From 7ab856727aeaa8bcc01ed6dcaaad9f92fceb3e63 Mon Sep 17 00:00:00 2001 From: Andrew Ridgway Date: Wed, 20 May 2026 22:48:03 +1000 Subject: [PATCH 1/3] add webhook capability --- .env.example | 7 +- .gitea/workflows/build_push.yml | 3 + pyproject.toml | 3 +- src/pr_reviewer/main.py | 143 ++++++++++++++++++++++++++++++++ 4 files changed, 154 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index 52046b7..166f463 100644 --- a/.env.example +++ b/.env.example @@ -22,4 +22,9 @@ SEMGRAPH_API_TOKEN= TOTAL_FLOW_TIMEOUT=600 PER_CREW_TIMEOUT=300 -LOG_LEVEL=INFO \ No newline at end of file +LOG_LEVEL=INFO + +# Gitea Webhook Configuration +GITEA_URL=http://192.168.178.160:3000 +GITEA_TOKEN=your_gitea_personal_access_token_here +GITEA_SECRET=your_webhook_secret_here \ No newline at end of file diff --git a/.gitea/workflows/build_push.yml b/.gitea/workflows/build_push.yml index df02899..a313db4 100644 --- a/.gitea/workflows/build_push.yml +++ b/.gitea/workflows/build_push.yml @@ -73,5 +73,8 @@ jobs: --from-literal=LOG_LEVEL=INFO \ --from-literal=TOTAL_FLOW_TIMEOUT=600 \ --from-literal=PER_CREW_TIMEOUT=300 \ + --from-literal=GITEA_URL=${{ vars.GITEA_URL }} \ + --from-literal=GITEA_TOKEN=${{ secrets.GITEA_TOKEN }} \ + --from-literal=GITEA_SECRET=${{ secrets.GITEA_SECRET }} \ --namespace=pr-reviewer kubectl apply -f kube/pr-reviewer_deployment.yaml && kubectl apply -f kube/pr-reviewer_service.yaml diff --git a/pyproject.toml b/pyproject.toml index 437702e..af7d5f1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -26,7 +26,8 @@ dependencies = [ "mcpadapt", "pydantic>=2.5.0", "python-dotenv>=1.0.0", - "gitpython>=3.1.0" + "gitpython>=3.1.0", + "requests>=2.28.0" ] [project.optional-dependencies] diff --git a/src/pr_reviewer/main.py b/src/pr_reviewer/main.py index f206d97..781daf1 100644 --- a/src/pr_reviewer/main.py +++ b/src/pr_reviewer/main.py @@ -1,5 +1,8 @@ import logging import os +import hmac +import hashlib +import base64 from fastapi import FastAPI, HTTPException, Request from fastapi.responses import JSONResponse import uvicorn @@ -8,6 +11,7 @@ import asyncio from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeoutError import time import uuid +import requests from .flow import CodeReviewFlow from .state import PRReviewState, FileInfo, ContextOverrides @@ -27,6 +31,10 @@ app = FastAPI( TOTAL_FLOW_TIMEOUT = int(os.getenv("TOTAL_FLOW_TIMEOUT", "600")) # Default 10 minutes PER_CREW_TIMEOUT = int(os.getenv("PER_CREW_TIMEOUT", "300")) # Default 5 minutes +GITEA_URL = os.getenv("GITEA_URL", "http://192.168.178.160:3000") +GITEA_TOKEN = os.getenv("GITEA_TOKEN") +WEBHOOK_SECRET = os.getenv("GITEA_SECRET", "") + @app.get("/api/v1/health") async def health_check() -> Dict[str, str]: @@ -36,6 +44,141 @@ async def health_check() -> Dict[str, str]: return {"status": "healthy", "service": "pr-reviewer"} +def verify_signature(payload: bytes, signature: str) -> bool: + if not WEBHOOK_SECRET: + return True + mac = hmac.new(WEBHOOK_SECRET.encode(), payload, hashlib.sha256).hexdigest() + return hmac.compare_digest(mac, signature) + + +def fetch_pr_files(repo_full: str, pr_number: int) -> List[Dict[str, Any]]: + headers = {"Authorization": f"token {GITEA_TOKEN}"} + url = f"{GITEA_URL}/api/v1/repos/{repo_full}/pulls/{pr_number}/files" + resp = requests.get(url, headers=headers) + resp.raise_for_status() + files_data = resp.json() + + files = [] + for f in files_data: + filename = f["filename"] + status = f["status"] + content = None + if status in ("added", "modified"): + raw_url = f"{GITEA_URL}/api/v1/repos/{repo_full}/contents/{filename}?ref=pulls/{pr_number}/head" + raw_resp = requests.get(raw_url, headers=headers) + if raw_resp.ok: + raw = raw_resp.json() + if raw.get("encoding") == "base64": + content = base64.b64decode(raw["content"]).decode("utf-8") + files.append({ + "filename": filename, + "status": status, + "content": content or "", + "additions": f.get("additions", 0), + "deletions": f.get("deletions", 0), + "patch": f.get("patch", ""), + }) + return files + + +def post_pr_comment(repo_full: str, pr_number: int, comment: str) -> None: + headers = {"Authorization": f"token {GITEA_TOKEN}"} + url = f"{GITEA_URL}/api/v1/repos/{repo_full}/issues/{pr_number}/comments" + resp = requests.post(url, headers=headers, json={"body": comment}) + resp.raise_for_status() + logger.info(f"Posted review comment to PR #{pr_number} in {repo_full}") + + +@app.post("/api/v1/gitea-webhook") +async def gitea_webhook(request: Request) -> Dict[str, Any]: + body = await request.body() + sig = request.headers.get("X-Gitea-Signature", "") + if not verify_signature(body, sig): + raise HTTPException(status_code=403, detail="Invalid signature") + + data = await request.json() + event = request.headers.get("X-Gitea-Event") + + if event == "pull_request": + action = data.get("action", "") + pr = data["pull_request"] + pr_number = pr["number"] + repo = data["repository"] + repo_full = repo["full_name"] + repo_url = repo.get("html_url", f"{GITEA_URL}/{repo_full}") + + if action not in ("opened", "synchronize", "reopened"): + logger.info(f"Ignoring PR action: {action}") + return {"status": "ignored", "reason": f"action '{action}' not processed"} + + if not GITEA_TOKEN: + raise HTTPException(status_code=500, detail="GITEA_TOKEN not configured") + + try: + files = fetch_pr_files(repo_full, pr_number) + except Exception as e: + raise HTTPException(status_code=500, detail=f"Error fetching PR files: {e}") + + converted_files = [] + for f in files: + converted_files.append(FileInfo( + path=f["filename"], + content=f.get("content"), + status=f.get("status", "modified"), + additions=f.get("additions", 0), + deletions=f.get("deletions", 0), + patch=f.get("patch"), + )) + + flow_inputs = { + "pr_id": str(pr_number), + "pr_title": pr["title"], + "pr_description": pr.get("body", ""), + "pr_url": f"{repo_url}/pull/{pr_number}", + "repo_name": repo_full, + "repo_url": repo_url, + "branch": pr["head"]["label"], + "base_branch": pr["base"]["label"], + "files": [f.dict() for f in converted_files], + "context_overrides": None, + } + + flow = CodeReviewFlow() + loop = asyncio.get_event_loop() + with ThreadPoolExecutor() as pool: + try: + flow_result = await asyncio.wait_for( + loop.run_in_executor(pool, lambda: flow.kickoff(inputs=flow_inputs)), + timeout=TOTAL_FLOW_TIMEOUT, + ) + except asyncio.TimeoutError: + logger.error(f"PR review timed out for PR #{pr_number}") + raise HTTPException( + status_code=504, + detail=f"PR review timed out after {TOTAL_FLOW_TIMEOUT} seconds", + ) + + if flow_result.get("error"): + logger.error(f"PR review failed for PR #{pr_number}: {flow_result['error']}") + + try: + summary = flow_result.get("review_summary", "") + if summary: + comment = f"## PR Review Results\n\n{summary}" + post_pr_comment(repo_full, pr_number, comment) + except Exception as e: + logger.warning(f"Failed to post review comment: {e}") + + return { + "status": "completed" if not flow_result.get("error") else "failed", + "pr_number": pr_number, + "review_summary": flow_result.get("review_summary"), + "error": flow_result.get("error"), + } + + return {"status": "ignored"} + + @app.post("/api/v1/review") async def review_pr(request: Request) -> Dict[str, Any]: """ From 5054f609dde689abd413d0de43daea19fc2197ba Mon Sep 17 00:00:00 2001 From: Andrew Ridgway Date: Wed, 20 May 2026 22:54:31 +1000 Subject: [PATCH 2/3] gitea compliant var names --- .env.example | 6 +++--- .gitea/workflows/build_push.yml | 6 +++--- src/pr_reviewer/main.py | 22 +++++++++++----------- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.env.example b/.env.example index 166f463..3b35e5e 100644 --- a/.env.example +++ b/.env.example @@ -25,6 +25,6 @@ PER_CREW_TIMEOUT=300 LOG_LEVEL=INFO # Gitea Webhook Configuration -GITEA_URL=http://192.168.178.160:3000 -GITEA_TOKEN=your_gitea_personal_access_token_here -GITEA_SECRET=your_webhook_secret_here \ No newline at end of file +ACCESS_GITEA_URL=http://192.168.178.160:3000 +ACCESS_GITEA_TOKEN=your_gitea_personal_access_token_here +ACCESS_GITEA_SECRET=your_webhook_secret_here \ No newline at end of file diff --git a/.gitea/workflows/build_push.yml b/.gitea/workflows/build_push.yml index a313db4..d4bd2a3 100644 --- a/.gitea/workflows/build_push.yml +++ b/.gitea/workflows/build_push.yml @@ -73,8 +73,8 @@ jobs: --from-literal=LOG_LEVEL=INFO \ --from-literal=TOTAL_FLOW_TIMEOUT=600 \ --from-literal=PER_CREW_TIMEOUT=300 \ - --from-literal=GITEA_URL=${{ vars.GITEA_URL }} \ - --from-literal=GITEA_TOKEN=${{ secrets.GITEA_TOKEN }} \ - --from-literal=GITEA_SECRET=${{ secrets.GITEA_SECRET }} \ + --from-literal=ACCESS_GITEA_URL=${{ vars.ACCESS_GITEA_URL }} \ + --from-literal=ACCESS_GITEA_TOKEN=${{ secrets.ACCESS_GITEA_TOKEN }} \ + --from-literal=ACCESS_GITEA_SECRET=${{ secrets.ACCESS_GITEA_SECRET }} \ --namespace=pr-reviewer kubectl apply -f kube/pr-reviewer_deployment.yaml && kubectl apply -f kube/pr-reviewer_service.yaml diff --git a/src/pr_reviewer/main.py b/src/pr_reviewer/main.py index 781daf1..53203ad 100644 --- a/src/pr_reviewer/main.py +++ b/src/pr_reviewer/main.py @@ -31,9 +31,9 @@ app = FastAPI( TOTAL_FLOW_TIMEOUT = int(os.getenv("TOTAL_FLOW_TIMEOUT", "600")) # Default 10 minutes PER_CREW_TIMEOUT = int(os.getenv("PER_CREW_TIMEOUT", "300")) # Default 5 minutes -GITEA_URL = os.getenv("GITEA_URL", "http://192.168.178.160:3000") -GITEA_TOKEN = os.getenv("GITEA_TOKEN") -WEBHOOK_SECRET = os.getenv("GITEA_SECRET", "") +ACCESS_GITEA_URL = os.getenv("ACCESS_GITEA_URL", "http://192.168.178.160:3000") +ACCESS_GITEA_TOKEN = os.getenv("ACCESS_GITEA_TOKEN") +WEBHOOK_SECRET = os.getenv("ACCESS_GITEA_SECRET", "") @app.get("/api/v1/health") @@ -52,8 +52,8 @@ def verify_signature(payload: bytes, signature: str) -> bool: def fetch_pr_files(repo_full: str, pr_number: int) -> List[Dict[str, Any]]: - headers = {"Authorization": f"token {GITEA_TOKEN}"} - url = f"{GITEA_URL}/api/v1/repos/{repo_full}/pulls/{pr_number}/files" + headers = {"Authorization": f"token {ACCESS_GITEA_TOKEN}"} + url = f"{ACCESS_GITEA_URL}/api/v1/repos/{repo_full}/pulls/{pr_number}/files" resp = requests.get(url, headers=headers) resp.raise_for_status() files_data = resp.json() @@ -64,7 +64,7 @@ def fetch_pr_files(repo_full: str, pr_number: int) -> List[Dict[str, Any]]: status = f["status"] content = None if status in ("added", "modified"): - raw_url = f"{GITEA_URL}/api/v1/repos/{repo_full}/contents/{filename}?ref=pulls/{pr_number}/head" + raw_url = f"{ACCESS_GITEA_URL}/api/v1/repos/{repo_full}/contents/{filename}?ref=pulls/{pr_number}/head" raw_resp = requests.get(raw_url, headers=headers) if raw_resp.ok: raw = raw_resp.json() @@ -82,8 +82,8 @@ def fetch_pr_files(repo_full: str, pr_number: int) -> List[Dict[str, Any]]: def post_pr_comment(repo_full: str, pr_number: int, comment: str) -> None: - headers = {"Authorization": f"token {GITEA_TOKEN}"} - url = f"{GITEA_URL}/api/v1/repos/{repo_full}/issues/{pr_number}/comments" + headers = {"Authorization": f"token {ACCESS_GITEA_TOKEN}"} + url = f"{ACCESS_GITEA_URL}/api/v1/repos/{repo_full}/issues/{pr_number}/comments" resp = requests.post(url, headers=headers, json={"body": comment}) resp.raise_for_status() logger.info(f"Posted review comment to PR #{pr_number} in {repo_full}") @@ -105,14 +105,14 @@ async def gitea_webhook(request: Request) -> Dict[str, Any]: pr_number = pr["number"] repo = data["repository"] repo_full = repo["full_name"] - repo_url = repo.get("html_url", f"{GITEA_URL}/{repo_full}") + repo_url = repo.get("html_url", f"{ACCESS_GITEA_URL}/{repo_full}") if action not in ("opened", "synchronize", "reopened"): logger.info(f"Ignoring PR action: {action}") return {"status": "ignored", "reason": f"action '{action}' not processed"} - if not GITEA_TOKEN: - raise HTTPException(status_code=500, detail="GITEA_TOKEN not configured") + if not ACCESS_GITEA_TOKEN: + raise HTTPException(status_code=500, detail="ACCESS_GITEA_TOKEN not configured") try: files = fetch_pr_files(repo_full, pr_number) From 4ace5932ff66c4536640b9a0e7495c41cc5ea96e Mon Sep 17 00:00:00 2001 From: Andrew Ridgway Date: Wed, 20 May 2026 23:04:52 +1000 Subject: [PATCH 3/3] drop trivy --- .gitea/workflows/build_push.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.gitea/workflows/build_push.yml b/.gitea/workflows/build_push.yml index d4bd2a3..fea51f7 100644 --- a/.gitea/workflows/build_push.yml +++ b/.gitea/workflows/build_push.yml @@ -44,14 +44,6 @@ jobs: tags: | git.aridgwayweb.com/armistace/pr-reviewer:latest - - name: Trivy Scan - run: | - TRIVY_VERSION=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep '"tag_name"' | cut -d'"' -f4) - wget -qO /tmp/trivy.tar.gz "https://github.com/aquasecurity/trivy/releases/download/${TRIVY_VERSION}/trivy_${TRIVY_VERSION#v}_Linux-64bit.tar.gz" - tar xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy - chmod +x /usr/local/bin/trivy - trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --severity HIGH,CRITICAL git.aridgwayweb.com/armistace/pr-reviewer:latest - - name: Deploy run: | echo "Installing Kubectl"