@activade/open-workflows 1.0.2 → 2.0.1

package/actions/pr-review/skill.md

@@ -0,0 +1,223 @@
+---
+name: pr-review
+description: AI-powered pull request code review focusing on correctness, security, stability, and maintainability.
+license: MIT
+---
+
+## What I Do
+
+Review pull request changes systematically and post findings as a sticky PR comment. Focus on **real issues that matter** - bugs, security risks, and stability problems that would block a merge in a typical code review.
+
+## Review Philosophy
+
+**Ask yourself before flagging any issue**: "Would a senior engineer in a time-limited code review raise this issue?"
+
+- Flag issues that represent **real risks** or **actual bugs**
+- Skip style preferences and subjective opinions
+- Prioritize signal over noise - fewer, higher-quality findings
+
+## Workflow
+
+1. **Check prior feedback**: Fetch existing PR comments to understand context
+   ```bash
+   gh pr view <number> --json comments --jq '.comments[].body'
+   ```
+
+2. **Gather PR context**: Get PR metadata and changed files
+   ```bash
+   gh pr view <number> --json files,title,body,headRefOid
+   ```
+
+3. **Create validation todo list**: Track previously-flagged issues (if any) using `todowrite`
+   - One item per prior issue: "Validate if [issue] was addressed"
+   - One item per changed file for new review
+
+4. **Analyze each file**:
+   - Mark todo as `in_progress`
+   - Read the file diff and surrounding context
+   - Note ONLY issues that pass the "real issue" test (see Review Priorities)
+   - Mark todo as `completed`
+
+5. **Synthesize review**: After ALL files are analyzed, determine verdict and summary
+   - Acknowledge addressed feedback from prior reviews
+   - Only include NEW issues not previously identified
+
+6. **Post review**: Run the submit-review script (see Posting Review section)
+
+## Review Priorities
+
+Focus on these areas. Each includes concrete examples of what IS and ISN'T worth flagging.
+
+### 1. Correctness (Logic errors that cause wrong behavior)
+
+| Flag This | Skip This |
+|-----------|-----------|
+| Off-by-one errors in loops/bounds | Type confusion that doesn't break runtime |
+| Broken control flow (early returns, missing breaks) | Unused variables (linters catch this) |
+| Incorrect boolean logic | Missing optional chaining on guaranteed-present fields |
+| Wrong comparison operators | Stylistic null checks beyond language guarantees |
+| Missing await on async calls | |
+
+### 2. Security (Exploitable vulnerabilities)
+
+| Flag This | Skip This |
+|-----------|-----------|
+| SQL/NoSQL injection | Hypothetical attack scenarios requiring admin access |
+| XSS vulnerabilities | Missing rate limiting (unless auth-related) |
+| Auth bypass possibilities | Theoretical timing attacks |
+| Secrets/credentials in code | Generic "consider security implications" |
+| Unsafe deserialization | |
+| Path traversal | |
+
+### 3. Stability (Issues causing crashes or data loss)
+
+| Flag This | Skip This |
+|-----------|-----------|
+| Unhandled promise rejections in critical paths | Adding extra try-catch "just in case" |
+| Race conditions with visible effects | Defensive null checks on typed fields |
+| Resource leaks (unclosed handles, listeners) | Missing error logging (non-critical) |
+| Infinite loops / recursion without base case | Optional timeout additions |
+| Division by zero possibilities | |
+
+### 4. Maintainability (Clarity issues causing confusion)
+
+| Flag This | Skip This |
+|-----------|-----------|
+| Misleading function/variable names | Naming preferences (camelCase vs snake_case) |
+| Logic that contradicts its documentation | Minor comment improvements |
+| Dead code that appears intentional | DRY violations without maintenance risk |
+| Inconsistency with adjacent code patterns | Subjective "this could be cleaner" |
+
+## Common Nitpicks to Avoid
+
+**DO NOT flag these issues** - they create noise without value:
+
+1. **Coding style preferences** - Spaces vs tabs, quote styles, trailing commas, line length. Let linters handle this.
+
+2. **Defensive programming suggestions** - Adding null checks, optional chaining, or try-catch blocks beyond what the type system or runtime requires.
+
+3. **DRY violations without real cost** - Small code duplication that doesn't create maintenance burden. Not everything needs abstraction.
+
+4. **Missing code comments** - Unless the code is security-critical or intentionally non-obvious, don't require comments.
+
+5. **Subjective complexity concerns** - "This function is too long" or "Consider breaking this up" without identifying a concrete problem it causes.
+
+6. **Minor refactoring suggestions** - Aesthetic improvements, variable renaming preferences, or "cleaner" alternatives that aren't objectively better.
+
+## Context from Prior Reviews
+
+Before starting your review:
+
+1. **Fetch existing PR comments** to see prior feedback:
+   ```bash
+   gh pr view <number> --json comments,reviews --jq '.comments[].body, .reviews[].body'
+   ```
+
+2. **If previous issues were flagged**:
+   - Create a todo item for each: "Validate: [previous issue title]"
+   - Check if the latest commits address each issue
+   - Mark as completed with status (resolved/still-present)
+
+3. **In your final review**:
+   - Acknowledge issues that were fixed: "Previously flagged X - now resolved"
+   - Only flag issues that are NEW or STILL UNRESOLVED
+   - Don't re-flag the same issue in slightly different words
+
+## Posting Review
+
+The script path is provided in your task message. Run the submit-review script:
+
+```bash
+bun "<script_path>/submit-review.ts" \
+  --repo "owner/repo" \
+  --pr 123 \
+  --commit "abc1234" \
+  --verdict "approve" \
+  --summary "Your overall assessment" \
+  --issues '[{"file":"src/foo.ts","line":42,"severity":"high","title":"Issue title","explanation":"Why this matters","suggestion":"Optional fix"}]'
+```
+
+### Arguments
+
+| Argument | Required | Description |
+|----------|----------|-------------|
+| `--repo` | Yes | Repository in owner/repo format |
+| `--pr` | Yes | Pull request number |
+| `--commit` | No | Commit SHA (first 7 chars shown in review) |
+| `--verdict` | Yes | `approve` or `request_changes` |
+| `--summary` | Yes | 1-3 sentence overall assessment |
+| `--issues` | No | JSON array of issues found |
+
+### Issue Format
+
+Each issue in the array:
+
+```json
+{
+  "file": "src/auth/login.ts",
+  "line": 42,
+  "severity": "critical|high|medium|low",
+  "title": "Short description (~80 chars)",
+  "explanation": "Why this matters, what's wrong",
+  "suggestion": "Optional: replacement code"
+}
+```
+
+## Verdict Rules
+
+**Only use `request_changes` for issues that should BLOCK the merge:**
+
+- `critical`: Security vulnerabilities, data loss risks, complete feature breakage
+- `high`: Bugs that will affect users, significant logic errors
+- `medium`: Edge cases likely to cause issues, unclear but problematic patterns
+
+**Use `approve` generously:**
+
+- If issues are `low` severity only - approve with notes
+- If issues are style/preference-based - approve (and don't flag them)
+- If you're unsure whether something is a real issue - lean toward approve
+
+**Severity guidance:**
+
+- Default to `low` unless the issue clearly meets `medium` or higher criteria
+- `medium` = "This will probably cause a bug in production"
+- `high` = "This will definitely cause problems for users"
+- `critical` = "This is a security hole or will cause data loss"
+
+## Common Mistakes to Avoid
+
+- Do NOT run the script more than once per review
+- Do NOT use line numbers from the left (old) side of the diff
+- Do NOT skip the per-file todo workflow
+- Do NOT guess repository, PR number, or commit SHA - derive from git/gh commands
+- Do NOT re-flag issues from prior reviews that were already addressed
+- Do NOT flag style issues that linters or formatters should handle
+
+## Example Issue
+
+```json
+{
+  "file": "src/auth/login.ts",
+  "line": 42,
+  "severity": "high",
+  "title": "SQL injection vulnerability in user lookup",
+  "explanation": "User input is concatenated directly into the SQL query without sanitization. An attacker could inject malicious SQL to bypass authentication or extract data.",
+  "suggestion": "const user = await db.query('SELECT * FROM users WHERE email = $1', [email])"
+}
+```
+
+## Example of What NOT to Flag
+
+```typescript
+// DON'T flag: "Consider using optional chaining"
+const name = user.profile.name;  // If types guarantee profile exists, this is fine
+
+// DON'T flag: "Variable could be const"
+let count = 0;  // Let linters handle this
+
+// DON'T flag: "Function is too long"
+function processOrder() { /* 80 lines */ }  // Unless there's a concrete bug
+
+// DON'T flag: "Consider adding error handling"
+await saveUser(user);  // Unless errors here would cause data loss
+```

package/actions/pr-review/src/submit-review.ts

@@ -0,0 +1,154 @@
+#!/usr/bin/env bun
+/// <reference types="bun-types" />
+
+/**
+ * Usage: bun submit-review.ts --repo owner/repo --pr 123 --commit abc1234 \
+ *        --verdict approve --summary "Clean code" --issues '[...]'
+ */
+
+import { parseArgs } from "util";
+
+const STICKY_MARKER = '<!-- open-workflows:review-sticky -->';
+
+type Severity = 'critical' | 'high' | 'medium' | 'low';
+type Verdict = 'approve' | 'request_changes';
+
+interface ReviewIssue {
+  file: string;
+  line: number;
+  severity: Severity;
+  title: string;
+  explanation: string;
+  suggestion?: string;
+}
+
+async function withRetry<T>(fn: () => Promise<T>, maxRetries = 3): Promise<T> {
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      const isLast = attempt === maxRetries - 1;
+      const msg = error instanceof Error ? error.message : String(error);
+      const isRetryable = msg.includes('rate limit') || msg.includes('timeout') || 
+                          msg.includes('503') || msg.includes('ECONNRESET');
+      if (isLast || !isRetryable) throw error;
+      await new Promise(r => setTimeout(r, 1000 * Math.pow(2, attempt)));
+    }
+  }
+  throw new Error('Max retries exceeded');
+}
+
+function formatVerdict(verdict: Verdict): string {
+  return verdict === 'request_changes' ? 'REQUEST CHANGES' : 'APPROVE';
+}
+
+function buildCommentBody(summary: string, verdict: Verdict, issues: ReviewIssue[], commitSha?: string): string {
+  let body = `## AI Review Summary\n\n`;
+  body += `**Verdict:** ${formatVerdict(verdict)}\n`;
+  if (commitSha) {
+    body += `**Commit:** \`${commitSha.slice(0, 7)}\`\n`;
+  }
+  body += '\n';
+
+  if (issues.length === 0) {
+    body += `### Findings\n\nNo significant issues found.\n\n`;
+  } else {
+    body += `### Findings\n\n`;
+    for (const issue of issues) {
+      const location = issue.file && issue.line > 0 ? `${issue.file}:${issue.line}` : issue.file || 'unknown';
+      body += `- **[${issue.severity.toUpperCase()}]** \`${location}\` – ${issue.title}\n`;
+      body += `  - ${issue.explanation}\n`;
+      if (issue.suggestion?.trim()) {
+        const suggestion = issue.suggestion.trim();
+        if (suggestion.includes('\n')) {
+          body += `  - **Suggested fix:**\n\n    \`\`\`\n${suggestion.split('\n').map(l => `    ${l}`).join('\n')}\n    \`\`\`\n`;
+        } else {
+          body += `  - **Suggested fix:** ${suggestion}\n`;
+        }
+      }
+    }
+    body += '\n';
+  }
+
+  body += `### Overall Assessment\n\n${summary}\n\n`;
+  body += STICKY_MARKER;
+  return body;
+}
+
+async function main() {
+  const { values } = parseArgs({
+    args: Bun.argv.slice(2),
+    options: {
+      repo: { type: 'string' },
+      pr: { type: 'string' },
+      commit: { type: 'string' },
+      verdict: { type: 'string' },
+      summary: { type: 'string' },
+      issues: { type: 'string' },
+    },
+    strict: true,
+  });
+
+  const { repo, pr, commit, verdict, summary, issues: issuesJson } = values;
+
+  if (!repo || !pr || !verdict || !summary) {
+    console.error('Missing required arguments: --repo, --pr, --verdict, --summary');
+    process.exit(1);
+  }
+
+  const prNumber = parseInt(pr, 10);
+  if (isNaN(prNumber)) {
+    console.error('Invalid PR number');
+    process.exit(1);
+  }
+
+  if (verdict !== 'approve' && verdict !== 'request_changes') {
+    console.error('Verdict must be "approve" or "request_changes"');
+    process.exit(1);
+  }
+
+  let issues: ReviewIssue[] = [];
+  if (issuesJson) {
+    try {
+      issues = JSON.parse(issuesJson);
+    } catch {
+      console.error('Invalid JSON for --issues');
+      process.exit(1);
+    }
+  }
+
+  const body = buildCommentBody(summary, verdict as Verdict, issues, commit);
+
+  let existingCommentId: number | null = null;
+  try {
+    const result = await withRetry(() => 
+      Bun.$`gh api /repos/${repo}/issues/${prNumber}/comments --paginate`.text()
+    );
+    const comments = JSON.parse(result) as Array<{ id: number; body: string }>;
+    const existing = comments.find(c => c.body.includes(STICKY_MARKER));
+    if (existing) existingCommentId = existing.id;
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    console.error('Warning: Failed to fetch existing comments:', msg);
+  }
+
+  const payload = JSON.stringify({ body });
+  const input = new Response(payload);
+
+  if (existingCommentId) {
+    await withRetry(() =>
+      Bun.$`gh api --method PATCH /repos/${repo}/issues/comments/${existingCommentId} --input - < ${input}`.quiet()
+    );
+    console.log('Updated existing review comment');
+  } else {
+    await withRetry(() =>
+      Bun.$`gh api --method POST /repos/${repo}/issues/${prNumber}/comments --input - < ${input}`.quiet()
+    );
+    console.log('Posted new review comment');
+  }
+}
+
+main().catch(err => {
+  console.error('Error:', err.message);
+  process.exit(1);
+});

package/actions/release/action.yml

@@ -0,0 +1,59 @@
+name: 'Release'
+description: 'Automated releases with semantic versioning, changelog, and npm provenance'
+author: 'activadee'
+
+inputs:
+  bump:
+    description: 'Version bump type: major, minor, or patch'
+    required: false
+  version:
+    description: 'Override version (e.g., 1.2.3). Takes precedence over bump.'
+    required: false
+  skip-build:
+    description: 'Skip build step (if already built)'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Validate inputs
+      shell: bash
+      run: |
+        if [ -z "${{ inputs.bump }}" ] && [ -z "${{ inputs.version }}" ]; then
+          echo "Error: Either 'bump' or 'version' input is required"
+          exit 1
+        fi
+
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v2
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '*'
+
+    - name: Upgrade npm for provenance support
+      shell: bash
+      run: npm install -g npm@latest
+
+    - name: Install dependencies
+      shell: bash
+      run: bun install --frozen-lockfile
+
+    - name: Run publish script
+      shell: bash
+      run: |
+        ARGS="--repo ${{ github.repository }}"
+        if [ -n "${{ inputs.version }}" ]; then
+          ARGS="$ARGS --version ${{ inputs.version }}"
+        elif [ -n "${{ inputs.bump }}" ]; then
+          ARGS="$ARGS --bump ${{ inputs.bump }}"
+        fi
+        if [ "${{ inputs.skip-build }}" = "true" ]; then
+          ARGS="$ARGS --skip-build"
+        fi
+        bun "${{ github.action_path }}/src/publish.ts" $ARGS
+      env:
+        CI: true
+        GITHUB_TOKEN: ${{ github.token }}

package/actions/release/src/publish.ts

@@ -0,0 +1,235 @@
+#!/usr/bin/env bun
+/// <reference types="bun-types" />
+
+import { parseArgs } from "util"
+
+const PACKAGE_NAME = process.env.PACKAGE_NAME || ""
+
+async function getCurrentNpmVersion(): Promise<string> {
+  if (!PACKAGE_NAME) {
+    const pkg = await Bun.file("package.json").json()
+    return pkg.version || "0.0.0"
+  }
+  
+  try {
+    const result = await Bun.$`npm view ${PACKAGE_NAME} version`.text()
+    return result.trim()
+  } catch {
+    return "0.0.0"
+  }
+}
+
+function bumpVersion(version: string, type: "major" | "minor" | "patch"): string {
+  const [major, minor, patch] = version.split(".").map(Number)
+  switch (type) {
+    case "major":
+      return `${major + 1}.0.0`
+    case "minor":
+      return `${major}.${minor + 1}.0`
+    case "patch":
+      return `${major}.${minor}.${patch + 1}`
+  }
+}
+
+async function updatePackageVersion(newVersion: string): Promise<void> {
+  const pkgPath = "package.json"
+  let pkg = await Bun.file(pkgPath).text()
+  pkg = pkg.replace(/"version": "[^"]+"/, `"version": "${newVersion}"`)
+  await Bun.write(pkgPath, pkg)
+  console.log(`Updated package.json to v${newVersion}`)
+}
+
+async function generateChangelog(previousVersion: string): Promise<string[]> {
+  const notes: string[] = []
+
+  try {
+    const tagExists = await Bun.$`git rev-parse v${previousVersion} 2>/dev/null`.nothrow()
+    if (tagExists.exitCode !== 0) {
+      console.log("No previous tag found, skipping changelog")
+      return notes
+    }
+
+    const log = await Bun.$`git log v${previousVersion}..HEAD --oneline --format="%h %s"`.text()
+    const commits = log
+      .split("\n")
+      .filter((line) => line.trim())
+      .filter((line) => !line.match(/^\w+ (chore:|test:|ci:|docs:|release:|Merge )/i))
+
+    if (commits.length > 0) {
+      for (const commit of commits) {
+        notes.push(`- ${commit}`)
+      }
+    }
+  } catch (error) {
+    console.log("Failed to generate changelog:", error)
+  }
+
+  return notes
+}
+
+async function getContributors(previousVersion: string, repo: string): Promise<string[]> {
+  const notes: string[] = []
+  const excludeUsers = ["github-actions[bot]", "actions-user", "dependabot[bot]"]
+
+  try {
+    const tagExists = await Bun.$`git rev-parse v${previousVersion} 2>/dev/null`.nothrow()
+    if (tagExists.exitCode !== 0) return notes
+
+    const compare = await Bun.$`gh api "/repos/${repo}/compare/v${previousVersion}...HEAD" --jq '.commits[] | {login: .author.login, message: .commit.message}' 2>/dev/null`.text()
+    const contributors = new Map<string, string[]>()
+
+    for (const line of compare.split("\n").filter(Boolean)) {
+      try {
+        const { login, message } = JSON.parse(line) as { login: string | null; message: string }
+        const title = message.split("\n")[0] ?? ""
+        if (title.match(/^(chore:|test:|ci:|docs:|release:)/i)) continue
+
+        if (login && !excludeUsers.includes(login)) {
+          if (!contributors.has(login)) contributors.set(login, [])
+          contributors.get(login)?.push(title)
+        }
+      } catch {
+        continue
+      }
+    }
+
+    if (contributors.size > 0) {
+      notes.push("")
+      notes.push(`**Contributors:**`)
+      for (const [username] of contributors) {
+        notes.push(`- @${username}`)
+      }
+    }
+  } catch {}
+
+  return notes
+}
+
+async function buildProject(): Promise<void> {
+  console.log("\nBuilding project...")
+  await Bun.$`bun run build`
+}
+
+async function packProject(): Promise<string> {
+  console.log("\nPacking project...")
+  const output = await Bun.$`bun pm pack`.text()
+  const tarball = output.split("\n").find(line => line.trim().endsWith(".tgz"))?.trim()
+  if (!tarball) {
+    throw new Error("Failed to get tarball name from bun pm pack")
+  }
+  console.log(`Created: ${tarball}`)
+  return tarball
+}
+
+async function publishToNpm(tarball: string): Promise<void> {
+  console.log("\nPublishing to npm...")
+  
+  if (process.env.CI) {
+    await Bun.$`npm publish ${tarball} --access public --provenance`
+  } else {
+    await Bun.$`npm publish ${tarball} --access public`
+  }
+}
+
+async function gitTagAndRelease(newVersion: string, notes: string[], repo: string): Promise<void> {
+  if (!process.env.CI) {
+    console.log("\nSkipping git operations (not in CI)")
+    return
+  }
+
+  console.log("\nCommitting and tagging...")
+  await Bun.$`git config user.email "github-actions[bot]@users.noreply.github.com"`
+  await Bun.$`git config user.name "github-actions[bot]"`
+  await Bun.$`git add package.json`
+
+  const hasStagedChanges = await Bun.$`git diff --cached --quiet`.nothrow()
+  if (hasStagedChanges.exitCode !== 0) {
+    await Bun.$`git commit -m "release: v${newVersion} [skip ci]"`
+  } else {
+    console.log("No changes to commit (version already updated)")
+  }
+
+  const tagExists = await Bun.$`git rev-parse v${newVersion} 2>/dev/null`.nothrow()
+  if (tagExists.exitCode !== 0) {
+    await Bun.$`git tag v${newVersion}`
+  } else {
+    console.log(`Tag v${newVersion} already exists`)
+  }
+
+  await Bun.$`git push origin HEAD --tags`
+
+  console.log("\nCreating GitHub release...")
+  const releaseNotes = notes.length > 0 ? notes.join("\n") : "No notable changes"
+  const releaseExists = await Bun.$`gh release view v${newVersion} 2>/dev/null`.nothrow()
+  if (releaseExists.exitCode !== 0) {
+    await Bun.$`gh release create v${newVersion} --title "v${newVersion}" --notes ${releaseNotes}`
+  } else {
+    console.log(`Release v${newVersion} already exists`)
+  }
+}
+
+async function main() {
+  const { values } = parseArgs({
+    args: Bun.argv.slice(2),
+    options: {
+      bump: { type: "string" },
+      version: { type: "string" },
+      repo: { type: "string" },
+      "skip-build": { type: "boolean", default: false },
+    },
+    strict: true,
+  })
+
+  const { bump, version: overrideVersion, repo, "skip-build": skipBuild } = values
+
+  if (!bump && !overrideVersion) {
+    console.error("Either --bump (major|minor|patch) or --version is required")
+    process.exit(1)
+  }
+
+  if (!repo) {
+    console.error("--repo is required (e.g., owner/repo)")
+    process.exit(1)
+  }
+
+  const currentVersion = await getCurrentNpmVersion()
+  console.log(`Current version: ${currentVersion}`)
+
+  let newVersion: string
+  if (overrideVersion) {
+    newVersion = overrideVersion.replace(/^v/, "")
+  } else if (bump === "major" || bump === "minor" || bump === "patch") {
+    newVersion = bumpVersion(currentVersion, bump)
+  } else {
+    console.error("Invalid bump type. Use major, minor, or patch")
+    process.exit(1)
+  }
+
+  console.log(`New version: ${newVersion}`)
+
+  await updatePackageVersion(newVersion)
+
+  const changelog = await generateChangelog(currentVersion)
+  const contributors = await getContributors(currentVersion, repo)
+  const notes = [...changelog, ...contributors]
+
+  if (notes.length > 0) {
+    console.log("\nRelease notes:")
+    console.log(notes.join("\n"))
+  }
+
+  if (!skipBuild) {
+    await buildProject()
+  }
+
+  const tarball = await packProject()
+  await publishToNpm(tarball)
+  await gitTagAndRelease(newVersion, notes, repo)
+
+  console.log(`\nRelease v${newVersion} complete!`)
+}
+
+main().catch((err) => {
+  console.error("Release failed:", err.message || err)
+  process.exit(1)
+})