Add Octopus AI code review workflow#23177
Conversation
Octopus is a free, open-source AI code review tool that indexes the codebase and posts context-aware inline review comments with severity levels on pull requests. It is free and unlimited for public OSI-licensed repositories with no API key required. This is a follow-up to kubernetes#23143 (closed because GITHUB_TOKEN is read-only on fork PRs). The workflow now uses pull_request_target so the token has the write access needed to post reviews on fork PRs. The Octopus action only reads the PR diff via the GitHub API; it never checks out or runs PR code, so no untrusted code executes in the privileged context. - https://octopus-review.ai/open-source - https://github.com/octopusreview/octopus - Docs: https://octopus-review.ai/docs/github-action#fork-pull-requests Signed-off-by: Ferit <ferit@weezboo.com>
|
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: redoh The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Welcome @redoh! |
|
Hi @redoh. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Can one of the admins verify this patch? |
|
@redoh Thanks for following up. I know that this can work with pull_request_target, but I'm not happy to run 3rd party code with write access in the context of pull_request_target. What I need is a way to review pull requests with fine grain permissions allowing the reviewer to add comments. Anything else should be blocked by the system so I don't need to trust the review provider. Ideally the reviewer will have operate as a GitHub account - any GitHub user can review minikube PRs, no special permissions are needed. |
| types: [opened, synchronize] | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
|
@nirs you were right, and thanks for pushing on this. Two things you pointed out can't be solved within the Actions model:
So we're building the model you actually described, the reviewer operating as a plain GitHub account:
It's actively in progress (not shipped yet):
Once it's live I'll update this PR to that model. Does this approach address your concerns? Happy to adjust before we finalize. |
Sounds good for public projects.
You read Minikube does not use release branches but many projects use them and reviewing backports to release branch is very useful.
If you run this in pull_request event, an attacker can trigger a review on octopus side by modifying a workflow or adding a new workflow. This should be fine if you check .github/octopus.yml` from the main branch so an attacker cannot control it. Let's move this discussion to https://github.com/octopusreview/. |
Summary
Adds a GitHub Actions workflow that runs Octopus, a free, open-source AI code review tool, on pull requests. Octopus indexes the codebase and posts context-aware inline review comments with severity levels. It is free and unlimited for public OSI-licensed repositories, with no API key required.
This is a follow-up to #23143 (opened by @nirs, then closed because Octopus could not post reviews —
GITHUB_TOKENis read-only on pull requests from forks).What changed since #23143
The earlier attempt used the
pull_requestevent, where GitHub restrictsGITHUB_TOKENto read-only for fork PRs, so the action could not post comments and failed silently. This PR resolves that:pull_request_target, which gives the token thepull-requests: writeaccess needed to post reviews on fork PRs.if: github.repository == 'kubernetes/minikube'so it does not run on forks of this repo.Notes
Happy to adjust the trigger, permissions, or scoping to match maintainer preferences.