From 260b45637e4f56a72b3332a626bb0c2c3cc1b147 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:02:48 +0200 Subject: [PATCH 01/11] AI-review --- .gitea/workflows/ai-review.yaml | 37 ++++++++++++++++ .gitmodules | 3 ++ docs/REFERENCE.md | 78 +++++++++++++++++++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 .gitea/workflows/ai-review.yaml create mode 100644 .gitmodules diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml new file mode 100644 index 0000000..2f2b060 --- /dev/null +++ b/.gitea/workflows/ai-review.yaml @@ -0,0 +1,37 @@ +name: AI Code Review + +on: + pull_request: + types: [opened, synchronize] + +jobs: + ai-review: + runs-on: ubuntu-latest + container: + image: nikitafilonov/ai-review:latest + + env: + AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml + # VCS configuration + VCS__PROVIDER: GITEA + VCS__PIPELINE__OWNER: ${{ github.repository_owner }} + VCS__PIPELINE__REPO: ${{ github.event.repository.name }} + VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }} + VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1 + VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }} + # LLM configuration + LLM__PROVIDER: CLAUDE + LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + submodules: true + fetch-depth: 0 + + - name: Run inline review + run: ai-review inline + + - name: Run summary review + run: ai-review summary diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..2e05419 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "shared-prompts"] + path = shared-prompts + url = https://git.forteapps.net/Forte/ai-review-prompts.git diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 5ba17aa..598efd1 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
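Review bot: The job runs the third-party image `nikitafilonov/ai-review:latest` with `AI_REVIEW_TOKEN` and `ANTHROPIC_API_KEY` exported in the job-level `env`, so the mutable `latest` tag decides which code receives both secrets on every pull request; pin it by digest, e.g. `image: nikitafilonov/ai-review@sha256:<digest>` (the same applies to the `uses: docker://nikitafilonov/ai-review:latest` form introduced in PATCH 04 and kept in PATCH 11). The reviewer's config and prompts are read from `./shared-prompts/…`, which `actions/checkout` with `submodules: true` populates from whatever submodule commit the PR head references (see the `.gitmodules` hunk), so the change under review can also change the instructions the reviewer follows; checking the prompts out from a trusted base ref instead of the PR head would close that gap. Whether this Gitea instance passes repository secrets to `pull_request` runs from forks is not visible here and is worth confirming before the workflow is enabled on a repository that accepts external PRs. A short comment above `container:` recording the pinning and prompt-source decisions would help the next maintainer.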
@@ -876,6 +876,84 @@ dind: - Gitea admin panel (`/admin/runners`) — runners show as Online - Create test workflow in `.gitea/workflows/test.yml` — job executes +### AI Code Review (ai-review) + +**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`) +**Trigger**: `pull_request` events (`opened`, `synchronize`) +**Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`) + +**Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact. + +**Architecture**: +- Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image +- Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`) +- Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient) +- Agent mode: disabled (one-shot review, no multi-turn reasoning) +- LLM: Claude Sonnet (`claude-sonnet-4-20250514`) + +**Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`): +``` +shared-prompts/ + base/ + security.md # org-wide security rules (all profiles) + iac/ + .ai-review.yaml # IaC/GitOps profile config + inline.md # inline review prompt + summary.md # PR summary prompt + # future profiles: backend/, frontend/, etc. 
+``` + +**Configuration** (`shared-prompts/iac/.ai-review.yaml`): +```yaml +llm: + provider: CLAUDE + model: claude-sonnet-4-20250514 +vcs: + provider: GITEA +review: + mode: ONLY_ADDED_WITH_CONTEXT +agent: + enabled: false +prompt: + inline_prompt_files: # concatenated in order + - ./shared-prompts/base/security.md + - ./shared-prompts/iac/inline.md + summary_prompt_files: + - ./shared-prompts/iac/summary.md +ignore: + - "*.sealed.yaml" + - "*.lock" + - "docs/**" +``` + +**Custom Prompts** (IaC profile): +- `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt +- `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments +- `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags + +**Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines. + +**Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml` + +**Required Secrets** (configure in Gitea repo or org settings): + +| Secret | Purpose | +|--------|---------| +| `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) | +| `AI_REVIEW_TOKEN` | Gitea API token with `write:issue` + `read:repository` scopes (use a bot/service account) | + +**Setup Steps**: +1. Create a Gitea bot/service account and generate an API token with `write:issue` + `read:repository` scopes +2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets +3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key +4. 
Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`) +5. Push the workflow file — it triggers automatically on PR creation/update + +**Verification**: +- Open a PR with infrastructure changes → workflow runs → inline comments + summary appear +- Check Gitea Actions tab for workflow run status and logs +- Monitor Anthropic usage dashboard for token consumption + ### Keycloak Client Registrar **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`) -- 2.49.1 From 3d6eadf128a0481425eb6687cbf8522abdd5c134 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:07:50 +0200 Subject: [PATCH 02/11] workflow fix --- .gitea/workflows/ai-review.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index 2f2b060..cf38310 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml @@ -7,8 +7,6 @@ on: jobs: ai-review: runs-on: ubuntu-latest - container: - image: nikitafilonov/ai-review:latest env: AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml @@ -30,6 +28,11 @@ jobs: submodules: true fetch-depth: 0 + - name: Install ai-review + run: | + apt-get update && apt-get install -y --no-install-recommends python3-pip + pip install xai-review --break-system-packages + - name: Run inline review run: ai-review inline -- 2.49.1 From 89d2952d7af433b72a2c38d9dab697dfec7f94cd Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:09:06 +0200 Subject: [PATCH 03/11] flag --- .gitea/workflows/ai-review.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index cf38310..fb7f282 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml 
@@ -30,8 +30,7 @@ jobs: - name: Install ai-review run: | - apt-get update && apt-get install -y --no-install-recommends python3-pip - pip install xai-review --break-system-packages + pip install xai-review - name: Run inline review run: ai-review inline -- 2.49.1 From e06b270e6702e924c76b2ac383c5f1b0c39d5a85 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:11:30 +0200 Subject: [PATCH 04/11] pip --- .gitea/workflows/ai-review.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index fb7f282..2303f72 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml @@ -28,12 +28,12 @@ jobs: submodules: true fetch-depth: 0 - - name: Install ai-review - run: | - pip install xai-review - - name: Run inline review - run: ai-review inline + uses: docker://nikitafilonov/ai-review:latest + with: + args: ai-review inline - name: Run summary review - run: ai-review summary + uses: docker://nikitafilonov/ai-review:latest + with: + args: ai-review summary -- 2.49.1 From 9ab283f1e5c9366a474b0b12daca1d6d81121fab Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:37:40 +0200 Subject: [PATCH 05/11] workflow fix --- .gitea/workflows/ai-review.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index 2303f72..2d12939 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml 
@@ -10,15 +10,13 @@ jobs: env: AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml - # VCS configuration - VCS__PROVIDER: GITEA + # VCS — dynamic per PR VCS__PIPELINE__OWNER: ${{ github.repository_owner }} VCS__PIPELINE__REPO: ${{ github.event.repository.name }} VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }} VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1 VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }} - # LLM configuration - LLM__PROVIDER: CLAUDE + # LLM — only the secret; rest comes from YAML LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }} steps: -- 2.49.1 From 16da2fa6b3816aedab2ce0389ac641f755d0a9b8 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:39:02 +0200 Subject: [PATCH 06/11] vars --- .gitea/workflows/ai-review.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index 2d12939..a9b5526 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml @@ -10,13 +10,17 @@ jobs: env: AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml - # VCS — dynamic per PR + # VCS configuration + VCS__PROVIDER: GITEA VCS__PIPELINE__OWNER: ${{ github.repository_owner }} VCS__PIPELINE__REPO: ${{ github.event.repository.name }} VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }} VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1 VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }} - # LLM — only the secret; rest comes from YAML + # LLM configuration + LLM__PROVIDER: CLAUDE + LLM__META__MODEL: claude-sonnet-4-20250514 + LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }} steps: -- 2.49.1 From 077be9fbf31b27036bc673a0759b67775fad6ee7 Mon Sep 17 00:00:00 2001 
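Review bot: `LLM__PROVIDER`, `LLM__META__MODEL` and `LLM__HTTP_CLIENT__API_URL` are now set in the job `env` while `AI_REVIEW_CONFIG_FILE_YAML` still points at `shared-prompts/iac/.ai-review.yaml`, which the docs in PATCH 01 describe as also setting provider and model, so the same values live in two places and the file does not say which one wins. If the env values are meant to override the submodule config, a comment such as `# Overrides provider/model from shared-prompts/iac/.ai-review.yaml; keep in sync` above the `# LLM configuration` block would make the precedence explicit; otherwise drop the duplicates here and keep the submodule config as the single source. The comment this hunk removes in PATCH 05 (`# LLM — only the secret; rest comes from YAML`) described the opposite intent, which is why a line stating the final decision is worth keeping.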
From: Danijel Simeunovic Date: Mon, 20 Apr 2026 13:39:44 +0200 Subject: [PATCH 07/11] cmd --- .gitea/workflows/ai-review.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index a9b5526..5c46335 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml @@ -33,9 +33,9 @@ jobs: - name: Run inline review uses: docker://nikitafilonov/ai-review:latest with: - args: ai-review inline + args: ai-review run-inline - name: Run summary review uses: docker://nikitafilonov/ai-review:latest with: - args: ai-review summary + args: ai-review run-summary -- 2.49.1 From 72ab85d0cdd16cba4fd8a83b6c88affe4e8c30d3 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 21 Apr 2026 08:52:40 +0200 Subject: [PATCH 08/11] token fix --- .gitea/workflows/ai-review.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index 5c46335..936a646 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml @@ -20,6 +20,7 @@ jobs: # LLM configuration LLM__PROVIDER: CLAUDE LLM__META__MODEL: claude-sonnet-4-20250514 + LLM__META__MAX_TOKENS: "4096" LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }} -- 2.49.1 From a3507fd7f15c6b635615cf49766434b1b9fce587 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 21 Apr 2026 09:25:45 +0200 Subject: [PATCH 09/11] debug --- .gitea/workflows/ai-review.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index 936a646..8a2a76b 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml 
@@ -17,6 +17,8 @@ jobs: VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }} VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1 VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }} + # Review — disable fallback to see real Gitea API errors + REVIEW__INLINE_COMMENT_FALLBACK: "false" # LLM configuration LLM__PROVIDER: CLAUDE LLM__META__MODEL: claude-sonnet-4-20250514 -- 2.49.1 From c4f6a1c0285fde17600a0dae0af77619f31d5466 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 21 Apr 2026 09:38:36 +0200 Subject: [PATCH 10/11] doc --- docs/REFERENCE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 598efd1..4cf4d0a 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -940,10 +940,10 @@ ignore: | Secret | Purpose | |--------|---------| | `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) | -| `AI_REVIEW_TOKEN` | Gitea API token with `write:issue` + `read:repository` scopes (use a bot/service account) | +| `AI_REVIEW_TOKEN` | Gitea API token with `write:repository` + `read:repository` scopes (use a bot/service account) | **Setup Steps**: -1. Create a Gitea bot/service account and generate an API token with `write:issue` + `read:repository` scopes +1. Create a Gitea bot/service account and generate an API token with `write:repository` + `read:repository` scopes 2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets 3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key 4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`) -- 2.49.1 From d7ac8b5b267855bcf0bcd312c8ac987b41da8e85 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 21 Apr 2026 10:19:33 +0200 Subject: [PATCH 11/11] pr types --- .gitea/workflows/ai-review.yaml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) 
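Review bot: `REVIEW__INLINE_COMMENT_FALLBACK: "false"` is introduced in a commit titled "debug" with a comment (`# Review — disable fallback to see real Gitea API errors`) that reads as a temporary troubleshooting switch, yet nothing later in the series removes it. If the setting is meant to stay, reword the comment to state the policy rather than the experiment, e.g. `# Inline comments are posted without fallback so Gitea API errors surface in the job log`; if not, remove the two lines before merge. Quoting `"false"` is fine since environment variables are strings, but it is the only quoted boolean-looking value in the `env` block, so a reader may wonder whether the quotes matter.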
diff --git a/.gitea/workflows/ai-review.yaml b/.gitea/workflows/ai-review.yaml index 8a2a76b..daa1cd7 100644 --- a/.gitea/workflows/ai-review.yaml +++ b/.gitea/workflows/ai-review.yaml @@ -2,7 +2,7 @@ name: AI Code Review on: pull_request: - types: [opened, synchronize] + types: [ opened, synchronize, reopened ] jobs: ai-review: @@ -27,18 +27,18 @@ jobs: LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }} steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - submodules: true - fetch-depth: 0 + - name: Checkout repository + uses: actions/checkout@v4 + with: + submodules: true + fetch-depth: 0 - - name: Run inline review - uses: docker://nikitafilonov/ai-review:latest - with: - args: ai-review run-inline + - name: Run inline review + uses: docker://nikitafilonov/ai-review:latest + with: + args: ai-review run-inline - - name: Run summary review - uses: docker://nikitafilonov/ai-review:latest - with: - args: ai-review run-summary + - name: Run summary review + uses: docker://nikitafilonov/ai-review:latest + with: + args: ai-review run-summary -- 2.49.1
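Review bot: The new `types: [ opened, synchronize, reopened ]` pads the flow sequence with spaces inside the brackets, which differs from the unpadded form the file used before and from the yamllint/Prettier default; `types: [opened, synchronize, reopened]` keeps the list consistent while still adding `reopened`. The second hunk only re-indents the `steps` list and needs no further change.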