@diffpal/diffpal-darwin-x64 0.1.20 → 0.1.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +41 -19
  2. package/bin/diffpal +0 -0
  3. package/package.json +1 -4
package/README.md CHANGED
@@ -18,10 +18,9 @@ review platform they rent. It runs in your CI, uses the AI provider you choose,
18
18
  and turns every pull request into clear summaries, actionable inline feedback,
19
19
  review artifacts, and merge gates.
20
20
 
21
- Bring your own provider account, keep your costs and credentials with you, and
22
- keep the review workflow in your repository. DiffPal's goal is to make AI PR
23
- review portable, affordable, and enforceable across GitHub, GitLab, and Azure
24
- DevOps.
21
+ Use the provider path that already works for your team and keep the review
22
+ workflow in your repository. DiffPal's goal is to make AI PR review portable,
23
+ affordable, and enforceable across GitHub, GitLab, and Azure DevOps.
25
24
 
26
25
  | Works with | Publishes | Gates on |
27
26
  | --- | --- | --- |
@@ -56,9 +55,9 @@ Codex, Copilot, OpenCode, Gemini, Claude Code, a hosted API provider, an ordered
56
55
  provider pool, or any ACP-compatible CLI without rebuilding your PR review
57
56
  workflow.
58
57
 
59
- That model keeps cost and account control in your provider account. DiffPal
60
- does not require a hosted review service or per-seat platform subscription to
61
- collect diffs, publish PR feedback, write artifacts, or enforce merge gates.
58
+ That model keeps cost control with your team. DiffPal does not require a hosted
59
+ review service or per-seat platform subscription to collect diffs, publish PR
60
+ feedback, write artifacts, or enforce merge gates.
62
61
 
63
62
  ## Quick Start: GitHub Actions
64
63
 
@@ -82,6 +81,12 @@ files are kept unless you pass `--force`.
82
81
  | --- | --- |
83
82
  | `OPENAI_API_KEY` | Authenticates Codex for the review provider. |
84
83
 
84
+ For public open-source repositories, keep provider credentials away from fork PR
85
+ code. GitHub's fork workflow approval settings control whether outside
86
+ contributors' fork workflows run automatically; they do not make it safe to
87
+ release provider secrets to fork code. Keep DiffPal's secret-backed review job
88
+ limited to same-repository pull requests. Fork PRs should run no-secret CI only.
89
+
85
90
  3. Add the workflow:
86
91
 
87
92
  ```bash
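Review bot: the new fork-PR paragraph tells readers to keep the secret-backed review job "limited to same-repository pull requests" but gives no way to do it; quote the condition the example workflow already uses, `github.event.pull_request.head.repo.full_name == github.repository`, here so the advice is actionable without scrolling down to the YAML.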
@@ -117,13 +122,25 @@ DiffPal.
117
122
  | GitLab CI | [`examples/ci/gitlab`](examples/ci/gitlab) | MR summary, discussions, Code Quality, SARIF |
118
123
  | Azure Pipelines | [`examples/ci/azure-pipelines`](examples/ci/azure-pipelines) | PR summary thread, PR threads, PR status |
119
124
 
125
+ ## GitHub Action
126
+
127
+ GitHub Actions users can install the
128
+ [DiffPal Review action](https://github.com/marketplace/actions/diffpal-review)
129
+ with `uses: diffpal/action@v1`. The action source and release automation live in
130
+ the separate [diffpal/action](https://github.com/diffpal/action) repository.
131
+
132
+ The action installs `@diffpal/diffpal` by default, then runs
133
+ `diffpal review github`. You still own provider setup and authentication in the
134
+ workflow, so switching provider recipes does not require switching PR review
135
+ platforms.
136
+
120
137
  ## Azure DevOps Marketplace Extension
121
138
 
122
139
  Azure Pipelines users can install the public
123
140
  [DiffPal Review extension](https://marketplace.visualstudio.com/items?itemName=diffpal.diffpal)
124
141
  from the Azure DevOps Marketplace and add the `DiffPalReview@1` task to PR
125
142
  validation pipelines. Extension source and release automation live in the
126
- separate [diffpal-azure-devops](https://github.com/diffpal/azure-devops)
143
+ separate [diffpal-azure-devops](https://github.com/diffpal/diffpal-azure-devops)
127
144
  repository.
128
145
 
129
146
  The task installs `@diffpal/diffpal` by default, then runs `diffpal review ado`.
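Review bot: `uses: diffpal/action@v1` is a mutable tag, and this step is the one that handles the provider credential; the new "GitHub Action" section should mention that the action can also be pinned to a full commit SHA for teams that want an immutable reference. The corrected repository link, `https://github.com/diffpal/diffpal-azure-devops` replacing `https://github.com/diffpal/azure-devops`, deserves a changelog line so readers of the old README know the previous URL was wrong.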
@@ -132,8 +149,7 @@ You still need a committed DiffPal config, a provider credential such as
132
149
  checkout. See the [Azure Pipelines setup guide](docs/ci-examples.md#azure-pipelines)
133
150
  for copy-paste examples.
134
151
 
135
- GitHub Actions users can use the
136
- [DiffPal Review action](https://github.com/marketplace/actions/diffpal-review):
152
+ Example GitHub Actions workflow:
137
153
 
138
154
  ```yaml
139
155
  name: diffpal
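Review bot: after this rename the "Example GitHub Actions workflow:" block still sits under the "Azure DevOps Marketplace Extension" section, directly after the Azure Pipelines setup pointer; since this same diff adds a dedicated "## GitHub Action" section, move the YAML example there so each platform's instructions are contiguous.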
@@ -145,6 +161,8 @@ on:
145
161
  jobs:
146
162
  review:
147
163
  name: review
164
+ # Provider credentials are only exposed to same-repository PRs.
165
+ # Fork PRs should run no-secret CI only.
148
166
  if: ${{ !github.event.pull_request.draft && github.event.pull_request.head.repo.full_name == github.repository }}
149
167
  runs-on: ubuntu-latest
150
168
  permissions:
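Review bot: the two new comment lines and the existing `if:` skip the job entirely for fork PRs, so if this job is the required status check that backs the README's merge gate, fork PRs will never get a passing check; document how fork PRs are expected to satisfy the gate, for example a no-secret job (the one the fork-PR paragraph recommends) reporting under the same check name.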
@@ -179,6 +197,12 @@ jobs:
179
197
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
180
198
  ```
181
199
 
200
+ `pull_request_target` runs from the default branch of the base repository and is
201
+ useful for trusted automation such as labeling or commenting. Do not combine it
202
+ with checking out the PR head or running package installs, tests, build scripts,
203
+ hooks, provider CLIs, or other fork code. That pattern can expose privileged
204
+ tokens or secrets to untrusted code.
205
+
182
206
  If you prefer copying files manually, use
183
207
  [`examples/configs/codex-api-key/config.yaml`](examples/configs/codex-api-key/config.yaml).
184
208
  For full copy-paste files and host-specific notes, read
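Review bot: the `pull_request_target` warning is placed between the workflow YAML and the manual-copy instructions, where it interrupts the setup steps, and it overlaps with the fork-PR paragraph added earlier in this diff; fold the two into one note near the credentials table so the threat model is described once, and have it say which trigger the example workflow uses so readers do not assume the YAML above is a `pull_request_target` job.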
@@ -270,6 +294,9 @@ Ready-made config recipes. These are the same names accepted by
270
294
  | Copilot fine-grained PAT | [`examples/configs/copilot-github-token/config.yaml`](examples/configs/copilot-github-token/config.yaml) | `COPILOT_GITHUB_TOKEN` |
271
295
  | OpenCode ACP | [`examples/configs/opencode-acp/config.yaml`](examples/configs/opencode-acp/config.yaml) | OpenCode-specific |
272
296
 
297
+ For Codex subscription auth, generate a fresh `CODEX_AUTH_JSON_B64` value with
298
+ the command recipe in [`examples/README.md`](examples/README.md#generate-codex_auth_json_b64).
299
+
273
300
  Use `generic_acp` for any CLI that can start an ACP stdio server:
274
301
 
275
302
  ```yaml
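Review bot: "generate a fresh `CODEX_AUTH_JSON_B64` value" does not say why an existing value stops working or how often it must be regenerated, and unlike the table rows above it does not say where the value belongs; add a sentence that it is a credential to be stored as a CI secret rather than committed beside the config, and what makes a value stale. The anchor `#generate-codex_auth_json_b64` in examples/README.md is not part of this diff, so confirm it exists.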
@@ -298,15 +325,10 @@ authenticated:
298
325
  | `openai`, `aistudio` | Hosted API providers |
299
326
  | `pool` | Ordered provider failover |
300
327
 
301
- Hosted providers receive DiffPal's read-only review tools during each review:
302
- `git_changed_files`, `git_diff`, `list_files`, `read_file`, and
303
- `search_files`. These are request-level tools, not provider config. ACP
304
- providers keep their own tool surface.
305
-
306
- For hosted providers, DiffPal records review tool usage in the findings bundle
307
- and rejects a result when the provider did not inspect the diff with `git_diff`.
308
- ACP providers use their native Git and filesystem tools, so DiffPal records that
309
- runtime inspection proof is not available for that provider class.
328
+ DiffPal passes the review task snapshot with base and head revisions. Providers
329
+ inspect the repository diff and supporting code through their available Git and
330
+ filesystem tools, then DiffPal validates the structured findings against the
331
+ changed ranges it collected internally.
310
332
 
311
333
  ## MCP Servers
312
334
 
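Review bot: the removed paragraphs documented a concrete integrity control: review tool usage recorded in the findings bundle and a result rejected when the provider never inspected the diff with `git_diff`. The replacement only says DiffPal "validates the structured findings against the changed ranges it collected internally", which is a weaker guarantee. If the `git_diff` enforcement was dropped from the code, that is a behaviour change users relied on and belongs in a changelog entry; if it still exists, keep the sentence describing it rather than removing it silently.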
package/bin/diffpal CHANGED
Binary file
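Review bot: `bin/diffpal` changed but a binary diff cannot be reviewed here; the release should publish a checksum or provenance attestation for the binary so consumers can verify the 0.1.20 to 0.1.22 change independently of the registry listing.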
package/package.json CHANGED
@@ -1,7 +1,4 @@
1
1
  {
2
- "bin": {
3
- "diffpal": "bin/diffpal"
4
- },
5
2
  "cpu": [
6
3
  "x64"
7
4
  ],
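Review bot: removing the `bin` entry means installing this platform package no longer links a `diffpal` executable, while `package/bin/diffpal` is still shipped (it appears in the changed-files list). Confirm that the main `@diffpal/diffpal` package locates the binary by path inside this package; otherwise the file is dead weight, and document the removal as intentional for anyone depending on `@diffpal/diffpal-darwin-x64` directly.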
@@ -16,5 +13,5 @@
16
13
  "os": [
17
14
  "darwin"
18
15
  ],
19
- "version": "0.1.20"
16
+ "version": "0.1.22"
20
17
  }