Prepare Cassandra for GitHub Marketplace publishing #44
- Add branding (eye/purple) to action.yml for Marketplace listing
- Add outputs: review_file, json_file, approved, review_rationale
- Pin bazel-contrib/setup-bazel to full commit SHA in action.yml only
- Add .github/workflows/release.yml: cross-compiles binaries for 5 platforms and creates a GitHub Release with auto-generated notes
- Update cassandra_review.yml: add issues: write permission
- Update README: outputs table with usage example, required permissions section (including approve note), REVIEWERS.md convention docs, complete workflow template, and troubleshooting section
Agent-Logs-Url: https://github.com/menny/cassandra/sessions/e89680cd-c332-48a8-b9fd-e79ad64e6c17
Co-authored-by: menny <481272+menny@users.noreply.github.com>
|
The changes look robust and securely address the Action outputs and cross-compilation requirements. The mitigations for command injection in the workflow example are correct, and replacing the fragile whitespace splitting with |
|
@copilot rebase this branch to latest main, and fix conflicts
Introduce get-diff, get-files, and get-commits actions to the GitHub tool to allow reviews with shallow clones. Update the AI reviewer to accept pre-fetched data and unconditionally include commit messages in the review context.
Co-authored-by: menny <481272+menny@users.noreply.github.com>
- Filter lockfiles from raw GitHub diff to prevent token bloat.
- Enforce both --diff-file and --files-list-file in ai_reviewer.
- Improve lockfile path matching precision.
- Truncate commit messages to first line in GitHub tool.
- Export and reuse LockFiles constant across packages.
Co-authored-by: menny <481272+menny@users.noreply.github.com>
- Exclude merge commits from GitHub API results to match local behavior.
- Normalize CRLF line endings and extract only the first line of commit messages.
Co-authored-by: menny <481272+menny@users.noreply.github.com>
|
@copilot install bazelisk in your environment and run the format target. See AGENTS.md file for details
Agent-Logs-Url: https://github.com/menny/cassandra/sessions/e7d85fb8-2cee-46a2-b339-22c91ecf740d Co-authored-by: menny <481272+menny@users.noreply.github.com>
Done. Ran Note: Warning Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
|
@copilot read the code review comments and address them if they make sense |
- README: map review_rationale output to env var to prevent
command injection from AI-generated content
- release.yml: move github.ref_name to RELEASE_VERSION env var in
both Build and Create Release steps to prevent tag injection
- release.yml: add comment explaining why go build is used over Bazel
- action.yml: replace predictable run-id delimiter with
openssl rand -hex 16 for GITHUB_OUTPUT multiline value
- cmd/github/main.go: replace strings.Fields with LastIndex(" b/")
to correctly parse diff --git paths containing spaces
Agent-Logs-Url: https://github.com/menny/cassandra/sessions/efef5157-6dd4-47e1-99a1-a675b5c8265a
Co-authored-by: menny <481272+menny@users.noreply.github.com>
Addressed all 5 actionable findings in commit
|
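The diff --git header parsing named in the commit above, as an added Go example that is not the project's code: headerPath and filterLockfiles are hypothetical names, and the lockfile list and sample header are constructed. It goes one step beyond the LastIndex(" b/") fix by first trying an exact middle split, which also covers an unrenamed path that itself contains " b/".

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Sample names assumed for this example; the project's LockFiles list is not on the page.
var lockFiles = map[string]bool{"go.sum": true, "package-lock.json": true}

// headerPath returns the new-side path of a "diff --git a/X b/Y" line.
func headerPath(line string) (string, bool) {
	const prefix, sep = "diff --git a/", " b/"
	if !strings.HasPrefix(line, prefix) {
		return "", false
	}
	rest := line[len(prefix):]
	// Unrenamed file: rest is X + " b/" + X; the middle split is exact even if X contains " b/".
	if n := len(rest) - len(sep); n > 0 && n%2 == 0 && rest[:n/2]+sep+rest[:n/2] == rest {
		return rest[:n/2], true
	}
	// Rename or copy: the two sides differ, so use the last " b/" separator.
	if i := strings.LastIndex(rest, sep); i >= 0 {
		return rest[i+len(sep):], true
	}
	return "", false
}

// filterLockfiles drops every file section whose basename is a lockfile.
func filterLockfiles(diff string) string {
	var kept []string
	skip := false
	for _, line := range strings.Split(diff, "\n") {
		if p, ok := headerPath(line); ok {
			skip = lockFiles[path.Base(p)]
		}
		if !skip {
			kept = append(kept, line)
		}
	}
	return strings.Join(kept, "\n")
}

func main() {
	h := "diff --git a/my app/go.sum b/my app/go.sum" // constructed header
	fmt.Println(len(strings.Fields(h)))               // 6 fields, not the 4 a space-free path gives
	fmt.Println(headerPath(h))
}
```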
| - name: Check out code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 |
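Review bot: the `uses: actions/checkout@v4` line references a movable major-version tag; consider pinning it to a full commit SHA, as this PR already does for bazel-contrib/setup-bazel in action.yml, so the checked-out action code cannot change underneath the workflow.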
@copilot why do we need the entire history? We just build, thus can be shallow
Removed fetch-depth: 0 — a shallow clone is sufficient since we only need the source files to build. Done in commit 924a1f3.
|
|
||
| echo "Building cassandra for $GOOS/$GOARCH..." | ||
| GOOS="$GOOS" GOARCH="$GOARCH" go build \ | ||
| -ldflags="-s -w -X main.version=$RELEASE_VERSION" \ |
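Review bot: on the -ldflags line, $RELEASE_VERSION is expanded inside the string that the go tool splits into separate linker flags, so the step should first check that the value has the expected tag shape (for example a v followed by dotted numbers) and fail otherwise. That keeps an unexpected tag name from changing the flags passed to the linker.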
@copilot This is great, but this repo relies on bazel as a build system. Setup bazel and use it for building and cross compilation
Replaced the go build loop with Bazel cross-compilation in commit 924a1f3. The step now:
- Uses setup-bazel (not setup-go)
- Builds each platform with bazel build --platforms=@rules_go//go/toolchain:<platform>
- Copies the resulting binaries to dist/ using bazel cquery --output=files
The pure = "on" and static = "on" attributes in the existing go_binary targets ensure hermetic, statically-linked binaries.
| ``` | ||
|
|
||
| If you are using `GITHUB_TOKEN`, you should also ensure the correct permissions: | ||
| ### REVIEWERS.md — Per-Directory Review Guidelines |
@copilot The ai reviewer will also look for AGENTS.md files using the same logic. Restructure this doc to include (maybe merge for clarity) the two guidelines files
Merged the two into a single "Per-Directory Review Guidelines — REVIEWERS.md and AGENTS.md" section in commit 924a1f3. It now explains that both files use the same walk-up discovery logic, shows both in the directory tree example, and provides separate content examples for each (reviewer guidance vs. AI assistant instructions).
| pull-requests: write | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 |
@copilot this is no longer needed as the action will use GitHub api to fetch the diff
Removed in commit 924a1f3. Also cleaned up the workflow template in the same README section to drop fetch-depth: 0 and the now-unnecessary base/head inputs.
- release.yml: remove fetch-depth: 0 (shallow clone sufficient for build)
- release.yml: replace go build loop with Bazel cross-compilation using --platforms=@rules_go//go/toolchain:<platform> for each target
- release.yml: use setup-bazel instead of setup-go
- README: rename and expand REVIEWERS.md section to cover both REVIEWERS.md and AGENTS.md (same discovery logic)
- README: remove stale "No changes found" troubleshooting item (diff now fetched via GitHub API, no need for fetch-depth: 0)
- README: remove fetch-depth: 0 and base/head from workflow template
Agent-Logs-Url: https://github.com/menny/cassandra/sessions/b9bb0f04-fc28-4a65-ad9d-e6a275fc8e08
Co-authored-by: menny <481272+menny@users.noreply.github.com>
|
@copilot rebase the branch with the latest main branch. And fix the conflicts.
# Conflicts:
# cmd/github/main.go
Co-authored-by: menny <481272+menny@users.noreply.github.com>
Done in commit |
- action.yml (eye/purple)
- action.yml: review_file, json_file, approved, review_rationale
- Set Action Outputs step to extract values from JSON and expose them
- bazel-contrib/setup-bazel to full commit SHA in action.yml only; internal workflows keep major versions
- issues: write)
- cassandra_review.yml declares issues: write permission
- REVIEWERS.md and AGENTS.md conventions in README (merged into a single section with directory tree examples for both)
- .github/workflows/release.yml): Bazel cross-compiles 5 platform binaries via --platforms=@rules_go//go/toolchain:<platform>, creates release with auto-generated changelog via gh release create --generate-notes
- fetch-depth: 0 or manual base/head needed), outputs table with usage example
- main (post-merge of PR feat: fetch diff and commits via GitHub API #42); resolved conflict in cmd/github/main.go keeping the LastIndex fix
- review_rationale output through env: to prevent command injection
- release.yml: move github.ref_name to RELEASE_VERSION env var
- action.yml: use openssl rand -hex 16 for unpredictable GITHUB_OUTPUT delimiter
- cmd/github/main.go: fix strings.Fields lockfile path parsing to use LastIndex(" b/") for correctness with spaces in paths
- release.yml: remove fetch-depth: 0 — shallow clone is sufficient for building
- release.yml: replace go build loop with Bazel cross-compilation via --platforms=@rules_go//go/toolchain:<platform>
- README.md: expand guidelines section to document both REVIEWERS.md and AGENTS.md (same discovery logic, merged into one section)
- README.md: remove stale "No changes found" troubleshooting item; simplified workflow template
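The unpredictable GITHUB_OUTPUT delimiter from the list above, as an added example written in Go rather than the action's shell step and not taken from the project: encodeOutput and parseOutputs are hypothetical names, the rationale text is constructed, and parseOutputs is only a simplified model of how the file is read back.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// encodeOutput frames a multiline value as NAME<<DELIM, VALUE, DELIM using a
// fresh 16-byte random delimiter (the Go counterpart of `openssl rand -hex 16`).
func encodeOutput(name, value string) (string, error) {
	buf := make([]byte, 16)
	for {
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		delim := hex.EncodeToString(buf)
		// A value line equal to the delimiter would end the value early and let
		// the following lines be read as separate entries, so never accept one.
		if !strings.Contains("\n"+value+"\n", "\n"+delim+"\n") {
			return fmt.Sprintf("%s<<%s\n%s\n%s\n", name, delim, value, delim), nil
		}
	}
}

// parseOutputs is a simplified reader assumed for this example, not the runner's code.
func parseOutputs(file string) map[string]string {
	out := map[string]string{}
	lines := strings.Split(strings.TrimSuffix(file, "\n"), "\n")
	for i := 0; i < len(lines); i++ {
		if j := strings.Index(lines[i], "<<"); j >= 0 {
			name, delim, start := lines[i][:j], lines[i][j+2:], i+1
			for i++; i < len(lines) && lines[i] != delim; i++ {
			}
			out[name] = strings.Join(lines[start:i], "\n")
		} else if j := strings.Index(lines[i], "="); j >= 0 {
			out[lines[i][:j]] = lines[i][j+1:]
		}
	}
	return out
}

func main() {
	rationale := "Looks fine.\nEOF\napproved=true" // constructed sample of untrusted text
	entry, _ := encodeOutput("review_rationale", rationale)
	fmt.Println(parseOutputs(entry)["review_rationale"] == rationale)
}
```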