json" \
            -d "$BODY")
          echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"
          if [ "$HTTP_CODE" != "200" ] && [ "$HTTP_CODE" != "201" ]; then
            echo "ERROR: Failed to post review (HTTP $HTTP_CODE)"
            cat /tmp/review_post_response.json
            exit 1
          fi
      - name: Cleanup
        if: always()
        shell: bash
        run: rm -f /tmp/pr_diff.txt /tmp/ollama_response.json /tmp/pr_review.txt /tmp/review_post_response.json
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
  "name": "tftsr",
  "private": true,
-  "version": "0.1.0",
+  "version": "0.2.50",
  "type": "module",
  "scripts": {
    "dev": "vite",
--- a/src-tauri/Cargo.toml
+++ b/src-tauri/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "trcaa"
-version = "0.1.0"
+version = "0.2.50"
 edition = "2021"
 [lib]
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@ -1,6 +1,6 @@
 {
  "productName": "Troubleshooting and RCA Assistant",
-  "version": "0.2.49",
+  "version": "0.2.50",
  "identifier": "com.trcaa.app",
  "build": {
    "frontendDist": "../dist",
Author	SHA1	Message	Date
sarman	4fa01ae7ed	Merge pull request 'feat/pr-review-workflow' (#35 ) from feat/pr-review-workflow into master All checks were successful Auto Tag / build-linux-amd64 (push) Successful in 35m33s Details Auto Tag / build-linux-arm64 (push) Successful in 35m41s Details Auto Tag / build-macos-arm64 (push) Successful in 18m31s Details Auto Tag / autotag (push) Successful in 8s Details Auto Tag / wiki-sync (push) Successful in 9s Details Auto Tag / build-windows-amd64 (push) Successful in 14m12s Details Reviewed-on: #35	2026-04-12 23:08:46 +00:00
Shaun Arman	181b9ef734	fix: harden pr-review workflow — secret redaction, log safety, auth header All checks were successful Test / frontend-typecheck (pull_request) Successful in 1m12s Details Test / rust-tests (pull_request) Successful in 27m19s Details Test / rust-fmt-check (pull_request) Successful in 2m35s Details PR Review Automation / review (pull_request) Successful in 3m45s Details Test / rust-clippy (pull_request) Successful in 25m55s Details Test / frontend-tests (pull_request) Successful in 1m10s Details - Replace flawed sed-based redaction with grep -v line-removal covering JS/YAML assignments, Authorization headers, AWS keys (AKIA…), Slack tokens (xox…), GitHub tokens (gh[opsu]_…), URLs with embedded credentials, and long Base64 strings - Add -c flag to jq -n when building Ollama request body (compact JSON) - Remove jq . full response dump to prevent LLM-echoed secrets in logs - Change Gitea API Authorization header from `token` to `Bearer`	2026-04-12 18:03:17 -05:00
Shaun Arman	144a4551f2	fix: revert to two-dot diff — three-dot requires merge base unavailable in shallow clone All checks were successful PR Review Automation / review (pull_request) Successful in 3m46s Details Test / rust-clippy (pull_request) Successful in 19m24s Details Test / frontend-typecheck (pull_request) Successful in 1m15s Details Test / rust-tests (pull_request) Successful in 20m43s Details Test / frontend-tests (pull_request) Successful in 1m13s Details Test / rust-fmt-check (pull_request) Successful in 2m46s Details	2026-04-12 17:40:12 -05:00
Shaun Arman	47b2e824e0	fix: replace github.server_url with hardcoded gogs.tftsr.com for container access	2026-04-12 17:40:12 -05:00
Shaun Arman	82aae00858	fix: resolve AI review false positives and address high/medium issues Root cause of false-positive "critical" errors: - sed pattern was matching api_key/token within YAML variable names (e.g. OLLAMA_API_KEY:) and redacting the ${{ secrets.X }} value, producing mangled syntax that confused the AI reviewer - Fix: use [^$[:space:]] to skip values starting with $ (template expressions and shell variable references) Other fixes: - Replace --retry-all-errors with --retry-connrefused --retry-max-time 120 to avoid wasting retries on unrecoverable 4xx errors - Check HTTP_CODE before jq validation so error messages are meaningful - Add permissions: pull-requests: write to job - Add edited to pull_request.types so title changes trigger re-review - Change git diff .. to git diff ... (three-dot merge-base diff) - Replace hardcoded server/repo URLs with github.server_url and github.repository context variables (portability) - Log review length before posting to detect truncation	2026-04-12 17:40:12 -05:00
Shaun Arman	1a4c6df6c9	fix: harden pr-review workflow — URLs, DNS, correctness and reliability Security: - Replace http://172.0.0.29:3000 git remote with https://gogs.tftsr.com - Replace http://172.0.0.29:3000 Gitea API URL with https://gogs.tftsr.com - Remove internal 172.0.0.29 from container DNS (keep 8.8.8.8, 1.1.1.1) - Move PR_TITLE and PR_NUMBER to env vars to prevent shell injection Correctness: - Fix diff_size comparison from lexicographic > '0' to != '0' - Strip leading whitespace from wc -l output via tr -d ' ' - Switch diff truncation from head -c 20000 to head -n 500 (line-safe) - Add jq empty validation before parsing Ollama response Reliability: - Add --connect-timeout 30 and --retry 3 --retry-delay 5 to Ollama curl - Add --connect-timeout 10 to review POST curl - Change Post review comment to if: always() so it runs on analysis failure - Post explicit failure comment when analysis produces no output	2026-04-12 17:40:12 -05:00
Shaun Arman	2d0f95e9db	fix: configure container DNS to resolve ollama-ui.tftsr.com	2026-04-12 17:40:12 -05:00
Shaun Arman	61cb5db63e	fix: harden pr-review workflow and sync versions to 0.2.50 Workflow changes: - Switch Ollama to https://ollama-ui.tftsr.com/ollama/v1 (OpenAI-compat) with OLLAMA_API_KEY secret — removes hardcoded internal IP - Update endpoint to /chat/completions and response parsing to .choices[0].message.content for OpenAI-compat format - Add concurrency block to prevent racing on same PR number - Add shell: bash + set -euo pipefail to all steps - Add TF_TOKEN presence validation before posting review - Add --max-time 30 and HTTP status check to comment POST curl - Redact common secret patterns from diff before sending to Ollama - Add binary diff warning via grep for "^Binary files" - Add UTC timestamps to Ollama call and review post log lines - Add always-run Cleanup step to remove /tmp artifacts Version consistency: - Sync Cargo.toml and package.json from 0.1.0 to 0.2.50 to match tauri.conf.json	2026-04-12 17:40:12 -05:00
Shaun Arman	44584d6302	fix: restore migration 014, bump version to 0.2.50, harden pr-review workflow - Restore 014_create_ai_providers migration and tests missing due to branch diverging from master before PR #34 merged - Bump version from 0.2.10 to 0.2.50 to match master and avoid regression - Trim diff input to 20 KB to prevent Ollama token overflow - Add --max-time 120 to curl to prevent workflow hanging indefinitely	2026-04-12 17:40:12 -05:00
Shaun Arman	1db1b20762	fix: use bash shell and remove bash-only substring expansion in pr-review	2026-04-12 17:39:45 -05:00
Shaun Arman	8f73a7d017	fix: add diagnostics to identify empty Ollama response root cause	2026-04-12 17:39:45 -05:00
Shaun Arman	5e61d4f550	fix: correct Ollama URL, API endpoint, and JSON construction in pr-review workflow - Fix OLLAMA_URL to point at actual Ollama server (172.0.1.42:11434) - Fix API path from /v1/chat to /api/chat (Ollama native endpoint) - Fix response parsing from OpenAI format to Ollama native (.message.content) - Use jq to safely construct JSON bodies in both Analyze and Post steps - Add HTTP status code check and response body logging for diagnostics	2026-04-12 17:39:45 -05:00
Shaun Arman	d759486b51	fix: add debugging output for Ollamaresponse	2026-04-12 17:39:45 -05:00
Shaun Arman	63a055d4fe	fix: simplified workflow syntax	2026-04-12 17:39:45 -05:00
Shaun Arman	98a0f908d7	fix: use IP addresses for internal services	2026-04-12 17:39:45 -05:00
Shaun Arman	f47dcf69a3	fix: use actions/checkout with token auth and self-hosted runner	2026-04-12 17:39:45 -05:00
Shaun Arman	0b85258e7d	fix: use ubuntu container with git installed	2026-04-12 17:39:45 -05:00
Shaun Arman	8cee1c5655	fix: remove actions/checkout to avoid Node.js dependency	2026-04-12 17:39:45 -05:00
Shaun Arman	de59684432	fix: rename GITEA_TOKEN to TF_TOKEN to comply with naming restrictions	2026-04-12 17:39:45 -05:00
Shaun Arman	849d3176fd	feat: add automated PR review workflow with Ollama AI	2026-04-12 17:39:45 -05:00