Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/base.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,4 +46,4 @@ jobs:
pip install poetry==1.7.1
poetry install
poetry run pip install pyspark==$SPARK_VERSION
poetry run python -m pytest -s tests --ignore=tests/test_bot.py
poetry run python -m pytest -s tests

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BUG: Removing --ignore=tests/test_bot.py without the corresponding deletion of tests/test_bot.py being reflected in the same commit would cause CI to fail if the file still existed. However, the diff shows tests/test_bot.py IS deleted in this PR, so the ignore removal is correct. The real concern is different: the CI matrix will now attempt to import scripts/issue_bot modules (since test_bot.py no longer exists, this is fine). DISPROVED — no issue here.

tests/test_bot.py is deleted in the same PR diff, so removing --ignore is consistent.

137 changes: 33 additions & 104 deletions .github/workflows/issue-bot.yml
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
name: PyDeequ Bot
name: PyDeequ Bot # load-bearing: auto-approve.yml keys on this exact name
# To upgrade the engine, bump the SHA in BOTH `uses:` and `shadow_ref` below
# (GitHub forbids expressions in `uses:`, so they can't share a variable).

on:
issues:
types: [opened, reopened]
pull_request_target: # Runs base branch code with secrets; safe because bot fetches diff via API, never executes PR code. NEVER add ref: to checkout.
pull_request_target: # base-branch checkout only; never add ref: (see SECURITY A1)
types: [opened, reopened, synchronize]
issue_comment:
types: [created]
Expand All @@ -17,114 +19,41 @@ on:
type: boolean
default: true

# Serialize per issue/PR to prevent duplicate comments
# Union of the reusable workflow's nested-job permissions; a caller must grant
# these or the call fails at startup (each nested job still narrows its own set).
permissions:
contents: read
id-token: write
pull-requests: write
issues: write

# inputs.issue_number fallback: workflow_dispatch has no event PR/issue number.
concurrency:
group: bot-${{ github.event.issue.number || github.event.pull_request.number || inputs.issue_number }}
cancel-in-progress: false

jobs:
analyze:
runs-on: ubuntu-latest
timeout-minutes: 10
shadow:
# Skip bot-authored events and issue_comment on PRs (PR review runs via
# pull_request_target); always run on manual dispatch.
if: >-
(github.event_name == 'workflow_dispatch') ||
(github.actor != 'github-actions[bot]' &&
(github.event.issue.pull_request == null || github.event_name == 'pull_request_target'))
permissions:
contents: read
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1

- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.12"

- name: Install dependencies
run: pip install requests==2.33.1 boto3==1.42.94

- name: Run analysis
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
ISSUE_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number || inputs.issue_number }}
EVENT_TYPE: ${{ github.event_name }}
EVENT_ACTION: ${{ github.event.action }}
EVENT_BEFORE: ${{ github.event.before }}
EVENT_AFTER: ${{ github.event.pull_request.head.sha || github.event.after }}
GITHUB_ACTOR: ${{ github.actor }}
KB_S3_BUCKET: ${{ secrets.KB_S3_BUCKET }}
KB_S3_KEY: ${{ secrets.KB_S3_KEY }}
BEDROCK_MODEL_ID: ${{ secrets.BEDROCK_MODEL_ID }}
GUARDRAIL_ID: ${{ secrets.GUARDRAIL_ID }}
GUARDRAIL_VERSION: ${{ secrets.GUARDRAIL_VERSION }}
SM_ISSUE_CLASSIFY_PROMPT: pydeequ-bot/issue-classify-prompt
SM_ISSUE_RESPOND_PROMPT: pydeequ-bot/issue-respond-prompt
SM_PR_FILE_REVIEW_PROMPT: pydeequ-bot/pr-file-review-prompt
SM_FOLLOWUP_PROMPT: pydeequ-bot/followup-prompt
CODEBASE_SRC_DIR: pydeequ
CODEBASE_FILE_EXT: .py
DRY_RUN: ${{ inputs.dry_run || 'false' }}
ARTIFACT_PATH: ${{ runner.temp }}/bot_result.json
run: python -m issue_bot.main analyze
working-directory: scripts

- name: Upload artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: bot-result
path: ${{ runner.temp }}/bot_result.json
retention-days: 30

act:
runs-on: ubuntu-latest
timeout-minutes: 1
needs: analyze
permissions:
contents: read
issues: write
pull-requests: write

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.12"

- name: Install dependencies
run: pip install requests==2.33.1 boto3==1.42.94

- name: Download artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: bot-result
path: ${{ runner.temp }}

- name: Execute actions
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
ISSUE_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number || inputs.issue_number }}
EVENT_TYPE: ${{ github.event_name }}
EVENT_ACTION: ${{ github.event.action }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
DRY_RUN: ${{ inputs.dry_run || 'false' }}
ARTIFACT_PATH: ${{ runner.temp }}/bot_result.json
run: python -m issue_bot.main act
working-directory: scripts
uses: sudsali/shadow/.github/workflows/shadow-review.yml@54ec94e0ca8c90d9b58ff95a2a06b175a115784e
with:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EDGE_CASE: pr_number: ${{ inputs.issue_number }} is only populated during workflow_dispatch. For issues, pull_request_target, and issue_comment events, inputs.issue_number is empty/null, so pr_number will be passed as an empty string. The reusable workflow must handle this gracefully (e.g., by falling back to the event's own issue/PR number). If the reusable workflow requires a non-empty pr_number, the bot will fail on all non-dispatch triggers.

Line 44: pr_number: ${{ inputs.issue_number }}inputs.* context is only available for workflow_dispatch; for other event types it evaluates to empty string.

pr_number: ${{ inputs.issue_number }}
dry_run: ${{ inputs.dry_run && 'true' || 'false' }}
shadow_ref: 54ec94e0ca8c90d9b58ff95a2a06b175a115784e
aws_region: us-east-1
prompt_sm_prefix: pydeequ-bot
secrets:
AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
GUARDRAIL_ID: ${{ secrets.GUARDRAIL_ID }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EDGE_CASE: BEDROCK_REPORTER_MODEL_ID and BEDROCK_CRITIC_MODEL_ID are passed via ${{ vars.* }} (repository variables) but placed under the secrets: block. GitHub Actions allows passing vars as secret inputs (they're just strings), but if the reusable workflow declares these as secrets with required: true, the workflow will fail at startup if the repository variables are not set. Since these are new inputs not present in the old workflow, they must be configured before merge or the bot will break on every trigger.

Lines 57-58: BEDROCK_REPORTER_MODEL_ID: ${{ vars.BEDROCK_REPORTER_MODEL_ID }} and BEDROCK_CRITIC_MODEL_ID: ${{ vars.BEDROCK_CRITIC_MODEL_ID }} use vars.* context. If the reusable workflow marks these as required secrets and the vars are not configured, the workflow fails.

GUARDRAIL_VERSION: ${{ secrets.GUARDRAIL_VERSION }}
KB_S3_BUCKET: ${{ secrets.KB_S3_BUCKET }}
KB_S3_KEY: ${{ secrets.KB_S3_KEY }}
BEDROCK_MODEL_ID: ${{ secrets.BEDROCK_MODEL_ID }}
BEDROCK_REPORTER_MODEL_ID: ${{ vars.BEDROCK_REPORTER_MODEL_ID }}
BEDROCK_CRITIC_MODEL_ID: ${{ vars.BEDROCK_CRITIC_MODEL_ID }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
2 changes: 0 additions & 2 deletions .github/workflows/update-kb.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ on:
branches: [master]
paths-ignore:
- '.github/workflows/**'
- 'scripts/issue_bot/**'
- 'tests/test_bot.py'
workflow_dispatch:

jobs:
Expand Down
20 changes: 20 additions & 0 deletions .shadow.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Shadow engine config for awslabs/python-deequ.

codebase:
src_dir: pydeequ
file_ext: .py
test_dir: tests
language: python

bot:
name: deequ-bot # not pydeequ-bot: must render the <!-- deequ-bot:clean --> marker auto-approve.yml greps for
attribution: "Reviewed by Shadow · github.com/sudsali/shadow"
escalate_label: needs-human
max_replies: 2
max_runs_per_hour: 20

models:
investigator: us.anthropic.claude-opus-4-7
critic: us.anthropic.claude-opus-4-7
reporter: us.anthropic.claude-haiku-4-5-20251001-v1:0
issue: us.anthropic.claude-sonnet-4-6
1 change: 0 additions & 1 deletion scripts/issue_bot/.gitignore

This file was deleted.

1 change: 0 additions & 1 deletion scripts/issue_bot/__init__.py

This file was deleted.

105 changes: 0 additions & 105 deletions scripts/issue_bot/bedrock_client.py

This file was deleted.

55 changes: 0 additions & 55 deletions scripts/issue_bot/config.py

This file was deleted.

Loading
Loading