gha: Add docker cagent PR reviewer workflows#7014
Conversation
Codecov Report: ✅ All modified and coverable lines are covered by tests.
| review: | ||
| if: | | ||
| (github.event_name == 'issue_comment' && | ||
| github.event.comment.user.login != 'docker-agent' && | ||
| github.event.comment.user.login != 'docker-agent[bot]' && | ||
| github.event.comment.user.type != 'Bot' && | ||
| !contains(github.event.comment.body, '<!-- cagent-review -->') && | ||
| !contains(github.event.comment.body, '<!-- cagent-review-reply -->')) || | ||
| github.event.workflow_run.conclusion == 'success' | ||
| uses: docker/cagent-action/.github/workflows/review-pr.yml@3f5dc9969f307d3c76acb7e9ccaefdd96bd62f4b # v1.5.4 |
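Review bot: The comment-author and marker filters in the `if:` (the `user.login != 'docker-agent'`, `user.type != 'Bot'` and `!contains(..., '<!-- cagent-review -->')` clauses) duplicate guards that the reusable `review-pr.yml` workflow already applies, as the thread below notes; either drop them or add a comment stating that the outer guard is intentional, so the two copies do not drift apart. Pinning `uses:` to a full commit SHA with `# v1.5.4` alongside is the right shape for a third-party reusable workflow; keep that version comment in sync whenever the SHA is bumped.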
Makes me wonder if these kinds of conditions could be handled by the action itself, but I guess that's a chicken-and-egg case (the action would always run, but then only to find it didn't have to run) 🤔
They are, you don't need to include them.
I don't know why the readme says they're necessary again, I've removed them before
Ah! So they can all be removed, or are there still some that should be kept?
FWIW, I was wondering if we wanted to advertise this action to our users, and to add a section in our docs? I know we have a section on our other actions (so I was searching to see if we did for this one as well): https://docs.docker.com/build/ci/github-actions/
Not yet, the plan is to move most of it into the agentic platform, then slim this down into something less complex for users
thaJeztah left a comment:
LGTM
do we need someone else to give it a second glance?
Perhaps @crazy-max wants to take a look?
Hmm, don't we have a zizmor check here? I see it complains about it on moby; moby/moby#52727 (comment)
No, I don't think we have it here (we should add it though)
| issues: write # Create security incident issues if secrets detected | ||
| checks: write # (Optional) Show review progress as a check run | ||
| id-token: write # Required for OIDC authentication to AWS Secrets Manager | ||
| actions: read # Download artifacts from trigger workflow |
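Review bot: `id-token: write` should be dropped unless this job actually exchanges an OIDC token with AWS Secrets Manager, which the inline comment gives as its only purpose; a reviewer in the thread notes this block is only necessary on a private repo, and on a public repo an unused `id-token: write` only widens what any step in the job can mint. The same applies to `issues: write` and `checks: write`: keep each write scope only while the feature it is commented as serving (secret-incident issues, check-run progress) is actually enabled.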
only necessary on private repo but doesn't hurt to keep it
Yes, it would be nice to have zizmor set up here; I'm not yet sure of the impact, especially
Edit: Ah, I didn't read moby/moby#52727 (comment), but yeah, this is by design
Is that something we need to review before merging this? Looks like a similar flow is already running in docker/compose: https://github.com/docker/compose/blob/7eeb7de7a20b8d1e3e319e1499ae4b62d6fc2af9/.github/workflows/pr-review.yml#L5-L17
FWIW, this idiom is described in GitHub's
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Based on https://github.com/docker/cagent-action/blob/main/review-pr/README.md