phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-10-03 19:57:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add comment-triggered pre-commit bot for PRs (#3672)

Browse source 
## Summary

This PR adds a comment-triggered GitHub Actions workflow that allows
running pre-commit hooks on-demand for any pull request. When someone
comments `@github-actions run precommit` on a PR, the bot automatically
runs all pre-commit hooks and commits any formatting or linting fixes
directly to the PR branch.

The implementation uses a secure two-workflow approach: a trigger
workflow validates permissions and dispatches to an execution workflow
that runs pre-commit in a privileged context. This works safely for both
same-repo and fork PRs, with permission checks ensuring only PR authors
or repository collaborators can trigger the bot.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Ashwin Bharambe 2025-10-03 11:51:40 -07:00 committed by GitHub
parent 9f6c658f2a
commit 5a44b9ff82
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 297 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/README.md vendored
View file

@ -12,6 +12,8 @@ Llama Stack uses GitHub Actions for Continuous Integration (CI). Below is a tabl
| Integration Tests (Replay) | [integration-tests.yml](integration-tests.yml) | Run the integration test suites from tests/integration in replay mode | | Integration Tests (Replay) | [integration-tests.yml](integration-tests.yml) | Run the integration test suites from tests/integration in replay mode |
| Vector IO Integration Tests | [integration-vector-io-tests.yml](integration-vector-io-tests.yml) | Run the integration test suite with various VectorIO providers | | Vector IO Integration Tests | [integration-vector-io-tests.yml](integration-vector-io-tests.yml) | Run the integration test suite with various VectorIO providers |
| Pre-commit | [pre-commit.yml](pre-commit.yml) | Run pre-commit checks | | Pre-commit | [pre-commit.yml](pre-commit.yml) | Run pre-commit checks |
| Pre-commit Bot - Execute | [precommit-execute.yml](precommit-execute.yml) | Pre-commit bot execution for PR |
| Pre-commit Bot - Trigger | [precommit-trigger.yml](precommit-trigger.yml) | Pre-commit bot trigger |
| Test Llama Stack Build | [providers-build.yml](providers-build.yml) | Test llama stack build | | Test Llama Stack Build | [providers-build.yml](providers-build.yml) | Test llama stack build |
| Python Package Build Test | [python-build-test.yml](python-build-test.yml) | Test building the llama-stack PyPI project | | Python Package Build Test | [python-build-test.yml](python-build-test.yml) | Test building the llama-stack PyPI project |
| Integration Tests (Record) | [record-integration-tests.yml](record-integration-tests.yml) | Run the integration test suite from tests/integration | | Integration Tests (Record) | [record-integration-tests.yml](record-integration-tests.yml) | Run the integration test suite from tests/integration |

179
.github/workflows/precommit-execute.yml vendored Normal file
View file

@ -0,0 +1,179 @@
name: Pre-commit Bot - Execute
run-name: Pre-commit bot execution for PR #${{ inputs.pr_number }}
on:
workflow_dispatch:
inputs:
pr_number:
description: 'Pull request number'
required: true
type: string
pr_head_ref:
description: 'PR head ref'
required: true
type: string
pr_head_sha:
description: 'PR head SHA'
required: true
type: string
pr_head_repo:
description: 'PR head repository'
required: true
type: string
pr_base_ref:
description: 'PR base ref'
required: true
type: string
jobs:
pre-commit:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Comment starting
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ inputs.pr_number }},
body: `⏳ Running pre-commit hooks on PR #${{ inputs.pr_number }}...`
});
- name: Determine checkout strategy
id: checkout_strategy
run: |
# Check if this is a fork PR
if [[ "${{ inputs.pr_head_repo }}" != "${{ github.repository }}" ]]; then
echo "is_fork=true" >> $GITHUB_OUTPUT
echo "This is a fork PR from ${{ inputs.pr_head_repo }}"
else
echo "is_fork=false" >> $GITHUB_OUTPUT
echo "This is a same-repo PR"
fi
- name: Checkout PR branch (same-repo)
if: steps.checkout_strategy.outputs.is_fork == 'false'
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.pr_head_ref }}
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout PR branch (fork)
if: steps.checkout_strategy.outputs.is_fork == 'true'
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
repository: ${{ inputs.pr_head_repo }}
ref: ${{ inputs.pr_head_ref }}
fetch-depth: 0
# For forks, we need a token with write access to push
# This will only work if the fork has granted workflow permissions
token: ${{ secrets.GITHUB_TOKEN }}
- name: Verify checkout
run: |
echo "Current SHA: $(git rev-parse HEAD)"
echo "Expected SHA: ${{ inputs.pr_head_sha }}"
if [[ "$(git rev-parse HEAD)" != "${{ inputs.pr_head_sha }}" ]]; then
echo "::error::Checked out SHA does not match expected SHA"
exit 1
fi
- name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
with:
python-version: '3.12'
cache: pip
cache-dependency-path: |
**/requirements*.txt
.pre-commit-config.yaml
- name: Set up Node.js
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version: '20'
cache: 'npm'
cache-dependency-path: 'llama_stack/ui/'
- name: Install npm dependencies
run: npm ci
working-directory: llama_stack/ui
- name: Run pre-commit
id: precommit
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
continue-on-error: true
env:
SKIP: no-commit-to-branch
RUFF_OUTPUT_FORMAT: github
- name: Check for changes
id: changes
run: |
if ! git diff --exit-code || [ -n "$(git ls-files --others --exclude-standard)" ]; then
echo "has_changes=true" >> $GITHUB_OUTPUT
echo "Changes detected after pre-commit"
else
echo "has_changes=false" >> $GITHUB_OUTPUT
echo "No changes after pre-commit"
fi
- name: Commit and push changes
if: steps.changes.outputs.has_changes == 'true'
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
git add -A
git commit -m "style: apply pre-commit fixes
🤖 Applied by @github-actions bot via pre-commit workflow"
# Push changes
git push origin HEAD:${{ inputs.pr_head_ref }}
- name: Comment success with changes
if: steps.changes.outputs.has_changes == 'true'
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ inputs.pr_number }},
body: `✅ Pre-commit hooks completed successfully!\n\n🔧 Changes have been committed and pushed to the PR branch.`
});
- name: Comment success without changes
if: steps.changes.outputs.has_changes == 'false' && steps.precommit.outcome == 'success'
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ inputs.pr_number }},
body: `✅ Pre-commit hooks passed!\n\n✨ No changes needed - your code is already formatted correctly.`
});
- name: Comment failure
if: failure()
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ inputs.pr_number }},
body: `❌ Pre-commit workflow failed!\n\nPlease check the [workflow logs](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) for details.`
});

116
.github/workflows/precommit-trigger.yml vendored Normal file
View file

@ -0,0 +1,116 @@
name: Pre-commit Bot - Trigger
run-name: Pre-commit bot trigger
on:
issue_comment:
types: [created]
jobs:
trigger:
# Only run on pull request comments
if: github.event.issue.pull_request && contains(github.event.comment.body, '@github-actions run precommit')
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Check comment author
id: check_author
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// Get PR details
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});
// Check if commenter has write access or is the PR author
const commenter = context.payload.comment.user.login;
const prAuthor = pr.data.user.login;
let hasPermission = false;
// Check if commenter is PR author
if (commenter === prAuthor) {
hasPermission = true;
console.log(`Comment author ${commenter} is the PR author`);
} else {
// Check if commenter has write/admin access
try {
const permission = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: commenter
});
const level = permission.data.permission;
hasPermission = ['write', 'admin', 'maintain'].includes(level);
console.log(`Comment author ${commenter} has permission: ${level}`);
} catch (error) {
console.log(`Could not check permissions for ${commenter}: ${error.message}`);
}
}
if (!hasPermission) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: `❌ @${commenter} You don't have permission to trigger pre-commit. Only PR authors or repository collaborators can run this command.`
});
core.setFailed(`User ${commenter} does not have permission`);
return;
}
// Save PR info for the execution workflow
core.setOutput('pr_number', context.issue.number);
core.setOutput('pr_head_ref', pr.data.head.ref);
core.setOutput('pr_head_sha', pr.data.head.sha);
core.setOutput('pr_head_repo', pr.data.head.repo.full_name);
core.setOutput('pr_base_ref', pr.data.base.ref);
core.setOutput('authorized', 'true');
- name: React to comment
if: steps.check_author.outputs.authorized == 'true'
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: 'rocket'
});
- name: Trigger execution workflow
if: steps.check_author.outputs.authorized == 'true'
uses: actions/github-script@b72609b8d3f6598eef55e8f8010b7cba8b9ff9c5 # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: 'precommit-execute.yml',
ref: context.payload.repository.default_branch,
inputs: {
pr_number: '${{ steps.check_author.outputs.pr_number }}',
pr_head_ref: '${{ steps.check_author.outputs.pr_head_ref }}',
pr_head_sha: '${{ steps.check_author.outputs.pr_head_sha }}',
pr_head_repo: '${{ steps.check_author.outputs.pr_head_repo }}',
pr_base_ref: '${{ steps.check_author.outputs.pr_base_ref }}'
}
});
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: `🚀 Pre-commit workflow triggered! Check the [Actions tab](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/workflows/precommit-execute.yml) for progress.`
});