feat: ACNA-4515 add pr-reviewer workflow

[chsrimanaswi]

Description

Adds an AI-powered PR reviewer workflow that automatically reviews pull requests using Claude via AWS Bedrock. Triggers on PR open/reopen/synchronize and on /review or /pr-reviewer comments by admins or maintainers.

Related Issue

ACNA-4515

Motivation and Context

Reduces code review toil by providing automated first-pass reviews with inline suggestions. Part of a broader rollout across App Builder repos.

How Has This Been Tested?

Tested end-to-end in adobe/generator-aio-app — workflow triggers correctly on PR events and /review comments, posts inline suggestions and summary reviews via github-actions[bot].

Screenshots (if appropriate):

N/A

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have signed the Adobe Open Source CLA.
• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[github-actions]

🤖 PR Reviewer

The workflow is well-structured with a clear gate/review separation and good use of environment variables to avoid injection. There are a couple of minor security and robustness concerns worth addressing.

📝 3 suggestion(s) - Please review inline comments below.

---

💡 How to re-trigger

Comment /review or /pr-reviewer on this PR

[github-actions]

The gh api call for PR data is vulnerable to command injection if ISSUE_NUMBER is somehow tampered with. While it comes from github.event.issue.number (an integer), it's safer to quote it explicitly and validate it's numeric before use.

Suggested change

	DATA=$(gh api repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER)
	ISSUE_NUMBER_SAFE=$(echo "$ISSUE_NUMBER" | grep -E '^[0-9]+$' || { echo 'Invalid issue number'; exit 1; })
	DATA=$(gh api "repos/$GITHUB_REPOSITORY/pulls/$ISSUE_NUMBER_SAFE")

[github-actions]

The fork check only prevents direct PR events from forks, but issue_comment events on PRs from forks are still allowed through (since the comment is on the repo itself). This is actually the correct pattern for fork PRs triggered by trusted collaborators, but it should be explicitly documented so future maintainers don't accidentally weaken the permission check thinking it's redundant.

Suggested change

	(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) ||
	# NOTE: For fork PRs, only issue_comment from admin/maintain collaborators can trigger review.
	# The fork check on pull_request events prevents auto-triggering from untrusted forks.
	if: |
	(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) ||
	(github.event_name == 'issue_comment' && github.event.issue.pull_request != null &&
	(github.event.comment.body == '/review' || github.event.comment.body == '/pr-reviewer'))

[github-actions]

Pinning the reusable workflow to @main means any update to the upstream workflow (including breaking changes or security issues) will automatically affect this workflow. Consider pinning to a specific SHA or tag for production stability and supply chain security.

Suggested change

	uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@main
	uses: adobe/aio-reusable-workflows/.github/workflows/pr-review.yml@<specific-sha-or-tag>

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Proposed changes not required