
Conversation

@prince-deriv
Collaborator

No description provided.

prince-deriv and others added 30 commits July 31, 2025 11:52
- AI Code Analysis: Analyzes AI-generated code in PRs with workflow_call support
- AI Dashboard: Tracks merged PRs and maintains AI usage dashboard
- Self-contained with included generate-dashboard.js script
- Comprehensive security validations and reusable inputs
Add ShiftAI workflows: AI code analysis and dashboard tracker
- Move ai-code-analysis.yml to .github/workflows/ (required by GitHub)
- Move ai-dashboard.yml to .github/workflows/ (required by GitHub)
- Move scripts to .github/scripts/ (correct path)
- Fixes: workflows must be defined at the top level of .github/workflows/
Fix workflow structure: Move to top-level workflows directory
- Move tokens from inputs to secrets section (GitHub requirement)
- PERSONAL_ACCESS_TOKEN now properly handled as secret
- GITHUB_TOKEN and SHIFTAI_TOKEN use secrets context
- Simplified inputs to only essential customizations
- Follows GitHub's security best practices
Fix workflows: Use proper secrets architecture
- Rename GITHUB_TOKEN to GH_TOKEN (GitHub reserves GITHUB_TOKEN)
- Fixes error: secret name GITHUB_TOKEN within workflow_call collides with system reserved name
- Maintains same functionality with non-reserved secret name
- Remove explicit secret definitions that aren't needed with inherit
- Use original GITHUB_TOKEN name (works with inherit)
- Cleaner calling syntax: just 'secrets: inherit'
- Maintains compatibility with explicit secret passing
Optimize for secrets: inherit pattern
- Remove undefined secrets.GITHUB_TOKEN references
- Use github.token which is always available
- Add test file with AI code blocks for testing
- Ready for production use with 'secrets: inherit'
Final fix: Use github.token directly for inherited secrets
- Remove workflow_call section entirely
- Let's see what the actual error is now
- Will add back with proper fix once we identify root cause
DEBUG: Temporarily disable workflow_call to isolate error
- Restore workflow_call section after debugging
- Only define PERSONAL_ACCESS_TOKEN in secrets
- Use github.token directly, no secrets.GITHUB_TOKEN reference
- Should fix Invalid secret GITHUB_TOKEN is not defined error
FIXED: Restore workflow_call with proper GITHUB_TOKEN handling
- Define GITHUB_TOKEN as optional secret to support secrets: inherit
- Required when caller uses secrets: inherit with GITHUB_TOKEN
- Should fix persistent Invalid secret GITHUB_TOKEN not defined error
Add GITHUB_TOKEN as optional secret for inherit compatibility
…llision

- Remove GITHUB_TOKEN from workflow_call secrets (GitHub reserved name)
- Keep only PERSONAL_ACCESS_TOKEN as required secret
- Use github.token directly in workflow (always available)
- Breaks the catch-22 loop - ready for production
- Add github_token as optional input to avoid reserved name collision
- Use inputs.github_token || github.token pattern
- Should finally resolve the persistent GITHUB_TOKEN validation error
- Avoids GitHub's secret reserved name restrictions
BREAKTHROUGH: Make GITHUB_TOKEN an input instead of secret
- Minimal reusable workflow to test basic functionality
- No complex logic, just echo statements
- Will help isolate if issue is workflow complexity or basic setup
Add simple test workflow for debugging
- Simple test workflow worked, confirming basic setup is fine
- Issue was specific to our complex AI workflow
- Ready to test actual AI workflow now
Remove test workflow - debugging complete
- Replace external script download with inline script creation
- Fixes 404 error when workflow tries to download from non-existent repo
- Remove separate .github/scripts/generate-dashboard.js file (no longer needed)
- Now works correctly in reusable workflow context
- Remove remaining pull_request_target trigger
- Now both workflows are pure reusable workflows
- No automatic execution on shared-actions repo
prince-deriv and others added 22 commits August 1, 2025 12:48
Fix: Convert template literals to string concatenation in dashboard s…
- Changed from date-only (2024-08-01) to date+time (2024-08-01 14:30:15 UTC)
- Ensures AI-DASHBOARD.md always has unique content on each run
- Prevents multiple runs on same day from generating identical content
- Now both history.json AND dashboard.md will be committed every time
Fix: Include time in dashboard timestamp to ensure updates
- Remove 'summary' object wrapper for consistency
- All entries now have percentage/totalCharacters/aiCharacters at root level
- Simplify data access logic (no more dual format handling)
- Workflow now always generates consistent format
- ✅ Eliminates TypeError: Cannot read properties of undefined
Normalize: Standardize data structure to root level format
- Parse structured JSON data from AI analysis comments
- Extract file details instead of hardcoding files: []
- Fallback to regex parsing if JSON extraction fails
- ✅ Test passed - files array now populated correctly
- Dashboard will show actual file counts and details
Fix: Extract files data from AI analysis JSON
- Replace problematic regex /[\s\S]*?/ that breaks in bash heredoc
- Use indexOf() and substring() for safer JSON extraction
- Eliminates shell escaping issues in YAML workflows
- ✅ Test passed - JSON parsing works without regex complexity
- Fixes: syntax error near unexpected token and eval syntax errors
Fix: Replace regex with safer string parsing for YAML heredoc
- Replace 'node -e "..."' with 'cat << EOF > script.js; node script.js'
- Eliminates bash trying to interpret JavaScript as shell commands
- ✅ Test passed: Real AI comment parsing works perfectly (1 file, 94 chars)
- Fixes: command not found errors and ReferenceError scope issues
- Resolves: Cannot access 'jsonStart' before initialization
Fix: Replace node -e with HERE documents to eliminate bash interference
- Remove problematic cat << 'EOF' ... EOF construct
- Replace with clean node -e command for inline JavaScript
- Fixes YAML syntax highlighting and validation issues
- Eliminates EOF terminator positioning problems
fix: Replace HERE document with node -e to fix YAML syntax
- Fix JSON extraction regex to properly handle newlines after ```json
- Replace flawed indexOf+substring approach with proper regex matching
- Add comprehensive debug logging to diagnose parsing issues
- Track comment length, JSON detection, and regex fallback values
fix: Improve JSON parsing and add debug logging for AI analysis
Revert "fix: Improve JSON parsing and add debug logging for AI analysis"
- Resolved conflicts by keeping job-level permissions
- Maintained environment variable usage for injection prevention
- Security enhancements from shiftai-workflows branch preserved
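The JSON extraction, validation and normalization that the commits above describe (a fenced ```json block with a newline after the tag, a regex fallback when no valid JSON is found, and numbers at the root level rather than under a `summary` wrapper), as an added JavaScript example. This is not the PR's own generate-dashboard.js script; the field names `percentage`, `totalCharacters`, `aiCharacters` and `files` come from the commit messages, while the sample comment and the plain-text fallback format are constructed for this example.

```javascript
// Added example (not the PR's code): parse an AI-analysis PR comment into the
// root-level dashboard record described in the commit messages.

// Constructed sample comment: a ```json fence followed by a newline (the case the
// earlier indexOf/substring approach mishandled), CRLF line endings, and the older
// `summary` wrapper that the "Normalize" commit flattened.
const SAMPLE_COMMENT = [
  "## AI Code Analysis",
  "",
  "```json",
  JSON.stringify({
    summary: { percentage: 42.5, totalCharacters: 200, aiCharacters: 85 },
    files: [{ path: "src/app.js", aiCharacters: 85 }],
  }, null, 2),
  "```",
  "",
  "Generated by ShiftAI",
].join("\r\n");

// Step 1: locate the fenced JSON block. `\s*` after the tag tolerates trailing
// spaces, `\r?\n` tolerates CRLF, and the lazy body stops at the closing fence.
function extractJsonBlock(body) {
  const m = /```json\s*\r?\n([\s\S]*?)\r?\n\s*```/.exec(body);
  return m ? m[1] : null;
}

// Step 2: parse defensively. Comment bodies are untrusted input, so a parse
// failure or a non-object payload yields null instead of an exception.
function parseAnalysis(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText);
  } catch {
    return null;
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  return data;
}

// Step 3: normalize to the root-level format. Both the wrapped (`summary`) and the
// flat shape are accepted; every number is type- and range-checked before use,
// which is what prevented the "Cannot read properties of undefined" failures.
function normalizeEntry(data) {
  const src = data.summary && typeof data.summary === "object" ? data.summary : data;
  const num = (v) => (typeof v === "number" && Number.isFinite(v) ? v : null);
  const percentage = num(src.percentage);
  const totalCharacters = num(src.totalCharacters);
  const aiCharacters = num(src.aiCharacters);
  if (percentage === null || totalCharacters === null || aiCharacters === null) return null;
  if (percentage < 0 || percentage > 100 || aiCharacters > totalCharacters) return null;
  const files = Array.isArray(data.files)
    ? data.files
        .filter((f) => f && typeof f.path === "string")
        .map((f) => ({ path: f.path, aiCharacters: num(f.aiCharacters) ?? 0 }))
    : [];
  return { percentage, totalCharacters, aiCharacters, files };
}

// Step 4 (fallback): recover the numbers from plain text when no usable JSON block
// exists. The "AI characters: N / M (P%)" line format is an assumption made for this
// example; the commits mention a regex fallback but do not show its format.
function regexFallback(body) {
  const m = /AI characters:\s*(\d+)\s*\/\s*(\d+)\s*\((\d+(?:\.\d+)?)%\)/i.exec(body);
  if (!m) return null;
  return normalizeEntry({
    aiCharacters: Number(m[1]),
    totalCharacters: Number(m[2]),
    percentage: Number(m[3]),
    files: [],
  });
}

// Entry point: JSON path first, regex fallback second, null when neither yields a
// valid record (callers should skip such comments rather than crash).
function analyzeComment(body) {
  const json = extractJsonBlock(body);
  const parsed = json === null ? null : parseAnalysis(json);
  const entry = parsed === null ? null : normalizeEntry(parsed);
  return entry ?? regexFallback(body);
}

console.log(JSON.stringify(analyzeComment(SAMPLE_COMMENT), null, 2));
```

The validation in `normalizeEntry` is the part worth keeping even if the parsing strategy changes again: a PR comment can be edited by anyone with comment rights, so the dashboard code should treat the numbers it reads there as claims to be checked, not as trusted data.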
@github-actions

github-actions bot commented Dec 24, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package: actions/actions/checkout
Version: b4ffde65f46336ab88eb53be808477a3936bae11
Score: 🟢 6.5

Details:

| Check | Score | Reason |
|---|---|---|
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Maintained | 🟢 5 | 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Security-Policy | 🟢 9 | security policy file detected |
| Vulnerabilities | 🟢 9 | 1 existing vulnerabilities detected |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

Package: actions/actions/setup-node
Version: 60edb5dd545a775178f52524783378180af0d1f8
Score: 🟢 5.9

Details:

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | 🟢 6 | 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9 |
| Vulnerabilities | 🟢 8 | 2 existing vulnerabilities detected |

Scanned Manifest Files

.github/workflows/dependonme-bot.yml

@prince-deriv prince-deriv deleted the dependonme-bot branch December 25, 2025 08:05