Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

Adds a new GitHub Actions workflow that triggers on created issue comments. If the comment starts with
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User as Commenter
    participant GH as GitHub
    participant Runner as Actions Runner
    participant Action as ambient-action
    participant API as External API
    User->>GH: Post issue comment starting with "@ambient"
    GH->>Runner: Trigger workflow (issue_comment: created)
    Runner->>Runner: Evaluate `if` (comment startsWith "@ambient" && author_association in OWNER,MEMBER)
    Runner->>Action: Execute ambient-code/ambient-action@v2 with inputs (prompt, project, display-name, repo config, labels) and secrets (api-url, api-token)
    Action->>API: Send prompt + repo/context via API_URL/API_TOKEN
    API-->>Action: Return response
    Action-->>Runner: Finish job (may push branch `ambient/issue-<issue_number>`)
    Runner-->>GH: Record workflow run result
```
Estimated code review effort: 2 (Simple) | ~10 minutes. Pre-merge checks: 3 passed.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/ambient.yml:
- Line 21: The workflow currently hardcodes the repos JSON with `"branch": "main"` while `"autoPush": true`, which risks pushing fixes directly to the default branch; update the JSON so pushes target the PR/feature branch instead (or disable autoPush). Specifically, replace the fixed `"branch": "main"` with a branch expression that points to the feature/PR head (for example use the workflow/runner variable referencing the head ref) or set `"autoPush": false`; adjust the "repos" value that contains the "branch" and "autoPush" keys so the action pushes only to the intended feature branch (or not at all).
- Around line 9-11: The current workflow condition uses startsWith(...) and contains(...) on github.event.comment but does not prevent firing for PR discussion comments; update the condition to also check that github.event.issue.pull_request is null (i.e., add an additional guard alongside the existing startsWith(...) and contains(...) checks) so the job only runs for issue comments and not pull request conversation comments.
- Around line 7-13: Add an explicit permissions block to the ambient job to restrict GITHUB_TOKEN scopes instead of using defaults: inside the job named ambient (under jobs -> ambient) declare a permissions mapping for the workflow or the job that grants only the minimum required scopes (for example read: contents, write: issues, or whichever specific permissions your commands need) and remove reliance on default broad permissions; ensure the permission keys match GitHub Actions syntax (permissions: { <scope>: <read|write|none> }) so the ambient job uses only least-privilege access.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2b1ab5fc-784f-4068-877d-fd2edfccc304
📒 Files selected for processing (1)
.github/workflows/ambient.yml
♻️ Duplicate comments (2)
.github/workflows/ambient.yml (2)
24-24: ⚠️ Potential issue | 🔴 Critical

`autoPush` to `main` conflicts with the feature-branch objective. Line 24 sets `"branch": "main"` with `"autoPush": true`, which can push bot changes directly to the default branch. Target a dedicated feature branch (e.g., per-issue) or disable auto-push.

Safer branch targeting example:

```diff
- repos: '[{"url": "https://github.com/${{ github.repository }}", "branch": "main", "autoPush": true}]'
+ repos: '[{"url": "https://github.com/${{ github.repository }}", "branch": "ambient/issue-${{ github.event.issue.number }}", "autoPush": true}]'
```

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In @.github/workflows/ambient.yml at line 24, The workflow currently sets repos: '[{"url": "https://github.com/${{ github.repository }}", "branch": "main", "autoPush": true}]' which allows automatic pushes to main; change this to target a dedicated feature branch (or disable autoPush) by updating the repos entry to use a non-default branch name pattern (e.g., a per-run or per-issue feature branch like "ambient-bot/${{ github.run_id }}" or issue-based name) or set "autoPush": false so the action will not push directly to main; update the "branch" and/or "autoPush" fields in the repos object accordingly.
12-14: ⚠️ Potential issue | 🟠 Major

Add an issues-only guard to avoid triggering from PR comments. `issue_comment` also fires for PR conversation comments. Add `github.event.issue.pull_request == null` so this runs only on issues (Line 12).

Suggested condition hardening:

```diff
  if: >-
+   github.event.issue.pull_request == null &&
    startsWith(github.event.comment.body, '@ambient') &&
    contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
```

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In @.github/workflows/ambient.yml around lines 12 - 14, The existing workflow if-condition (the line with startsWith(github.event.comment.body, '@ambient') && contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)) allows PR comment events because issue_comment also triggers for PRs; update the condition to include a guard for issues by adding github.event.issue.pull_request == null so the combined if requires the comment to be on an issue (not a PR) in addition to the existing startsWith(...) and contains(...) checks.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0d67e617-1d03-40b0-a6ac-a4f00826e5aa
📒 Files selected for processing (1)
.github/workflows/ambient.yml
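The three review points above (least-privilege `permissions`, the optional issues-only guard, and a per-issue push branch) combined into one workflow shape, as an added example that is not the PR's own file. Input names (`prompt`, `repos`, `api-url`, `api-token`) are assumed from the sequence diagram and should be checked against the ambient-action documentation.

```yaml
# Added example, not the PR's ambient.yml. Input names are assumed.
name: ambient

on:
  issue_comment:
    types: [created]

# Least privilege: the job only reads the repository via GITHUB_TOKEN,
# matching the "contents: read" scope stated in the PR's commit message.
# Declared at workflow level so no job silently inherits broader defaults.
permissions:
  contents: read

jobs:
  ambient:
    # issue_comment fires for both issues and PR conversations. Only
    # OWNER/MEMBER commenters who address the bot can start a run.
    # To restrict to issues only, prepend:
    #   github.event.issue.pull_request == null &&
    # (the PR author deliberately kept PR comments enabled).
    if: >-
      startsWith(github.event.comment.body, '@ambient') &&
      contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: ambient-code/ambient-action@v2
        with:
          # Pass the comment body as an action input, never interpolate it
          # into a run: shell line, so its content cannot alter a command.
          prompt: ${{ github.event.comment.body }}
          # Push to a per-issue branch rather than main, so every bot
          # change lands through PR review. issue.number is set for both
          # issue and PR comments.
          repos: '[{"url": "https://github.com/${{ github.repository }}", "branch": "ambient/issue-${{ github.event.issue.number }}", "autoPush": true}]'
          # Secret names from the PR summary; input names are assumed.
          api-url: ${{ secrets.AMBIENT_API_URL }}
          api-token: ${{ secrets.AMBIENT_BOT_TOKEN }}
```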
Triggers an ACP session when org members comment @ambient on issues. Restricted to OWNER and MEMBER author associations for security. Workflow token scoped to contents: read per least-privilege principle. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
e07882c to e37afd3
ACP sessions now push to ambient/issue-<number> branches instead of main, ensuring changes go through PR review before merging. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Addressing review feedback:

- Permissions (CodeQL/CodeRabbit): Already resolved — the squashed commit includes
- Scope to issues only (CodeRabbit): Intentionally kept as-is — per @jeremyeder, this should run on both issues and PRs.
- Branch targeting (CodeRabbit): Good catch. Fixed — now targets

I'm merging this with CI failing because this PR has an old copy of the workflow that will never pass. It is fixed in #11
Summary

- `.github/workflows/ambient.yml` triggered by `@ambient` issue comments
- `OWNER`/`MEMBER` author association
- `AMBIENT_API_URL` and `AMBIENT_BOT_TOKEN` secrets (already configured)

Test plan

- `@ambient describe what this repo does` on a test issue
- gps-ambient-action

🤖 Generated with Claude Code