feat(#120): add GitHub Actions support with VCS host detection and security hardening

- Detect VCS host type from github.api_url (present on GitHub/GHES, absent on Gitea)
- Add action-repo input: specifies repo hosting review-bot releases, separate from
  the reviewed repo. Defaults to github.action_repository, then rodin/review-bot.
- Add action-repo-token input: auth for release downloads (defaults to github.token
  on GitHub, reviewer-token on Gitea).
- GitHub/GHES path: use github.api_url for version resolution and REST API asset
  download endpoint (required for private repos; web URLs redirect to S3 and don't
  support Authorization headers reliably).
- Gitea path: use validated SERVER_URL with direct download (no -L; prevents
  Authorization forwarding on potential CDN redirects).
- Security hardening:
  - inputs.vcs-url is IGNORED on GitHub/GHES to prevent token exfiltration
  - SERVER_URL validated for https scheme and no whitespace on Gitea path
  - action-repo validated against owner/repo pattern (prevent path traversal)
  - VERSION validated for no slashes/whitespace
  - TOKEN validated for no control characters (header injection defense)
  - ACTION_TOKEN passed via ::add-mask:: + GITHUB_ENV (not step output, which
    can leak in debug logs)
  - set -euo pipefail in both script steps
- Multi-arch support: OS/arch detection via uname (linux/darwin, amd64/arm64)
  for cache key and binary name — incorporates changes from #124
- Run review step: passes VCS_URL from step output (server_url) instead of
  direct input expression

Closes #120

.gitea/actions/review/action.yml

@@ -1,17 +1,37 @@
-# This composite action is designed for Gitea Actions runners.
-# Gitea Actions supports GitHub Actions syntax including $GITHUB_OUTPUT,
-# actions/cache, and actions/checkout.
+# This composite action supports both Gitea Actions and GitHub Actions runners.
+# It detects the VCS host type by checking whether github.api_url is set
+# (present on GitHub.com and GHES runners, absent on Gitea runners) and uses
+# the appropriate releases API for version resolution and binary download
+# (REST API on GitHub, direct URLs on Gitea).
+#
+# Security notes:
+# - On GitHub/GHES (VCS_TYPE=github), inputs.vcs-url is IGNORED to prevent
+#   token exfiltration. API calls use github.api_url; downloads use
+#   github.server_url. Tokens are never sent to user-supplied URLs.
+# - On Gitea (VCS_TYPE=gitea), inputs.vcs-url is validated (https scheme,
+#   no whitespace/newlines) before use.
+# - action-repo is validated against owner/repo pattern.
+# - Tokens are passed via masked environment variables, not step outputs.
+#
 # Requirements: python3, sha256sum, curl (all present on ubuntu-* runners).
 name: 'AI Code Review'
 description: 'Run AI-powered code review on a pull request using review-bot'
 
 inputs:
-  gitea-url:
-    description: 'Gitea instance URL (defaults to server_url)'
+  vcs-url:
+    description: 'VCS server URL (only used on Gitea runners; ignored on GitHub/GHES). Defaults to server_url.'
     required: false
     default: ''
   repo:
-    description: 'Repository (owner/name, defaults to current)'
+    description: 'Repository to review (owner/name, defaults to current)'
+    required: false
+    default: ''
+  action-repo:
+    description: 'Repository hosting review-bot releases (owner/name). Defaults to github.action_repository or rodin/review-bot.'
+    required: false
+    default: ''
+  action-repo-token:
+    description: 'Token for downloading release assets from action-repo (defaults to github.token on GitHub, reviewer-token on Gitea). Required for private repos.'
     required: false
     default: ''
   pr-number:
@@ -19,7 +39,7 @@ inputs:
     required: false
     default: ''
   reviewer-token:
-    description: 'Gitea token for posting the review'
+    description: 'Token for posting the review'
     required: true
   reviewer-name:
     description: 'Display name for the reviewer'
@@ -112,19 +132,120 @@ runs:
       id: version
       shell: bash
       run: |
-        GITEA_URL="${{ inputs.gitea-url || github.server_url }}"
-        REPO="${{ inputs.repo || 'rodin/review-bot' }}"
+        set -euo pipefail
+
+        # --- Input Validation ---
+
+        # Determine the repo hosting review-bot releases (not the repo being reviewed)
+        ACTION_REPO="${{ inputs.action-repo }}"
+        if [ -z "$ACTION_REPO" ]; then
+          # github.action_repository is the repo containing the running action
+          ACTION_REPO="${{ github.action_repository }}"
+        fi
+        if [ -z "$ACTION_REPO" ]; then
+          # Final fallback for Gitea (which may not set action_repository)
+          ACTION_REPO="rodin/review-bot"
+          echo "::notice::action-repo not specified and github.action_repository is empty; falling back to rodin/review-bot"
+        fi
+
+        # Validate ACTION_REPO matches owner/repo pattern (prevent path traversal)
+        if ! printf '%s' "$ACTION_REPO" | grep -qE '^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$'; then
+          echo "Error: action-repo '${ACTION_REPO}' does not match expected owner/repo format" >&2
+          exit 1
+        fi
+
+        # Detect VCS host type using github.api_url context.
+        # github.api_url is set on GitHub.com (https://api.github.com) and GHES
+        # (https://<host>/api/v3). It is empty/unset on Gitea Actions runners.
+        GITHUB_API_URL="${{ github.api_url }}"
+        if [ -n "$GITHUB_API_URL" ]; then
+          VCS_TYPE="github"
+        else
+          VCS_TYPE="gitea"
+        fi
+
+        # Determine SERVER_URL based on VCS type.
+        # SECURITY: On GitHub/GHES, ALWAYS use github.server_url — never trust
+        # inputs.vcs-url to prevent token exfiltration to attacker-controlled hosts.
+        if [ "$VCS_TYPE" = "github" ]; then
+          SERVER_URL="${{ github.server_url }}"
+          if [ -n "${{ inputs.vcs-url }}" ]; then
+            echo "::warning::inputs.vcs-url is ignored on GitHub/GHES runners (VCS_TYPE=github). Using github.server_url instead."
+          fi
+        else
+          SERVER_URL="${{ inputs.vcs-url || github.server_url }}"
+        fi
+        # Strip trailing slash if present
+        SERVER_URL="${SERVER_URL%/}"
+
+        # Validate SERVER_URL for Gitea path: must be https, no whitespace/newlines.
+        # The [^[:space:]] class already rejects newlines, so no separate newline check needed.
+        if [ "$VCS_TYPE" = "gitea" ]; then
+          if ! printf '%s' "$SERVER_URL" | grep -qE '^https://[^[:space:]]+$'; then
+            echo "Error: SERVER_URL '${SERVER_URL}' must be an https:// URL with no whitespace" >&2
+            exit 1
+          fi
+        fi
+
+        # Determine auth token for release API requests
+        ACTION_TOKEN="${{ inputs.action-repo-token }}"
+        if [ -z "$ACTION_TOKEN" ]; then
+          if [ "$VCS_TYPE" = "github" ]; then
+            ACTION_TOKEN="${{ github.token }}"
+          else
+            ACTION_TOKEN="${{ inputs.reviewer-token }}"
+          fi
+        fi
+
+        # Validate token contains no control characters (defense-in-depth against header injection)
+        if [ -n "$ACTION_TOKEN" ]; then
+          if printf '%s' "$ACTION_TOKEN" | LC_ALL=C grep -q '[^[:print:]]'; then
+            echo "Error: ACTION_TOKEN contains control characters" >&2
+            exit 1
+          fi
+        fi
+
         if [ "${{ inputs.version }}" = "latest" ]; then
-          VERSION=$(curl -sSf "${GITEA_URL}/api/v1/repos/${REPO}/releases?limit=1" \
-            | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
+          if [ "$VCS_TYPE" = "github" ]; then
+            # SECURITY: Use github.api_url which is a trusted platform-provided value.
+            # Never construct API URLs from user-supplied inputs on GitHub.
+            API_URL="${GITHUB_API_URL}/repos/${ACTION_REPO}/releases?per_page=1"
+          else
+            # Gitea API — SERVER_URL was validated above
+            API_URL="${SERVER_URL}/api/v1/repos/${ACTION_REPO}/releases?limit=1"
+          fi
+
+          # Fetch latest version with inline auth header (no intermediate variable)
+          if [ -n "$ACTION_TOKEN" ]; then
+            if [ "$VCS_TYPE" = "github" ]; then
+              VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 \
+                -H "Authorization: Bearer ${ACTION_TOKEN}" "$API_URL" \
+                | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
+            else
+              VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 \
+                -H "Authorization: token ${ACTION_TOKEN}" "$API_URL" \
+                | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
+            fi
+          else
+            VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 "$API_URL" \
+              | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
+          fi
+
           if [ -z "$VERSION" ]; then
-            echo "Failed to determine latest version" >&2
+            echo "Failed to determine latest version from ${API_URL}" >&2
             exit 1
           fi
         else
           VERSION="${{ inputs.version }}"
         fi
 
+        # Validate VERSION: no slashes or whitespace (prevent path traversal).
+        # [:space:] includes newlines and carriage returns in POSIX.
+        if printf '%s' "$VERSION" | grep -qE '[/[:space:]]'; then
+          echo "Error: VERSION '${VERSION}' contains invalid characters (newline, slash, or whitespace)" >&2
+          exit 1
+        fi
+
         # Detect OS and architecture for platform-specific binary download
         OS_RAW=$(uname -s | tr '[:upper:]' '[:lower:]')
         case "$OS_RAW" in
@@ -149,6 +270,16 @@ runs:
         echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
         echo "os=${OS}" >> "$GITHUB_OUTPUT"
         echo "arch=${ARCH}" >> "$GITHUB_OUTPUT"
+        echo "action_repo=${ACTION_REPO}" >> "$GITHUB_OUTPUT"
+        echo "server_url=${SERVER_URL}" >> "$GITHUB_OUTPUT"
+        echo "vcs_type=${VCS_TYPE}" >> "$GITHUB_OUTPUT"
+
+        # SECURITY: Pass token via masked environment variable instead of step output.
+        # Step outputs can leak in debug logs; GITHUB_ENV with masking is safer.
+        if [ -n "$ACTION_TOKEN" ]; then
+          echo "::add-mask::${ACTION_TOKEN}"
+          echo "ACTION_TOKEN=${ACTION_TOKEN}" >> "$GITHUB_ENV"
+        fi
 
     - name: Cache review-bot binary
       id: cache
@@ -161,21 +292,115 @@ runs:
       if: steps.cache.outputs.cache-hit != 'true'
       shell: bash
       run: |
-        GITEA_URL="${{ inputs.gitea-url || github.server_url }}"
-        REPO="${{ inputs.repo || 'rodin/review-bot' }}"
-        VERSION="${{ steps.version.outputs.version }}"
-        BINARY="review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }}"
+        set -euo pipefail
 
-        curl -sSfL "${GITEA_URL}/${REPO}/releases/download/${VERSION}/${BINARY}" \
-          -o "${{ runner.temp }}/review-bot"
-        curl -sSfL "${GITEA_URL}/${REPO}/releases/download/${VERSION}/checksums.txt" \
-          -o "${{ runner.temp }}/checksums.txt"
+        SERVER_URL="${{ steps.version.outputs.server_url }}"
+        ACTION_REPO="${{ steps.version.outputs.action_repo }}"
+        VERSION="${{ steps.version.outputs.version }}"
+        VCS_TYPE="${{ steps.version.outputs.vcs_type }}"
+        OS="${{ steps.version.outputs.os }}"
+        ARCH="${{ steps.version.outputs.arch }}"
+        # Read token from masked environment variable (set in Determine version step)
+        # Falls back to empty if not set (public repos don't need auth)
+        ACTION_TOKEN="${ACTION_TOKEN:-}"
+        BINARY="review-bot-${OS}-${ARCH}"
+
+        if [ "$VCS_TYPE" = "github" ]; then
+          # GitHub/GHES: Use REST API for release asset downloads.
+          # Web release URLs ({server}/.../releases/download/{tag}/{asset}) redirect
+          # to S3 and don't reliably support Authorization headers for private repos.
+          # The REST API endpoint with Accept: application/octet-stream is required.
+          # GITHUB_API_URL: trusted platform value, same as detected in "Determine version" step.
+          GITHUB_API_URL="${{ github.api_url }}"
+
+          if [ -n "$ACTION_TOKEN" ]; then
+            RELEASE_JSON=$(curl -sSf --connect-timeout 10 --max-time 30 \
+              -H "Authorization: Bearer ${ACTION_TOKEN}" \
+              "${GITHUB_API_URL}/repos/${ACTION_REPO}/releases/tags/${VERSION}")
+          else
+            RELEASE_JSON=$(curl -sSf --connect-timeout 10 --max-time 30 \
+              "${GITHUB_API_URL}/repos/${ACTION_REPO}/releases/tags/${VERSION}")
+          fi
+
+          # Extract asset IDs for binary and checksums
+          BINARY_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "
+import sys, json
+assets = json.load(sys.stdin).get('assets', [])
+for a in assets:
+    if a['name'] == '${BINARY}':
+        print(a['id'])
+        break
+")
+          if [ -z "$BINARY_ASSET_ID" ]; then
+            echo "Error: could not find asset '${BINARY}' in release ${VERSION}" >&2
+            exit 1
+          fi
+
+          CHECKSUMS_ASSET_ID=$(printf '%s' "$RELEASE_JSON" | python3 -c "
+import sys, json
+assets = json.load(sys.stdin).get('assets', [])
+for a in assets:
+    if a['name'] == 'checksums.txt':
+        print(a['id'])
+        break
+")
+          if [ -z "$CHECKSUMS_ASSET_ID" ]; then
+            echo "Error: could not find asset 'checksums.txt' in release ${VERSION}" >&2
+            exit 1
+          fi
+
+          # Download assets via REST API with Accept: application/octet-stream
+          if [ -n "$ACTION_TOKEN" ]; then
+            curl -sSfL --connect-timeout 10 --max-time 120 \
+              -H "Authorization: Bearer ${ACTION_TOKEN}" \
+              -H "Accept: application/octet-stream" \
+              "${GITHUB_API_URL}/repos/${ACTION_REPO}/releases/assets/${BINARY_ASSET_ID}" \
+              -o "${{ runner.temp }}/review-bot"
+            curl -sSfL --connect-timeout 10 --max-time 30 \
+              -H "Authorization: Bearer ${ACTION_TOKEN}" \
+              -H "Accept: application/octet-stream" \
+              "${GITHUB_API_URL}/repos/${ACTION_REPO}/releases/assets/${CHECKSUMS_ASSET_ID}" \
+              -o "${{ runner.temp }}/checksums.txt"
+          else
+            curl -sSfL --connect-timeout 10 --max-time 120 \
+              -H "Accept: application/octet-stream" \
+              "${GITHUB_API_URL}/repos/${ACTION_REPO}/releases/assets/${BINARY_ASSET_ID}" \
+              -o "${{ runner.temp }}/review-bot"
+            curl -sSfL --connect-timeout 10 --max-time 30 \
+              -H "Accept: application/octet-stream" \
+              "${GITHUB_API_URL}/repos/${ACTION_REPO}/releases/assets/${CHECKSUMS_ASSET_ID}" \
+              -o "${{ runner.temp }}/checksums.txt"
+          fi
+        else
+          # Gitea: Direct download via web release URLs (Gitea serves assets
+          # directly without redirects — no -L needed).
+          # SECURITY: Omitting -L prevents forwarding Authorization header to
+          # unexpected hosts if Gitea ever introduces CDN redirects.
+          DOWNLOAD_URL="${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}"
+
+          if [ -n "$ACTION_TOKEN" ]; then
+            curl -sSf --connect-timeout 10 --max-time 120 \
+              -H "Authorization: token ${ACTION_TOKEN}" \
+              "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
+            curl -sSf --connect-timeout 10 --max-time 30 \
+              -H "Authorization: token ${ACTION_TOKEN}" \
+              "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
+          else
+            curl -sSf --connect-timeout 10 --max-time 120 \
+              "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
+            curl -sSf --connect-timeout 10 --max-time 30 \
+              "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
+          fi
+        fi
 
         # Verify SHA-256 checksum
+        # NOTE: This verifies integrity (download wasn't corrupted) but not
+        # authenticity — both binary and checksums come from the same server.
+        # For stronger guarantees, consider GPG signature verification.
         cd "${{ runner.temp }}"
-        EXPECTED=$(grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')
+        EXPECTED=$(grep -E "^[0-9a-f]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')
         # sha256sum (GNU) is not available on macOS; use shasum -a 256 on darwin.
-        if [ "${{ steps.version.outputs.os }}" = "darwin" ]; then
+        if [ "${OS}" = "darwin" ]; then
           ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}')
         else
           ACTUAL=$(sha256sum review-bot | awk '{print $1}')
@@ -193,12 +418,12 @@ runs:
         fi
 
         chmod +x "${{ runner.temp }}/review-bot"
-        echo "Installed review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }} ${VERSION} (checksum verified)"
+        echo "Installed review-bot-${OS}-${ARCH} ${VERSION} (checksum verified)"
 
     - name: Run review
       shell: bash
       env:
-        GITEA_URL: ${{ inputs.gitea-url || github.server_url }}
+        VCS_URL: ${{ steps.version.outputs.server_url }}
         GITEA_REPO: ${{ inputs.repo || github.repository }}
         PR_NUMBER: ${{ inputs.pr-number || github.event.pull_request.number }}
         REVIEWER_TOKEN: ${{ inputs.reviewer-token }}

.gitea/workflows/ci.yml

@@ -49,7 +49,7 @@ jobs:
       - run: go build -o review-bot ./cmd/review-bot
       - name: Run ${{ matrix.name }} review
         env:
-          GITEA_URL: ${{ github.server_url }}
+          VCS_URL: ${{ github.server_url }}
           GITEA_REPO: ${{ github.repository }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}

PLAN-125.md

@@ -0,0 +1,175 @@
+# Plan: Issue #125 — Rename GITEA_URL → VCS_URL
+
+## Problem
+
+The `GITEA_URL` environment variable (and `--gitea-url` flag) implies the binary only works with Gitea.
+Now that review-bot supports both Gitea and GitHub/GHES, this name is misleading.
+Renaming to `VCS_URL` makes the binary platform-agnostic in its interface.
+
+## Constraints
+
+- Must not break existing users who already use `GITEA_URL` — need a fallback
+- The CLI flag `--gitea-url` should also be updated to `--vcs-url` for consistency
+- `INTEGRATION_GITEA_URL` in integration tests is a test-only env var, not the binary's interface; but should be updated for clarity
+- The action YAML uses `GITEA_URL` as an internal shell variable in bash scripts — distinct from the env var passed to the binary
+- All changes must compile and pass existing tests
+
+## Files Affected
+
+### Binary / Go source
+| File | Change |
+|------|--------|
+| `cmd/review-bot/main.go` | Rename `--gitea-url` → `--vcs-url`, add `VCS_URL` as primary, keep `GITEA_URL` fallback |
+| `cmd/review-bot/integration_test.go` | Rename `INTEGRATION_GITEA_URL` → `INTEGRATION_VCS_URL` (test-only, no external compat concern) |
+| `integration_test.go` | Same — rename `INTEGRATION_GITEA_URL` → `INTEGRATION_VCS_URL` |
+
+### Action YAML
+| File | Change |
+|------|--------|
+| `.gitea/actions/review/action.yml` | Rename input `gitea-url` → `vcs-url`; update env var passed to binary: `VCS_URL` instead of `GITEA_URL`; keep internal bash var as `GITEA_URL` (only used for release download, not passed to binary) |
+| `.gitea/workflows/ci.yml` | Rename `GITEA_URL` env var to `VCS_URL` in Run review step |
+
+### Documentation
+| File | Change |
+|------|--------|
+| `README.md` | Update CLI example, env var table entry |
+
+## Proposed Approach
+
+### 1. Backward-compatible env var lookup in main.go
+
+Replace:
+```go
+giteaURL := flag.String("gitea-url", envOrDefault("GITEA_URL", ""), "Gitea instance URL")
+```
+
+With:
+```go
+giteaURL := flag.String("vcs-url", envOrDefaultFallback("VCS_URL", "GITEA_URL", ""), "VCS server URL (e.g. https://gitea.example.com)")
+```
+
+Add a helper:
+```go
+// envOrDefaultFallback reads primary env var; if empty, falls back to deprecated env var.
+func envOrDefaultFallback(primary, deprecated, defaultVal string) string {
+    if v := os.Getenv(primary); v != "" {
+        return v
+    }
+    if v := os.Getenv(deprecated); v != "" {
+        slog.Warn("deprecated env var in use; rename to " + primary, "old", deprecated, "new", primary)
+        return v
+    }
+    return defaultVal
+}
+```
+
+**Note:** This must be called AFTER `setupLogger` conceptually, but the flag default is evaluated at flag registration time. Since `setupLogger` runs before `flag.Parse()`, the slog.Warn will print correctly at runtime. We use `log.Printf` as a fallback if this proves problematic.
+
+Actually — flag defaults are evaluated at registration (line 57), before `setupLogger`. The warning won't go through slog. Two options:
+- Use `log.Printf` for the deprecation warning (always visible)
+- Move the fallback lookup to after `flag.Parse()`, checking if the parsed value is still empty
+
+**Decision:** Move fallback to a post-parse check. This is cleaner:
+```go
+vcsURL := flag.String("vcs-url", os.Getenv("VCS_URL"), "VCS server URL")
+flag.Parse()
+// Backward compat: fall back to deprecated GITEA_URL
+if *vcsURL == "" {
+    if v := os.Getenv("GITEA_URL"); v != "" {
+        slog.Warn("GITEA_URL is deprecated; use VCS_URL instead")
+        *vcsURL = v
+    }
+}
+```
+
+This is clean, idiomatic, and the warning goes through slog correctly.
+
+### 2. Keep `--gitea-url` as deprecated alias
+
+Add a hidden flag for backward compat:
+```go
+giteaURLAlias := flag.String("gitea-url", "", "Deprecated: use --vcs-url")
+```
+
+Post-parse:
+```go
+if *vcsURL == "" && *giteaURLAlias != "" {
+    slog.Warn("--gitea-url is deprecated; use --vcs-url instead")
+    *vcsURL = *giteaURLAlias
+}
+```
+
+### 3. Internal variable rename
+
+Rename `giteaURL` local variable → `vcsURL` throughout `main.go` for consistency.
+
+### 4. Error message update
+
+```go
+fmt.Fprintf(os.Stderr, "Required: --vcs-url, --repo, --pr, --reviewer-token, --llm-model\n")
+```
+
+### 5. Action YAML changes
+
+In `.gitea/actions/review/action.yml`:
+- Input `gitea-url` → `vcs-url` (with same description, `required: false`, `default: ''`)
+- Line 172: `GITEA_URL: ${{ inputs.gitea-url || github.server_url }}` → `VCS_URL: ${{ inputs.vcs-url || github.server_url }}`
+- Lines 115, 140: internal bash vars `GITEA_URL=` are used for downloading binaries — NOT passed to the review-bot binary. Leave them as internal bash vars (they're scope-local in bash). These could be renamed to `SERVER_URL` or `BASE_URL` for local clarity, but renaming them isn't strictly required.
+
+In `.gitea/workflows/ci.yml`:
+- Line 52: `GITEA_URL: ${{ github.server_url }}` → `VCS_URL: ${{ github.server_url }}`
+
+### 6. Integration test updates
+
+`INTEGRATION_GITEA_URL` → `INTEGRATION_VCS_URL` in both test files.
+
+### 7. README
+
+- CLI example: `--gitea-url` → `--vcs-url`
+- Env var table: `GITEA_URL` → `VCS_URL`, add note about `GITEA_URL` fallback
+
+## Backward Compatibility Summary
+
+| Old | New | Fallback? |
+|-----|-----|-----------|
+| `GITEA_URL` env var | `VCS_URL` | ✅ with deprecation warning |
+| `--gitea-url` flag | `--vcs-url` | ✅ with deprecation warning |
+| `gitea-url` action input | `vcs-url` | ⚠️ No (action version bump handles this) |
+| `INTEGRATION_GITEA_URL` | `INTEGRATION_VCS_URL` | N/A (test-only) |
+
+## Error Cases
+
+- Both `VCS_URL` and `GITEA_URL` set: `VCS_URL` wins (primary takes precedence)
+- Both `--vcs-url` and `--gitea-url` provided: `--vcs-url` wins
+- Neither set: existing "missing required flags" error unchanged
+
+## Edge Cases
+
+- `os.Getenv` returns "" for unset AND set-to-empty — consistent with existing behavior
+- The `envOrDefault` helper is unchanged; we add `envOrDefaultFallback` for the one renamed var
+
+## Testing Strategy
+
+- Existing unit tests pass unchanged (they don't test env var parsing directly)
+- Integration tests updated to use new env var name
+- Manual: `GITEA_URL=https://example.com ./review-bot --repo x --pr 1 ...` should print deprecation warning and proceed
+- Manual: `VCS_URL=https://example.com ./review-bot ...` should work silently
+
+## Completion Checklist
+
+1. `VCS_URL` is read first; `GITEA_URL` is fallback with deprecation warning
+2. `--vcs-url` flag is primary; `--gitea-url` is deprecated alias with warning
+3. Error message references `--vcs-url` not `--gitea-url`
+4. `action.yml` passes `VCS_URL` (not `GITEA_URL`) to the binary
+5. `ci.yml` passes `VCS_URL` (not `GITEA_URL`) to the binary
+6. README updated in CLI example and env var table
+7. Integration tests use `INTEGRATION_VCS_URL`
+8. `go test ./...` passes
+9. `go vet ./...` passes
+10. `go build ./cmd/review-bot` succeeds
+
+## Open Questions
+
+- Should the CLI flag `--gitea-url` be completely hidden from `--help` or just deprecated with a note? The issue doesn't specify. Decision: keep it visible but add "(deprecated: use --vcs-url)" to the description.
+- Should action.yml also add `gitea-url` as a deprecated input alias? The issue says "Update the action to pass the new env var name" — no mention of backward compat for the action input. Decision: rename only, no alias (action users pin a version anyway).
+- The bash-internal `GITEA_URL` variable in action.yml scripts (used for release download, not passed to binary) — rename for clarity? Decision: yes, rename to `BASE_URL` to avoid confusion with the env var.

README.md

@@ -282,7 +282,7 @@ Rules:
 
 ```bash
 review-bot \
-  --gitea-url https://gitea.example.com \
+  --vcs-url https://gitea.example.com \
   --repo owner/name \
   --pr 42 \
   --reviewer-token "$GITEA_TOKEN" \
@@ -299,7 +299,7 @@ All flags have environment variable equivalents:
 
 | Flag | Env Var |
 |------|---------|
-| `--gitea-url` | `GITEA_URL` |
+| `--vcs-url` | `VCS_URL` (fallback: `GITEA_URL`) |
 | `--repo` | `GITEA_REPO` |
 | `--pr` | `PR_NUMBER` |
 | `--reviewer-token` | `REVIEWER_TOKEN` |

cmd/review-bot/integration_test.go

@@ -17,7 +17,7 @@ import (
 // Integration test requires a running Gitea instance and LLM endpoint.
 // Set environment variables:
 //
-//	INTEGRATION_GITEA_URL     - Gitea base URL
+//	INTEGRATION_VCS_URL       - VCS base URL
 //	INTEGRATION_GITEA_TOKEN   - Gitea API token with repo access
 //	INTEGRATION_GITEA_REPO    - owner/repo with an open PR
 //	INTEGRATION_PR_NUMBER     - PR number to test against
@@ -25,7 +25,7 @@ import (
 //	INTEGRATION_LLM_API_KEY   - LLM API key
 //	INTEGRATION_LLM_MODEL     - Model name
 func TestIntegration_FullReviewFlow(t *testing.T) {
-	giteaURL := os.Getenv("INTEGRATION_GITEA_URL")
+	giteaURL := os.Getenv("INTEGRATION_VCS_URL")
 	giteaToken := os.Getenv("INTEGRATION_GITEA_TOKEN")
 	giteaRepo := os.Getenv("INTEGRATION_GITEA_REPO")
 	prNumStr := os.Getenv("INTEGRATION_PR_NUMBER")
@@ -104,7 +104,7 @@ func TestIntegration_FullReviewFlow(t *testing.T) {
 }
 
 func TestIntegration_PostAndCleanup(t *testing.T) {
-	giteaURL := os.Getenv("INTEGRATION_GITEA_URL")
+	giteaURL := os.Getenv("INTEGRATION_VCS_URL")
 	giteaToken := os.Getenv("INTEGRATION_GITEA_TOKEN")
 	giteaRepo := os.Getenv("INTEGRATION_GITEA_REPO")
 	prNumStr := os.Getenv("INTEGRATION_PR_NUMBER")

cmd/review-bot/main.go

@@ -54,7 +54,8 @@ func main() {
 	logFormat := flag.String("log-format", envOrDefault("LOG_FORMAT", "text"), "Log output format: text or json")
 	verbosity := flag.String("verbosity", envOrDefault("LOG_VERBOSITY", "info"), "Log verbosity: debug, info, warn, error")
 	// CLI flags
-	giteaURL := flag.String("gitea-url", envOrDefault("GITEA_URL", ""), "Gitea instance URL")
+	vcsURL := flag.String("vcs-url", os.Getenv("VCS_URL"), "VCS server URL (e.g. https://gitea.example.com)")
+	giteaURLAlias := flag.String("gitea-url", "", "Deprecated: use --vcs-url")
 	repo := flag.String("repo", envOrDefault("GITEA_REPO", ""), "Repository (owner/name)")
 	prNum := flag.String("pr", envOrDefault("PR_NUMBER", ""), "Pull request number")
 	reviewerName := flag.String("reviewer-name", envOrDefault("REVIEWER_NAME", ""), "Reviewer display name")
@@ -91,12 +92,24 @@ func main() {
 
 	slog.Info("review-bot starting", "version", version)
 
+	// Backward compatibility: fall back to deprecated env var / flag if VCS_URL / --vcs-url not set.
+	if *vcsURL == "" {
+		if v := os.Getenv("GITEA_URL"); v != "" {
+			slog.Warn("GITEA_URL is deprecated; rename the environment variable to VCS_URL")
+			*vcsURL = v
+		}
+	}
+	if *vcsURL == "" && *giteaURLAlias != "" {
+		slog.Warn("--gitea-url is deprecated; use --vcs-url instead")
+		*vcsURL = *giteaURLAlias
+	}
+
 	// Validate required fields
 	// For aicore provider, llm-base-url and llm-api-key are not required
 	isAICore := llm.Provider(*llmProvider) == llm.ProviderAICore
-	if *giteaURL == "" || *repo == "" || *prNum == "" || *reviewerToken == "" || *llmModel == "" {
+	if *vcsURL == "" || *repo == "" || *prNum == "" || *reviewerToken == "" || *llmModel == "" {
 		fmt.Fprintf(os.Stderr, "Error: missing required flags or environment variables\n\n")
-		fmt.Fprintf(os.Stderr, "Required: --gitea-url, --repo, --pr, --reviewer-token, --llm-model\n")
+		fmt.Fprintf(os.Stderr, "Required: --vcs-url, --repo, --pr, --reviewer-token, --llm-model\n")
 		os.Exit(1)
 	}
 	if !isAICore && (*llmBaseURL == "" || *llmAPIKey == "") {
@@ -139,7 +152,7 @@ func main() {
 	}
 
 	// Initialize clients
-	giteaClient := gitea.NewClient(*giteaURL, *reviewerToken)
+	giteaClient := gitea.NewClient(*vcsURL, *reviewerToken)
 	llmClient := llm.NewClient(*llmBaseURL, *llmAPIKey, *llmModel)
 	if *llmTemp < 0 || *llmTemp > 2 {
 		slog.Error("invalid LLM temperature", "temperature", *llmTemp, "range", "0-2")
@@ -453,7 +466,7 @@ func main() {
 
 	// Supersede all old reviews with link to the new one
 	if len(oldReviews) > 0 {
-		newReviewURL := fmt.Sprintf("%s/%s/%s/pulls/%d#pullrequestreview-%d", strings.TrimRight(*giteaURL, "/"), owner, repoName, prNumber, posted.ID)
+		newReviewURL := fmt.Sprintf("%s/%s/%s/pulls/%d#pullrequestreview-%d", strings.TrimRight(*vcsURL, "/"), owner, repoName, prNumber, posted.ID)
 		for _, oldReview := range oldReviews {
 			cid, err := giteaClient.GetTimelineReviewCommentIDForReview(ctx, owner, repoName, prNumber, oldReview.ID)
 			if err != nil {

integration_test.go

@@ -16,16 +16,17 @@ import (
 
 // Integration test requires a running Gitea instance and LLM endpoint.
 // Set environment variables:
-//   INTEGRATION_GITEA_URL     - Gitea base URL
-//   INTEGRATION_GITEA_TOKEN   - Gitea API token with repo access
-//   INTEGRATION_GITEA_REPO    - owner/repo with an open PR
-//   INTEGRATION_PR_NUMBER     - PR number to test against
-//   INTEGRATION_LLM_BASE_URL  - LLM API base URL
-//   INTEGRATION_LLM_API_KEY   - LLM API key
-//   INTEGRATION_LLM_MODEL     - Model name
+//
+//	INTEGRATION_VCS_URL       - VCS base URL
+//	INTEGRATION_GITEA_TOKEN   - Gitea API token with repo access
+//	INTEGRATION_GITEA_REPO    - owner/repo with an open PR
+//	INTEGRATION_PR_NUMBER     - PR number to test against
+//	INTEGRATION_LLM_BASE_URL  - LLM API base URL
+//	INTEGRATION_LLM_API_KEY   - LLM API key
+//	INTEGRATION_LLM_MODEL     - Model name
 
 func TestIntegration_FullReviewFlow(t *testing.T) {
-	giteaURL := os.Getenv("INTEGRATION_GITEA_URL")
+	giteaURL := os.Getenv("INTEGRATION_VCS_URL")
 	giteaToken := os.Getenv("INTEGRATION_GITEA_TOKEN")
 	giteaRepo := os.Getenv("INTEGRATION_GITEA_REPO")
 	prNumStr := os.Getenv("INTEGRATION_PR_NUMBER")