ci: add pr template check workflow

[sapphi-red]

Adds a workflow that checks that the PR description follow the requirements in the template. It doesn't add a comment for now s o that it won't be noisy until we evaluate it.

refs #21630

[sapphi-red]

This workflow uses pull_request_target which known to be often used as an attack vector. This is required so that it has access to secrets.WARP_API_KEY. I thought deeply about this safety conditions and I think it is safe. But I'm also fine to close this PR as not worth the risk.

[bluwy]

Since we read the title and body and put it in the prompt, could that be used as an attack vector to somehow extract stuff?

[sapphi-red]

It is possible to steal the WARP_API_KEY but other than that, there shouldn't be any other information.

[bluwy]

Ok, I guess this isn't any different than the clarity workflow we had before, but also, I don't think there's another way to use oz without exposing the key.

[graphite-app]

Silent failure when agent output format is unexpected. If no line with type: 'agent' is found in the output, agentText remains null and the workflow completes successfully without writing anything to the summary or indicating any issue.

This masks problems with the agent output format and makes debugging difficult. Should add:

if (!agentText) {
  core.setFailed('No agent output found in response');
  return;
}

Before line 91 to explicitly fail when the expected output format is not found.

Suggested change

	if (agentText) {
	await core.summary
	.addHeading('Pull Request Template Check')
	.addCodeBlock(agentText, 'json')
	.write();
	}
	if (!agentText) {
	core.setFailed('No agent output found in response');
	return;
	}
	await core.summary
	.addHeading('Pull Request Template Check')
	.addCodeBlock(agentText, 'json')
	.write();

Spotted by Graphite



Is this helpful? React 👍 or 👎 to let us know.

[sapphi-red]

Will follow up in a separate PR