feat: add reusable cursor-review workflow + centralized assets#1
Merged
Conversation
Extracts the label-triggered multi-model Cursor review out of the private consumer repos (cloud, comfy-cloud-mcp-server) into one shared, versioned reusable workflow so there's a single source of truth and no per-repo drift. - .github/workflows/cursor-review.yml — reusable `workflow_call` workflow. Same job graph as the private original (gate → diff-size → 8-cell panel → judge consolidate → Slack notify). Repo-specific knobs are now inputs: judge_model, diff_size_cap, review_label, diff_excludes, workflows_ref. Secrets: CURSOR_API_KEY (required), SLACK_BOT_TOKEN (optional). - .github/cursor-review/ — the prompts (adversarial / edge-case / judge), extract-findings.py, post-review.py, slack-notify.sh. These are the trusted review logic. The workflow loads them by checking out THIS repo (public, pinned via workflows_ref) rather than git-show'ing them from the consumer's base SHA — a tighter trust boundary (a PR in the consumer repo can't touch what runs) and the thing that ends the copy-drift. - post-review.py / prompts carry the CodeRabbit-style severity categorization (critical/high/medium/low/nit badges + summary table). Validated with actionlint (clean) and py_compile. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Extracts the label-triggered multi-model Cursor review out of the private consumer repos (
cloud,comfy-cloud-mcp-server) into one shared reusable workflow here — single source of truth, no per-repo drift.Why
cursor-review was copy-ported into each consumer repo. The copies drift (e.g. the severity feature landed in
cloudbut notcomfy-cloud-mcp-server, and a verbatim re-copy then failed the consumer's markdown formatter). Centralizing ends that: consumers carry only a thin caller.What's here
.github/workflows/cursor-review.yml— reusableworkflow_callworkflow. Same job graph as the private original: gate → diff-size → 8-cell panel (4 labs × adversarial/edge-case) → judge consolidate → Slack start/complete DMs. Repo-specific knobs are now inputs:judge_model(defaultclaude-opus-4-7-thinking-xhigh)diff_size_cap(default 5000)review_label(defaultcursor-review)diff_excludes(generic default; consumers pass their generated/vendored paths)workflows_ref(which ref of this repo to load assets from)CURSOR_API_KEY(required),SLACK_BOT_TOKEN(optional).github/cursor-review/— the trusted review logic:prompt-adversarial.md,prompt-edge-case.md,prompt-judge.md,extract-findings.py,post-review.py,slack-notify.sh.Trust model (improved)
The private original
git show'd the prompts/scripts from the consumer's base SHA (trusted-but-in-PR-repo). Here the workflow loads them by checking out this repo (public, pinned viaworkflows_ref), so a PR in the consumer repo can't influence what runs at all. The diff under review still comes from the PR head; the logic doesn't.Severity
The bundled
post-review.py+ prompts include the CodeRabbit-style severity categorization (🔴 critical / 🟠 high / 🟡 medium / 🟢 low / ⚪ nit badges + a summary count table), so this is the latest version — it supersedes the in-flight per-repo severity port.Validation
actionlintclean (exit 0);post-review.py/extract-findings.pycompile.Rollout
comfy-cloud-mcp-servermigrates to a thin caller (separate PR, depends on this) and deletes its local copies.cloudmigrates next (follow-up; cloud-team review).v1tag once reviewed so callers can pin to@v1.🤖 Generated with Claude Code