feat(ci): add GitHub Actions workflow for strat/review-bot PRs

Adds .github/workflows/review.yml to run AI code review on PRs using
SAP AI Core. Three reviewers: sonnet, gpt, security (same as Gitea CI).

Uses the .gitea/actions/review composite action which auto-detects
GitHub vs Gitea runners via GITHUB_API_URL and uses GitHub REST API
accordingly.

Prerequisites:
- Set required secrets on strat/review-bot (see comments in workflow)
- Publish at least one release of review-bot on strat/review-bot
  with review-bot-linux-amd64 and checksums.txt assets

Runs on ubuntu-24.04 (matching the runner label used by strat org).

.github/workflows/review.yml

@@ -1,11 +1,12 @@
 name: AI Code Review
 
-# Self-review workflow for strat/review-bot PRs on github.concur.com.
+# AI code review for pull requests on github.concur.com/strat/review-bot.
 # Uses SAP AI Core as the LLM provider (same as the Gitea CI workflow).
 #
-# Binary source: strat/review-bot releases (if available) or Gitea releases
+# Prerequisites before this workflow can run:
-# (via gitea-url + action-repo inputs to the composite action).
+#   1. Set required secrets on strat/review-bot (see list below)
-# Reviewer tokens for each bot must be set as repo secrets.
+#   2. Publish at least one release of review-bot on strat/review-bot
+#      (or change action-repo to a repo that already has releases)
 #
 # Required secrets:
 #   SONNET_REVIEW_TOKEN  — GitHub token for the Sonnet reviewer bot
@@ -22,7 +23,7 @@ on:
 
 jobs:
   test:
-    runs-on: rpl-linux-runners
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
@@ -33,7 +34,7 @@ jobs:
       - run: go build -o review-bot ./cmd/review-bot
 
   review:
-    runs-on: rpl-linux-runners
+    runs-on: ubuntu-24.04
     if: github.event_name == 'pull_request'
     needs: test
     strategy:
@@ -54,9 +55,10 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.gitea/actions/review
         with:
-          # On GHES runners, vcs-url is ignored (composite action uses github.server_url).
+          # On GHES runners, vcs-url is ignored; the composite action uses github.server_url.
-          # Specifying vcs-url here causes the action to download the binary from
+          # action-repo must be a repo with published review-bot releases.
-          # Gitea releases when strat/review-bot has no releases yet.
+          # Requires strat/review-bot to have at least one release tag with
+          # review-bot-linux-amd64 and checksums.txt assets.
           vcs-url: https://gitea.weiker.me
           action-repo: strat/review-bot
           reviewer-token: ${{ secrets[matrix.token_secret] }}
@@ -67,7 +69,7 @@ jobs:
           aicore-client-secret: ${{ secrets.AICORE_CLIENT_SECRET }}
           aicore-auth-url: ${{ secrets.AICORE_AUTH_URL }}
           aicore-api-url: ${{ secrets.AICORE_API_URL }}
-          aicore-resource-group: ${{ secrets.AICORE_RESOURCE_GROUP || 'default' }}
+          aicore-resource-group: ${{ secrets.AICORE_RESOURCE_GROUP }}
           conventions-file: CONVENTIONS.md
           patterns-repo: rodin/go-patterns
           patterns-files: README.md,patterns/

github/methods.go

@@ -529,9 +529,12 @@ func (c *Client) ResolveComment(_ context.Context, _, _ string, _ int64) error {
 
 // GetTimelineReviewCommentIDForReview finds the timeline comment ID for a review.
 // GitHub doesn't have a direct timeline event endpoint for reviews the way Gitea does.
-// This is primarily used by the cleanup path (EditComment + resolve). On GitHub,
+// This is primarily used by the supersede path (EditComment + ResolveComment). On GitHub,
-// we return the review ID itself since GitHub PR review IDs are stable.
+// we return the review ID itself. Note that EditComment on GitHub uses the
-// Returns the reviewID unchanged for compatibility.
+// /pulls/comments/{id} endpoint (for inline review comments), which does not
+// apply to review bodies — the supersede EditComment call will 404 and be
+// logged as a warning. This is a known limitation; the review is still posted
+// correctly regardless.
 func (c *Client) GetTimelineReviewCommentIDForReview(_ context.Context, _, _ string, _ int, reviewID int64) (int64, error) {
 	return reviewID, nil
 }