feat(bots): onboard reviewer-bot to pinned databricks-bot-engine #10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Engineer Bot — follow-up. | |
| # | |
| # When someone replies to a review thread on a PR carrying the `engineer-bot` | |
| # label (or the label is applied), the bot re-evaluates the open threads in | |
| # catch-up mode, applies a fixup (or replies / marks blocked), and pushes to the | |
| # PR branch. Driven by this repo's .bot/ prompts. | |
| # | |
| # Like the author, this builds/runs the product, so it keeps its own job and | |
| # interleaves `poetry install` before the shared bot-run composite. Consumer | |
| # differences vs the engine dogfood: REF-mode install pinned to an engine SHA, | |
| # authenticated PAT-free by an engine-scoped App token minted below. | |
| # | |
| # The gate below is the canonical label-gated form copied verbatim from the | |
| # engine dogfood (the single source of truth). It ANDs with the engine-side | |
| # floor; do not weaken it. | |
| name: Engineer Bot — Follow-up | |
| on: | |
| pull_request_review_comment: | |
| types: [created] | |
| # `engineer-bot` label applied → catch-up over pre-existing review threads. | |
| pull_request: | |
| types: [labeled] | |
| permissions: | |
| contents: write # push fixup commits to the PR branch | |
| pull-requests: write # post inline replies | |
| id-token: write # JFrog OIDC exchange for the engine/SDK/CLI install | |
| jobs: | |
| followup: | |
| # SECURITY + scope (CANONICAL label-gated model — verbatim from the engine): | |
| # - skip fork PRs — keep the model + App token out of untrusted code's reach; | |
| # - operate only on non-fork OPEN PRs carrying the `engineer-bot` label | |
| # (maintainer-applied opt-in; label requires triage+); | |
| # - comment path: trusted commenters only (OWNER/MEMBER/COLLABORATOR, or a | |
| # bot — reviewer-bot/Copilot), never the engineer-bot's own comments, and | |
| # never a reviewer-bot reconcile loopback; | |
| # - labeled path: the `engineer-bot` label was just applied by a human. | |
| if: >- | |
| github.event.pull_request.head.repo.fork == false | |
| && github.event.pull_request.state == 'open' | |
| && ( | |
| ( | |
| github.event_name == 'pull_request_review_comment' | |
| && contains(github.event.pull_request.labels.*.name, 'engineer-bot') | |
| && !startsWith(github.event.comment.user.login, 'peco-engineer-bot') | |
| && !contains(github.event.comment.body, '<!-- pr-review-bot:v1 reconcile -->') | |
| && ( | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | |
| || ( | |
| github.event.comment.user.type == 'Bot' | |
| && ( | |
| startsWith(github.event.comment.user.login, 'peco-review-bot') | |
| || startsWith(github.event.comment.user.login, 'Copilot') | |
| || startsWith(github.event.comment.user.login, 'copilot') | |
| ) | |
| ) | |
| ) | |
| ) | |
| || ( | |
| github.event_name == 'pull_request' | |
| && github.event.action == 'labeled' | |
| && github.event.label.name == 'engineer-bot' | |
| && github.event.sender.type != 'Bot' | |
| && !startsWith(github.event.sender.login, 'peco-engineer-bot') | |
| ) | |
| ) | |
| environment: azure-prod # DATABRICKS_HOST / DATABRICKS_TOKEN live here | |
| runs-on: | |
| group: databricks-protected-runner-group | |
| labels: [linux-ubuntu-latest] | |
| timeout-minutes: 30 | |
| concurrency: | |
| group: engineer-bot-followup-pr-${{ github.event.pull_request.number }} | |
| cancel-in-progress: false | |
| steps: | |
| # Checkout FIRST (remote action) so the local `./` composites resolve. | |
| # Check out the PR head BRANCH (not the merge ref) so fixups push back to | |
| # it; bot-run re-establishes the authenticated push remote. | |
| - name: Checkout PR head branch | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| ref: ${{ github.event.pull_request.head.ref }} | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| # Mint the engineer-bot token (this repo — pushes fixup commits, posts replies). | |
| - name: Mint engineer-bot App token | |
| id: setup | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ secrets.ENGINEER_BOT_APP_ID }} | |
| private-key: ${{ secrets.ENGINEER_BOT_APP_PRIVATE_KEY }} | |
| # Python + connector deps via the repo's OWN setup-poetry action (JFrog | |
| # mirror + poetry lock + install) — egress-safe, tolerates a stale lock. | |
| # The agent runs `poetry run python -m pytest tests/unit` to verify fixups. | |
| - name: Setup Poetry + connector deps (for pytest self-verify) | |
| uses: ./.github/actions/setup-poetry | |
| with: | |
| python-version: '3.11' | |
| - name: Setup Node (for the Claude Code CLI the SDK spawns) | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: '20' | |
| # PAT-free engine install: engine-scoped token (contents:read) from the | |
| # same App creds. | |
| - name: Mint engine-scoped install token | |
| id: engine-token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ secrets.ENGINEER_BOT_APP_ID }} | |
| private-key: ${{ secrets.ENGINEER_BOT_APP_PRIVATE_KEY }} | |
| owner: databricks | |
| repositories: databricks-bot-engine | |
| permission-contents: read | |
| # LOCAL composite (cross-repo `uses:` of the engine won't resolve here). | |
| - name: Install engine + Claude SDK/CLI | |
| uses: ./.github/actions/install-bot-engine | |
| with: | |
| engine-ref: b6205fb502566d617a456ccf3c37f3e4e3072ccd | |
| engine-token: ${{ steps.engine-token.outputs.token }} | |
| # Run the follow-up. Inlines the engine's bot-run env contract for | |
| # engineer:followup, plus the authenticated push remote bot-run would set | |
| # up (followup pushes fixup commits via a plain `git push`, which doesn't | |
| # consult GH_TOKEN; the checkout is persist-credentials:false). | |
| - name: Run engineer follow-up (catch-up over all unaddressed threads) | |
| env: | |
| GH_TOKEN: ${{ steps.setup.outputs.token }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| HEAD_BRANCH: ${{ github.event.pull_request.head.ref }} | |
| PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| PR_TITLE: ${{ github.event.pull_request.title }} | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| TRIGGER_COMMENT_ID: ${{ github.event.comment.id }} | |
| MODEL_ENDPOINT: https://${{ secrets.DATABRICKS_HOST }}/serving-endpoints/databricks-claude-opus-4-8/invocations | |
| DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }} | |
| RUNNER_TEMP: ${{ runner.temp }} | |
| run: | | |
| git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" | |
| python -m databricks_bot_engine.engineer_bot.run --phase followup \ | |
| --system-prompt "$GITHUB_WORKSPACE/.bot/prompts/engineer-followup/system.md" |