Skip to content

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 01 Jul 03:30
Immutable release. Only release title and notes can be modified.
3a245f6

Added

  • /describe command: ask the bot to generate or improve the PR title and description from the diff. It posts a suggestion comment the author can copy in — it never edits the pull request, so the author's own title and body are never overwritten. Respects the repository instructions file, is write-gated like the other paid commands, and honors a /pause (#35)
  • /changelog command: ask the bot to draft a CHANGELOG entry for the PR from the diff, in the Keep a Changelog format (Added/Changed/Fixed/Security…). It posts a suggestion comment the author can copy into CHANGELOG.md — it never commits, so nothing is changed without consent. Respects the repository instructions file, is write-gated like the other paid commands, and honors a /pause (#62)
  • /add-docs command: ask the bot to generate docstrings for undocumented changed symbols. It posts each as an inline suggestion comment on the symbol's declaration so the author applies it with one click (or, when the declaration can't be anchored as a committable suggestion, a note describing the gap with the drafted docs to add manually) — it never commits. Write-gated like the other paid commands, honors a /pause, and is on by default (turn off with REVIEW_ADD_DOCS_ENABLED=false) (#56)
  • Changed-files walkthrough in the PR summary: the first-review summary comment now includes a table of the changed files with their change type, giving a quick map of the PR before the findings (#179)
  • Opt-in Mermaid control-flow diagram: the PR summary can include a collapsible Mermaid diagram of the change's control flow, off by default and enabled per-deployment via REVIEW_DIAGRAM_ENABLED (#181)

Changed

  • CI status resolves concurrently with the model call, with one fewer API request: required-check resolution and CI evaluation depend only on the commit and base branch, not the model response, so they now run concurrently with the (blocking) AI call instead of strictly after it — the GitHub latency overlaps the model latency rather than stacking on top of it — and the base branch is carried on the review request, so the CI resolver no longer issues a separate getPullRequest just to read the target branch (#217)
  • Multi-line suggestions: when a finding's fix replaces several consecutive lines, the bot now posts a multi-line review comment (start_line..line) so the GitHub suggestion replaces the whole range in one click, instead of anchoring to a single line and mis-applying the rest. The range is derived from the flagged code's position in the diff and falls back to a single-line comment when it can't be resolved (#71)
  • Config/IaC findings no longer suppressed: the reviewer was high-precision but had weak recall on declarative diffs (Kubernetes/Helm manifests, Terraform, CI workflow YAML, Dockerfiles) — it would consider issues like over-broad RBAC, missing container hardening, token automounting, or a schema-invalid manifest and then drop them, because the SECURITY dimension named only application-code threats and severity was anchored on "will fail at runtime". The review prompt now names infra/config security classes, adds a config/IaC correctness dimension, and recalibrates severity so a change that fails schema/lint/CI validation — or that weakens a safety property the PR itself claims to add — is a defensible finding. Precision is preserved by the verifier (it still rejects config claims that rest on cluster/provider state not in the diff), not by blanket suppression (#238)

Fixed

  • Check run concluded before the review was posted: the orchestrator marked the check run completed with its final conclusion before posting the review and comments, so a transient failure while posting left a concluded — for a zero-findings PR, green success — check run with no review actually on the PR (branch protection saw green; the human saw nothing). The review and its comments now post first, and the check run is concluded only afterwards. A failure while posting takes the normal failure path — check run marked failed plus a retry notice — instead of being swallowed (#254)
  • A post-result failure no longer leaves a session stuck in progress: after the review and its comments were on the PR, a failure in a later step — most importantly the session-completion persistence write — was caught and only logged, skipping the completion broadcast and leaving the session shown as perpetually running in the dashboard even though the review had posted. The completion now always runs and the session reaches a terminal state (#254)
  • Trimming the regression context no longer forces a "partial review": the truncation gate counted omitted files from the supplementary base↔head comparison as well as the PR diff, so a PR whose full diff was reviewed could still be held back from approval and labelled a partial review when only the extra regression context was trimmed. Only the PR diff's omitted files now gate the verdict (#234)
  • No crash on a prior review from a deleted account: prior-review author checks dereferenced each review's author with no null guard, so a review left by a since-deleted GitHub account (serialized as user: null) threw a NullPointerException — failing the whole review (the first-visible-review check) or aborting the stale-pending-review dismissal partway, which left the bot's own pending review undeleted and could block the next review. Both checks now null-check the author, matching the sibling comment and summary checks
  • Findings that can't be anchored are always reported: a finding whose line fell outside the current diff was dropped when other findings in the same review did anchor inline — they were only listed in the review body when none anchored at all. Such findings are now always reported in the review body, with their description, so a problem is never silently dropped just because a suggestion couldn't be placed (#215)
  • No more green ✅ over a held conclusion on a truncated PR: the check-run title re-derived "all clear" by hand and omitted the truncation guard, so a clean PR whose diff was truncated showed a title over a neutral (held) conclusion. The title is now derived from the single verdict gate, so it celebrates only when the review actually approves (#234)
  • A truncated review no longer shows the all-clear celebration: a clean review whose diff was too large to read in full is held to a comment, but the check-run summary and the PR summary comment still rendered the "no issues found" celebration, hiding that only part of the change was reviewed. Both now report a partial review (#234)
  • Unreadable CI status no longer allows an approval: the CI gate works off the offending checks, and an empty list meant "nothing blocks". But when the Check Runs / Combined Status API threw or returned a null body, that empty list was indistinguishable from "CI all green", so a PR whose CI was actually failing or still pending could receive an APPROVE on a transient GitHub hiccup. An unread CI source now holds the verdict to a comment (findings still post, only the approval is held) and is disclosed in the summary, instead of being mistaken for green (#253)

Dependencies

  • Bumped the Quarkus platform (quarkus-bom and quarkus-maven-plugin) from 3.36.3 to 3.37.0 (#263), the frontend @types/node to 26.0.1 (#262), and the GitHub Actions actions/checkout (7.0.0), actions/cache (6.0.0), and actions/setup-java (5.4.0) (#265, #266, #267)