diff --git a/README.md b/README.md index b199dd3..2ba251c 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Automated pull request review system using [CrewAI](https://crewai.com) Flows and MCP (Model Context Protocol) tools. -Performs three parallel reviews — code quality, security, and infrastructure — then synthesizes a consolidated report via a REST API. +Performs three parallel reviews — code quality, security, and infrastructure — then synthesizes a consolidated report via a REST API. Supports both a direct API and a Gitea webhook integration that fetches diffs automatically and posts the review as a PR comment. ## Features @@ -10,32 +10,10 @@ Performs three parallel reviews — code quality, security, and infrastructure - **Security Review** — vulnerabilities, injection risks, auth issues (powered by Trivy) - **Infrastructure Review** — Dockerfiles, Kubernetes manifests, IaC (powered by Hadolint + Checkov) - **Summarisation** — merges all three reviews into a single actionable report -- **REST API** — FastAPI endpoints for health check and review trigger +- **REST API** — FastAPI endpoints for health check, manual review trigger, and Gitea webhook +- **Gitea Webhook** — process PR events directly; fetches diffs, runs reviews, posts results as a PR comment - **Dockerized** — multi-stage build with all tools bundled -## Architecture - -``` -POST /api/v1/review - │ - ▼ - CodeReviewFlow (CrewAI Flow) - │ - ┌────┼──────────────┐ - ▼ ▼ ▼ - Code Security Infra -Review Review Review - │ │ │ - └─────┼────────────┘ - ▼ - Summariser - │ - ▼ - JSON Response -``` - -LLM-agnostic via CrewAI's LLM abstraction — works with OpenAI, Anthropic, or Ollama. - ## Quick Start ### Prerequisites @@ -85,6 +63,34 @@ curl -X POST http://localhost:8000/api/v1/review \ }' ``` +## Architecture + +``` +POST /api/v1/review POST /api/v1/gitea-webhook + │ │ + │ Gitea webhook payload + │ │ + │ fetch diffs from + │ Gitea API + │ │ + ▼ ▼ + CodeReviewFlow (CrewAI Flow) + │ + ┌────┼──────────────┐ + ▼ ▼ ▼ + Code Security Infra +Review Review Review + │ │ │ + └─────┼────────────┘ + ▼ + Summariser + │ + ▼ + JSON Response / PR Comment +``` + +LLM-agnostic via CrewAI's LLM abstraction — works with OpenAI, Anthropic, or Ollama. + ## API ### `GET /api/v1/health` @@ -97,7 +103,7 @@ Returns service status. ### `POST /api/v1/review` -Triggers a full PR review. +Triggers a full PR review. Provide file contents and diffs directly in the request body. **Request body:** @@ -144,6 +150,42 @@ Triggers a full PR review. } ``` +### `POST /api/v1/gitea-webhook` + +Receives Gitea webhook events. Only processes `pull_request` events with actions `opened`, `synchronize`, or `reopened`. All other events and actions are ignored. + +The endpoint: + +1. Validates the `X-Gitea-Signature` header using HMAC-SHA256 (if `ACCESS_GITEA_SECRET` is configured) +2. Fetches changed files and their contents from the Gitea API +3. Runs the full review pipeline (code, security, infrastructure, summariser) +4. Posts the review summary as a comment on the PR via the Gitea API + +## Gitea Webhook Setup + +### 1. Create an access token + +In your Gitea instance, go to **Settings → Applications → Generate New Token** and create a token with `read:repository` scope. + +### 2. Add the webhook + +In your Gitea repository, go to **Settings → Webhooks → Add Webhook → Gitea**: + +- **Target URL**: `http://:30001/api/v1/gitea-webhook` +- **HTTP Method**: `POST` +- **Secret**: a random string (optional but recommended) +- **Trigger On**: Pull Request + +### 3. Configure environment variables + +Set the following in the container (or k8s secret): + +| Variable | Required | Default | Description | +|----------|----------|---------|-------------| +| `ACCESS_GITEA_URL` | yes | `http://192.168.178.160:3000` | Gitea instance base URL | +| `ACCESS_GITEA_TOKEN` | yes | — | Gitea personal access token with `read:repository` scope | +| `ACCESS_GITEA_SECRET` | no | `""` | Webhook secret; if set, signatures are validated | + ## Configuration All configuration via environment variables in `.env`: @@ -154,10 +196,23 @@ All configuration via environment variables in `.env`: | `LLM_PROVIDER` | (required) | `openai`, `anthropic`, or `ollama` | | `LLM_BASE_URL` | — | API base URL | | `LLM_API_KEY` | — | API key (not needed for Ollama) | +| `ACCESS_GITEA_URL` | `http://192.168.178.160:3000` | Gitea instance base URL | +| `ACCESS_GITEA_TOKEN` | — | Gitea personal access token with `read:repository` scope | +| `ACCESS_GITEA_SECRET` | — | Webhook secret for HMAC-SHA256 signature verification | | `TOTAL_FLOW_TIMEOUT` | `600` | Max seconds for full review | | `PER_CREW_TIMEOUT` | `300` | Max seconds per crew | | `LOG_LEVEL` | `INFO` | Logging level | +## Deployment + +### Kubernetes + +The repo includes a CI pipeline (`.gitea/workflows/build_push.yml`) that builds a multi-arch Docker image, pushes it to the registry, and deploys to Kubernetes. + +The k8s deployment uses a NodePort service exposing port 30001, which maps to the container's port 8000. + +Environment variables are stored in a k8s secret (`pr-reviewer-env`). The CI pipeline creates this secret automatically — add `ACCESS_GITEA_URL`, `ACCESS_GITEA_TOKEN`, and `ACCESS_GITEA_SECRET` as Gitea repo variables/secrets. + ## Development ```bash @@ -179,12 +234,13 @@ uvicorn src.pr_reviewer.main:app --reload ├── crews/ # Crew definitions (code, security, infra, summariser) ├── mcp_servers/ # MCP tool wrappers (Hadolint, Checkov) ├── src/pr_reviewer/ # Core application code -│ ├── main.py # FastAPI app +│ ├── main.py # FastAPI app, endpoints, webhook handler │ ├── flow.py # CrewAI Flow orchestration │ ├── state.py # Pydantic state models │ ├── llm.py # LLM factory │ └── context.py # Context resolution ├── tests/ # Unit and integration tests +├── kube/ # Kubernetes manifests ├── docker-compose.yaml ├── Dockerfile └── pyproject.toml