|
| 1 | +# Engineer Bot — follow-up. |
| 2 | +# |
| 3 | +# When someone replies to a review thread on a PR carrying the `engineer-bot` |
| 4 | +# label (or the label is applied), the bot re-evaluates the open threads in |
| 5 | +# catch-up mode, applies a fixup (or replies / marks blocked), and pushes to the |
| 6 | +# PR branch. Driven by this repo's .bot/ prompts. |
| 7 | +# |
| 8 | +# Like the author, this builds/runs the product (setup-poetry). Shared setup |
| 9 | +# (tokens + Node + engine install, PAT-free via an engine-scoped App token) is in |
| 10 | +# the local ./.github/actions/bot-prelude composite; this file owns checkout, |
| 11 | +# setup-poetry, and the followup run. Engine installed in REF mode pinned to a SHA. |
| 12 | +# |
| 13 | +# The gate below is the canonical label-gated form copied verbatim from the |
| 14 | +# engine dogfood (the single source of truth). It ANDs with the engine-side |
| 15 | +# floor; do not weaken it. |
| 16 | +name: Engineer Bot — Follow-up |
| 17 | + |
| 18 | +on: |
| 19 | + pull_request_review_comment: |
| 20 | + types: [created] |
| 21 | + # `engineer-bot` label applied → catch-up over pre-existing review threads. |
| 22 | + pull_request: |
| 23 | + types: [labeled] |
| 24 | + |
| 25 | +permissions: |
| 26 | + contents: write # push fixup commits to the PR branch |
| 27 | + pull-requests: write # post inline replies |
| 28 | + id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install |
| 29 | + |
| 30 | +jobs: |
| 31 | + followup: |
| 32 | + # SECURITY + scope (CANONICAL label-gated model — verbatim from the engine): |
| 33 | + # - skip fork PRs — keep the model + App token out of untrusted code's reach; |
| 34 | + # - operate only on non-fork OPEN PRs carrying the `engineer-bot` label |
| 35 | + # (maintainer-applied opt-in; label requires triage+); |
| 36 | + # - comment path: trusted commenters only (OWNER/MEMBER/COLLABORATOR, or a |
| 37 | + # bot — reviewer-bot/Copilot), never the engineer-bot's own comments, and |
| 38 | + # never a reviewer-bot reconcile loopback; |
| 39 | + # - labeled path: the `engineer-bot` label was just applied by a human. |
| 40 | + if: >- |
| 41 | + github.event.pull_request.head.repo.fork == false |
| 42 | + && github.event.pull_request.state == 'open' |
| 43 | + && ( |
| 44 | + ( |
| 45 | + github.event_name == 'pull_request_review_comment' |
| 46 | + && contains(github.event.pull_request.labels.*.name, 'engineer-bot') |
| 47 | + && !startsWith(github.event.comment.user.login, 'peco-engineer-bot') |
| 48 | + && !contains(github.event.comment.body, '<!-- pr-review-bot:v1 reconcile -->') |
| 49 | + && ( |
| 50 | + contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) |
| 51 | + || ( |
| 52 | + github.event.comment.user.type == 'Bot' |
| 53 | + && ( |
| 54 | + startsWith(github.event.comment.user.login, 'peco-review-bot') |
| 55 | + || startsWith(github.event.comment.user.login, 'Copilot') |
| 56 | + || startsWith(github.event.comment.user.login, 'copilot') |
| 57 | + ) |
| 58 | + ) |
| 59 | + ) |
| 60 | + ) |
| 61 | + || ( |
| 62 | + github.event_name == 'pull_request' |
| 63 | + && github.event.action == 'labeled' |
| 64 | + && github.event.label.name == 'engineer-bot' |
| 65 | + && github.event.sender.type != 'Bot' |
| 66 | + && !startsWith(github.event.sender.login, 'peco-engineer-bot') |
| 67 | + ) |
| 68 | + ) |
| 69 | + environment: azure-prod # DATABRICKS_HOST / DATABRICKS_TOKEN live here |
| 70 | + runs-on: |
| 71 | + group: databricks-protected-runner-group |
| 72 | + labels: [linux-ubuntu-latest] |
| 73 | + timeout-minutes: 30 |
| 74 | + concurrency: |
| 75 | + group: engineer-bot-followup-pr-${{ github.event.pull_request.number }} |
| 76 | + cancel-in-progress: false |
| 77 | + steps: |
| 78 | + # Checkout FIRST (remote action) so the local `./` composites resolve. |
| 79 | + # Check out the PR head BRANCH (not the merge ref) so fixups push back to |
| 80 | + # it. persist-credentials:false; the run step below sets an authenticated |
| 81 | + # push remote from the minted App token. |
| 82 | + - name: Checkout PR head branch |
| 83 | + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
| 84 | + with: |
| 85 | + ref: ${{ github.event.pull_request.head.ref }} |
| 86 | + fetch-depth: 0 |
| 87 | + persist-credentials: false |
| 88 | + |
| 89 | + # Python + connector deps via the repo's OWN setup-poetry action (JFrog |
| 90 | + # mirror + poetry lock + install) — egress-safe, tolerates a stale lock. |
| 91 | + # The agent runs `poetry run python -m pytest tests/unit` to verify fixups. |
| 92 | + - name: Setup Poetry + connector deps (for pytest self-verify) |
| 93 | + uses: ./.github/actions/setup-poetry |
| 94 | + with: |
| 95 | + python-version: '3.11' |
| 96 | + |
| 97 | + # Shared prelude: mint the engineer-bot token (pushes fixup commits, posts |
| 98 | + # replies) + the engine-scoped token, set up Node, install the engine. |
| 99 | + - name: Bot prelude (tokens + Node + engine install) |
| 100 | + id: prelude |
| 101 | + uses: ./.github/actions/bot-prelude |
| 102 | + with: |
| 103 | + app-id: ${{ secrets.ENGINEER_BOT_APP_ID }} |
| 104 | + private-key: ${{ secrets.ENGINEER_BOT_APP_PRIVATE_KEY }} |
| 105 | + # Engine pin lives in ONE place: bot-prelude's `engine-ref` default. |
| 106 | + # Bump it there to move all four bots in lockstep; override here only |
| 107 | + # to run this workflow against a different engine commit. |
| 108 | + |
| 109 | + # Run the follow-up. Inlines the engine's bot-run env contract for |
| 110 | + # engineer:followup, plus the authenticated push remote bot-run would set |
| 111 | + # up (followup pushes fixup commits via a plain `git push`, which doesn't |
| 112 | + # consult GH_TOKEN; the checkout is persist-credentials:false). |
| 113 | + - name: Run engineer follow-up (catch-up over all unaddressed threads) |
| 114 | + env: |
| 115 | + GH_TOKEN: ${{ steps.prelude.outputs.token }} |
| 116 | + GITHUB_REPOSITORY: ${{ github.repository }} |
| 117 | + PR_NUMBER: ${{ github.event.pull_request.number }} |
| 118 | + HEAD_SHA: ${{ github.event.pull_request.head.sha }} |
| 119 | + HEAD_BRANCH: ${{ github.event.pull_request.head.ref }} |
| 120 | + PR_TITLE: ${{ github.event.pull_request.title }} |
| 121 | + PR_URL: ${{ github.event.pull_request.html_url }} |
| 122 | + TRIGGER_COMMENT_ID: ${{ github.event.comment.id }} |
| 123 | + MODEL_ENDPOINT: https://${{ secrets.DATABRICKS_HOST }}/serving-endpoints/databricks-claude-opus-4-8/invocations |
| 124 | + DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} |
| 125 | + RUNNER_TEMP: ${{ runner.temp }} |
| 126 | + # The agent's working tree AND the .bot/ lookup root. run.py resolves |
| 127 | + # the config at <REPO_ROOT>/.bot/config.yaml. The engine has NO path |
| 128 | + # default — it fails with a clear error if this is unset — so it MUST be |
| 129 | + # set (we check out at the workspace root, not the driver-repo layout's |
| 130 | + # `internal-repo/`). (`TEST_REPO_ROOT` is the deprecated alias.) |
| 131 | + REPO_ROOT: ${{ github.workspace }} |
| 132 | + run: | |
| 133 | + git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" |
| 134 | + python -m databricks_bot_engine.engineer_bot.run --phase followup \ |
| 135 | + --system-prompt "$GITHUB_WORKSPACE/.bot/prompts/engineer-followup/system.md" |
0 commit comments