PyPI - cicaddy-github - Versions diffs - 0.3.0__tar.gz → 0.3.1__tar.gz - Mend

cicaddy-github 0.3.0tar.gz → 0.3.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/.claude/skills/cicaddy-action/SKILL.md RENAMED Viewed

@@ -219,15 +219,19 @@ context: |
 ## Workflow Usage
+The PR review workflow uses `pull_request_target` so secrets are available for
+fork PRs. Internal PRs run automatically; fork PRs require a maintainer to add
+the `safe-to-review` label. The label is auto-removed on new pushes to prevent
+TOCTOU bypasses.
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
   with:
     ai_provider: gemini
     ai_model: gemini-3-flash-preview
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
-    github_token: ${{ secrets.GITHUB_TOKEN }}
 ```
 ## Running Locally

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/.github/workflows/pr-review.yml RENAMED Viewed

@@ -1,16 +1,35 @@
 name: AI PR Review
 on:
-  pull_request:
-    types: [opened, synchronize]
+  pull_request_target:
+    types: [opened, synchronize, labeled]
 permissions:
   contents: read
   pull-requests: write
 jobs:
+  remove-label-on-push:
+    if: >-
+      github.event.action == 'synchronize' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      contains(github.event.pull_request.labels.*.name, 'safe-to-review')
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Remove safe-to-review label on new push from fork
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr edit "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --remove-label "safe-to-review"
   review:
-    if: ${{ github.actor != 'dependabot[bot]' }}
+    if: >-
+      github.actor != 'dependabot[bot]' &&
+      (
+        (github.event.pull_request.head.repo.full_name == github.repository && github.event.action != 'labeled') ||
+        (github.event.action == 'labeled' && github.event.label.name == 'safe-to-review')
+      )
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -38,7 +57,6 @@ jobs:
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           mcp_servers_config: ${{ steps.mcp.outputs.config }}
         env:
           ANALYSIS_FOCUS: "general"

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/CLAUDE.md RENAMED Viewed

@@ -27,5 +27,15 @@ GitHub Action that wraps cicaddy for running AI agent tasks in GitHub Actions wo
 - Test files in `tests/unit/`
 - Fixtures in `tests/conftest.py`
+## Release Checklist
+- **Bump `version` in `pyproject.toml` BEFORE tagging** — the release workflow builds from the checked-out source, so the `pyproject.toml` version must match the git tag. If the version doesn't match, PyPI will reject the upload (either as a duplicate or a mismatch).
+- When bumping the version for a release, also update all `cicaddy-action@vX.Y.Z` version references in `README.md` and `.claude/skills/cicaddy-action/SKILL.md` to match the new version.
+## PR Review Workflow Security
+- The PR review workflow uses `pull_request_target` so secrets are available for fork PRs.
+- Internal PRs (same repo) run automatically; fork PRs require the `safe-to-review` label.
+- The label is auto-removed on `synchronize` (new pushes from forks) to prevent TOCTOU bypasses.
+- The workflow never checks out or executes untrusted PR code — cicaddy fetches the diff via the GitHub API.
 ## Reference Repos
 - [cicaddy core](https://github.com/waynesun09/cicaddy)

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.3.0
+Version: 0.3.1
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
@@ -9,7 +9,7 @@ Author: Wayne Sun
 License: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
-Requires-Dist: cicaddy==0.3.0
+Requires-Dist: cicaddy>=0.3.0
 Requires-Dist: detect-secrets>=1.4.0
 Requires-Dist: pygithub>=2.1.0
 Provides-Extra: test
@@ -32,59 +32,63 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 ## Quick Start
-### Changelog Report on Release
+### AI PR Review
+This example uses the `pull_request` trigger, which works for in-repo PRs
+(branches pushed to the same repository). For fork PR support, see
+`.github/workflows/pr-review.yml` which uses `pull_request_target` with
+a `safe-to-review` label gate.
 ```yaml
-name: Generate Changelog
+name: PR Review
 on:
-  release:
-    types: [published]
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  pull-requests: write
 jobs:
-  changelog:
+  review:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
-          ai_model: gemini-2.5-flash
+          ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/changelog_report.yml
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
 ```
-### AI PR Review
+### Changelog Report on Release
 ```yaml
-name: PR Review
+name: Generate Changelog
 on:
-  pull_request:
-    types: [opened, synchronize]
-permissions:
-  pull-requests: write
+  release:
+    types: [published]
 jobs:
-  review:
+  changelog:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
           ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          task_file: tasks/changelog_report.yml
 ```
 ## Inputs

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/README.md RENAMED Viewed

@@ -12,59 +12,63 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 ## Quick Start
-### Changelog Report on Release
+### AI PR Review
+This example uses the `pull_request` trigger, which works for in-repo PRs
+(branches pushed to the same repository). For fork PR support, see
+`.github/workflows/pr-review.yml` which uses `pull_request_target` with
+a `safe-to-review` label gate.
 ```yaml
-name: Generate Changelog
+name: PR Review
 on:
-  release:
-    types: [published]
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  pull-requests: write
 jobs:
-  changelog:
+  review:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
-          ai_model: gemini-2.5-flash
+          ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/changelog_report.yml
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
 ```
-### AI PR Review
+### Changelog Report on Release
 ```yaml
-name: PR Review
+name: Generate Changelog
 on:
-  pull_request:
-    types: [opened, synchronize]
-permissions:
-  pull-requests: write
+  release:
+    types: [published]
 jobs:
-  review:
+  changelog:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.1
         with:
           ai_provider: gemini
           ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          task_file: tasks/changelog_report.yml
 ```
 ## Inputs

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/entrypoint.sh RENAMED Viewed

@@ -50,6 +50,13 @@ export POST_PR_COMMENT="${INPUT_POST_PR_COMMENT:-false}"
 # Extract PR number from GITHUB_REF (e.g. refs/pull/123/merge -> 123)
 if [[ "${GITHUB_REF}" =~ ^refs/pull/([0-9]+)/ ]]; then
   export GITHUB_PR_NUMBER="${BASH_REMATCH[1]}"
+elif [[ -n "${GITHUB_EVENT_PATH}" && -f "${GITHUB_EVENT_PATH}" ]]; then
+  # For pull_request_target, GITHUB_REF is the base branch, not refs/pull/N/merge.
+  # Extract PR number from the event payload JSON instead.
+  PR_NUM=$(python3 -c "import json,sys; e=json.load(open(sys.argv[1])); print(e.get('pull_request',{}).get('number',''))" "${GITHUB_EVENT_PATH}" 2>/dev/null || true)
+  if [[ -n "${PR_NUM}" ]]; then
+    export GITHUB_PR_NUMBER="${PR_NUM}"
+  fi
 fi
 # Enable local tools (git operations) and set working directory

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/pyproject.toml RENAMED Viewed

@@ -4,14 +4,14 @@ build-backend = "hatchling.build"
 [project]
 name = "cicaddy-github"
-version = "0.3.0"
+version = "0.3.1"
 description = "GitHub Actions plugin for cicaddy AI agent framework"
 readme = "README.md"
 requires-python = ">=3.11"
 license = {text = "Apache-2.0"}
 authors = [{name = "Wayne Sun"}]
 dependencies = [
-    "cicaddy==0.3.0",
+    "cicaddy>=0.3.0",
     "PyGithub>=2.1.0",
     "detect-secrets>=1.4.0",
 ]

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/src/cicaddy_github/github_integration/detector.py RENAMED Viewed

@@ -10,7 +10,7 @@ logger = get_logger(__name__)
 def _detect_github_agent_type(settings) -> str | None:
     """Detect GitHub-specific agent types from Actions environment variables."""
     event = os.getenv("GITHUB_EVENT_NAME")
-    if event == "pull_request":
+    if event in ("pull_request", "pull_request_target"):
         logger.info(f"Detected pull request context: GITHUB_EVENT_NAME={event}")
         return "github_pr"

{cicaddy_github-0.3.0 → cicaddy_github-0.3.1}/tests/unit/test_detector.py RENAMED Viewed

@@ -17,6 +17,16 @@ class TestDetectGitHubAgentType:
             result = _detect_github_agent_type(settings)
         assert result == "github_pr"
+    def test_pull_request_target_event_returns_github_pr(self):
+        """GITHUB_EVENT_NAME=pull_request_target returns github_pr."""
+        from cicaddy_github.github_integration.detector import _detect_github_agent_type
+        settings = MagicMock()
+        settings.github_pr_number = None
+        with patch.dict(os.environ, {"GITHUB_EVENT_NAME": "pull_request_target"}):
+            result = _detect_github_agent_type(settings)
+        assert result == "github_pr"
     def test_push_event_returns_none(self):
         """GITHUB_EVENT_NAME=push returns None (falls through to TaskAgent)."""
         from cicaddy_github.github_integration.detector import _detect_github_agent_type