support azure devops webhook

[yochail]

User description

• add support for azuredevops server webhook, for new pr + comment witth command
• add docker image for server
• small edge case fix for llm output
• relevant docs and configs

---

Type

enhancement, documentation

---

Description

• Implemented Azure DevOps Server webhook server to handle "Pull request created" and "Pull request commented on" events.
• Added functionality to truncate PR descriptions exceeding 4000 characters for Azure DevOps.
• Enhanced YAML loading functionality in the utility module.
• Documented the setup and security configuration for Azure DevOps webhooks, including basic authentication.
• Updated the secrets template to include Azure DevOps Server webhook credentials.

---

Changes walkthrough

	Relevant files
Enhancement	utils.py Enhance YAML Loading Functionality                                              pr_agent/algo/utils.py Adjusted YAML loading to strip trailing colon and newline characters. +1/-1      azuredevops_provider.py Truncate Azure DevOps PR Descriptions Exceeding Character Limit pr_agent/git_providers/azuredevops_provider.py Added a check to truncate PR descriptions exceeding 4000 characters for Azure DevOps. Included logging for when PR description length exceeds the limit. +6/-0      azuredevops_server_webhook.py Implement Azure DevOps Server Webhook Server                          pr_agent/servers/azuredevops_server_webhook.py Introduced Azure DevOps Server webhook server implementation. Added support for "Pull request created" and "Pull request commented on" events. Implemented basic authentication validation for incoming webhook requests. +110/-0
Documentation	Usage.md Document Azure DevOps Webhook Setup and Security                  Usage.md Documented how to set up Azure DevOps webhooks for triggering reviews and handling commands. Added instructions for configuring webhook security using basic authentication. +13/-0
Configuration changes	.secrets_template.toml Add Azure DevOps Server Webhook Credentials to Secrets Template pr_agent/settings/.secrets_template.toml Added template entries for Azure DevOps Server webhook username and password. +6/-0

---

✨ Usage guide:

---

Overview:
The describe tool scans the PR code changes, and generates a description for the PR - title, type, summary, walkthrough and labels. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on a PR.

When commenting, to edit configurations related to the describe tool (pr_description section), use the following template:

/describe --pr_description.some_config1=... --pr_description.some_config2=...

With a configuration file, use the following template:

[pr_description]
some_config1=...
some_config2=...

Enabling\disabling automation When you first install the app, the default mode for the describe tool is: pr_commands = ["/describe --pr_description.add_original_user_description=true" "--pr_description.keep_original_user_title=true", ...] meaning the describe tool will run automatically on every PR, will keep the original title, and will add the original user description above the generated description. Markers are an alternative way to control the generated description, to give maximal control to the user. If you set: pr_commands = ["/describe --pr_description.use_description_markers=true", ...] the tool will replace every marker of the form pr_agent:marker_name in the PR description with the relevant content, where marker_name is one of the following: type: the PR type. summary: the PR summary. walkthrough: the PR walkthrough. Note that when markers are enabled, if the original PR description does not contain any markers, the tool will not alter the description at all.

Custom labels The default labels of the describe tool are quite generic: [Bug fix, Tests, Enhancement, Documentation, Other]. If you specify custom labels in the repo's labels page or via configuration file, you can get tailored labels for your use cases. Examples for custom labels: Main topic:performance - pr_agent:The main topic of this PR is performance New endpoint - pr_agent:A new endpoint was added in this PR SQL query - pr_agent:A new SQL query was added in this PR Dockerfile changes - pr_agent:The PR contains changes in the Dockerfile ... The list above is eclectic, and aims to give an idea of different possibilities. Define custom labels that are relevant for your repo and use cases. Note that Labels are not mutually exclusive, so you can add multiple label categories. Make sure to provide proper title, and a detailed and well-phrased description for each label, so the tool will know when to suggest it.

Inline File Walkthrough 💎 For enhanced user experience, the describe tool can add file summaries directly to the "Files changed" tab in the PR page. This will enable you to quickly understand the changes in each file, while reviewing the code changes (diffs). To enable inline file summary, set pr_description.inline_file_summary in the configuration file, possible values are: 'table': File changes walkthrough table will be displayed on the top of the "Files changed" tab, in addition to the "Conversation" tab. true: A collapsable file comment with changes title and a changes summary for each file in the PR. false (default): File changes walkthrough will be added only to the "Conversation" tab.

Utilizing extra instructions The describe tool can be configured with extra instructions, to guide the model to a feedback tailored to the needs of your project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Notice that the general structure of the description is fixed, and cannot be changed. Extra instructions can change the content or style of each sub-section of the PR description. Examples for extra instructions: [pr_description] extra_instructions=""" - The PR title should be in the format: '<PR type>: <title>' - The title should be short and concise (up to 10 words) - ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the describe usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

PR Description updated to latest commit (86d4a31)

• Copy walkthrough table to "Files Changed" Tab

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

PR Review

PR feedback
⏱️ Estimated effort to review [1-5]	4, because the PR introduces a significant amount of new functionality, including integration with Azure DevOps webhooks, changes to the YAML loading functionality, and the addition of a new Docker image. The complexity of these changes, especially the webhook handling and authentication, requires careful review to ensure correctness and security.
🧪 Relevant tests	No
🔍 Possible issues	The PR description truncation in azuredevops_provider.py does not account for potential loss of important information. Consider adding a mechanism to notify the user about the truncation. In azuredevops_server_webhook.py, there's no explicit handling for potential exceptions from the PRAgent().handle_request method, which could lead to unhandled exceptions if the request processing fails. The use of basic authentication in webhooks (validate_basic_auth function) is correctly implemented but consider documenting the security implications or recommending the use of secure connections (HTTPS) to protect credentials in transit.
🔒 Security concerns	Yes, because the PR introduces basic authentication for the Azure DevOps webhook, which could expose credentials if not transmitted over a secure channel. Ensure that the webhook endpoint is only accessible over HTTPS to mitigate the risk of credential interception.

---

✨ Usage guide:

---

Overview:
The review tool scans the PR code changes, and generates a PR review. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.
When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:

/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

With a configuration file, use the following template:

[pr_reviewer]
some_config1=...
some_config2=...

Utilizing extra instructions The review tool can be configured with extra instructions, which can be used to guide the model to a feedback tailored to the needs of your project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify the relevant sub-tool, and the relevant aspects of the PR that you want to emphasize. Examples for extra instructions: [pr_reviewer] # /review # extra_instructions=""" In the 'possible issues' section, emphasize the following: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

How to enable\disable automation When you first install PR-Agent app, the default mode for the review tool is: pr_commands = ["/review", ...] meaning the review tool will run automatically on every PR, with the default configuration. Edit this field to enable/disable the tool, or to change the used configurations

Auto-labels The review tool can auto-generate two specific types of labels for a PR: a possible security issue label, that detects possible security issues (enable_review_labels_security flag) a Review effort [1-5]: x label, where x is the estimated effort to review the PR (enable_review_labels_effort flag)

Extra sub-tools The review tool provides a collection of possible feedbacks about a PR. It is recommended to review the possible options, and choose the ones relevant for your use case. Some of the feature that are disabled by default are quite useful, and should be considered for enabling. For example: require_score_review, require_soc2_ticket, and more.

Auto-approve PRs By invoking: /review auto_approve The tool will automatically approve the PR, and add a comment with the approval. To ensure safety, the auto-approval feature is disabled by default. To enable auto-approval, you need to actively set in a pre-defined configuration file the following: [pr_reviewer] enable_auto_approval = true (this specific flag cannot be set with a command line argument, only in the configuration file, committed to the repository) You can also enable auto-approval only if the PR meets certain requirements, such as that the estimated_review_effort is equal or below a certain threshold, by adjusting the flag: [pr_reviewer] maximal_review_effort = 5

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the review usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-pro]

PR Code Suggestions

	Suggestions
enhancement	Use str.strip() for cleaner and more efficient string trimming.  Consider using str.strip() instead of chaining str.rstrip() calls for removing specific characters from both ends of the string. This makes the code cleaner and more efficient. pr_agent/algo/utils.py [323] -response_text = response_text.removeprefix('```yaml').rstrip('`').rstrip(':\n') +response_text = response_text.removeprefix('```yaml').strip('`:\n')
maintainability	Correct a typo in the constant name for clarity.                              Correct the typo in the constant name from MEX_PR_DESCRIPTION_LENGTH to MAX_PR_DESCRIPTION_LENGTH to accurately reflect its purpose. pr_agent/git_providers/azuredevops_provider.py [13] -MEX_PR_DESCRIPTION_LENGTH = 4000-1 +MAX_PR_DESCRIPTION_LENGTH = 4000-1
best practice	Use jsonable_encoder for consistent JSON response encoding.      Use jsonable_encoder directly in the JSONResponse content argument to ensure proper JSON encoding of the response message. pr_agent/servers/azuredevops_server_webhook.py [49] -content=json.dumps({"message": "unauthorized"}) +content=jsonable_encoder({"message": "unauthorized"})
security	Use FastAPI's dependency injection for basic authentication.                  Instead of manually decoding the Authorization header, use FastAPI's dependency injection system to handle basic authentication more securely and cleanly. pr_agent/servers/azuredevops_server_webhook.py [100-102] -decoded_auth = base64.b64decode(auth.split(" ")[1]).decode() -username, password = decoded_auth.split(":") +from fastapi.security import HTTPBasic, HTTPBasicCredentials +security = HTTPBasic() +credentials: HTTPBasicCredentials = Depends(security) +username = credentials.username +password = credentials.password Add error handling for malformed Authorization headers.                       Add error handling for the case where the Authorization header does not contain a colon, to prevent ValueError from being raised when splitting the decoded auth string. pr_agent/servers/azuredevops_server_webhook.py [101] -username, password = decoded_auth.split(":") +try: + username, password = decoded_auth.split(":") +except ValueError: + return False

---

✨ Usage guide:

---

Overview:
The improve tool scans the PR code changes, and automatically generates suggestions for improving the PR code. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on a PR.
When commenting, to edit configurations related to the improve tool (pr_code_suggestions section), use the following template:

/improve --pr_code_suggestions.some_config1=... --pr_code_suggestions.some_config2=...

With a configuration file, use the following template:

[pr_code_suggestions]
some_config1=...
some_config2=...

Enabling\disabling automation When you first install the app, the default mode for the improve tool is: pr_commands = ["/improve --pr_code_suggestions.summarize=true", ...] meaning the improve tool will run automatically on every PR, with summarization enabled. Delete this line to disable the tool from running automatically.

Utilizing extra instructions Extra instructions are very important for the improve tool, since they enable to guide the model to suggestions that are more relevant to the specific needs of the project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify relevant aspects that you want the model to focus on. Examples for extra instructions: [pr_code_suggestions] # /improve # extra_instructions=""" Emphasize the following aspects: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

A note on code suggestions quality While the current AI for code is getting better and better (GPT-4), it's not flawless. Not all the suggestions will be perfect, and a user should not accept all of them automatically. Suggestions are not meant to be simplistic. Instead, they aim to give deep feedback and raise questions, ideas and thoughts to the user, who can then use his judgment, experience, and understanding of the code base. Recommended to use the 'extra_instructions' field to guide the model to suggestions that are more relevant to the specific needs of the project, or use the custom suggestions 💎 tool With large PRs, best quality will be obtained by using 'improve --extended' mode.

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the improve usage page for a more comprehensive guide on using this tool.

[yochail]

relevant comments fixed

[mrT23]

thanks @yochail

Thats a very nice PR, for important content.
It will take us ~2-3 days to review and QA it.

[mrT23]

this is far from optimal mechansim

when you clip an HTML table in the middle, the entire rendering can go bad.
much better logic:

if too long:

• remove entire usage guide
  if still too long:
• remove entire walkthrough table
  if still too long:
• brute force trunctation

[yochail]

i see there is plenty of configurable options to change the description (e.g remove the usage guide), so writing this logic will complicate the generic flow.
what i can do instead is just if size >= configurable limit than force description as comment. what do you think? i can do it only for azure devops or for in the PRDescription donctroller

[mrT23]

the defaults are used 99.9% of the time.
and even if changed, than no harm done because there is the fallback.
the current logic is flawed - it will generate bad rendering almost always.

the revised logic should be:

if too long:

remove entire usage guide
if still too long:
remove entire walkthrough table
if still too long:
brute force truncation

[mrT23]

this is an inferior logic.

the logic of github_app.py is much better and richer, and enables any command to run

[yochail]

here it allows any logic using comment command /, these run only the auto commands on PR creation

[mrT23]

should be fixed to github_app.py logic, which enable any command on startup

[mrT23]

Hi @yochail
i gave some notes, but my main issue is that I tried and couldn't run this webhook, since I am continually getting
"POST / HTTP/1.1" 401 Unauthorized"

once I change the line
@router.post("/", dependencies=[Depends(authorize)])
to
@router.post("/")
I am able to catch the webhook

what enables you to do authorization ? there are not a lot of options in the webhook menu.
the README just says:

"For webhook security, configure the webhook username and password on both the server and Azure DevOps webhook."

[yochail]

@mrT23 the idea is to configure the same username/password pair on the ADO webhook and in the webhook server config. ill try to make the docs more clear about that

[mrT23]

@mrT23 the idea is to configure the same username/password pair on the ADO webhook and in the webhook server config. ill try to make the docs more clear about that

I get that. currently I did not receive any headers from the weboohk, and this line just crashes.
byt maybe its because the 'smee'. i will try something else tomorrow. i want to make sure everyone can use this authentication

[yochail]

on ADO webhook trigger history you can make sure the header was sent.
I was also abel to trigger this locally with ngrock endpoint and test the headers in the debuger

[mrT23]

Yeah, ngrock worked better for me

so, the action items for this PR are:

1. revise the truncation mechanism
2. use the better parsing mechanism, similar to github_app.py

@yochail
if you feel these tasks are overwhelming for you, I can take them. But it's a must for merging this.

[yochail]

the truncation mechanism is unrelated to this pr, so ill remove it and create it later in other PR, i'll handle the other one in this PR

[yochail]

@mrT23 I looked at github_app.py and the webhook structere and the available events are different, with many provider specific patches, so i'm not sure what part of the logic you want and is missing here. currently the logic here is simple(similar to the bitbucket_app):
in case of PR creation event: run auto commands
in case of PR comment event: check if the comment is a legal command, if it is run it
other event types like pr updaet are not supported

[mrT23]

Hi @yochail
please review #667

i started from your PR, and added the following things:

• proper treatment of auto commands, similar to github_app
  https://github.com/Codium-ai/pr-agent/blob/main/Usage.md#github-app-automatic-tools
• proper clipping of the 'describe' command (its a must, since just the usage-guide is above 4000 tokens)
• fixed the apply_repo_settings, which wasn't working before
• added edit_command, so the waitbar is properly removed
• fixed diff_files bug

it brings ADO to a state where the three major commands work well, and the webhook system is viable.

Some minor issues remain (the +- lines are not calculated correctly), but I will leave it for a future PR.

please review #667. You can merge it to your PR, and I will merge yours to main.
If you prefer not to, I will merge #667 directly

thanks for the effort. i think its a tremendous progress towards full ADO support in PR-Agent

[yochail]

you can merge it directly, thanks :)

[mrT23]

PR Review

(Review updated until commit b402bd5)

⏱️ Estimated effort to review [1-5]	4, because the PR involves multiple enhancements including adding support for Azure DevOps webhook, updating documentation, and adding Docker support. The complexity of integrating a new service like Azure DevOps and ensuring security and functionality across different components (webhook handling, authentication, etc.) requires a thorough review. Additionally, the changes span across multiple files and include both backend logic and configuration updates.
🧪 Relevant tests	No
🔍 Possible issues	Security concern: The use of basic authentication for the Azure DevOps webhook could expose credentials if not properly secured. The recommendation to use HTTPS is correct, but ensuring this setup in all environments is crucial.
	Bug: The PR description mentions support for truncating PR descriptions exceeding 4000 characters for Azure DevOps, but this change was reverted. If this functionality is necessary, it needs to be re-implemented.
	Code smell: Hardcoded event types and version checks in azuredevops_server_webhook.py could make future updates or additions of new event types cumbersome.
🔒 Security concerns	Basic authentication usage: The PR introduces basic authentication for securing the Azure DevOps webhook. While the PR recommends using HTTPS to secure credentials, there's an inherent risk in transmitting credentials in this manner. It's important to ensure that all deployments are configured to use HTTPS to mitigate the risk of credential interception.

Code feedback:

---

relevant file	pr_agent/algo/utils.py
suggestion	Consider adding more specific error handling for YAML parsing in load_yaml. Currently, any exception is caught and logged, but it might be beneficial to handle specific YAML parsing errors differently or provide more detailed logs for troubleshooting. [important]
relevant line	except Exception as e:

---

relevant file	pr_agent/servers/azuredevops_server_webhook.py
suggestion	For improved security and future flexibility, consider implementing a more secure authentication method than basic auth, such as OAuth or personal access tokens, especially if the webhook will handle sensitive data or operations. [important]
relevant line	security = HTTPBasic()

---

relevant file	pr_agent/servers/azuredevops_server_webhook.py
suggestion	Refactor the handling of different event types and actions to a more scalable approach, such as using a mapping or factory pattern. This can make adding support for new event types easier and the code more maintainable. [medium]
relevant line	if data["eventType"] == "git.pullrequest.created":

---

relevant file	pr_agent/settings/.secrets_template.toml
suggestion	Ensure that there is clear documentation or comments in the .secrets_template.toml file explaining how to securely generate and store the webhook_username and webhook_password for Azure DevOps Server webhooks. This can help prevent insecure configurations. [medium]
relevant line	# webhook_password = ""

---

---

✨ Review tool usage guide:

---

Overview:
The review tool scans the PR code changes, and generates a PR review. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.
When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:

/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

With a configuration file, use the following template:

[pr_reviewer]
some_config1=...
some_config2=...

Utilizing extra instructions The review tool can be configured with extra instructions, which can be used to guide the model to a feedback tailored to the needs of your project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify the relevant sub-tool, and the relevant aspects of the PR that you want to emphasize. Examples for extra instructions: [pr_reviewer] # /review # extra_instructions=""" In the 'possible issues' section, emphasize the following: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

How to enable\disable automation When you first install PR-Agent app, the default mode for the review tool is: pr_commands = ["/review", ...] meaning the review tool will run automatically on every PR, with the default configuration. Edit this field to enable/disable the tool, or to change the used configurations

Auto-labels The review tool can auto-generate two specific types of labels for a PR: a possible security issue label, that detects possible security issues (enable_review_labels_security flag) a Review effort [1-5]: x label, where x is the estimated effort to review the PR (enable_review_labels_effort flag)

Extra sub-tools The review tool provides a collection of possible feedbacks about a PR. It is recommended to review the possible options, and choose the ones relevant for your use case. Some of the feature that are disabled by default are quite useful, and should be considered for enabling. For example: require_score_review, require_soc2_ticket, and more.

Auto-approve PRs By invoking: /review auto_approve The tool will automatically approve the PR, and add a comment with the approval. To ensure safety, the auto-approval feature is disabled by default. To enable auto-approval, you need to actively set in a pre-defined configuration file the following: [pr_reviewer] enable_auto_approval = true (this specific flag cannot be set with a command line argument, only in the configuration file, committed to the repository) You can also enable auto-approval only if the PR meets certain requirements, such as that the estimated_review_effort is equal or below a certain threshold, by adjusting the flag: [pr_reviewer] maximal_review_effort = 5

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the review usage page for a comprehensive guide on using this tool.

[mrT23]

Persistent review updated to latest commit b402bd5