durabletask-python/.github/workflows/daily-code-review.yaml at main · microsoft/durabletask-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
name: 🔍 Daily Code Review Agent

on:
  # Run every day at 08:00 UTC
  schedule:
    - cron: "0 8 * * *"
  # Allow manual trigger for testing
  workflow_dispatch:

permissions:
  contents: write
  issues: write
  pull-requests: write

jobs:
  daily-code-review:
    runs-on: ubuntu-latest
    timeout-minutes: 30

    env:
      PYTHON_VER: "3.12"

    steps:
      - name: 📥 Checkout code (full history for better analysis)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: ⚙️ Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VER }}

      - name: 📦 Install dependencies
        run: |
          pip install -e . -e ./durabletask-azuremanaged
          pip install -r dev-requirements.txt

      - name: 🔍 Collect existing work to avoid duplicates
        id: dedup
        run: |
          echo "Fetching open PRs and issues with copilot-finds label..."

          # Get open PRs with copilot-finds label (--limit ensures we don't miss any)
          OPEN_PRS=$(gh pr list \
            --label "copilot-finds" \
            --state open \
            --limit 200 \
            --json title,url,headRefName,files \
            --jq '[.[] | {title: .title, url: .url, branch: .headRefName, files: [.files[].path]}]' \
            2>/dev/null || echo "[]")

          # Get open issues with copilot-finds label
          OPEN_ISSUES=$(gh issue list \
            --label "copilot-finds" \
            --state open \
            --limit 200 \
            --json title,url,body \
            --jq '[.[] | {title: .title, url: .url}]' \
            2>/dev/null || echo "[]")

          # Get recently merged PRs (last 14 days) with copilot-finds label
          # Use jq numeric timestamp comparison (fromdateiso8601) to avoid string/timezone issues
          RECENT_MERGED=$(gh pr list \
            --label "copilot-finds" \
            --state merged \
            --limit 200 \
            --json title,url,mergedAt,files \
            --jq '[.[] | select((.mergedAt | fromdateiso8601) > (now - 14*86400)) | {title: .title, url: .url, files: [.files[].path]}]' \
            2>/dev/null || echo "[]")

          # Get all open PRs by bots
          BOT_PRS=$(gh pr list \
            --author "app/github-actions" \
            --state open \
            --limit 200 \
            --json title,url,headRefName \
            --jq '[.[] | {title: .title, url: .url, branch: .headRefName}]' \
            2>/dev/null || echo "[]")

          # Combine into exclusion context
          EXCLUSION_CONTEXT=$(cat <<DEDUP_EOF
          === EXISTING WORK (DO NOT DUPLICATE) ===

          ## Open PRs with copilot-finds label:
          $OPEN_PRS

          ## Open issues with copilot-finds label:
          $OPEN_ISSUES

          ## Recently merged copilot-finds PRs (last 14 days):
          $RECENT_MERGED

          ## Open PRs by bots:
          $BOT_PRS

          === END EXISTING WORK ===
          DEDUP_EOF
          )

          # Write to file for the agent to read
          echo "$EXCLUSION_CONTEXT" > /tmp/exclusion-context.txt

          echo "Dedup context collected:"
          echo "- Open copilot-finds PRs: $(echo "$OPEN_PRS" | jq 'length')"
          echo "- Open copilot-finds issues: $(echo "$OPEN_ISSUES" | jq 'length')"
          echo "- Recently merged: $(echo "$RECENT_MERGED" | jq 'length')"
          echo "- Bot PRs: $(echo "$BOT_PRS" | jq 'length')"
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}

      - name: ✅ Verify tests pass before analysis
        run: |
          pytest -m "not e2e" --verbose || echo "::warning::Some pre-existing unit test failures detected"

      - name: 🏷️ Ensure copilot-finds label exists
        run: |
          gh label create "copilot-finds" \
            --description "Findings from daily automated code review agent" \
            --color "7057ff" \
            --force
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}

      - name: 🤖 Install GitHub Copilot CLI
        run: npm install -g @github/copilot
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
          GH_TOKEN: ${{ github.token }}

      - name: 🔍 Run Daily Code Review Agent
        run: |
          EXCLUSION_CONTEXT=$(cat /tmp/exclusion-context.txt)
          AGENT_PROMPT=$(cat .github/agents/daily-code-review.agent.md)

          FULL_PROMPT=$(cat <<PROMPT_EOF
          $AGENT_PROMPT

          ---

          ## Pre-loaded Deduplication Context

          The following items are already tracked. DO NOT create PRs that overlap with any of these:

          $EXCLUSION_CONTEXT

          ---

          ## Execution Instructions

          You are running in CI. Today's date is $(date +%Y-%m-%d).
          Repository: ${{ github.repository }}

          Execute the full workflow described above:
          1. Review the deduplication context above
          2. Analyze the codebase for bugs, missing tests, and improvements
          3. Select the single highest-impact finding
          4. Create a branch, make the fix, add tests, verify tests pass, open a PR
          5. Label each PR with "copilot-finds"

          Remember:
          - Only open PRs for findings you are confident about
          - Every PR must include new tests
          - Run "pytest -m 'not e2e' --verbose" and "flake8" before opening each PR
          - If tests fail due to your changes, fix them or skip the finding
          - Maximum 1 PR total
          PROMPT_EOF
          )

          # Security notes on flags:
          # --allow-all-tools: Required for non-interactive CI — CLI would hang waiting for
          #   user confirmation otherwise. Safe here because the prompt is hardcoded (not
          #   sourced from external/untrusted input) and PRs require human review to merge.
          # --allow-all-paths: Required so CLI can read source files for analysis.
          # The GITHUB_TOKEN is repo-scoped and branch protections prevent direct pushes
          # to main. The agent can only create PRs, not merge them.
          EXIT_CODE=0
          timeout --foreground --signal=TERM --kill-after=30s 1200s \
            copilot \
              --prompt "$FULL_PROMPT" \
              --model "claude-opus-4.6" \
              --allow-all-tools \
              --allow-all-paths \
              < /dev/null 2>&1 || EXIT_CODE=$?

          if [ $EXIT_CODE -eq 124 ]; then
            echo "::warning::Agent timed out after 20 minutes"
          elif [ $EXIT_CODE -ne 0 ]; then
            echo "::warning::Agent exited with code $EXIT_CODE"
          fi

          echo "Daily code review agent completed."
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
          GH_TOKEN: ${{ github.token }}
          CI: "true"
          NO_COLOR: "1"