Files
pulumi-docker-build/.github/workflows/shared/review.md
Pulumi Bot f6b499a9d4 [rollout] Set up GH-AW and install shared PR review workflows (#794)
## Summary

This PR sets up GitHub Agentic Workflows (GH-AW) and installs shared PR
review workflows in `pulumi/pulumi-docker-build`.

### Commands Executed

- `gh-aw version` → `v0.56.2` (used as entrypoint)
- `gh-aw init` → ran (`.github/aw/` was not present)
- `gh-aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@main --name docker-build-pr-review --force`
- `gh-aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@main --name docker-build-pr-rereview --force`
- `gh-aw compile`
- `gh-aw validate`

### Configuration

| Property | Value |
|---|---|
| AW entrypoint | `gh-aw` (v0.56.2) |
| Target base branch | `main` |
| `prefix_stem` | `docker-build` |
| `gh-aw init` | Ran (was not previously initialized) |

### Changed Files

- `.gitattributes` — added `merge=ours` strategy for `.github/workflows/*.lock.yml`
- `.github/agents/agentic-workflows.agent.md` — created by `gh-aw init`
- `.github/workflows/copilot-setup-steps.yml` — generated dependency workflow
- `.github/workflows/docker-build-pr-review.md` — shared PR review workflow source
- `.github/workflows/docker-build-pr-review.lock.yml` — compiled lock file
- `.github/workflows/docker-build-pr-rereview.md` — shared PR re-review workflow source
- `.github/workflows/docker-build-pr-rereview.lock.yml` — compiled lock file
- `.github/workflows/shared/review.md` — imported shared workflow
- `.github/workflows/shared/plugins/code-review/code-review.md` — imported shared plugin

### Validation Output

**compile:**
```
⚠ Compiled 2 workflow(s): 0 error(s), 2 warning(s)
```

**validate:**
```
⚠ Compiled 2 workflow(s): 0 error(s), 2 warning(s)
```

### Validation Warnings

Both workflows produced the same non-blocking warning:
```
warning: This workflow grants id-token: write permission
OIDC tokens can authenticate to cloud providers (AWS, Azure, GCP).
Ensure proper audience validation and trust policies are configured.
```

These warnings are expected for the shared review workflows which use
OIDC for cloud authentication and are non-blocking.

---
Rollout triggered by
[provider-ops#41](https://github.com/pulumi/provider-ops/issues/41).

> Generated by [Generic Rollout Worker](https://github.com/pulumi/provider-ops/actions/runs/23014445857) · [◷](https://github.com/search?q=repo%3Apulumi%2Fpulumi-docker-build+%22gh-aw-workflow-id%3A+gh-aw-workflow-rollout-worker%22&type=pullrequests)

<!-- gh-aw-agentic-workflow: Generic Rollout Worker, engine: claude, id: 23014445857, workflow_id: gh-aw-workflow-rollout-worker, run: https://github.com/pulumi/provider-ops/actions/runs/23014445857 -->

<!-- gh-aw-workflow-id: gh-aw-workflow-rollout-worker -->

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 15:25:04 -04:00

3.1 KiB

```yaml
---
permissions:
  contents: read
  pull-requests: read
  id-token: write
engine:
  id: claude
  env:
    ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
steps:
  - id: esc-secrets
    name: Fetch secrets from ESC
    uses: pulumi/esc-action@9eb774255b
    env:
      ESC_ACTION_ENVIRONMENT: imports/github-secrets
      ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
      ESC_ACTION_OIDC_AUTH: true
      ESC_ACTION_OIDC_ORGANIZATION: pulumi
      ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
  - name: Validate ESC secret output
    env:
      ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
    run: test -n "$ANTHROPIC_API_KEY_FROM_ESC" || { echo "ESC did not return ANTHROPIC_API_KEY"; exit 1; }
tools:
  cache-memory: true
  github:
    lockdown: false
    toolsets:
      - pull_requests
      - repos
safe-outputs:
  create-pull-request-review-comment:
    max: 12
    side: RIGHT
    target: ${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}
    target-repo: ${{ github.repository }}
  submit-pull-request-review:
    max: 1
    target: ${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}
  noop:
    max: 1
  messages:
    footer: "> Reviewed by [{workflow_name}]({run_url})"
    run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
    run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
    run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
---
```

Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository ${{ github.repository }}.

Workflow-specific rules:

- Use ${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} as the authoritative PR target.
- Treat the imported review prompt as the source of the review procedure.
- Use only gh-aw safe outputs for side effects:
  - create-pull-request-review-comment for actionable inline findings on changed lines
  - submit-pull-request-review for the final review
  - noop when the PR is not reviewable or required context is missing
- Submit exactly one final review:
  - REQUEST_CHANGES when at least one blocking issue exists.
  - APPROVE otherwise, including when only non-blocking observations exist.
  - Do not submit COMMENT as the final review state.
- Do not post free-form issue comments outside safe outputs.
- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
- Ignore discovery steps intended for runs without PR context.
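As an added illustration (not gh-aw's own code), the following gate enforces the safe-outputs limits from the frontmatter and the final-review rules above over a batch of outputs an agent proposes. PR number 794 and the repository name are taken from this page in place of the runtime `${{ github.event.* }}` expressions, and the shape of an output record (`type`, `pr`, `repo`, `side`, `event`, `blocking`) is assumed.

```python
from collections import Counter

# Policy constructed from the safe-outputs frontmatter above. PR 794 and the repo name
# stand in for the runtime ${{ github.event.* }} expressions; record shape is assumed.
POLICY = {
    "create-pull-request-review-comment": {"max": 12, "side": "RIGHT", "target": 794,
                                           "target-repo": "pulumi/pulumi-docker-build"},
    "submit-pull-request-review": {"max": 1, "target": 794},
    "noop": {"max": 1},
}
FINAL_EVENTS = {"APPROVE", "REQUEST_CHANGES"}  # the prompt forbids COMMENT as final state

def validate_safe_outputs(outputs, policy=POLICY):
    """Return the policy violations in a batch of proposed outputs (empty list = accept)."""
    violations = []
    counts = Counter(o["type"] for o in outputs)
    for kind, n in counts.items():
        if kind not in policy:
            violations.append(f"{kind}: not an allowed safe output")
        elif n > policy[kind]["max"]:
            violations.append(f"{kind}: {n} proposed, max is {policy[kind]['max']}")
    # Exactly one terminal output: the final review, or noop when the PR is not reviewable.
    if counts["submit-pull-request-review"] + counts["noop"] != 1:
        violations.append("exactly one final review or noop is required")
    blocking = any(o.get("blocking") for o in outputs
                   if o["type"] == "create-pull-request-review-comment")
    for o in outputs:
        rule = policy.get(o["type"])
        if rule is None:
            continue
        if "target" in rule and o.get("pr") != rule["target"]:
            violations.append(f"{o['type']}: PR {o.get('pr')} is not the configured target")
        if "target-repo" in rule and o.get("repo") != rule["target-repo"]:
            violations.append(f"{o['type']}: repo {o.get('repo')} is not the target-repo")
        if "side" in rule and o.get("side") != rule["side"]:
            violations.append(f"{o['type']}: side must be {rule['side']}")
        if o["type"] == "submit-pull-request-review":
            if o.get("event") not in FINAL_EVENTS:
                violations.append(f"final review event {o.get('event')!r} is not allowed")
            elif blocking != (o["event"] == "REQUEST_CHANGES"):
                violations.append("final review state does not match the blocking findings")
    return violations

# Constructed sample batch: one blocking inline finding plus the matching final review.
GOOD = [
    {"type": "create-pull-request-review-comment", "pr": 794, "side": "RIGHT",
     "repo": "pulumi/pulumi-docker-build", "blocking": True},
    {"type": "submit-pull-request-review", "pr": 794, "event": "REQUEST_CHANGES"},
]
```

Running `validate_safe_outputs(GOOD)` returns an empty list; a batch with thirteen inline comments, a `COMMENT` final review, a wrong PR number, or an APPROVE alongside a blocking finding is rejected with a named violation.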