feat(ci): add GitHub Actions workflow for strat/review-bot PRs

Adds .github/workflows/review.yml to run AI code review on PRs using
SAP AI Core. Three reviewers: sonnet, gpt, security (same as Gitea CI).

Uses the .gitea/actions/review composite action which auto-detects
GitHub vs Gitea runners via GITHUB_API_URL and uses GitHub REST API
accordingly.

Prerequisites:
- Set required secrets on strat/review-bot (see comments in workflow)
- Publish at least one release of review-bot on strat/review-bot
  with review-bot-linux-amd64 and checksums.txt assets

Runs on ubuntu-24.04 (matching the runner label used by strat org).

.github/workflows/review.yml

@@ -0,0 +1,77 @@
+name: AI Code Review
+
+# AI code review for pull requests on github.concur.com/strat/review-bot.
+# Uses SAP AI Core as the LLM provider (same as the Gitea CI workflow).
+#
+# Prerequisites before this workflow can run:
+#   1. Set required secrets on strat/review-bot (see list below)
+#   2. Publish at least one release of review-bot on strat/review-bot
+#      (or change action-repo to a repo that already has releases)
+#
+# Required secrets:
+#   SONNET_REVIEW_TOKEN  — GitHub token for the Sonnet reviewer bot
+#   GPT_REVIEW_TOKEN     — GitHub token for the GPT reviewer bot
+#   AICORE_CLIENT_ID     — SAP AI Core OAuth client ID
+#   AICORE_CLIENT_SECRET — SAP AI Core OAuth client secret
+#   AICORE_AUTH_URL      — SAP AI Core OAuth token endpoint
+#   AICORE_API_URL       — SAP AI Core inference API URL
+#   AICORE_RESOURCE_GROUP — SAP AI Core resource group (optional, default: default)
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.26'
+      - run: go test ./...
+      - run: go vet ./...
+      - run: go build -o review-bot ./cmd/review-bot
+
+  review:
+    runs-on: ubuntu-24.04
+    if: github.event_name == 'pull_request'
+    needs: test
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: sonnet
+            token_secret: SONNET_REVIEW_TOKEN
+            model: anthropic--claude-4.6-sonnet
+          - name: gpt
+            token_secret: GPT_REVIEW_TOKEN
+            model: gpt-5
+          - name: security
+            token_secret: GPT_REVIEW_TOKEN
+            model: gpt-5
+            system_prompt_file: SECURITY_REVIEW.md
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.gitea/actions/review
+        with:
+          # On GHES runners, vcs-url is ignored; the composite action uses github.server_url.
+          # action-repo must be a repo with published review-bot releases.
+          # Requires strat/review-bot to have at least one release tag with
+          # review-bot-linux-amd64 and checksums.txt assets.
+          vcs-url: https://gitea.weiker.me
+          action-repo: strat/review-bot
+          reviewer-token: ${{ secrets[matrix.token_secret] }}
+          reviewer-name: ${{ matrix.name }}
+          llm-provider: aicore
+          llm-model: ${{ matrix.model }}
+          aicore-client-id: ${{ secrets.AICORE_CLIENT_ID }}
+          aicore-client-secret: ${{ secrets.AICORE_CLIENT_SECRET }}
+          aicore-auth-url: ${{ secrets.AICORE_AUTH_URL }}
+          aicore-api-url: ${{ secrets.AICORE_API_URL }}
+          aicore-resource-group: ${{ secrets.AICORE_RESOURCE_GROUP }}
+          conventions-file: CONVENTIONS.md
+          patterns-repo: rodin/go-patterns
+          patterns-files: README.md,patterns/
+          timeout: "600"
+          system-prompt-file: ${{ matrix.system_prompt_file || '' }}

github/methods.go

@@ -529,9 +529,12 @@ func (c *Client) ResolveComment(_ context.Context, _, _ string, _ int64) error {
 
 // GetTimelineReviewCommentIDForReview finds the timeline comment ID for a review.
 // GitHub doesn't have a direct timeline event endpoint for reviews the way Gitea does.
-// This is primarily used by the cleanup path (EditComment + resolve). On GitHub,
+// This is primarily used by the supersede path (EditComment + ResolveComment). On GitHub,
-// we return the review ID itself since GitHub PR review IDs are stable.
+// we return the review ID itself. Note that EditComment on GitHub uses the
-// Returns the reviewID unchanged for compatibility.
+// /pulls/comments/{id} endpoint (for inline review comments), which does not
+// apply to review bodies — the supersede EditComment call will 404 and be
+// logged as a warning. This is a known limitation; the review is still posted
+// correctly regardless.
 func (c *Client) GetTimelineReviewCommentIDForReview(_ context.Context, _, _ string, _ int, reviewID int64) (int64, error) {
 	return reviewID, nil
 }