PyPI - cicaddy-github - Versions diffs - 0.2.0__tar.gz → 0.3.1__tar.gz - Mend

cicaddy-github 0.2.0tar.gz → 0.3.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/.claude/skills/cicaddy-action/SKILL.md RENAMED Viewed

@@ -219,15 +219,19 @@ context: |
 ## Workflow Usage
+The PR review workflow uses `pull_request_target` so secrets are available for
+fork PRs. Internal PRs run automatically; fork PRs require a maintainer to add
+the `safe-to-review` label. The label is auto-removed on new pushes to prevent
+TOCTOU bypasses.
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
   with:
     ai_provider: gemini
     ai_model: gemini-3-flash-preview
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
-    github_token: ${{ secrets.GITHUB_TOKEN }}
 ```
 ## Running Locally

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/.github/workflows/pr-review.yml RENAMED Viewed

@@ -1,16 +1,35 @@
 name: AI PR Review
 on:
-  pull_request:
-    types: [opened, synchronize]
+  pull_request_target:
+    types: [opened, synchronize, labeled]
 permissions:
   contents: read
   pull-requests: write
 jobs:
+  remove-label-on-push:
+    if: >-
+      github.event.action == 'synchronize' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      contains(github.event.pull_request.labels.*.name, 'safe-to-review')
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Remove safe-to-review label on new push from fork
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr edit "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --remove-label "safe-to-review"
   review:
-    if: ${{ github.actor != 'dependabot[bot]' }}
+    if: >-
+      github.actor != 'dependabot[bot]' &&
+      (
+        (github.event.pull_request.head.repo.full_name == github.repository && github.event.action != 'labeled') ||
+        (github.event.action == 'labeled' && github.event.label.name == 'safe-to-review')
+      )
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -38,7 +57,6 @@ jobs:
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           mcp_servers_config: ${{ steps.mcp.outputs.config }}
         env:
           ANALYSIS_FOCUS: "general"

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/CLAUDE.md RENAMED Viewed

@@ -27,5 +27,15 @@ GitHub Action that wraps cicaddy for running AI agent tasks in GitHub Actions wo
 - Test files in `tests/unit/`
 - Fixtures in `tests/conftest.py`
+## Release Checklist
+- **Bump `version` in `pyproject.toml` BEFORE tagging** — the release workflow builds from the checked-out source, so the `pyproject.toml` version must match the git tag. If the version doesn't match, PyPI will reject the upload (either as a duplicate or a mismatch).
+- When bumping the version for a release, also update all `cicaddy-action@vX.Y.Z` version references in `README.md` and `.claude/skills/cicaddy-action/SKILL.md` to match the new version.
+## PR Review Workflow Security
+- The PR review workflow uses `pull_request_target` so secrets are available for fork PRs.
+- Internal PRs (same repo) run automatically; fork PRs require the `safe-to-review` label.
+- The label is auto-removed on `synchronize` (new pushes from forks) to prevent TOCTOU bypasses.
+- The workflow never checks out or executes untrusted PR code — cicaddy fetches the diff via the GitHub API.
 ## Reference Repos
 - [cicaddy core](https://github.com/waynesun09/cicaddy)

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/Dockerfile RENAMED Viewed

@@ -1,4 +1,4 @@
-FROM python:3.12-slim
+FROM python:3.14-slim
 WORKDIR /app

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.2.0
+Version: 0.3.1
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
@@ -9,7 +9,7 @@ Author: Wayne Sun
 License: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
-Requires-Dist: cicaddy==0.3.0
+Requires-Dist: cicaddy>=0.3.0
 Requires-Dist: detect-secrets>=1.4.0
 Requires-Dist: pygithub>=2.1.0
 Provides-Extra: test
@@ -32,59 +32,63 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 ## Quick Start
-### Changelog Report on Release
+### AI PR Review
+This example uses the `pull_request` trigger, which works for in-repo PRs
+(branches pushed to the same repository). For fork PR support, see
+`.github/workflows/pr-review.yml` which uses `pull_request_target` with
+a `safe-to-review` label gate.
 ```yaml
-name: Generate Changelog
+name: PR Review
 on:
-  release:
-    types: [published]
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  pull-requests: write
 jobs:
-  changelog:
+  review:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
-          ai_model: gemini-2.5-flash
+          ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/changelog_report.yml
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
 ```
-### AI PR Review
+### Changelog Report on Release
 ```yaml
-name: PR Review
+name: Generate Changelog
 on:
-  pull_request:
-    types: [opened, synchronize]
-permissions:
-  pull-requests: write
+  release:
+    types: [published]
 jobs:
-  review:
+  changelog:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
           ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          task_file: tasks/changelog_report.yml
 ```
 ## Inputs

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/README.md RENAMED Viewed

@@ -12,59 +12,63 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 ## Quick Start
-### Changelog Report on Release
+### AI PR Review
+This example uses the `pull_request` trigger, which works for in-repo PRs
+(branches pushed to the same repository). For fork PR support, see
+`.github/workflows/pr-review.yml` which uses `pull_request_target` with
+a `safe-to-review` label gate.
 ```yaml
-name: Generate Changelog
+name: PR Review
 on:
-  release:
-    types: [published]
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  pull-requests: write
 jobs:
-  changelog:
+  review:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
-          ai_model: gemini-2.5-flash
+          ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/changelog_report.yml
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
 ```
-### AI PR Review
+### Changelog Report on Release
 ```yaml
-name: PR Review
+name: Generate Changelog
 on:
-  pull_request:
-    types: [opened, synchronize]
-permissions:
-  pull-requests: write
+  release:
+    types: [published]
 jobs:
-  review:
+  changelog:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
           ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          task_file: tasks/changelog_report.yml
 ```
 ## Inputs

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/entrypoint.sh RENAMED Viewed

@@ -50,6 +50,13 @@ export POST_PR_COMMENT="${INPUT_POST_PR_COMMENT:-false}"
 # Extract PR number from GITHUB_REF (e.g. refs/pull/123/merge -> 123)
 if [[ "${GITHUB_REF}" =~ ^refs/pull/([0-9]+)/ ]]; then
   export GITHUB_PR_NUMBER="${BASH_REMATCH[1]}"
+elif [[ -n "${GITHUB_EVENT_PATH}" && -f "${GITHUB_EVENT_PATH}" ]]; then
+  # For pull_request_target, GITHUB_REF is the base branch, not refs/pull/N/merge.
+  # Extract PR number from the event payload JSON instead.
+  PR_NUM=$(python3 -c "import json,sys; e=json.load(open(sys.argv[1])); print(e.get('pull_request',{}).get('number',''))" "${GITHUB_EVENT_PATH}" 2>/dev/null || true)
+  if [[ -n "${PR_NUM}" ]]; then
+    export GITHUB_PR_NUMBER="${PR_NUM}"
+  fi
 fi
 # Enable local tools (git operations) and set working directory

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/pyproject.toml RENAMED Viewed

@@ -4,14 +4,14 @@ build-backend = "hatchling.build"
 [project]
 name = "cicaddy-github"
-version = "0.2.0"
+version = "0.3.1"
 description = "GitHub Actions plugin for cicaddy AI agent framework"
 readme = "README.md"
 requires-python = ">=3.11"
 license = {text = "Apache-2.0"}
 authors = [{name = "Wayne Sun"}]
 dependencies = [
-    "cicaddy==0.3.0",
+    "cicaddy>=0.3.0",
     "PyGithub>=2.1.0",
     "detect-secrets>=1.4.0",
 ]

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/src/cicaddy_github/github_integration/agents.py RENAMED Viewed

@@ -43,6 +43,26 @@ def dedent_code_blocks(text: str) -> str:
     return _FENCED_CODE_BLOCK.sub(_dedent, text)
+# Matches output wrapped in a single ```markdown ... ``` fence.
+_MARKDOWN_WRAPPER = re.compile(
+    r"^\s*```(?:markdown|md)\s*\n(.*?)\n\s*```\s*$",
+    re.DOTALL | re.IGNORECASE,
+)
+def strip_markdown_wrapper(text: str) -> str:
+    """Strip a wrapping ```markdown fence from the entire AI output.
+    Some models interpret ``output_format: markdown`` as "wrap the response
+    in a markdown code fence", which causes GitHub to render the comment as
+    a literal code block instead of formatted markdown.
+    """
+    m = _MARKDOWN_WRAPPER.match(text.strip())
+    if m:
+        return m.group(1)
+    return text
 class GitHubTaskAgent(BaseAIAgent):
     """AI Agent for scheduled tasks and changelog generation."""
@@ -280,7 +300,8 @@ Please provide your comprehensive analysis in markdown format.
         comment = f"{BOT_COMMENT_MARKER_PR_REVIEW}\n"
         if "ai_analysis" in analysis_result:
-            comment += dedent_code_blocks(analysis_result["ai_analysis"]) + "\n"
+            cleaned = strip_markdown_wrapper(analysis_result["ai_analysis"])
+            comment += dedent_code_blocks(cleaned) + "\n"
         comment += (
             "\n<!-- cicaddy-footer -->\n---\n"

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/src/cicaddy_github/github_integration/detector.py RENAMED Viewed

@@ -10,7 +10,7 @@ logger = get_logger(__name__)
 def _detect_github_agent_type(settings) -> str | None:
     """Detect GitHub-specific agent types from Actions environment variables."""
     event = os.getenv("GITHUB_EVENT_NAME")
-    if event == "pull_request":
+    if event in ("pull_request", "pull_request_target"):
         logger.info(f"Detected pull request context: GITHUB_EVENT_NAME={event}")
         return "github_pr"

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/tests/unit/test_agents.py RENAMED Viewed

@@ -1,6 +1,6 @@
-"""Tests for dedent_code_blocks in agents module."""
+"""Tests for dedent_code_blocks and strip_markdown_wrapper in agents module."""
-from cicaddy_github.github_integration.agents import dedent_code_blocks
+from cicaddy_github.github_integration.agents import dedent_code_blocks, strip_markdown_wrapper
 class TestDedentCodeBlocks:
@@ -72,3 +72,42 @@ class TestDedentCodeBlocks:
         assert result.startswith("* Item one\n")
         assert result.endswith("* Item two")
         assert "+added line" in result
+class TestStripMarkdownWrapper:
+    """Test stripping wrapping ```markdown fences from AI output."""
+    def test_strips_markdown_wrapper(self):
+        """Output wrapped in ```markdown is unwrapped."""
+        text = "```markdown\n### Summary\nSome analysis.\n```"
+        result = strip_markdown_wrapper(text)
+        assert result == "### Summary\nSome analysis."
+    def test_strips_md_wrapper(self):
+        """Output wrapped in ```md is also unwrapped."""
+        text = "```md\n## Title\nContent.\n```"
+        result = strip_markdown_wrapper(text)
+        assert result == "## Title\nContent."
+    def test_strips_case_insensitive(self):
+        """Output wrapped in ```Markdown or ```MD is also unwrapped."""
+        for tag in ("Markdown", "MARKDOWN", "MD", "Md"):
+            text = f"```{tag}\nContent here.\n```"
+            result = strip_markdown_wrapper(text)
+            assert result == "Content here.", f"Failed for tag: {tag}"
+    def test_no_change_without_wrapper(self):
+        """Plain markdown without wrapper is unchanged."""
+        text = "### Summary\nSome analysis."
+        assert strip_markdown_wrapper(text) == text
+    def test_preserves_internal_code_blocks(self):
+        """Code blocks inside the markdown wrapper are preserved."""
+        text = "```markdown\n### Example\n```python\nprint('hi')\n```\n```"
+        result = strip_markdown_wrapper(text)
+        assert "```python\nprint('hi')\n```" in result
+    def test_no_change_for_non_markdown_fence(self):
+        """A ```python wrapper is NOT stripped."""
+        text = "```python\nprint('hi')\n```"
+        assert strip_markdown_wrapper(text) == text

{cicaddy_github-0.2.0 → cicaddy_github-0.3.1}/tests/unit/test_detector.py RENAMED Viewed

@@ -17,6 +17,16 @@ class TestDetectGitHubAgentType:
             result = _detect_github_agent_type(settings)
         assert result == "github_pr"
+    def test_pull_request_target_event_returns_github_pr(self):
+        """GITHUB_EVENT_NAME=pull_request_target returns github_pr."""
+        from cicaddy_github.github_integration.detector import _detect_github_agent_type
+        settings = MagicMock()
+        settings.github_pr_number = None
+        with patch.dict(os.environ, {"GITHUB_EVENT_NAME": "pull_request_target"}):
+            result = _detect_github_agent_type(settings)
+        assert result == "github_pr"
     def test_push_event_returns_none(self):
         """GITHUB_EVENT_NAME=push returns None (falls through to TaskAgent)."""
         from cicaddy_github.github_integration.detector import _detect_github_agent_type