added workflows and composer updates #8

Merged
jothi merged 2 commits from ranjith-dev into master 2025-11-25 08:59:43 +00:00
Owner
No description provided.
jothi added 2 commits 2025-11-25 08:59:33 +00:00
added gemini workflow
All checks were successful
Scan for leaked secrets using Kingfisher / kingfisher-secrets-scan (push) Successful in 10s
11191cd6e3
composer updated
All checks were successful
Scan for leaked secrets using Kingfisher / kingfisher-secrets-scan (push) Successful in 10s
Scan for leaked secrets using Kingfisher / kingfisher-secrets-scan (pull_request) Successful in 51s
Gemini PR Review / review (pull_request) Successful in 1m2s
e9525017d2
jothi merged commit 0cfe20bc9f into master 2025-11-25 08:59:43 +00:00
- `on:` trigger for `workflow_dispatch` should not be empty. It should define inputs if it's meant to be triggered manually with options, or just `workflow_dispatch:` if no inputs are needed.
- The workflow uses `gitea.event.pull_request` context variables, which are specific to Gitea. Since this is a `.github/workflows/` file, it should use GitHub Actions context variables like `github.event.pull_request`.
- The `npm install -g --loglevel=http @google/gemini-cli` command is using `--loglevel=http`, which can expose sensitive information in logs. It should be changed to a less verbose log level like `warn` or `error` unless debugging is specifically required.

### .github/workflows/gemini-pr-review.yaml

#### Line 10: `workflow_dispatch:`

🟡 Medium: The `workflow_dispatch:` trigger is empty. While syntactically valid, it's good practice to either omit the colon if no configuration is needed for a manual trigger, or define `inputs:` if the workflow is meant to accept parameters when run manually.

```suggestion
on:
  pull_request:
    types: [opened, reopened, synchronize]
  workflow_dispatch:
```

#### Line 43: `git diff "${{ gitea.event.pull_request.base.sha }}...${{ gitea.event.pull_request.head.sha }}" > pr.diff`

🔴 Critical: The workflow uses `gitea.event.pull_request.base.sha` and `gitea.event.pull_request.head.sha`. These context variables are specific to Gitea and are incorrect for a GitHub Actions workflow. They should be replaced with `github.event.pull_request.base.sha` and `github.event.pull_request.head.sha` for GitHub.

```suggestion
          git diff "${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}" > pr.diff
```

#### Line 57: `--url "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments" \`

🔴 Critical: Similar to the previous issue, this line uses `gitea.server_url`, `gitea.repository`, and `gitea.event.pull_request.number`. These must be changed to their GitHub equivalents: `github.api_url`, `github.repository`, and `github.event.pull_request.number`.

```suggestion
          --url "${{ github.api_url }}/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
```

#### Line 37: `run: npm install -g --loglevel=http @google/gemini-cli`

🟡 Medium: The `npm install` command uses `--loglevel=http`. While useful for debugging, this can expose sensitive information in logs if the Gemini CLI performs HTTP requests with credentials. For production workflows, it's generally safer to use a less verbose log level like `--loglevel=warn` or `--loglevel=error` to prevent accidental exposure of data.

```suggestion
      - name: Install Gemini CLI globally
        run: npm install -g --loglevel=warn @google/gemini-cli
```

## 📋 Review Summary

The pull request introduces a new GitHub Actions workflow for Gemini PR review and updates several PHP dependencies in `composer.lock`. The `.github/workflows/gemini-pr-review.md` file provides clear instructions for the review agent.

## 🔍 General Feedback

- The core logic for integrating Gemini with GitHub Pull Requests is well-structured.
- The `composer.lock` file shows a general update of various dependencies, which is a routine maintenance task. No specific issues were found with these updates themselves, but it's important to ensure all updated packages are compatible with the existing codebase.
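The three findings the review bot raises above (a verbose npm log level that can spill request details into CI logs, expression contexts whose namespace may not match the runner, and a `workflow_dispatch:` trigger with no inputs) are all mechanically checkable before merge, alongside the secret scan this repository already runs. The script below is an added example and is not code from the review bot or from this repository. The sample workflow text is constructed to mirror the lines quoted in the review, and `expected_context` is a parameter rather than a hard-coded answer because which namespace is correct depends on the Actions runner the workflow actually executes on; the set of "verbose" npm levels is an assumption of this example.

```python
import re
from typing import List, Tuple

# Constructed sample that mirrors the lines quoted in the review above.
# It is a hypothetical reconstruction, not the repository's actual file.
SAMPLE_WORKFLOW = """\
on:
  pull_request:
    types: [opened, reopened, synchronize]
  workflow_dispatch:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Install Gemini CLI globally
        run: npm install -g --loglevel=http @google/gemini-cli
      - name: Diff
        run: git diff "${{ gitea.event.pull_request.base.sha }}...${{ gitea.event.pull_request.head.sha }}" > pr.diff
      - name: Comment
        run: >
          curl --url "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments"
"""

# npm log levels that echo request/response details into the job log (assumed set).
VERBOSE_NPM_LEVELS = {"http", "verbose", "silly"}

# Namespace in front of the first dot inside an Actions expression, e.g. "${{ gitea.repository }}".
CONTEXT_RE = re.compile(r"\$\{\{\s*([A-Za-z_]+)\.")
# An npm invocation carrying an explicit --loglevel value on the same line.
NPM_LOGLEVEL_RE = re.compile(r"\bnpm\b.*--loglevel[= ](\w+)")
# Only these two namespaces are compared against expected_context; others (env, secrets, ...) are ignored.
PLATFORM_CONTEXTS = {"github", "gitea"}


def lint_workflow(text: str, expected_context: str = "github") -> List[Tuple[int, str, str]]:
    """Return (line_number, severity, message) findings for one workflow file's text."""
    findings: List[Tuple[int, str, str]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines, start=1):
        # 1. Verbose npm logging: request bodies and headers may contain tokens.
        m = NPM_LOGLEVEL_RE.search(line)
        if m and m.group(1) in VERBOSE_NPM_LEVELS:
            findings.append((i, "medium",
                             f"npm --loglevel={m.group(1)} writes HTTP details to the job log; use warn or error"))

        # 2. Context namespace that does not match the runner the workflow targets.
        namespaces = set(CONTEXT_RE.findall(line)) & PLATFORM_CONTEXTS
        for ns in sorted(namespaces):
            if ns != expected_context:
                findings.append((i, "high",
                                 f"expression uses '{ns}.' context but workflow targets '{expected_context}.'"))

        # 3. A bare 'workflow_dispatch:' whose next non-blank line is not indented deeper
        #    has no inputs block; informational only, since it is valid YAML.
        if line.strip() == "workflow_dispatch:":
            indent = len(line) - len(line.lstrip())
            nxt = next((l for l in lines[i:] if l.strip()), "")
            if len(nxt) - len(nxt.lstrip()) <= indent:
                findings.append((i, "low", "workflow_dispatch: declared without inputs"))
    return findings


if __name__ == "__main__":
    for lineno, severity, msg in lint_workflow(SAMPLE_WORKFLOW, expected_context="github"):
        print(f"line {lineno} [{severity}] {msg}")
```

Run with `expected_context="github"` the sample yields four findings (lines 4, 10, 12 and 15); with `expected_context="gitea"` the two context findings disappear and only the log-level and empty-trigger notes remain, which is the question the reviewer ultimately has to settle for this repository.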
Reference: poc/pds#8