add 'ai-push-review' to check for changes done on main #5
| # AI-powered push review workflow | |
| # Runs on direct pushes to protected branches to summarise risks without a PR | |
| name: AI Push Review | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ai-review-${{ github.repository }} | |
| cancel-in-progress: false | |
| jobs: | |
| review: | |
| name: AI Review Push Diff | |
| runs-on: ubuntu-latest | |
| environment: development | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Determine base commit | |
| id: diff-base | |
| run: | | |
| BASE_COMMIT="${{ github.event.before }}" | |
| if [ -z "$BASE_COMMIT" ] || [ "$BASE_COMMIT" = "0000000000000000000000000000000000000000" ]; then | |
| BASE_COMMIT="$(git rev-parse HEAD^)" | |
| fi | |
| echo "base_commit=$BASE_COMMIT" >> "$GITHUB_OUTPUT" | |
| - name: Collect push diff and file list | |
| run: | | |
| BASE_COMMIT="${{ steps.diff-base.outputs.base_commit }}" | |
| git fetch origin "$BASE_COMMIT" --depth=1 || true | |
| git diff --name-only "$BASE_COMMIT" HEAD > changed_files.txt | |
| git diff --unified=0 --no-color "$BASE_COMMIT" HEAD > push.diff | |
| head -c 900000 push.diff > push.diff.truncated || true | |
| - name: Build push review prompt | |
| run: | | |
| python3 .github/workflows/ai-push-review/build_push_prompt.py \ | |
| --files changed_files.txt \ | |
| --branch "$GITHUB_REF_NAME" \ | |
| --output prompt.txt | |
| - name: Call OpenAI Chat Completions API | |
| id: ai | |
| env: | |
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} | |
| run: | | |
| python3 .github/workflows/ai-push-review/run_push_ai_review.py \ | |
| --prompt prompt.txt \ | |
| --diff push.diff.truncated \ | |
| --output review.json | |
| verdict=$(jq -r '.verdict // "changes-requested"' review.json 2>/dev/null || echo "changes-requested") | |
| echo "verdict=${verdict}" >> "$GITHUB_OUTPUT" | |
| - name: Publish review summary | |
| if: always() | |
| run: | | |
| python3 .github/workflows/ai-push-review/write_push_summary.py \ | |
| --review review.json \ | |
| --files changed_files.txt \ | |
| --branch "$GITHUB_REF_NAME" | |
| - name: Fail CI when AI requests changes | |
| if: steps.ai.outputs.verdict == 'changes-requested' | |
| run: | | |
| echo "AI requested changes on push → failing job." | |
| exit 1 |
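Review bot: `git rev-parse HEAD^` in the "Determine base commit" step will fail on the first push to a new branch (the `0000…` case), because `actions/checkout@v4` above it clones with its default `fetch-depth: 1` and HEAD's parent is not present in the shallow clone; adding `with:` / `fetch-depth: 2` to the checkout step fixes this, since the later `git fetch origin "$BASE_COMMIT" --depth=1` only covers the case where `github.event.before` is a real commit. The diff is cut at 900000 bytes before it reaches the model, but nothing records that a cut happened, so a verdict on a truncated diff is indistinguishable from one on the full diff; after the `head -c` line, `if [ "$(wc -c < push.diff)" -gt 900000 ]; then echo "::warning::push.diff truncated to 900000 bytes"; fi` (and a matching flag in the summary) makes that visible. Because the pushed diff content is itself part of the model input and `steps.ai.outputs.verdict` gates the job, the `changes-requested` default for a missing or unparsable verdict is the right fail-closed choice, but an approving verdict should be treated as advisory rather than as a control over what lands on `main`/`release`; a one-line comment above `Fail CI when AI requests changes` stating that would help the next maintainer. `${{ github.event.before }}` is interpolated straight into the shell script; it is a GitHub-supplied SHA here rather than free text, but passing it via `env:` as `BEFORE_SHA: ${{ github.event.before }}` and reading `"$BEFORE_SHA"` keeps the `run:` blocks free of inline expressions, consistent with how `OPENAI_API_KEY` is already handled.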