[Enhancement](CI) Auto refresh AI Review credential #63431
### What problem does this PR solve?
Issue Number: close #xxx
Related PR: #xxx
Problem Summary: The OpenCode review runner previously constructed ~/.local/share/opencode/auth.json from repository secrets on every run. That kept OpenCode credential fields split across GitHub secrets and discarded any auth file refresh performed during a review. This change installs ossutil in the runner, downloads auth.json from oss://doris-community-ci/auth.json using the OSS_AK and OSS_SK secrets, and uploads the auth file back to the same OSS object after the review step completes.
### Release note
None
### Check List (For Author)
- Test: Manual test
- Uploaded the initial auth.json object to OSS from opencode-review.json
- Verified ossutil can download and upload oss://doris-community-ci/auth.json
- Parsed .github/workflows/opencode-review-runner.yml as YAML locally
- actionlint was not available in the local environment
- Behavior changed: Yes. The OpenCode review workflow now loads and persists auth.json through OSS instead of GitHub OpenAI credential secrets.
- Does this need documentation: No
### What problem does this PR solve?
Issue Number: close #xxx
Related PR: #xxx
Problem Summary: The OpenCode review command can emit terminal-colored error lines such as "Error: Token refresh failed" while still leaving ANSI escape sequences at the beginning of the last log line. The runner checked the raw line against ^Error:, so those colored failures were not recognized. Strip ANSI escape sequences from the final non-empty OpenCode log line before applying the existing failure checks.
### Release note
None
### Check List (For Author)
- Test: Manual test
- Parsed .github/workflows/opencode-review-runner.yml as YAML locally
- Verified a colored OpenCode error line is normalized and matched by the existing failure regex
- Behavior changed: Yes. The OpenCode review workflow now fails when OpenCode emits a colored terminal error line.
- Does this need documentation: No
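An added example, not the Doris workflow's own script, of the normalization the description above refers to: strip ANSI escape sequences from the OpenCode log and apply the existing `^Error:` check to the final non-empty line. The log content is constructed. It goes one step beyond the description by stripping the whole log before selecting the last non-empty line, so a trailing line that consists only of a colour reset no longer counts as the final line.

```shell
#!/bin/sh
# Added example (not the Doris workflow script): detect a coloured
# "Error: ..." line at the end of an OpenCode log. The logs below are constructed.

# Remove CSI sequences (ESC [ params intermediates final-byte) and carriage
# returns. The ESC byte is built with printf because POSIX sed has no \e or \x1b;
# LC_ALL=C keeps the bracket ranges byte-based.
strip_ansi() {
  esc=$(printf '\033')
  tr -d '\r' | LC_ALL=C sed "s#${esc}\[[0-9;?]*[ -/]*[@-~]##g"
}

# Final non-empty line of the log after normalization.
normalized_last_line() {
  strip_ansi < "$1" | grep -v '^[[:space:]]*$' | tail -n 1
}

# Exit 0 when the normalized last line matches the existing failure check.
opencode_failed() {
  normalized_last_line "$1" | grep -q '^Error:'
}

# The old behaviour: match the raw last line, which misses coloured errors
# because the line starts with an escape sequence rather than "Error:".
raw_check_failed() {
  tail -n 1 "$1" | grep -q '^Error:'
}

# Constructed sample logs: a bold red error followed by a reset-only line,
# and a green success line.
write_colored_failure_log() {
  printf 'Reviewing PR #123...\n\033[1;31mError: Token refresh failed\033[0m\n\033[0m\n' > "$1"
}
write_success_log() {
  printf 'Reviewing PR #123...\n\033[32mReview posted\033[0m\n' > "$1"
}

log=$(mktemp)
write_colored_failure_log "$log"
if opencode_failed "$log"; then
  echo "failure detected: $(normalized_last_line "$log")"
else
  echo "no failure detected"
fi
rm -f "$log"
```

In a workflow step this would replace a bare `tail -n 1 ... | grep '^Error:'`; the same sed expression can be piped over the full log if the runner also wants clean text in the PR comment.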
Thank you for your contribution to Apache Doris. Please clearly describe your PR:

/review

run buildall
I found one blocking workflow reliability issue in the new auth persistence path. The PR goal appears to be moving OpenCode auth to an OSS-backed shared auth file, persisting refreshed auth after review, and improving ANSI-stripped failure detection. The core review flow still works, but the new post-review persistence step can make a completed review job fail and leave the required code-review status pending.
Critical checkpoint conclusions:
- Goal mostly accomplished, but not safely for failure handling.
- Change is focused, but the persistence side effect needs to be non-blocking or reflected in status handling.
- No Doris FE/BE data correctness, transaction, storage-format, or memory-tracking concerns apply because this is only a GitHub Actions workflow.
- Concurrency/lifecycle risk is limited to shared OSS auth state, and transient OSS write failures currently affect unrelated PR review status.
- No new configuration items or compatibility paths in Doris runtime.
- Tests are not included, so validation appears to rely on workflow execution.
- Observability for review failures remains present, but persistence failures after review success do not get a PR failure comment.
User focus: no additional user-provided review focus was supplied.
### What problem does this PR solve?
Issue Number: close #xxx
Related PR: #xxx
Problem Summary: The OpenCode review runner uploads the auth file back to OSS after the review step completes. If that post-review upload has a transient OSS failure, the reusable workflow can fail even though the automated review already finished, which leaves the caller's code-review status pending and blocks unrelated PRs on a best-effort credential persistence side effect. Treat missing auth output and OSS upload failures as warnings in the persistence step so the review result remains authoritative.
### Release note
None
### Check List (For Author)
- Test: Manual test
- Parsed .github/workflows/opencode-review-runner.yml as YAML locally
- Verified the existing ANSI-colored OpenCode error normalization still detects colored Error lines
- Behavior changed: Yes. OSS auth persistence failures are now warnings instead of failing a completed review workflow.
- Does this need documentation: No
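An added example of the best-effort persistence step described above, not the Doris workflow's own script. The uploader is passed in as a command name: the `fake_*` functions are constructed stand-ins for the real ossutil upload, whose bucket and arguments live in the workflow. The `::warning::` lines use the GitHub Actions workflow-command syntax, so the job shows an annotation instead of a failed step. It also adds one check the description does not mention: an empty or non-JSON auth file is skipped rather than uploaded, so a broken run cannot overwrite the shared object that every other review job reads.

```shell
#!/bin/sh
# Added example (not the Doris workflow script): persist a refreshed auth file
# on a best-effort basis. The uploader is passed in; the fake_* functions are
# constructed stand-ins for the real ossutil command.

# Outcome of the last persist_auth call, for callers that want to log it.
PERSIST_OUTCOME=""

# Never returns non-zero: the review result stays authoritative. Problems are
# reported as GitHub Actions warning annotations (::warning::) instead.
persist_auth() {
  auth_file=$1
  uploader=$2

  if [ ! -s "$auth_file" ]; then
    PERSIST_OUTCOME=skipped-missing
    echo "::warning::auth file missing or empty at $auth_file; shared object left untouched"
    return 0
  fi

  # Added caveat: refuse to overwrite the shared credential with something
  # that is clearly not a JSON object (first non-blank character must be '{').
  first=$(tr -d '[:space:]' < "$auth_file" | cut -c1)
  if [ "$first" != "{" ]; then
    PERSIST_OUTCOME=skipped-invalid
    echo "::warning::auth file at $auth_file is not a JSON object; shared object left untouched"
    return 0
  fi

  if "$uploader" "$auth_file"; then
    PERSIST_OUTCOME=persisted
    echo "auth file persisted"
    return 0
  fi
  PERSIST_OUTCOME=upload-failed
  echo "::warning::auth file upload failed; review result is unaffected"
  return 0
}

# Constructed uploaders standing in for the OSS client.
fake_upload_ok() { return 0; }
fake_upload_fail() { echo "oss: transient error" >&2; return 1; }

f=$(mktemp)
printf '{"openai": {"type": "oauth", "refresh": "REDACTED"}}\n' > "$f"
persist_auth "$f" fake_upload_fail   # emits a warning, exit status is still 0
echo "outcome: $PERSIST_OUTCOME"
rm -f "$f"
```

The pre-review download is deliberately not wrapped this way: if the credential cannot be loaded, the review cannot run and the job should fail.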
/review

run buildall
Review completed for the workflow-only change.
No new inline issues found. I also checked the existing inline thread about post-review auth persistence failures; the current head now handles missing/failed OSS persistence as warnings, so I did not duplicate that thread.
Critical checkpoint conclusions:
- Goal and tests: The PR moves OpenCode auth loading/persistence to OSS and strips ANSI sequences before error matching. The workflow changes appear to accomplish that goal. Validation is manual/YAML parsing per the PR; I did not run the workflow end-to-end.
- Scope and clarity: The change is small and focused on .github/workflows/opencode-review-runner.yml.
- Concurrency/lifecycle: No in-process concurrency or lock lifecycle is introduced. Shared OSS auth object updates can still be a cross-run coordination point, but I did not identify a separate new actionable issue beyond the existing auth-persistence discussion.
- Configuration/compatibility: No Doris runtime config, storage format, FE/BE protocol, or rolling-upgrade compatibility concern applies.
- Parallel paths: The caller workflows still consume the reusable runner result as before; no other review runner path was found needing the same edit.
- Error handling/observability: The new upload path no longer fails the completed review on persistence errors, and the colored-error detection is improved. Pre-review OSS download/install failures still fail the workflow, which is consistent with auth being required before review can run.
- Test coverage: No automated CI test was added for the workflow script; residual risk is limited to GitHub Actions runtime behavior and OSS availability.
- User focus: No additional user-provided review focus was supplied.
The OpenAI OAuth authentication will expire but has the ability to refresh automatically. Therefore, we ensure the refresh by storing and accessing the credentials through OSS.