ci(ai-review): add AI review workflow #5
Reviewed .github/workflows/ai-review.yml for workflow correctness and security posture. I found two actionable issues:
- The reusable workflow is referenced by a mutable tag rather than an immutable commit SHA.
- The caller workflow does not declare token permissions, which can cap the called workflow and break review/comment posting in repos configured with read-only defaults.
jobs:
  ai-review:
    uses: jitsucom/github-workflows/.github/workflows/ai-review.yml@1.28.20260529
This uses: pin is a mutable tag. If the upstream tag is moved, this repo will execute different workflow code without any change in this repository. For supply-chain safety and reproducibility, pin to an immutable commit SHA (optionally keep the tag in a comment for readability).
    required: false

jobs:
  ai-review:
Could we add an explicit permissions: block in the caller workflow? In workflow_call, the called workflow permissions are capped by the caller token permissions. If this repo/org default is read-only, the called workflow can fail when it tries to publish commit comments/reviews.
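To make the two review points above checkable before merge, here is an added example (not part of this PR or of jitsucom/github-workflows) that audits a caller workflow for `uses:` references not pinned to a 40-character commit SHA and for a missing top-level `permissions:` block. The "before" text mirrors the diff context above; the "after" text is a constructed hardened version whose SHA is a placeholder and whose `contents: read` / `pull-requests: write` scopes are assumed for illustration, since the exact scopes depend on what the called workflow posts.

```python
import re

# Constructed sample: the caller as the diff shows it (mutable tag, no permissions block).
BEFORE = """\
name: ai-review
on:
  pull_request:
  push:
    branches: [master]
jobs:
  ai-review:
    uses: jitsucom/github-workflows/.github/workflows/ai-review.yml@1.28.20260529
"""

# Constructed hardened version. The SHA is a PLACEHOLDER, not the real commit behind the tag;
# the tag is kept in a trailing comment for readability. Permission scopes are assumed.
AFTER = """\
name: ai-review
on:
  pull_request:
  push:
    branches: [master]
permissions:
  contents: read
  pull-requests: write
jobs:
  ai-review:
    uses: jitsucom/github-workflows/.github/workflows/ai-review.yml@0123456789abcdef0123456789abcdef01234567  # 1.28.20260529
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_uses(workflow: str) -> list[str]:
    """Return each `uses:` reference whose ref after '@' is not a full commit SHA.
    Local (./path) and docker:// references carry no git ref and are skipped."""
    findings = []
    for ref in USES_RE.findall(workflow):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, git_ref = ref.partition("@")
        if not SHA_RE.match(git_ref):
            findings.append(ref)
    return findings

def has_top_level_permissions(workflow: str) -> bool:
    """True when the file declares `permissions:` at column 0 (workflow level)."""
    return re.search(r"^permissions:", workflow, re.MULTILINE) is not None

def audit(workflow: str) -> list[str]:
    """Collect both review findings for one workflow file as human-readable strings."""
    issues = [f"mutable ref: {r}" for r in unpinned_uses(workflow)]
    if not has_top_level_permissions(workflow):
        issues.append("no top-level permissions block")
    return issues

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "clean")
```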
Add the shared AI review workflow (pinned to 1.28.20260529), matching the documented policy for this repo. Runs on every PR and on direct pushes to master.