feat: add GitHub Action for automated PR review via AgentCore Harness by jesseturner21 · Pull Request #934 · aws/agentcore-cli

jesseturner21 · 2026-04-23T16:25:58Z

Summary

Adds a GitHub Action workflow that automatically reviews PRs using Bedrock AgentCore Harness
The harness runs an AI agent in an isolated microVM with gh, git, and pre-cloned repos that fetches PR diffs, reads code context, and posts review comments directly on GitHub
Triggers on PR open/reopen for agentcore-cli-devs team members, with manual workflow_dispatch for any PR
Adds/removes ai-reviewing label during review
Authenticates via GitHub OIDC to assume an AWS role for harness invocation
Uses raw HTTP with SigV4 signing to invoke the harness — no custom boto3 service model needed
Pretty log output with collapsible tool call groups, ANSI colors, and per-tool timing
Reads existing PR comments before reviewing to avoid duplicate feedback

Files added

File	Purpose
`.github/workflows/pr-ai-review.yml`	Main workflow (triggers, auth, setup, invoke)
`.github/scripts/python/harness_review.py`	Harness invocation via raw HTTP + SigV4, stream display
`.github/scripts/prompts/system.md`	System prompt (workspace context for the agent)
`.github/scripts/prompts/review.md`	Review prompt template (instructions for the agent)

Required secrets

HARNESS_AWS_ROLE_ARN — IAM role ARN for GitHub OIDC
HARNESS_ARN — Full ARN of the Bedrock AgentCore harness

Test plan

Tested end-to-end on jesseturner21/agentcore-cli fork
Verified OIDC authentication works
Verified harness invocation and PR comment posting
Verified team membership check (skips for non-members)
Verified ai-reviewing label add/remove
Verified duplicate comment prevention
Verified workflow_dispatch with custom PR URL
Verified raw HTTP + SigV4 invocation (no service model)

Adds a workflow that reviews PRs using Bedrock AgentCore Harness. The harness runs an AI agent in an isolated microVM with gh, git, and pre-cloned repos that fetches PR diffs and posts review comments. Workflow: - Triggers on PR open/reopen for agentcore-cli-devs team members - Supports manual workflow_dispatch for any PR URL - Adds/removes ai-reviewing label during review - Authenticates via GitHub OIDC to assume AWS role Files: - .github/workflows/pr-ai-review.yml — main workflow - .github/scripts/python/harness_review.py — harness invocation script - .github/scripts/python/harness_config.py — config from env vars - .github/scripts/models/ — local boto3 service model (InvokeHarness not yet in standard boto3) Required secrets: - HARNESS_AWS_ROLE_ARN — IAM role ARN for OIDC - HARNESS_ACCOUNT_ID — AWS account ID - HARNESS_ID — Harness ID

Eliminates the 220KB bundled service model by using direct HTTP requests with SigV4 authentication to invoke the harness endpoint. No extra dependencies needed — urllib3, SigV4Auth, and EventStreamBuffer are all part of botocore/boto3. Rejected: invoke_agent_runtime API | server rejects harness ARNs with ResourceNotFoundException Confidence: high Scope-risk: moderate

Remove separate harness_config.py — env vars are read directly in harness_review.py. One less file to maintain, config is still driven entirely by environment variables set in the GitHub workflow.

- Replace HARNESS_ACCOUNT_ID + HARNESS_ID with single HARNESS_ARN env var - Extract prompts into separate .md files in .github/scripts/prompts/ - Extract stream parsing into print_stream() function - Add close_group() helper to deduplicate ::group:: bookkeeping

Extract parse_events() generator to handle binary stream decoding, keeping print_stream() focused on formatting and log groups.

Eliminates HARNESS_REGION env var — the region is extracted from the ARN directly, so there's no risk of a mismatch causing confusing SigV4 auth errors.

Split into authorize + ai-review jobs. The ai-review job only runs if the PR author is authorized (team member or write access) or if triggered via workflow_dispatch. Removes repeated if conditions from every step.

Hweinstock

Very excited for this! I like how you extracted out the prompts because I think we can iterate on this over time.

Hweinstock · 2026-04-23T21:21:39Z

it looks like formatting doesn't like how you wrote the markdown. Maybe we can skip link checks on these?

Checking formatting...
[warn] .github/scripts/prompts/review.md
[warn] .github/scripts/prompts/system.md
[warn] Code style issues found in 2 files. Run Prettier with --write to fix.

Prompt markdown files use intentional formatting that prettier would reflow, breaking the prompt structure.

Hweinstock

Excited to try this!

jesseturner21 requested a review from a team April 23, 2026 16:25

jesseturner21 temporarily deployed to e2e-testing April 23, 2026 16:26 — with GitHub Actions Inactive

jesseturner21 had a problem deploying to e2e-testing April 23, 2026 16:26 — with GitHub Actions Failure

github-actions Bot added the size/xl PR size: XL label Apr 23, 2026

jesseturner21 closed this Apr 23, 2026

jesseturner21 reopened this Apr 23, 2026

github-actions Bot added size/m PR size: M and removed size/xl PR size: XL size/m PR size: M labels Apr 23, 2026

jesseturner21 temporarily deployed to e2e-testing April 23, 2026 17:55 — with GitHub Actions Inactive

github-actions Bot added the size/m PR size: M label Apr 23, 2026

refactor: inline harness config into review script

ed8d6d6

Remove separate harness_config.py — env vars are read directly in harness_review.py. One less file to maintain, config is still driven entirely by environment variables set in the GitHub workflow.