cicaddy-github 0.3.0__tar.gz → 0.3.2__tar.gz

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/.claude/skills/cicaddy-action/SKILL.md

@@ -219,15 +219,19 @@ context: |
 
 ## Workflow Usage
 
+The PR review workflow uses `pull_request_target` so secrets are available for
+fork PRs. Internal PRs run automatically; fork PRs require a maintainer to add
+the `safe-to-review` label. The label is auto-removed on new pushes to prevent
+TOCTOU bypasses.
+
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.3.2
   with:
     ai_provider: gemini
     ai_model: gemini-3-flash-preview
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
-    github_token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ## Running Locally

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/.github/workflows/pr-review.yml

@@ -1,16 +1,35 @@
 name: AI PR Review
 
 on:
-  pull_request:
-    types: [opened, synchronize]
+  pull_request_target:
+    types: [opened, synchronize, labeled]
 
 permissions:
   contents: read
   pull-requests: write
 
 jobs:
+  remove-label-on-push:
+    if: >-
+      github.event.action == 'synchronize' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      contains(github.event.pull_request.labels.*.name, 'safe-to-review')
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Remove safe-to-review label on new push from fork
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr edit "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --remove-label "safe-to-review"
+
   review:
-    if: ${{ github.actor != 'dependabot[bot]' }}
+    if: >-
+      github.actor != 'dependabot[bot]' &&
+      (
+        (github.event.pull_request.head.repo.full_name == github.repository && github.event.action != 'labeled') ||
+        (github.event.action == 'labeled' && github.event.label.name == 'safe-to-review')
+      )
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -38,7 +57,6 @@ jobs:
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           mcp_servers_config: ${{ steps.mcp.outputs.config }}
         env:
           ANALYSIS_FOCUS: "general"

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/CLAUDE.md

@@ -27,5 +27,15 @@ GitHub Action that wraps cicaddy for running AI agent tasks in GitHub Actions wo
 - Test files in `tests/unit/`
 - Fixtures in `tests/conftest.py`
 
+## Release Checklist
+- **Bump `version` in `pyproject.toml` BEFORE tagging** — the release workflow builds from the checked-out source, so the `pyproject.toml` version must match the git tag. If the version doesn't match, PyPI will reject the upload (either as a duplicate or a mismatch).
+- When bumping the version for a release, also update all `cicaddy-action@vX.Y.Z` version references in `README.md` and `.claude/skills/cicaddy-action/SKILL.md` to match the new version.
+
+## PR Review Workflow Security
+- The PR review workflow uses `pull_request_target` so secrets are available for fork PRs.
+- Internal PRs (same repo) run automatically; fork PRs require the `safe-to-review` label.
+- The label is auto-removed on `synchronize` (new pushes from forks) to prevent TOCTOU bypasses.
+- The workflow never checks out or executes untrusted PR code — cicaddy fetches the diff via the GitHub API.
+
 ## Reference Repos
 - [cicaddy core](https://github.com/waynesun09/cicaddy)

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/Dockerfile

@@ -11,6 +11,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends git && \
 
 COPY pyproject.toml README.md LICENSE ./
 COPY src ./src
+COPY tasks ./tasks
 COPY entrypoint.sh ./
 
 RUN uv pip install --system --no-cache . && \

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.3.0
+Version: 0.3.2
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
@@ -9,7 +9,7 @@ Author: Wayne Sun
 License: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
-Requires-Dist: cicaddy==0.3.0
+Requires-Dist: cicaddy>=0.3.0
 Requires-Dist: detect-secrets>=1.4.0
 Requires-Dist: pygithub>=2.1.0
 Provides-Extra: test
@@ -32,59 +32,63 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 
 ## Quick Start
 
-### Changelog Report on Release
+### AI PR Review
+
+This example uses the `pull_request` trigger, which works for in-repo PRs
+(branches pushed to the same repository). For fork PR support, see
+`.github/workflows/pr-review.yml` which uses `pull_request_target` with
+a `safe-to-review` label gate.
 
 ```yaml
-name: Generate Changelog
+name: PR Review
 
 on:
-  release:
-    types: [published]
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  pull-requests: write
 
 jobs:
-  changelog:
+  review:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.2
         with:
           ai_provider: gemini
-          ai_model: gemini-2.5-flash
+          ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/changelog_report.yml
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
 ```
 
-### AI PR Review
+### Changelog Report on Release
 
 ```yaml
-name: PR Review
+name: Generate Changelog
 
 on:
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  pull-requests: write
+  release:
+    types: [published]
 
 jobs:
-  review:
+  changelog:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.2
         with:
           ai_provider: gemini
           ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          task_file: tasks/changelog_report.yml
 ```
 
 ## Inputs

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/README.md

@@ -12,59 +12,63 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 
 ## Quick Start
 
-### Changelog Report on Release
+### AI PR Review
+
+This example uses the `pull_request` trigger, which works for in-repo PRs
+(branches pushed to the same repository). For fork PR support, see
+`.github/workflows/pr-review.yml` which uses `pull_request_target` with
+a `safe-to-review` label gate.
 
 ```yaml
-name: Generate Changelog
+name: PR Review
 
 on:
-  release:
-    types: [published]
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  pull-requests: write
 
 jobs:
-  changelog:
+  review:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.2
         with:
           ai_provider: gemini
-          ai_model: gemini-2.5-flash
+          ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/changelog_report.yml
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
 ```
 
-### AI PR Review
+### Changelog Report on Release
 
 ```yaml
-name: PR Review
+name: Generate Changelog
 
 on:
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  pull-requests: write
+  release:
+    types: [published]
 
 jobs:
-  review:
+  changelog:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - uses: redhat-community-ai-tools/cicaddy-action@v0
+      - uses: redhat-community-ai-tools/cicaddy-action@v0.3.2
         with:
           ai_provider: gemini
           ai_model: gemini-3-flash-preview
           ai_api_key: ${{ secrets.AI_API_KEY }}
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          task_file: tasks/changelog_report.yml
 ```
 
 ## Inputs

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/entrypoint.sh

@@ -36,7 +36,15 @@ _to_abs() {
 }
 
 if [[ -n "${INPUT_TASK_FILE}" ]]; then
-  export AI_TASK_FILE="$(_to_abs "${INPUT_TASK_FILE}")"
+  _ws_path="$(_to_abs "${INPUT_TASK_FILE}")"
+  if [[ -f "${_ws_path}" ]]; then
+    export AI_TASK_FILE="${_ws_path}"
+  elif [[ -f "/app/${INPUT_TASK_FILE}" ]]; then
+    # Fall back to bundled task files shipped with the action
+    export AI_TASK_FILE="/app/${INPUT_TASK_FILE}"
+  else
+    export AI_TASK_FILE="${_ws_path}"
+  fi
 fi
 export AI_TASK_PROMPT="${INPUT_TASK_PROMPT}"
 if [[ -n "${INPUT_REPORT_TEMPLATE}" ]]; then
@@ -50,6 +58,13 @@ export POST_PR_COMMENT="${INPUT_POST_PR_COMMENT:-false}"
 # Extract PR number from GITHUB_REF (e.g. refs/pull/123/merge -> 123)
 if [[ "${GITHUB_REF}" =~ ^refs/pull/([0-9]+)/ ]]; then
   export GITHUB_PR_NUMBER="${BASH_REMATCH[1]}"
+elif [[ -n "${GITHUB_EVENT_PATH}" && -f "${GITHUB_EVENT_PATH}" ]]; then
+  # For pull_request_target, GITHUB_REF is the base branch, not refs/pull/N/merge.
+  # Extract PR number from the event payload JSON instead.
+  PR_NUM=$(python3 -c "import json,sys; e=json.load(open(sys.argv[1])); print(e.get('pull_request',{}).get('number',''))" "${GITHUB_EVENT_PATH}" 2>/dev/null || true)
+  if [[ -n "${PR_NUM}" ]]; then
+    export GITHUB_PR_NUMBER="${PR_NUM}"
+  fi
 fi
 
 # Enable local tools (git operations) and set working directory

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/pyproject.toml

@@ -4,14 +4,14 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cicaddy-github"
-version = "0.3.0"
+version = "0.3.2"
 description = "GitHub Actions plugin for cicaddy AI agent framework"
 readme = "README.md"
 requires-python = ">=3.11"
 license = {text = "Apache-2.0"}
 authors = [{name = "Wayne Sun"}]
 dependencies = [
-    "cicaddy==0.3.0",
+    "cicaddy>=0.3.0",
     "PyGithub>=2.1.0",
     "detect-secrets>=1.4.0",
 ]

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/src/cicaddy_github/github_integration/detector.py

@@ -10,7 +10,7 @@ logger = get_logger(__name__)
 def _detect_github_agent_type(settings) -> str | None:
     """Detect GitHub-specific agent types from Actions environment variables."""
     event = os.getenv("GITHUB_EVENT_NAME")
-    if event == "pull_request":
+    if event in ("pull_request", "pull_request_target"):
         logger.info(f"Detected pull request context: GITHUB_EVENT_NAME={event}")
         return "github_pr"
 

{cicaddy_github-0.3.0 → cicaddy_github-0.3.2}/tests/unit/test_detector.py

@@ -17,6 +17,16 @@ class TestDetectGitHubAgentType:
             result = _detect_github_agent_type(settings)
         assert result == "github_pr"
 
+    def test_pull_request_target_event_returns_github_pr(self):
+        """GITHUB_EVENT_NAME=pull_request_target returns github_pr."""
+        from cicaddy_github.github_integration.detector import _detect_github_agent_type
+
+        settings = MagicMock()
+        settings.github_pr_number = None
+        with patch.dict(os.environ, {"GITHUB_EVENT_NAME": "pull_request_target"}):
+            result = _detect_github_agent_type(settings)
+        assert result == "github_pr"
+
     def test_push_event_returns_none(self):
         """GITHUB_EVENT_NAME=push returns None (falls through to TaskAgent)."""
         from cicaddy_github.github_integration.detector import _detect_github_agent_type