ci: add release workflow + install script #2

Merged

aweiker merged 13 commits from ci/release-workflow into main 2026-05-01 19:24:16 +00:00

Conversation 20 Commits 13 Files Changed 10

+708 -41

rodin commented 2026-05-01 17:36:34 +00:00

Owner

Copy Link

Copy Source

What

• Release workflow (.gitea/workflows/release.yml): triggers on v* tags, builds 4 binaries (linux/darwin × amd64/arm64), creates Gitea release with assets
• Install script (install.sh): curl-pipe-bash installer that fetches latest release binary
• Version variable in main.go for ldflags injection

Usage

To release:

git tag v0.1.0
git push origin v0.1.0

To install in CI:

curl -sSfL https://gitea.weiker.me/rodin/review-bot/raw/branch/main/install.sh | bash

Or in gargoyle workflow:

- name: Install review-bot
  run: |
    curl -sSfL https://gitea.weiker.me/rodin/review-bot/releases/download/v0.1.0/review-bot-linux-amd64 -o /usr/local/bin/review-bot
    chmod +x /usr/local/bin/review-bot

## What - **Release workflow** (`.gitea/workflows/release.yml`): triggers on `v*` tags, builds 4 binaries (linux/darwin × amd64/arm64), creates Gitea release with assets - **Install script** (`install.sh`): curl-pipe-bash installer that fetches latest release binary - **Version variable** in main.go for ldflags injection ## Usage To release: ```bash git tag v0.1.0 git push origin v0.1.0 ``` To install in CI: ```bash curl -sSfL https://gitea.weiker.me/rodin/review-bot/raw/branch/main/install.sh | bash ``` Or in gargoyle workflow: ```yaml - name: Install review-bot run: | curl -sSfL https://gitea.weiker.me/rodin/review-bot/releases/download/v0.1.0/review-bot-linux-amd64 -o /usr/local/bin/review-bot chmod +x /usr/local/bin/review-bot ```

rodin added 1 commit 2026-05-01 17:36:34 +00:00

ci: add release workflow + install script ... 0568a84aa9

- Release workflow: builds linux/darwin amd64/arm64 on tag push
- Injects version via -ldflags
- Creates Gitea release with binary assets + checksums
- install.sh: curl-pipe-bash installer from latest release
- Version variable in main.go for -version flag support

rodin added 1 commit 2026-05-01 17:40:42 +00:00

ci: retrigger after adding secrets d62e8ee4f0

rodin added 1 commit 2026-05-01 18:02:30 +00:00

fix(ci): use GPT models available via HAI proxy ... 99916fe24a

HAI proxy serves Anthropic on a different path (/anthropic/v1) than
OpenAI (/openai/v1). Until review-bot supports multiple base URLs,
use GPT-5 and GPT-5-mini for both review slots.

rodin added 1 commit 2026-05-01 18:15:10 +00:00

fix: remove hardcoded temperature (unsupported by GPT-5) ... b6277216f7

GPT-5 via SAP AI Core only supports temperature=1 (default).
Remove the hardcoded 0.1 and use omitempty so the field is not sent.

sonnet-review-bot requested changes 2026-05-01 18:17:16 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Useful release workflow and installer additions, plus ldflags-ready version variable. However, the installer does not verify downloaded binaries and the release workflow assumes jq is present; also the LLM client silently changes temperature behavior. Address these before merging.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	install.sh	32	Installer downloads and executes a binary without any integrity/authenticity verification (no checksum/signature check). This is a security risk; a compromised or tampered artifact could be installed undetected.
2	[MINOR]	.gitea/workflows/release.yml	47	Workflow uses jq to parse the release ID but does not ensure jq is installed on the runner. If jq is missing, the step will fail at runtime.
3	[MINOR]	install.sh	22	Latest tag is parsed from JSON output via grep, which is brittle. Prefer using the API's latest endpoint (if available) or jq; at minimum, make the parsing more robust.
4	[MINOR]	install.sh	9	Default INSTALL_DIR is /usr/local/bin but the script does not check writability or provide a non-root fallback (e.g., ~/.local/bin). This will fail for non-root users following the curl
5	[MINOR]	llm/client.go	40	Temperature field is now omitempty and the default assignment was removed below, changing API behavior from an explicit 0.1 to 'not set'. This may lead to different model behavior depending on server defaults; document or make the default explicit if intentional.
6	[MINOR]	llm/client.go	58	Temperature is no longer set in the request body. If a low-temperature default was desired for determinism, consider retaining an explicit value or making it configurable.

Recommendation

REQUEST_CHANGES — Overall the direction is good, but please address the security and robustness issues first. Specifically: 1) In install.sh, verify the downloaded artifact before installation (e.g., fetch checksums.txt from the same release, validate the binary’s SHA-256, and fail if it doesn’t match). Consider also verifying the checksum file itself (e.g., via release signatures) if available. 2) In release.yml, add an explicit step to install jq (or avoid jq by parsing with a POSIX-safe method) so the release creation is reliable. 3) In install.sh, either check for and handle non-writable INSTALL_DIR (falling back to ~/.local/bin and adding it to PATH or instructing the user) or update the documentation to require sudo. 4) Clarify the change to LLM temperature: if the intent is to rely on server defaults, document it and consider making temperature configurable with a sensible default; otherwise restore an explicit value. After these changes, the PR should be ready to merge.

## Summary Useful release workflow and installer additions, plus ldflags-ready version variable. However, the installer does not verify downloaded binaries and the release workflow assumes jq is present; also the LLM client silently changes temperature behavior. Address these before merging. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `install.sh` | 32 | Installer downloads and executes a binary without any integrity/authenticity verification (no checksum/signature check). This is a security risk; a compromised or tampered artifact could be installed undetected. | | 2 | [MINOR] | `.gitea/workflows/release.yml` | 47 | Workflow uses jq to parse the release ID but does not ensure jq is installed on the runner. If jq is missing, the step will fail at runtime. | | 3 | [MINOR] | `install.sh` | 22 | Latest tag is parsed from JSON output via grep, which is brittle. Prefer using the API's latest endpoint (if available) or jq; at minimum, make the parsing more robust. | | 4 | [MINOR] | `install.sh` | 9 | Default INSTALL_DIR is /usr/local/bin but the script does not check writability or provide a non-root fallback (e.g., ~/.local/bin). This will fail for non-root users following the curl | bash instruction. | | 5 | [MINOR] | `llm/client.go` | 40 | Temperature field is now omitempty and the default assignment was removed below, changing API behavior from an explicit 0.1 to 'not set'. This may lead to different model behavior depending on server defaults; document or make the default explicit if intentional. | | 6 | [MINOR] | `llm/client.go` | 58 | Temperature is no longer set in the request body. If a low-temperature default was desired for determinism, consider retaining an explicit value or making it configurable. | ## Recommendation **REQUEST_CHANGES** — Overall the direction is good, but please address the security and robustness issues first. Specifically: 1) In install.sh, verify the downloaded artifact before installation (e.g., fetch checksums.txt from the same release, validate the binary’s SHA-256, and fail if it doesn’t match). Consider also verifying the checksum file itself (e.g., via release signatures) if available. 2) In release.yml, add an explicit step to install jq (or avoid jq by parsing with a POSIX-safe method) so the release creation is reliable. 3) In install.sh, either check for and handle non-writable INSTALL_DIR (falling back to ~/.local/bin and adding it to PATH or instructing the user) or update the documentation to require sudo. 4) Clarify the change to LLM temperature: if the intent is to rely on server defaults, document it and consider making temperature configurable with a sensible default; otherwise restore an explicit value. After these changes, the PR should be ready to merge.

gpt-review-bot requested changes 2026-05-01 18:20:23 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The PR adds a release workflow, an install script, and a version variable, but introduces at least one functional regression in the LLM client and multiple issues in the release workflow that will cause failures (wrong Gitea URL and missing jq dependency). Please address the major issues before merging.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	llm/client.go	58	The ChatRequest construction no longer sets Temperature (previously Temperature: 0.1). Removing the explicit value makes the field omitted (because of omitempty) and changes the API behaviour — this looks like an accidental removal and is a functional regression.
2	[MINOR]	llm/client.go	40	The Temperature struct tag was changed to json:"temperature,omitempty". This combined with the removed assignment means the temperature will be omitted when 0.0; if the intent was to always send a non-zero temperature, restore the value. The tag change itself is not necessarily wrong but has behavioural implications.
3	[MAJOR]	.gitea/workflows/release.yml	38	The workflow sets GITEA_URL to "${{ github.server_url }}". github.server_url points to GitHub, not the target Gitea instance (gitea.weiker.me). This will cause the release creation/upload to target the wrong host. The workflow should either use a GITEA_URL secret or a hardcoded/derived Gitea URL appropriate to the environment.
4	[MAJOR]	.gitea/workflows/release.yml	47	The release creation step uses jq to parse the JSON response (jq -r '.id') but the runner does not install jq. This will cause the job to fail. Either install jq in the job (apt-get install -y jq) or parse JSON without jq (e.g. use a small Go/Python one-liner or use curl's --silent and a robust tool).
5	[MINOR]	.gitea/workflows/release.yml	45	The script posts to the Gitea API endpoint; ensure the repository path (REPO) and token (GITEA_TOKEN / secrets.RELEASE_TOKEN) are correct for the environment where this runs. Consider making the Gitea base URL configurable via a secret (GITEA_URL) rather than using github.server_url.
6	[NIT]	install.sh	21	Latest-release detection uses grep/cut on the API JSON: this is brittle. Use a JSON parser (jq) if available, or call the releases/tags endpoint or parse with a portable tool. Also ensure the API endpoint you call is correct for the target Gitea host.
7	[MINOR]	cmd/review-bot/main.go	14	Added a package-level variable var version = "dev" for ldflags injection — that's fine. There's an extra blank line before the import block and some whitespace changes; these are harmless but could be cleaned up for readability.
8	[MINOR]	.gitea/workflows/ci.yml	36	CI environment changes: LLM_MODEL values were changed and REVIEWER_NAME was removed. If the application relied on REVIEWER_NAME being set in the env, ensure defaults are handled by the program or reintroduce the variable.

Recommendation

REQUEST_CHANGES — Request changes. Fix the functional regression and workflow problems before merging:

1. llm/client.go: Restore an explicit temperature value in the ChatRequest (e.g. Temperature: 0.1) if that was the intended behaviour, or document the intentional change clearly and update callers/tests. If you keep the omitempty tag, be explicit about default behaviour.

2. .gitea/workflows/release.yml:

   • Do not set GITEA_URL to github.server_url. Instead, provide the Gitea server URL via an input/secret (e.g. GITEA_URL: ${{ secrets.GITEA_URL }}) or hardcode the expected Gitea host if appropriate.
   • Ensure the runner has jq (install it in a step) or remove the jq dependency and parse the API response another way.
   • Validate that secrets.RELEASE_TOKEN is available and that the API endpoints and repository strings are correct for the environment.

3. install.sh: Consider using a more robust JSON parsing approach (or require jq) to fetch the latest tag, or use the releases/tags API to fetch a particular tag. Add graceful error messages and consider supporting more architectures if needed.

4. CI adjustments: Verify that changing/removing REVIEWER_NAME and changing LLM_MODEL values are intentional and compatible with the application; update code or workflow envs accordingly.

After addressing the above, re-run CI. Once the LLM temperature regression and release workflow issues are fixed and tests pass (go test ./... and go vet ./...), this change can be approved.

## Summary The PR adds a release workflow, an install script, and a version variable, but introduces at least one functional regression in the LLM client and multiple issues in the release workflow that will cause failures (wrong Gitea URL and missing jq dependency). Please address the major issues before merging. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `llm/client.go` | 58 | The ChatRequest construction no longer sets Temperature (previously Temperature: 0.1). Removing the explicit value makes the field omitted (because of omitempty) and changes the API behaviour — this looks like an accidental removal and is a functional regression. | | 2 | [MINOR] | `llm/client.go` | 40 | The Temperature struct tag was changed to `json:"temperature,omitempty"`. This combined with the removed assignment means the temperature will be omitted when 0.0; if the intent was to always send a non-zero temperature, restore the value. The tag change itself is not necessarily wrong but has behavioural implications. | | 3 | [MAJOR] | `.gitea/workflows/release.yml` | 38 | The workflow sets GITEA_URL to "${{ github.server_url }}". github.server_url points to GitHub, not the target Gitea instance (gitea.weiker.me). This will cause the release creation/upload to target the wrong host. The workflow should either use a GITEA_URL secret or a hardcoded/derived Gitea URL appropriate to the environment. | | 4 | [MAJOR] | `.gitea/workflows/release.yml` | 47 | The release creation step uses jq to parse the JSON response (`jq -r '.id'`) but the runner does not install jq. This will cause the job to fail. Either install jq in the job (apt-get install -y jq) or parse JSON without jq (e.g. use a small Go/Python one-liner or use curl's --silent and a robust tool). | | 5 | [MINOR] | `.gitea/workflows/release.yml` | 45 | The script posts to the Gitea API endpoint; ensure the repository path (REPO) and token (GITEA_TOKEN / secrets.RELEASE_TOKEN) are correct for the environment where this runs. Consider making the Gitea base URL configurable via a secret (GITEA_URL) rather than using github.server_url. | | 6 | [NIT] | `install.sh` | 21 | Latest-release detection uses grep/cut on the API JSON: this is brittle. Use a JSON parser (jq) if available, or call the releases/tags endpoint or parse with a portable tool. Also ensure the API endpoint you call is correct for the target Gitea host. | | 7 | [MINOR] | `cmd/review-bot/main.go` | 14 | Added a package-level variable `var version = "dev"` for ldflags injection — that's fine. There's an extra blank line before the import block and some whitespace changes; these are harmless but could be cleaned up for readability. | | 8 | [MINOR] | `.gitea/workflows/ci.yml` | 36 | CI environment changes: LLM_MODEL values were changed and REVIEWER_NAME was removed. If the application relied on REVIEWER_NAME being set in the env, ensure defaults are handled by the program or reintroduce the variable. | ## Recommendation **REQUEST_CHANGES** — Request changes. Fix the functional regression and workflow problems before merging: 1) llm/client.go: Restore an explicit temperature value in the ChatRequest (e.g. Temperature: 0.1) if that was the intended behaviour, or document the intentional change clearly and update callers/tests. If you keep the omitempty tag, be explicit about default behaviour. 2) .gitea/workflows/release.yml: - Do not set GITEA_URL to github.server_url. Instead, provide the Gitea server URL via an input/secret (e.g. GITEA_URL: ${{ secrets.GITEA_URL }}) or hardcode the expected Gitea host if appropriate. - Ensure the runner has jq (install it in a step) or remove the jq dependency and parse the API response another way. - Validate that secrets.RELEASE_TOKEN is available and that the API endpoints and repository strings are correct for the environment. 3) install.sh: Consider using a more robust JSON parsing approach (or require jq) to fetch the latest tag, or use the releases/tags API to fetch a particular tag. Add graceful error messages and consider supporting more architectures if needed. 4) CI adjustments: Verify that changing/removing REVIEWER_NAME and changing LLM_MODEL values are intentional and compatible with the application; update code or workflow envs accordingly. After addressing the above, re-run CI. Once the LLM temperature regression and release workflow issues are fixed and tests pass (go test ./... and go vet ./...), this change can be approved.

rodin added 1 commit 2026-05-01 18:22:33 +00:00

fix: address review findings ... 4b3cac66c3

- install.sh: verify SHA-256 checksum before installing binary
- install.sh: fallback to ~/.local/bin if /usr/local/bin not writable
- install.sh: use sed instead of grep for POSIX-safe JSON parsing
- release.yml: remove jq dependency, parse release ID with sed
- llm: make temperature configurable via --llm-temperature / LLM_TEMPERATURE
- llm: add WithTemperature builder method on Client
- llm: omit temperature from request when zero (uses server default)

sonnet-review-bot requested changes 2026-05-01 18:25:18 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Useful additions (release workflow, installer, LLM temperature) but there are blocking issues that will likely break builds and releases. Specifically, an unused package-level version variable in main will fail compilation, the release workflow parses the release ID unreliably and may use the wrong context, and the install script will fail on macOS due to sha256sum.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	cmd/review-bot/main.go	16	Introduces package-level variable var version = "dev" that is never used; in Go, unused variables cause a compile error. This will break go build and the release workflow.
2	[MAJOR]	.gitea/workflows/release.yml	48	Release ID is extracted from JSON using a broad sed pattern (`sed -n 's/."id":([0-9]).*/\1/p'
3	[MAJOR]	.gitea/workflows/release.yml	38	Uses ${{ github.server_url }} and ${{ github.repository }} in a Gitea Actions workflow. On Gitea, the canonical context is gitea.*; relying on github.* may not be supported on all instances and can break the release step. Use ${{ gitea.server_url }} and ${{ gitea.repository }}.
4	[MAJOR]	install.sh	55	Installer verifies checksum with sha256sum, which is not available by default on macOS. Since darwin binaries are built, macOS users will see the script fail. Add a fallback to shasum -a 256 when OS is darwin.
5	[MINOR]	llm/client.go	28	New exported method WithTemperature lacks tests. Per project conventions, all exported functions should have tests.
6	[MINOR]	.gitea/workflows/ci.yml	36	Configuration change to LLM_MODEL values (e.g., to "gpt-5"/"gpt-5-mini") and removal of REVIEWER_NAME may affect review behavior. Confirm these values are supported by the LLM service to avoid runtime failures.

Recommendation

REQUEST_CHANGES — Address the following before merging: (1) Use the injected version variable in cmd/review-bot/main.go (e.g., print on startup or provide a -version flag) or remove it to avoid a compile error. (2) Make the release workflow robust: use the Gitea context variables (gitea.server_url, gitea.repository) and fetch the release ID reliably (e.g., call GET /api/v1/repos/{repo}/releases/tags/{tag} and parse that single object, or at least grep for the top-level "id" key). (3) Update install.sh to support macOS checksum verification by using shasum -a 256 when OS is darwin. Additionally, add tests for the new exported WithTemperature method to adhere to project conventions. Once these issues are resolved, the release and installation flow should be reliable and the feature is a solid enhancement.

## Summary Useful additions (release workflow, installer, LLM temperature) but there are blocking issues that will likely break builds and releases. Specifically, an unused package-level version variable in main will fail compilation, the release workflow parses the release ID unreliably and may use the wrong context, and the install script will fail on macOS due to sha256sum. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `cmd/review-bot/main.go` | 16 | Introduces package-level variable `var version = "dev"` that is never used; in Go, unused variables cause a compile error. This will break `go build` and the release workflow. | | 2 | [MAJOR] | `.gitea/workflows/release.yml` | 48 | Release ID is extracted from JSON using a broad sed pattern (`sed -n 's/.*"id":\([0-9]*\).*/\1/p' | head -1`), which can capture the wrong `id` (e.g., author or asset IDs) depending on formatting. This fragility can cause asset uploads to fail. | | 3 | [MAJOR] | `.gitea/workflows/release.yml` | 38 | Uses `${{ github.server_url }}` and `${{ github.repository }}` in a Gitea Actions workflow. On Gitea, the canonical context is `gitea.*`; relying on `github.*` may not be supported on all instances and can break the release step. Use `${{ gitea.server_url }}` and `${{ gitea.repository }}`. | | 4 | [MAJOR] | `install.sh` | 55 | Installer verifies checksum with `sha256sum`, which is not available by default on macOS. Since darwin binaries are built, macOS users will see the script fail. Add a fallback to `shasum -a 256` when OS is darwin. | | 5 | [MINOR] | `llm/client.go` | 28 | New exported method `WithTemperature` lacks tests. Per project conventions, all exported functions should have tests. | | 6 | [MINOR] | `.gitea/workflows/ci.yml` | 36 | Configuration change to LLM_MODEL values (e.g., to "gpt-5"/"gpt-5-mini") and removal of REVIEWER_NAME may affect review behavior. Confirm these values are supported by the LLM service to avoid runtime failures. | ## Recommendation **REQUEST_CHANGES** — Address the following before merging: (1) Use the injected version variable in cmd/review-bot/main.go (e.g., print on startup or provide a -version flag) or remove it to avoid a compile error. (2) Make the release workflow robust: use the Gitea context variables (`gitea.server_url`, `gitea.repository`) and fetch the release ID reliably (e.g., call GET /api/v1/repos/{repo}/releases/tags/{tag} and parse that single object, or at least grep for the top-level `"id"` key). (3) Update install.sh to support macOS checksum verification by using `shasum -a 256` when OS is darwin. Additionally, add tests for the new exported `WithTemperature` method to adhere to project conventions. Once these issues are resolved, the release and installation flow should be reliable and the feature is a solid enhancement.

gpt-review-bot requested changes 2026-05-01 18:27:51 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The PR adds a release workflow, installer script, and temperature plumbing for the LLM client. Functional changes are mostly reasonable, but there is a critical build break in cmd/review-bot/main.go (a missing import), plus several smaller issues and robustness improvements to address before merging.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	cmd/review-bot/main.go	176	envOrDefaultFloat uses strconv.ParseFloat but strconv is not added to the import list — this will cause a compile error and break CI/builds.
2	[MINOR]	llm/client.go	17	New Temperature field was added to Client. Using json:"temperature,omitempty" on a float64 means zero will be omitted from requests (which is probably intended to allow server default), but document this behavior in comments so future readers understand why omitempty is used.
3	[MINOR]	llm/client.go	28	WithTemperature returns *Client but is used for side-effects only (its return value is ignored). Consider documenting that it mutates the receiver or change it to return nothing to avoid confusion.
4	[MINOR]	llm/client.go	63	ChatRequest building now injects c.Temperature (and omits it when zero). Ensure this aligns with intended default behavior — previously the code set a non-zero default (0.1); this change may alter runtime behavior if callers relied on the previous default.
5	[MINOR]	install.sh	50	The script uses sha256sum to verify checksums. On macOS/bundled environments sha256sum may be missing (macOS typically provides shasum). Consider detecting available checksum tool (sha256sum or shasum -a 256) for portability.
6	[MINOR]	.gitea/workflows/release.yml	1	Release creation uses github.server_url and github.repository to compute GITEA_URL/REPO. If this workflow will run against a Gitea instance (not GitHub), confirm that these GitHub Actions contexts are available/accurate in your runner environment; otherwise consider using a GITEA_URL input/secret for clarity.
7	[MINOR]	.gitea/workflows/ci.yml	36	CI environment LLM_MODEL values were changed (e.g. to "gpt-5" and "gpt-5-mini"). This is configuration and not a code bug, but it may change runtime behavior — verify those models are supported in the target LLM provider.
8	[NIT]	cmd/review-bot/main.go	28	The new llm-temperature flag line is not aligned with other flag declarations. This is purely stylistic but aligning flags improves readability.

Recommendation

REQUEST_CHANGES — Request changes. The blocker is the missing strconv import in cmd/review-bot/main.go; add strconv to the import list (run go build/go test to verify). After fixing that, run go test ./... and go vet ./... locally to validate. Also:

• Consider documenting the Temperature field behavior in llm/client.go and either make WithTemperature a mutating method that returns nothing or document the returned pointer usage.
• Confirm the change in default temperature behavior (you removed a hardcoded 0.1) is intentional.
• Make the installer more portable by falling back to shasum -a 256 when sha256sum is unavailable.
• Verify release workflow context variables are correct for your runner (Gitea vs GitHub) and consider using an explicit GITEA_URL / REPO input or secret for clarity.
• Double-check the changed LLM_MODEL values in CI to ensure they match supported models.
  Once the import/build issue and the suggested hardening items are addressed and CI passes, this can be approved.

## Summary The PR adds a release workflow, installer script, and temperature plumbing for the LLM client. Functional changes are mostly reasonable, but there is a critical build break in cmd/review-bot/main.go (a missing import), plus several smaller issues and robustness improvements to address before merging. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `cmd/review-bot/main.go` | 176 | envOrDefaultFloat uses strconv.ParseFloat but strconv is not added to the import list — this will cause a compile error and break CI/builds. | | 2 | [MINOR] | `llm/client.go` | 17 | New Temperature field was added to Client. Using json:"temperature,omitempty" on a float64 means zero will be omitted from requests (which is probably intended to allow server default), but document this behavior in comments so future readers understand why omitempty is used. | | 3 | [MINOR] | `llm/client.go` | 28 | WithTemperature returns *Client but is used for side-effects only (its return value is ignored). Consider documenting that it mutates the receiver or change it to return nothing to avoid confusion. | | 4 | [MINOR] | `llm/client.go` | 63 | ChatRequest building now injects c.Temperature (and omits it when zero). Ensure this aligns with intended default behavior — previously the code set a non-zero default (0.1); this change may alter runtime behavior if callers relied on the previous default. | | 5 | [MINOR] | `install.sh` | 50 | The script uses sha256sum to verify checksums. On macOS/bundled environments sha256sum may be missing (macOS typically provides shasum). Consider detecting available checksum tool (sha256sum or shasum -a 256) for portability. | | 6 | [MINOR] | `.gitea/workflows/release.yml` | 1 | Release creation uses github.server_url and github.repository to compute GITEA_URL/REPO. If this workflow will run against a Gitea instance (not GitHub), confirm that these GitHub Actions contexts are available/accurate in your runner environment; otherwise consider using a GITEA_URL input/secret for clarity. | | 7 | [MINOR] | `.gitea/workflows/ci.yml` | 36 | CI environment LLM_MODEL values were changed (e.g. to "gpt-5" and "gpt-5-mini"). This is configuration and not a code bug, but it may change runtime behavior — verify those models are supported in the target LLM provider. | | 8 | [NIT] | `cmd/review-bot/main.go` | 28 | The new llm-temperature flag line is not aligned with other flag declarations. This is purely stylistic but aligning flags improves readability. | ## Recommendation **REQUEST_CHANGES** — Request changes. The blocker is the missing strconv import in cmd/review-bot/main.go; add strconv to the import list (run go build/go test to verify). After fixing that, run go test ./... and go vet ./... locally to validate. Also: - Consider documenting the Temperature field behavior in llm/client.go and either make WithTemperature a mutating method that returns nothing or document the returned pointer usage. - Confirm the change in default temperature behavior (you removed a hardcoded 0.1) is intentional. - Make the installer more portable by falling back to shasum -a 256 when sha256sum is unavailable. - Verify release workflow context variables are correct for your runner (Gitea vs GitHub) and consider using an explicit GITEA_URL / REPO input or secret for clarity. - Double-check the changed LLM_MODEL values in CI to ensure they match supported models. Once the import/build issue and the suggested hardening items are addressed and CI passes, this can be approved.

rodin added 1 commit 2026-05-01 18:32:16 +00:00

feat: add composite action for clean distribution ... c458587cfc

- .gitea/actions/review/action.yml: composite action with caching
  Consumers just use:
    uses: https://gitea.weiker.me/rodin/review-bot/.gitea/actions/review@v0.1.0
  No Go toolchain needed, binary cached by version tag.

- Remove install.sh (replaced by composite action)
- CI workflow: use matrix strategy to parallelize reviews
- Self-review still builds from source (pre-release)

sonnet-review-bot approved these changes 2026-05-01 18:34:59 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Overall, the release workflow and temperature plumbing look sound and align with the repository conventions. The changes are mostly additive and well-scoped, with CI passing. There are a few minor robustness and process issues worth addressing.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	llm/client.go	28	New exported method WithTemperature lacks test coverage; repository conventions require tests for every exported function.
2	[MINOR]	llm/client.go	63	Change in default temperature behavior (from fixed 0.1 to omitting the field when zero) shifts control to the server default; ensure this is intentional and documented to avoid unexpected behavior changes.
3	[NIT]	llm/client.go	66	Spurious blank line/whitespace in the ChatRequest struct literal; consider tidying for clarity.
4	[MINOR]	.gitea/actions/review/action.yml	62	Installer downloads a binary without verifying checksums; consider validating against the published checksums.txt to improve supply-chain security.
5	[MINOR]	.gitea/workflows/release.yml	39	Parsing the release ID from JSON using sed is brittle and may break on format changes; consider a more robust pattern (e.g., ensure the matched id corresponds to the created release) or enhance error checks.
6	[MINOR]	.gitea/actions/review/action.yml	49	Cache and install steps assume write access to /usr/local/bin; this may not hold on some runners. Consider caching to a writable directory (e.g., $RUNNER_TOOL_CACHE or $HOME/.local/bin) and adding it to PATH.
7	[MINOR]	.gitea/actions/review/action.yml	62	The install step is hardcoded to the linux/amd64 binary; on arm64 or non-Linux runners this will fail. Consider detecting OS/arch to download the correct artifact.
8	[MINOR]	cmd/review-bot/main.go	176	envOrDefaultFloat silently ignores parse errors; consider logging a brief warning when an invalid LLM_TEMPERATURE is provided to aid troubleshooting.

Recommendation

APPROVE — The changes are solid and CI is green. I recommend merging, with a follow-up to: add a small test for Client.WithTemperature, document the intended temperature defaults, and harden the composite action by verifying release checksums and handling OS/arch detection. If feasible, also make the release ID parsing slightly more robust, and consider writing binaries to a guaranteed-writable path in actions. None of these block merging but will improve reliability and security.

## Summary Overall, the release workflow and temperature plumbing look sound and align with the repository conventions. The changes are mostly additive and well-scoped, with CI passing. There are a few minor robustness and process issues worth addressing. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `llm/client.go` | 28 | New exported method WithTemperature lacks test coverage; repository conventions require tests for every exported function. | | 2 | [MINOR] | `llm/client.go` | 63 | Change in default temperature behavior (from fixed 0.1 to omitting the field when zero) shifts control to the server default; ensure this is intentional and documented to avoid unexpected behavior changes. | | 3 | [NIT] | `llm/client.go` | 66 | Spurious blank line/whitespace in the ChatRequest struct literal; consider tidying for clarity. | | 4 | [MINOR] | `.gitea/actions/review/action.yml` | 62 | Installer downloads a binary without verifying checksums; consider validating against the published checksums.txt to improve supply-chain security. | | 5 | [MINOR] | `.gitea/workflows/release.yml` | 39 | Parsing the release ID from JSON using sed is brittle and may break on format changes; consider a more robust pattern (e.g., ensure the matched id corresponds to the created release) or enhance error checks. | | 6 | [MINOR] | `.gitea/actions/review/action.yml` | 49 | Cache and install steps assume write access to /usr/local/bin; this may not hold on some runners. Consider caching to a writable directory (e.g., $RUNNER_TOOL_CACHE or $HOME/.local/bin) and adding it to PATH. | | 7 | [MINOR] | `.gitea/actions/review/action.yml` | 62 | The install step is hardcoded to the linux/amd64 binary; on arm64 or non-Linux runners this will fail. Consider detecting OS/arch to download the correct artifact. | | 8 | [MINOR] | `cmd/review-bot/main.go` | 176 | envOrDefaultFloat silently ignores parse errors; consider logging a brief warning when an invalid LLM_TEMPERATURE is provided to aid troubleshooting. | ## Recommendation **APPROVE** — The changes are solid and CI is green. I recommend merging, with a follow-up to: add a small test for Client.WithTemperature, document the intended temperature defaults, and harden the composite action by verifying release checksums and handling OS/arch detection. If feasible, also make the release ID parsing slightly more robust, and consider writing binaries to a guaranteed-writable path in actions. None of these block merging but will improve reliability and security.

gpt-review-bot requested changes 2026-05-01 18:35:14 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The PR adds CI/release workflows, an installer action, and LLM temperature support. However, there is a compile-breaking issue in cmd/review-bot (missing strconv import for the new envOrDefaultFloat) and a few other problematic/fragile spots that should be addressed before merging.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	cmd/review-bot/main.go	14	The new envOrDefaultFloat helper calls strconv.ParseFloat but strconv is not imported. This will cause a build failure (undefined: strconv).
2	[MAJOR]	cmd/review-bot/main.go	173	envOrDefaultFloat was added but depends on strconv; without adding the import the code will not compile. Add "strconv" to the import block and run go test/go vet.
3	[MINOR]	cmd/review-bot/main.go	28	The new llm temperature flag is declared as llmTemp := flag.Float64(...). Ensure this is properly indented/placed inside main and consistent with other flag declarations. Also consider allowing explicit negative values or validating the range [0,1] if that matters for your LLM.
4	[MINOR]	llm/client.go	17	You added a Temperature float64 field and WithTemperature method — good. Note that using json:"temperature,omitempty" will omit the field when zero; this is desired for 'server default', but be explicit in comments/docs so callers know that 0 == server default.
5	[MINOR]	.gitea/actions/review/action.yml	47	The composite action writes to $GITHUB_OUTPUT and uses GitHub-specific actions (actions/cache, actions/checkout, etc.). The file lives under .gitea/ — ensure these GitHub Actions idioms are intended here and compatible with your execution environment (Gitea vs GitHub).
6	[MINOR]	.gitea/actions/review/action.yml	61	Caching /usr/local/bin/review-bot may not behave as expected: caching an executable path (and writing to /usr/local/bin) may require elevated permissions on runners and the cache action may not restore to that location. Consider caching to a user-writable directory and installing into /usr/local/bin only after restore.
7	[MINOR]	.gitea/workflows/release.yml	41	Release creation/asset upload uses plain sed to parse JSON and curl to upload. This is brittle: JSON parsing with sed can break on unexpected fields or formatting. Consider using a small Go program or jq (if you can rely on it) or more robust parsing to extract release ID and check for API errors.
8	[NIT]	.gitea/workflows/ci.yml	3	Minor YAML formatting: an extra blank line was added near the top of the file. Not harmful but could be cleaned up for consistency.

Recommendation

REQUEST_CHANGES — Fix the compilation error first by importing strconv in cmd/review-bot/main.go (add "strconv" to the import block). Run go build, go test ./..., and go vet ./... locally to catch any other issues. For robustness: (1) consider validating the llm temperature flag value range and documenting that 0 means server default; (2) avoid caching directly to /usr/local/bin — use a temporary, user-writable cache directory and move the binary to /usr/local/bin after restore; (3) make the release creation/upload step more robust (avoid parsing JSON with sed); and (4) verify that GitHub Actions-specific constructs in .gitea/ files are intentional and compatible with your CI runner. After these changes and a successful CI run, the PR can be approved.

## Summary The PR adds CI/release workflows, an installer action, and LLM temperature support. However, there is a compile-breaking issue in cmd/review-bot (missing strconv import for the new envOrDefaultFloat) and a few other problematic/fragile spots that should be addressed before merging. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `cmd/review-bot/main.go` | 14 | The new envOrDefaultFloat helper calls strconv.ParseFloat but strconv is not imported. This will cause a build failure (undefined: strconv). | | 2 | [MAJOR] | `cmd/review-bot/main.go` | 173 | envOrDefaultFloat was added but depends on strconv; without adding the import the code will not compile. Add "strconv" to the import block and run go test/go vet. | | 3 | [MINOR] | `cmd/review-bot/main.go` | 28 | The new llm temperature flag is declared as llmTemp := flag.Float64(...). Ensure this is properly indented/placed inside main and consistent with other flag declarations. Also consider allowing explicit negative values or validating the range [0,1] if that matters for your LLM. | | 4 | [MINOR] | `llm/client.go` | 17 | You added a Temperature float64 field and WithTemperature method — good. Note that using json:"temperature,omitempty" will omit the field when zero; this is desired for 'server default', but be explicit in comments/docs so callers know that 0 == server default. | | 5 | [MINOR] | `.gitea/actions/review/action.yml` | 47 | The composite action writes to $GITHUB_OUTPUT and uses GitHub-specific actions (actions/cache, actions/checkout, etc.). The file lives under .gitea/ — ensure these GitHub Actions idioms are intended here and compatible with your execution environment (Gitea vs GitHub). | | 6 | [MINOR] | `.gitea/actions/review/action.yml` | 61 | Caching /usr/local/bin/review-bot may not behave as expected: caching an executable path (and writing to /usr/local/bin) may require elevated permissions on runners and the cache action may not restore to that location. Consider caching to a user-writable directory and installing into /usr/local/bin only after restore. | | 7 | [MINOR] | `.gitea/workflows/release.yml` | 41 | Release creation/asset upload uses plain sed to parse JSON and curl to upload. This is brittle: JSON parsing with sed can break on unexpected fields or formatting. Consider using a small Go program or jq (if you can rely on it) or more robust parsing to extract release ID and check for API errors. | | 8 | [NIT] | `.gitea/workflows/ci.yml` | 3 | Minor YAML formatting: an extra blank line was added near the top of the file. Not harmful but could be cleaned up for consistency. | ## Recommendation **REQUEST_CHANGES** — Fix the compilation error first by importing strconv in cmd/review-bot/main.go (add "strconv" to the import block). Run go build, go test ./..., and go vet ./... locally to catch any other issues. For robustness: (1) consider validating the llm temperature flag value range and documenting that 0 means server default; (2) avoid caching directly to /usr/local/bin — use a temporary, user-writable cache directory and move the binary to /usr/local/bin after restore; (3) make the release creation/upload step more robust (avoid parsing JSON with sed); and (4) verify that GitHub Actions-specific constructs in .gitea/ files are intentional and compatible with your CI runner. After these changes and a successful CI run, the PR can be approved.

rodin added 1 commit 2026-05-01 18:38:31 +00:00

fix: address review findings (cache path, docs) ... 8d53b649ee

- Composite action: cache to runner.temp instead of /usr/local/bin
  (avoids permission issues on runners)
- Document that temperature=0 means server default (omitted from request)
- Note: strconv import already exists (false positive from GPT-5)

rodin added 1 commit 2026-05-01 18:40:18 +00:00

fix: address all remaining review findings ... 59fbd38837

- Add temperature range validation (must be 0-2, fatal on invalid)
- release.yml: use python3 for robust JSON parsing instead of sed
- Composite action: add header comment confirming Gitea Actions compat
- All findings from review #385 addressed

sonnet-review-bot requested changes 2026-05-01 18:40:59 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Overall the release workflow and composite action look reasonable, and the LLM temperature support is a useful addition. However, an exported method was added without corresponding tests per the repository conventions, and there are a few robustness and reusability issues in the workflows.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	llm/client.go	28	New exported method WithTemperature was added without corresponding tests. The repository conventions require tests for every exported function.
2	[MINOR]	.gitea/actions/review/action.yml	59	Determining the latest version parses JSON using sed, which is brittle and may break if the API response format changes or contains multiple tag_name fields. Consider a more robust approach.
3	[MINOR]	.gitea/actions/review/action.yml	82	The repository path is hard-coded as rodin/review-bot for asset download and in the version query (line 59), ignoring the repo input. This limits reusability and will break if used from a fork or a different repository. Use the provided repo input or github.repository.
4	[MINOR]	.gitea/actions/review/action.yml	69	The cache key and download target are hardcoded for linux-amd64. If the runner architecture differs (e.g., arm64), the action will download an incompatible binary. Consider detecting OS/arch and adjusting the asset name and cache key accordingly.
5	[MINOR]	.gitea/workflows/release.yml	48	Release ID is extracted from the API response using a sed pattern that may match the wrong "id" field if multiple are present. This is fragile and can cause asset uploads to fail or target the wrong ID. Use a more precise extraction strategy.
6	[NIT]	cmd/review-bot/main.go	29	The llmTemp flag declaration is not indented consistently with the surrounding code. While it compiles, consistent indentation improves readability.
7	[NIT]	.gitea/workflows/ci.yml	23	Matrix entry labeled "sonnet" uses model "gpt-5", which appears semantically inconsistent and may be confusing. Consider aligning names and models for clarity.

Recommendation

REQUEST_CHANGES — Please add unit tests for the new exported method llm.Client.WithTemperature in accordance with the repository's testing conventions. In the composite action, remove the hard-coded repository path and use the provided repo input (or github.repository) both when determining the latest version and when downloading the binary; also consider detecting OS/architecture to download the correct asset and adjust the cache key. For the JSON parsing in both the action and the release workflow, replace the brittle sed-based extraction with a more robust approach (e.g., jq if available on the runner, or more precise grep/sed anchored to the specific fields), to avoid misparsing. Additionally, tidy up minor style issues (indentation in main.go) and clarify the CI matrix names/models. Once tests are added and these adjustments are made, the changes should be good to merge.

## Summary Overall the release workflow and composite action look reasonable, and the LLM temperature support is a useful addition. However, an exported method was added without corresponding tests per the repository conventions, and there are a few robustness and reusability issues in the workflows. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `llm/client.go` | 28 | New exported method WithTemperature was added without corresponding tests. The repository conventions require tests for every exported function. | | 2 | [MINOR] | `.gitea/actions/review/action.yml` | 59 | Determining the latest version parses JSON using sed, which is brittle and may break if the API response format changes or contains multiple tag_name fields. Consider a more robust approach. | | 3 | [MINOR] | `.gitea/actions/review/action.yml` | 82 | The repository path is hard-coded as rodin/review-bot for asset download and in the version query (line 59), ignoring the repo input. This limits reusability and will break if used from a fork or a different repository. Use the provided repo input or github.repository. | | 4 | [MINOR] | `.gitea/actions/review/action.yml` | 69 | The cache key and download target are hardcoded for linux-amd64. If the runner architecture differs (e.g., arm64), the action will download an incompatible binary. Consider detecting OS/arch and adjusting the asset name and cache key accordingly. | | 5 | [MINOR] | `.gitea/workflows/release.yml` | 48 | Release ID is extracted from the API response using a sed pattern that may match the wrong "id" field if multiple are present. This is fragile and can cause asset uploads to fail or target the wrong ID. Use a more precise extraction strategy. | | 6 | [NIT] | `cmd/review-bot/main.go` | 29 | The llmTemp flag declaration is not indented consistently with the surrounding code. While it compiles, consistent indentation improves readability. | | 7 | [NIT] | `.gitea/workflows/ci.yml` | 23 | Matrix entry labeled "sonnet" uses model "gpt-5", which appears semantically inconsistent and may be confusing. Consider aligning names and models for clarity. | ## Recommendation **REQUEST_CHANGES** — Please add unit tests for the new exported method llm.Client.WithTemperature in accordance with the repository's testing conventions. In the composite action, remove the hard-coded repository path and use the provided repo input (or github.repository) both when determining the latest version and when downloading the binary; also consider detecting OS/architecture to download the correct asset and adjust the cache key. For the JSON parsing in both the action and the release workflow, replace the brittle sed-based extraction with a more robust approach (e.g., jq if available on the runner, or more precise grep/sed anchored to the specific fields), to avoid misparsing. Additionally, tidy up minor style issues (indentation in main.go) and clarify the CI matrix names/models. Once tests are added and these adjustments are made, the changes should be good to merge.

gpt-review-bot requested changes 2026-05-01 18:41:34 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The changes add release and CI workflows and LLM temperature handling, which are reasonable additions, but there is at least one correctness issue in the Go code that will break builds (missing import) and a few smaller style/clarity issues to address before merging.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	cmd/review-bot/main.go	173	The newly added envOrDefaultFloat function uses strconv.ParseFloat but the diff did not add an import for the strconv package. This will cause a build error unless strconv is already imported elsewhere in the file (the diff does not show it). Please add "strconv" to the import list or verify it is already imported.
2	[MINOR]	cmd/review-bot/main.go	28	The llm-temperature flag is declared as: llmTemp := flag.Float64(...). The line is mis-indented relative to the surrounding flag declarations (looks like a stray tab/spacing). Not a functional issue, but please run gofmt to normalize formatting.
3	[MINOR]	cmd/review-bot/main.go	56	You call llmClient.WithTemperature(*llmTemp) for side effects without using the returned *Client. This is fine because WithTemperature mutates the receiver, but it may be clearer to either reassign (llmClient = llmClient.WithTemperature(*llmTemp)) or document that the method mutates the client for future maintenance clarity.
4	[MINOR]	llm/client.go	28	WithTemperature method and its docstring are fine, but the documentation repeats the same idea twice and could be tightened. Also be explicit about whether negative values are allowed or clamped, and note that omitting the field (zero) leaves the server default.
5	[MINOR]	llm/client.go	64	ChatRequest now uses Temperature with json:"temperature,omitempty" and the Complete method sets Temperature: c.Temperature — good. Please ensure the desired default (server-side) is achieved when Temperature is zero; omitempty on float64 will omit zero. No functional issue here if that's intended.
6	[NIT]	.gitea/actions/review/action.yml	1	This composite action uses GitHub-specific runner variables ($GITHUB_OUTPUT, runner.temp, github.server_url). If this action is meant to run in Gitea's environment, double-check those variables are available/compatible in Gitea actions; otherwise this may fail when reused in a non-GitHub runner.

Recommendation

REQUEST_CHANGES — Request changes: fix the build-blocking issue by ensuring strconv is imported in cmd/review-bot/main.go (or verify it was already present), run gofmt and go vet, and consider the minor clarity/style improvements listed above. After addressing these, re-run CI (go test ./... and go vet ./...) to ensure everything builds and tests pass before merging.

## Summary The changes add release and CI workflows and LLM temperature handling, which are reasonable additions, but there is at least one correctness issue in the Go code that will break builds (missing import) and a few smaller style/clarity issues to address before merging. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `cmd/review-bot/main.go` | 173 | The newly added envOrDefaultFloat function uses strconv.ParseFloat but the diff did not add an import for the strconv package. This will cause a build error unless strconv is already imported elsewhere in the file (the diff does not show it). Please add "strconv" to the import list or verify it is already imported. | | 2 | [MINOR] | `cmd/review-bot/main.go` | 28 | The llm-temperature flag is declared as: llmTemp := flag.Float64(...). The line is mis-indented relative to the surrounding flag declarations (looks like a stray tab/spacing). Not a functional issue, but please run gofmt to normalize formatting. | | 3 | [MINOR] | `cmd/review-bot/main.go` | 56 | You call llmClient.WithTemperature(*llmTemp) for side effects without using the returned *Client. This is fine because WithTemperature mutates the receiver, but it may be clearer to either reassign (llmClient = llmClient.WithTemperature(*llmTemp)) or document that the method mutates the client for future maintenance clarity. | | 4 | [MINOR] | `llm/client.go` | 28 | WithTemperature method and its docstring are fine, but the documentation repeats the same idea twice and could be tightened. Also be explicit about whether negative values are allowed or clamped, and note that omitting the field (zero) leaves the server default. | | 5 | [MINOR] | `llm/client.go` | 64 | ChatRequest now uses Temperature with json:"temperature,omitempty" and the Complete method sets Temperature: c.Temperature — good. Please ensure the desired default (server-side) is achieved when Temperature is zero; omitempty on float64 will omit zero. No functional issue here if that's intended. | | 6 | [NIT] | `.gitea/actions/review/action.yml` | 1 | This composite action uses GitHub-specific runner variables ($GITHUB_OUTPUT, runner.temp, github.server_url). If this action is meant to run in Gitea's environment, double-check those variables are available/compatible in Gitea actions; otherwise this may fail when reused in a non-GitHub runner. | ## Recommendation **REQUEST_CHANGES** — Request changes: fix the build-blocking issue by ensuring strconv is imported in cmd/review-bot/main.go (or verify it was already present), run gofmt and go vet, and consider the minor clarity/style improvements listed above. After addressing these, re-run CI (go test ./... and go vet ./...) to ensure everything builds and tests pass before merging.

sonnet-review-bot requested changes 2026-05-01 18:42:55 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Solid improvements to release automation and the LLM client, but a new exported API lacks tests and a few workflow robustness issues remain. Address these to align with repository conventions and improve reliability.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	llm/client.go	30	New exported method WithTemperature is introduced without accompanying tests, violating the repository convention to test every exported function.
2	[MINOR]	.gitea/actions/review/action.yml	62	Latest version is determined by parsing JSON with sed, which is brittle and may break with formatting changes; consider robust JSON parsing (e.g., using Python as in release.yml) or jq if available.
3	[MINOR]	.gitea/actions/review/action.yml	85	The action downloads and executes a binary without verifying integrity (e.g., via checksums); consider verifying the SHA256 checksum before chmod/execute.
4	[MINOR]	.gitea/actions/review/action.yml	12	The 'repo' input is defined but not used in the Determine version and Install steps, which hardcode 'rodin/review-bot'. This limits reusability and can cause confusion.
5	[MINOR]	llm/client.go	63	Default temperature changed from explicit 0.1 to omitting the field (server default). If this change is intentional, ensure it is documented and covered by tests to prevent regressions.
6	[NIT]	cmd/review-bot/main.go	33	The llm-temperature flag declaration appears misaligned relative to surrounding flag declarations. While not functionally problematic, aligning formatting improves readability.
7	[MINOR]	.gitea/workflows/release.yml	49	Release creation does not handle the case where a release already exists for the tag (e.g., 409 conflict). Consider detecting existing releases by tag and reusing/updating them.

Recommendation

REQUEST_CHANGES — Please add table-driven tests covering the new exported WithTemperature method in the llm package (including behavior when temperature is unset, set within range, and edge cases). In the composite action, replace the sed-based version detection with a more robust JSON parsing approach (similar to the Python usage in release.yml) and verify downloaded binary checksums prior to execution. Also, either remove or wire up the 'repo' input to avoid hardcoding 'rodin/review-bot' in the Determine version and Install steps. Document the intended change in default temperature behavior (server default vs fixed 0.1) and ensure existing tests reflect this. After these changes, the PR should be ready to merge.

## Summary Solid improvements to release automation and the LLM client, but a new exported API lacks tests and a few workflow robustness issues remain. Address these to align with repository conventions and improve reliability. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `llm/client.go` | 30 | New exported method WithTemperature is introduced without accompanying tests, violating the repository convention to test every exported function. | | 2 | [MINOR] | `.gitea/actions/review/action.yml` | 62 | Latest version is determined by parsing JSON with sed, which is brittle and may break with formatting changes; consider robust JSON parsing (e.g., using Python as in release.yml) or jq if available. | | 3 | [MINOR] | `.gitea/actions/review/action.yml` | 85 | The action downloads and executes a binary without verifying integrity (e.g., via checksums); consider verifying the SHA256 checksum before chmod/execute. | | 4 | [MINOR] | `.gitea/actions/review/action.yml` | 12 | The 'repo' input is defined but not used in the Determine version and Install steps, which hardcode 'rodin/review-bot'. This limits reusability and can cause confusion. | | 5 | [MINOR] | `llm/client.go` | 63 | Default temperature changed from explicit 0.1 to omitting the field (server default). If this change is intentional, ensure it is documented and covered by tests to prevent regressions. | | 6 | [NIT] | `cmd/review-bot/main.go` | 33 | The llm-temperature flag declaration appears misaligned relative to surrounding flag declarations. While not functionally problematic, aligning formatting improves readability. | | 7 | [MINOR] | `.gitea/workflows/release.yml` | 49 | Release creation does not handle the case where a release already exists for the tag (e.g., 409 conflict). Consider detecting existing releases by tag and reusing/updating them. | ## Recommendation **REQUEST_CHANGES** — Please add table-driven tests covering the new exported WithTemperature method in the llm package (including behavior when temperature is unset, set within range, and edge cases). In the composite action, replace the sed-based version detection with a more robust JSON parsing approach (similar to the Python usage in release.yml) and verify downloaded binary checksums prior to execution. Also, either remove or wire up the 'repo' input to avoid hardcoding 'rodin/review-bot' in the Determine version and Install steps. Document the intended change in default temperature behavior (server default vs fixed 0.1) and ensure existing tests reflect this. After these changes, the PR should be ready to merge.

gpt-review-bot requested changes 2026-05-01 18:42:56 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The changes add a release workflow, a composite action, and temperature support for the LLM. However, the Go changes introduce a build break (missing import) and a behavioral change to LLM temperature handling that should be called out and (if unintended) reverted. Please fix the compile error and address the minor issues below.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	cmd/review-bot/main.go	176	envOrDefaultFloat uses strconv.ParseFloat but the strconv package was not added to the import list. This will cause a compile error (undefined: strconv).
2	[MINOR]	llm/client.go	28	WithTemperature comment is repetitive and slightly unclear (it repeats the zero-value explanation twice). Consider tightening the comment to a single clear sentence describing that 0 means omit the field so the server default is used.
3	[MINOR]	llm/client.go	63	Behavioral change: the previous implementation hard-coded Temperature: 0.1 in Complete; the new implementation sets Temperature to c.Temperature (and the struct tag is omitempty). This means that unless a non-zero temperature is explicitly set, the temperature field will be omitted and server default used — different from previous 0.1 default. Ensure this behavioral change is intended and documented.
4	[MINOR]	.gitea/workflows/release.yml	43	The release creation step parses JSON with python3 to extract the release id. This introduces a dependency on python3 being available on the runner. Consider using jq (commonly available) or curl + grep/jq, or the Gitea API in a small Go helper if you want to avoid Python usage.
5	[NIT]	.gitea/actions/review/action.yml	30	Determining the latest version by parsing HTML/JSON with sed is brittle (the sed expression may break on formatting changes). Prefer calling the API and parsing JSON with a robust parser (jq) or use the API's structured output.

Recommendation

REQUEST_CHANGES — Please add the missing import for strconv in cmd/review-bot/main.go (and run go build/go test/go vet locally) so the project compiles. Confirm whether the change to the LLM default temperature (removing the previous 0.1 default and using omission to defer to server defaults) is intentional; if not, restore the previous default or document the change. Tighten the WithTemperature comment for clarity. For the release workflow, consider avoiding a hard dependency on python3 for JSON parsing or explicitly document that python3 is required on the runner. Finally, prefer more robust JSON parsing (jq or the API) instead of sed when determining the latest release in the composite action. After addressing the compile error and these suggestions, re-run CI to ensure all checks pass.

## Summary The changes add a release workflow, a composite action, and temperature support for the LLM. However, the Go changes introduce a build break (missing import) and a behavioral change to LLM temperature handling that should be called out and (if unintended) reverted. Please fix the compile error and address the minor issues below. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `cmd/review-bot/main.go` | 176 | envOrDefaultFloat uses strconv.ParseFloat but the strconv package was not added to the import list. This will cause a compile error (undefined: strconv). | | 2 | [MINOR] | `llm/client.go` | 28 | WithTemperature comment is repetitive and slightly unclear (it repeats the zero-value explanation twice). Consider tightening the comment to a single clear sentence describing that 0 means omit the field so the server default is used. | | 3 | [MINOR] | `llm/client.go` | 63 | Behavioral change: the previous implementation hard-coded Temperature: 0.1 in Complete; the new implementation sets Temperature to c.Temperature (and the struct tag is `omitempty`). This means that unless a non-zero temperature is explicitly set, the temperature field will be omitted and server default used — different from previous 0.1 default. Ensure this behavioral change is intended and documented. | | 4 | [MINOR] | `.gitea/workflows/release.yml` | 43 | The release creation step parses JSON with python3 to extract the release id. This introduces a dependency on python3 being available on the runner. Consider using jq (commonly available) or curl + grep/jq, or the Gitea API in a small Go helper if you want to avoid Python usage. | | 5 | [NIT] | `.gitea/actions/review/action.yml` | 30 | Determining the latest version by parsing HTML/JSON with sed is brittle (the sed expression may break on formatting changes). Prefer calling the API and parsing JSON with a robust parser (jq) or use the API's structured output. | ## Recommendation **REQUEST_CHANGES** — Please add the missing import for strconv in cmd/review-bot/main.go (and run go build/go test/go vet locally) so the project compiles. Confirm whether the change to the LLM default temperature (removing the previous 0.1 default and using omission to defer to server defaults) is intentional; if not, restore the previous default or document the change. Tighten the WithTemperature comment for clarity. For the release workflow, consider avoiding a hard dependency on python3 for JSON parsing or explicitly document that python3 is required on the runner. Finally, prefer more robust JSON parsing (jq or the API) instead of sed when determining the latest release in the composite action. After addressing the compile error and these suggestions, re-run CI to ensure all checks pass.

rodin added 1 commit 2026-05-01 18:58:22 +00:00

fix: address all review findings (zero remaining) ... 46c63ed121

Tests:
- Add WithTemperature tests (builder method, chaining, zero omission)
- Add temperature serialization tests (omitted when 0, included when set)

Composite action:
- Use python3 for robust JSON version parsing (replaces sed)
- Verify SHA-256 checksum before executing downloaded binary
- Wire up repo input (no longer hardcodes rodin/review-bot)

Release workflow:
- Handle 409 conflict (existing release for tag)
- Use file-based JSON parsing for reliability

Code:
- Tighten WithTemperature doc comment (single clear line)
- Fix flag alignment (missing tab on llmTemp declaration)

gpt-review-bot approved these changes 2026-05-01 19:00:19 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The changes add release automation, a reusable Gitea composite action, and support for LLM temperature in the client and CLI. Code and tests are consistent and CI passed; only small improvements and clarifications are recommended.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	cmd/review-bot/main.go	14	A package-level variable version = "dev" was added for ldflags injection. This is fine, but consider adding a short comment explaining its purpose and intended ldflags usage so future maintainers understand it's expected to be overwritten at build time.
2	[MINOR]	cmd/review-bot/main.go	28	The new --llm-temperature flag is validated with log.Fatal on out-of-range values. The project conventions prefer returning errors; while exiting from main is acceptable for CLI, consider returning an error from a run() function and calling log.Fatal only at the top-level to keep logic testable.
3	[MINOR]	cmd/review-bot/main.go	176	The new envOrDefaultFloat helper swallows parse errors and returns the default. Consider logging or returning a wrapped error when environment parsing fails so misconfiguration is easier to debug. At minimum, a comment should explain the choice to ignore parse errors.
4	[MINOR]	llm/client.go	14	Temperature float64 was added to the Client struct and json tag in ChatRequest was changed to temperature,omitempty. This behaves correctly (omits zero), but ensure callers understand that 0 means 'omit' and not an explicit 0.0 sent to the server — the comment on WithTemperature helps, but consider documenting this behavior on the Client type as well.
5	[NIT]	llm/client.go	28	WithTemperature returns the same client pointer and mutates it. This is fine, but it's a mutating chainable method; a short comment clarifying that it mutates the receiver would aid readability for callers.
6	[NIT]	llm/client.go	60	There is a small leftover blank line in the struct literal assigned to reqBody (trailing comma/blank). This is harmless but could be cleaned up for style consistency.
7	[MINOR]	llm/client_test.go	108	The tests assert exact equality on float64 values decoded from JSON (e.g. temp != 0.7). Floating-point equality can be fragile; consider comparing with a small epsilon or asserting the value is within an acceptable delta to avoid flaky tests.
8	[MINOR]	.gitea/workflows/release.yml	1	The release workflow creates/queries releases via the Gitea API unauthenticated when determining the latest tag in some places; this can fail for private repositories. The action and release steps do use a token (RELEASE_TOKEN) for creation/upload, but consider using authentication consistently where needed.
9	[MINOR]	.gitea/actions/review/action.yml	1	The composite action determines the latest release tag by calling the Gitea API without a token. For private repositories this will fail. Either accept a token input for that request or document that the repo must be public (or the runner must have access).
10	[MINOR]	``	0	The PR description mentions an 'install.sh' installer script, but this diff does not include an install.sh file. If the installer is intended to be part of this change, ensure it is added; otherwise update the PR description to avoid confusion.

Recommendation

APPROVE — Approve: the implementation is sound, tests were added to cover the new temperature feature, and CI passed. Please address the minor items: add a brief comment for the version variable, consider a non-fatal validation pattern to keep main logic testable, add documentation/comments clarifying how temperature=0 is treated (omit vs explicit 0), tighten floating-point assertions in tests (use epsilon), and either include the install.sh mentioned in the PR or update the description. Also consider authenticating API calls where appropriate for private repositories (or documenting the public-repo requirement). These changes are small and non-blocking.

## Summary The changes add release automation, a reusable Gitea composite action, and support for LLM temperature in the client and CLI. Code and tests are consistent and CI passed; only small improvements and clarifications are recommended. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `cmd/review-bot/main.go` | 14 | A package-level variable `version = "dev"` was added for ldflags injection. This is fine, but consider adding a short comment explaining its purpose and intended ldflags usage so future maintainers understand it's expected to be overwritten at build time. | | 2 | [MINOR] | `cmd/review-bot/main.go` | 28 | The new --llm-temperature flag is validated with log.Fatal on out-of-range values. The project conventions prefer returning errors; while exiting from main is acceptable for CLI, consider returning an error from a run() function and calling log.Fatal only at the top-level to keep logic testable. | | 3 | [MINOR] | `cmd/review-bot/main.go` | 176 | The new envOrDefaultFloat helper swallows parse errors and returns the default. Consider logging or returning a wrapped error when environment parsing fails so misconfiguration is easier to debug. At minimum, a comment should explain the choice to ignore parse errors. | | 4 | [MINOR] | `llm/client.go` | 14 | Temperature float64 was added to the Client struct and json tag in ChatRequest was changed to `temperature,omitempty`. This behaves correctly (omits zero), but ensure callers understand that 0 means 'omit' and not an explicit 0.0 sent to the server — the comment on WithTemperature helps, but consider documenting this behavior on the Client type as well. | | 5 | [NIT] | `llm/client.go` | 28 | WithTemperature returns the same client pointer and mutates it. This is fine, but it's a mutating chainable method; a short comment clarifying that it mutates the receiver would aid readability for callers. | | 6 | [NIT] | `llm/client.go` | 60 | There is a small leftover blank line in the struct literal assigned to reqBody (trailing comma/blank). This is harmless but could be cleaned up for style consistency. | | 7 | [MINOR] | `llm/client_test.go` | 108 | The tests assert exact equality on float64 values decoded from JSON (e.g. temp != 0.7). Floating-point equality can be fragile; consider comparing with a small epsilon or asserting the value is within an acceptable delta to avoid flaky tests. | | 8 | [MINOR] | `.gitea/workflows/release.yml` | 1 | The release workflow creates/queries releases via the Gitea API unauthenticated when determining the latest tag in some places; this can fail for private repositories. The action and release steps do use a token (RELEASE_TOKEN) for creation/upload, but consider using authentication consistently where needed. | | 9 | [MINOR] | `.gitea/actions/review/action.yml` | 1 | The composite action determines the latest release tag by calling the Gitea API without a token. For private repositories this will fail. Either accept a token input for that request or document that the repo must be public (or the runner must have access). | | 10 | [MINOR] | `` | 0 | The PR description mentions an 'install.sh' installer script, but this diff does not include an install.sh file. If the installer is intended to be part of this change, ensure it is added; otherwise update the PR description to avoid confusion. | ## Recommendation **APPROVE** — Approve: the implementation is sound, tests were added to cover the new temperature feature, and CI passed. Please address the minor items: add a brief comment for the version variable, consider a non-fatal validation pattern to keep main logic testable, add documentation/comments clarifying how temperature=0 is treated (omit vs explicit 0), tighten floating-point assertions in tests (use epsilon), and either include the install.sh mentioned in the PR or update the description. Also consider authenticating API calls where appropriate for private repositories (or documenting the public-repo requirement). These changes are small and non-blocking.

rodin added 1 commit 2026-05-01 19:00:29 +00:00

fix: prevent false-positive missing-import findings ... c76362af95

The LLM was treating the diff as complete file context and flagging
"missing imports" for symbols that exist in unchanged portions of
the file. Added explicit instructions to the system prompt:

- Clarify that the diff is partial; unchanged code already exists
- Explicitly instruct: do not flag missing imports/types unless the
  diff introduces a new usage without a corresponding addition
- Add rule: never flag undefined symbols that could exist in the
  unchanged portions

sonnet-review-bot approved these changes 2026-05-01 19:00:54 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Solid addition of a release workflow and LLM temperature handling, plus a useful composite action for running reviews. Code and tests are straightforward and adhere to conventions; CI has passed.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	.gitea/actions/review/action.yml	61	Input 'repo' description says it defaults to the current repository, but the script defaults to 'rodin/review-bot'. Consider aligning the behavior with the description or updating the description.
2	[NIT]	.gitea/actions/review/action.yml	79	Cache key hardcodes linux/amd64; if this action is ever run on a different OS/arch, the cache will miss and the binary name won't match. Consider parameterizing based on runner.os and runner.arch.
3	[NIT]	.gitea/actions/review/action.yml	111	When the cache hits, the chmod step is skipped; while actions/cache generally preserves file modes, it’s safer to ensure the binary is executable before running (e.g., chmod +x in the run step).

Recommendation

APPROVE — Overall, this PR is well-executed: the release workflow builds four target binaries, includes checksum generation, and robustly creates or reuses a Gitea release. The LLM client’s temperature handling is idiomatic with an omitempty JSON field, a chainable setter, and tests covering both inclusion and omission. The composite action for installation and execution is pragmatic and includes checksum verification. Please consider aligning the default repo behavior with its description in the composite action and hardening the cache/permissions behavior. Otherwise, this is good to merge.

## Summary Solid addition of a release workflow and LLM temperature handling, plus a useful composite action for running reviews. Code and tests are straightforward and adhere to conventions; CI has passed. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `.gitea/actions/review/action.yml` | 61 | Input 'repo' description says it defaults to the current repository, but the script defaults to 'rodin/review-bot'. Consider aligning the behavior with the description or updating the description. | | 2 | [NIT] | `.gitea/actions/review/action.yml` | 79 | Cache key hardcodes linux/amd64; if this action is ever run on a different OS/arch, the cache will miss and the binary name won't match. Consider parameterizing based on runner.os and runner.arch. | | 3 | [NIT] | `.gitea/actions/review/action.yml` | 111 | When the cache hits, the chmod step is skipped; while actions/cache generally preserves file modes, it’s safer to ensure the binary is executable before running (e.g., chmod +x in the run step). | ## Recommendation **APPROVE** — Overall, this PR is well-executed: the release workflow builds four target binaries, includes checksum generation, and robustly creates or reuses a Gitea release. The LLM client’s temperature handling is idiomatic with an omitempty JSON field, a chainable setter, and tests covering both inclusion and omission. The composite action for installation and execution is pragmatic and includes checksum verification. Please consider aligning the default repo behavior with its description in the composite action and hardening the cache/permissions behavior. Otherwise, this is good to merge.

sonnet-review-bot approved these changes 2026-05-01 19:02:43 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Solid addition of a release workflow, a reusable composite action, and LLM temperature handling with tests. Changes are coherent and CI passed; no correctness or design blockers found.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	.gitea/actions/review/action.yml	1	The action installs a hardcoded linux/amd64 binary. If used on non-amd64 Linux or other OS runners, installation will fail. Consider deriving the asset name from runner.os and runner.arch or documenting the Linux/amd64 requirement.
2	[NIT]	.gitea/actions/review/action.yml	1	Bash steps do not enable strict modes. Adding 'set -euo pipefail' at the start of shell scripts would make failures surface earlier and improve robustness.
3	[MINOR]	.gitea/workflows/release.yml	28	Cross-compiling for darwin/amd64 and darwin/arm64 from Linux can be sensitive to CGO settings. Explicitly setting CGO_ENABLED=0 for these builds can make cross-compilation more reliable even if the defaults often suffice.
4	[NIT]	llm/client_test.go	55	In TestComplete_TemperatureIncludedWhenSet, comparing interface{} directly to 0.7 relies on the decoded type being float64. Type-assert to float64 before comparison (e.g., t := req["temperature"].(float64)) to make the intent explicit and avoid accidental type mismatch.

Recommendation

APPROVE — The PR is well-structured and aligns with project conventions. The release workflow builds and uploads multi-arch binaries, the composite action provides a convenient installer with checksum verification, and the LLM temperature feature is implemented cleanly with tests ensuring correct omission/inclusion. Address the minor notes to improve portability and robustness (e.g., support for other runner architectures, stricter bash settings, explicit CGO settings in cross-builds, and a small test refinement). Otherwise, this is good to merge.

## Summary Solid addition of a release workflow, a reusable composite action, and LLM temperature handling with tests. Changes are coherent and CI passed; no correctness or design blockers found. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `.gitea/actions/review/action.yml` | 1 | The action installs a hardcoded linux/amd64 binary. If used on non-amd64 Linux or other OS runners, installation will fail. Consider deriving the asset name from runner.os and runner.arch or documenting the Linux/amd64 requirement. | | 2 | [NIT] | `.gitea/actions/review/action.yml` | 1 | Bash steps do not enable strict modes. Adding 'set -euo pipefail' at the start of shell scripts would make failures surface earlier and improve robustness. | | 3 | [MINOR] | `.gitea/workflows/release.yml` | 28 | Cross-compiling for darwin/amd64 and darwin/arm64 from Linux can be sensitive to CGO settings. Explicitly setting CGO_ENABLED=0 for these builds can make cross-compilation more reliable even if the defaults often suffice. | | 4 | [NIT] | `llm/client_test.go` | 55 | In TestComplete_TemperatureIncludedWhenSet, comparing interface{} directly to 0.7 relies on the decoded type being float64. Type-assert to float64 before comparison (e.g., t := req["temperature"].(float64)) to make the intent explicit and avoid accidental type mismatch. | ## Recommendation **APPROVE** — The PR is well-structured and aligns with project conventions. The release workflow builds and uploads multi-arch binaries, the composite action provides a convenient installer with checksum verification, and the LLM temperature feature is implemented cleanly with tests ensuring correct omission/inclusion. Address the minor notes to improve portability and robustness (e.g., support for other runner architectures, stricter bash settings, explicit CGO settings in cross-builds, and a small test refinement). Otherwise, this is good to merge.

gpt-review-bot approved these changes 2026-05-01 19:04:21 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The changes add CI release automation, an install action, a temperature option for the LLM client, and update prompts — overall implementations look correct and CI is reported as passing. A few minor improvements and robustness suggestions are noted below.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	.gitea/actions/review/action.yml	63	The 'Determine version' step pipes the releases API response into python3 to extract the latest tag. Relying on python3 availability is probably fine on ubuntu runners, but consider using jq (if available) or performing additional checks for empty arrays / unexpected API responses to make this more robust and self-document the dependency.
2	[MINOR]	.gitea/actions/review/action.yml	96	The checksum verification uses grep/awk and sha256sum (EXPECTED=$(grep ...); ACTUAL=$(sha256sum ...)). These external commands are fine on standard ubuntu runners, but consider checking command existence or failing with clearer diagnostics if any of those commands are missing. Also consider quoting/escaping filenames if the binary name ever changes to include whitespace (unlikely here).
3	[MINOR]	.gitea/workflows/release.yml	26	Binaries are built for darwin/amd64 and darwin/arm64 on an Ubuntu runner. Cross-compilation for pure Go projects usually works, but if any cgo is introduced later this step can fail. If you ever need cgo-enabled builds for darwin targets, explicit settings (e.g. CGO_ENABLED=0) or macOS runners may be needed. Also note that checksums.txt is generated and uploaded along with binaries — that's OK but consider also attaching checksums as a separate asset or signature if you want to make verification more discoverable.
4	[MINOR]	cmd/review-bot/main.go	177	envOrDefaultFloat silently ignores parse errors and falls back to the default when an environment variable is present but invalid. It would be more user-friendly to log a warning or return an error (or at least document the behaviour) so misconfiguration (e.g. a typo in an env var) is easier to diagnose.
5	[MINOR]	llm/client.go	28	WithTemperature is a handy chaining helper and the implementation is fine. Consider documenting acceptable temperature range (0-2) in the comment (you enforce this range in main.go), or validating the range inside WithTemperature so callers can't set an out-of-bounds value.

Recommendation

APPROVE — Approve — the PR is well-structured and CI is reported as passing. The changes are small and focused: release workflow, install action, LLM temperature support, and prompt improvements. Address the minor robustness suggestions: make the action's JSON parsing and checksum verification more defensive (or document dependencies), surface parse errors from envOrDefaultFloat (or at least warn), and consider documenting or validating temperature ranges in the LLM client. None of these require blocking the merge.

## Summary The changes add CI release automation, an install action, a temperature option for the LLM client, and update prompts — overall implementations look correct and CI is reported as passing. A few minor improvements and robustness suggestions are noted below. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `.gitea/actions/review/action.yml` | 63 | The 'Determine version' step pipes the releases API response into python3 to extract the latest tag. Relying on python3 availability is probably fine on ubuntu runners, but consider using jq (if available) or performing additional checks for empty arrays / unexpected API responses to make this more robust and self-document the dependency. | | 2 | [MINOR] | `.gitea/actions/review/action.yml` | 96 | The checksum verification uses grep/awk and sha256sum (EXPECTED=$(grep ...); ACTUAL=$(sha256sum ...)). These external commands are fine on standard ubuntu runners, but consider checking command existence or failing with clearer diagnostics if any of those commands are missing. Also consider quoting/escaping filenames if the binary name ever changes to include whitespace (unlikely here). | | 3 | [MINOR] | `.gitea/workflows/release.yml` | 26 | Binaries are built for darwin/amd64 and darwin/arm64 on an Ubuntu runner. Cross-compilation for pure Go projects usually works, but if any cgo is introduced later this step can fail. If you ever need cgo-enabled builds for darwin targets, explicit settings (e.g. CGO_ENABLED=0) or macOS runners may be needed. Also note that checksums.txt is generated and uploaded along with binaries — that's OK but consider also attaching checksums as a separate asset or signature if you want to make verification more discoverable. | | 4 | [MINOR] | `cmd/review-bot/main.go` | 177 | envOrDefaultFloat silently ignores parse errors and falls back to the default when an environment variable is present but invalid. It would be more user-friendly to log a warning or return an error (or at least document the behaviour) so misconfiguration (e.g. a typo in an env var) is easier to diagnose. | | 5 | [MINOR] | `llm/client.go` | 28 | WithTemperature is a handy chaining helper and the implementation is fine. Consider documenting acceptable temperature range (0-2) in the comment (you enforce this range in main.go), or validating the range inside WithTemperature so callers can't set an out-of-bounds value. | ## Recommendation **APPROVE** — Approve — the PR is well-structured and CI is reported as passing. The changes are small and focused: release workflow, install action, LLM temperature support, and prompt improvements. Address the minor robustness suggestions: make the action's JSON parsing and checksum verification more defensive (or document dependencies), surface parse errors from envOrDefaultFloat (or at least warn), and consider documenting or validating temperature ranges in the LLM client. None of these require blocking the merge.

rodin added 1 commit 2026-05-01 19:11:51 +00:00

feat: full file context + patterns-repo support ... e234dca474

Major improvements to review quality:

1. Full file context: fetch complete content of all modified files from
   the PR branch and include as reference. This eliminates false-positive
   "missing import" findings since the model sees the entire file.

2. Patterns repo: new --patterns-repo / PATTERNS_REPO flag fetches
   language idiom files from a separate Gitea repo (e.g. rodin/elixir-patterns)
   and includes them as review criteria.

3. Multi-file patterns: --patterns-files / PATTERNS_FILES accepts
   comma-separated file paths to fetch from the patterns repo.

New API methods:
- GetPullRequestFiles: list changed files in a PR
- GetFileContentRef: fetch file content from a specific branch/ref

Prompt changes:
- BuildSystemPrompt now accepts (conventions, patterns)
- BuildUserPrompt now accepts fileContext parameter
- File context displayed before diff for model reference
- Patterns presented as "review criteria" in system prompt

Composite action updated with patterns-repo and patterns-files inputs.

sonnet-review-bot requested changes 2026-05-01 19:13:57 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Overall the release workflow, installer action, and code changes are well-structured and covered by tests; CI passed. However, the composite action conflates the PR repository input with the binary download repository, which will break valid use cases and needs to be corrected before merging.

Findings

#	Severity	File	Line	Finding
1	[MAJOR]	.gitea/actions/review/action.yml	69	The 'repo' input (intended for the PR target repo) is reused to select the release repository for binary downloads. If a user sets 'repo' to review a different repository, the installer will attempt to download assets from that repo (where releases likely don't exist), causing failures. Use a separate input (e.g., 'bot-repo') or hardcode 'rodin/review-bot' for downloads, independent of the PR repo.
2	[MINOR]	.gitea/actions/review/action.yml	96	The installer hardcodes BINARY='review-bot-linux-amd64' and the cache key to linux-amd64, which will fail on non-amd64 runners and prevents caching per-arch. Detect runner OS/arch (e.g., via $RUNNER_OS/$RUNNER_ARCH) to select the correct asset and include it in the cache key.
3	[MINOR]	.gitea/workflows/release.yml	18	Release workflow runs tests but not 'go vet', whereas repository conventions require 'go vet ./...' to pass. Add a vet step to the release workflow to enforce static checks before releasing.
4	[MINOR]	.gitea/workflows/release.yml	71	Asset upload loop does not handle existing assets on reruns; Gitea may respond with conflicts. Consider checking for existing assets (and deleting/replacing) or using an idempotent approach to make the release job rerunnable safely.

Recommendation

REQUEST_CHANGES — Please decouple the binary download repository from the PR target repository in the composite action. Introduce a separate input (e.g., 'bot-repo') defaulting to 'rodin/review-bot' and use that for determining the version and downloading assets, while keeping 'repo' for the PR under review. Also, update the installer step to select the correct asset based on runner OS/arch and adjust the cache key accordingly. In the release workflow, add a 'go vet ./...' step to conform to repository conventions, and consider making asset uploads idempotent to handle reruns without failure. With these changes, the PR should be safe to merge.

## Summary Overall the release workflow, installer action, and code changes are well-structured and covered by tests; CI passed. However, the composite action conflates the PR repository input with the binary download repository, which will break valid use cases and needs to be corrected before merging. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `.gitea/actions/review/action.yml` | 69 | The 'repo' input (intended for the PR target repo) is reused to select the release repository for binary downloads. If a user sets 'repo' to review a different repository, the installer will attempt to download assets from that repo (where releases likely don't exist), causing failures. Use a separate input (e.g., 'bot-repo') or hardcode 'rodin/review-bot' for downloads, independent of the PR repo. | | 2 | [MINOR] | `.gitea/actions/review/action.yml` | 96 | The installer hardcodes BINARY='review-bot-linux-amd64' and the cache key to linux-amd64, which will fail on non-amd64 runners and prevents caching per-arch. Detect runner OS/arch (e.g., via $RUNNER_OS/$RUNNER_ARCH) to select the correct asset and include it in the cache key. | | 3 | [MINOR] | `.gitea/workflows/release.yml` | 18 | Release workflow runs tests but not 'go vet', whereas repository conventions require 'go vet ./...' to pass. Add a vet step to the release workflow to enforce static checks before releasing. | | 4 | [MINOR] | `.gitea/workflows/release.yml` | 71 | Asset upload loop does not handle existing assets on reruns; Gitea may respond with conflicts. Consider checking for existing assets (and deleting/replacing) or using an idempotent approach to make the release job rerunnable safely. | ## Recommendation **REQUEST_CHANGES** — Please decouple the binary download repository from the PR target repository in the composite action. Introduce a separate input (e.g., 'bot-repo') defaulting to 'rodin/review-bot' and use that for determining the version and downloading assets, while keeping 'repo' for the PR under review. Also, update the installer step to select the correct asset based on runner OS/arch and adjust the cache key accordingly. In the release workflow, add a 'go vet ./...' step to conform to repository conventions, and consider making asset uploads idempotent to handle reruns without failure. With these changes, the PR should be safe to merge.

gpt-review-bot approved these changes 2026-05-01 19:14:06 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

The changes add a release workflow, an install action, LLM temperature support, and richer prompts while updating clients and tests. The code is well integrated, tests were extended accordingly, and I found no blocking defects; only minor suggestions and nits to improve robustness and clarity.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	gitea/client.go	110	doGet() and PostReview() unconditionally set the Authorization header even when Client.Token is empty. Sending an empty token header may cause unexpected auth behavior for public endpoints; consider setting the header only when c.Token != "".
2	[NIT]	cmd/review-bot/main.go	15	The package-level variable version is declared but never referenced in the CLI. This is fine for ldflags injection, but consider using it (e.g. expose --version) so the compiled binary can report its version at runtime.
3	[MINOR]	llm/client.go	44	Temperature is marshaled using omitempty (good). However, floating-point zero values can be subtle; the current approach relies on zero meaning 'omit'. If callers may explicitly want temperature=0.0, document this behavior clearly (or use *float64 to distinguish unset vs. set-to-zero).
4	[NIT]	.gitea/actions/review/action.yml	24	The composite action uses python3 and sha256sum in the runner to determine the latest tag and verify checksums. This may be fine on your runners, but document runner prerequisites (python3, sha256sum, awk) or add checks to fail fast if missing.
5	[MINOR]	review/prompt.go	40	The system prompt was expanded to include additional context and rules (helpful). Keep an eye on prompt length and duplication between system/user prompts; consider trimming or referencing only the necessary parts in the system prompt to avoid hitting token limits for very large repositories/diffs.

Recommendation

APPROVE — Approve: the PR is well-structured and the new functionality (release workflow, installer, version variable, LLM temperature support, expanded prompts, and corresponding tests) integrates cleanly. Address the minor robustness items: conditionally set Authorization headers when token is empty in gitea client, consider exposing the injected version in the CLI, document the runner prerequisites used by the composite action, and optionally clarify temperature semantics (or use a pointer) if you need to distinguish unset vs explicit zero. None of these changes are blocking; run the usual go test ./... and go vet ./... (CI already passed) and consider the small improvements above in a follow-up commit.

## Summary The changes add a release workflow, an install action, LLM temperature support, and richer prompts while updating clients and tests. The code is well integrated, tests were extended accordingly, and I found no blocking defects; only minor suggestions and nits to improve robustness and clarity. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `gitea/client.go` | 110 | doGet() and PostReview() unconditionally set the Authorization header even when Client.Token is empty. Sending an empty token header may cause unexpected auth behavior for public endpoints; consider setting the header only when c.Token != "". | | 2 | [NIT] | `cmd/review-bot/main.go` | 15 | The package-level variable `version` is declared but never referenced in the CLI. This is fine for ldflags injection, but consider using it (e.g. expose --version) so the compiled binary can report its version at runtime. | | 3 | [MINOR] | `llm/client.go` | 44 | Temperature is marshaled using `omitempty` (good). However, floating-point zero values can be subtle; the current approach relies on zero meaning 'omit'. If callers may explicitly want temperature=0.0, document this behavior clearly (or use *float64 to distinguish unset vs. set-to-zero). | | 4 | [NIT] | `.gitea/actions/review/action.yml` | 24 | The composite action uses python3 and sha256sum in the runner to determine the latest tag and verify checksums. This may be fine on your runners, but document runner prerequisites (python3, sha256sum, awk) or add checks to fail fast if missing. | | 5 | [MINOR] | `review/prompt.go` | 40 | The system prompt was expanded to include additional context and rules (helpful). Keep an eye on prompt length and duplication between system/user prompts; consider trimming or referencing only the necessary parts in the system prompt to avoid hitting token limits for very large repositories/diffs. | ## Recommendation **APPROVE** — Approve: the PR is well-structured and the new functionality (release workflow, installer, version variable, LLM temperature support, expanded prompts, and corresponding tests) integrates cleanly. Address the minor robustness items: conditionally set Authorization headers when token is empty in gitea client, consider exposing the injected version in the CLI, document the runner prerequisites used by the composite action, and optionally clarify temperature semantics (or use a pointer) if you need to distinguish unset vs explicit zero. None of these changes are blocking; run the usual `go test ./...` and `go vet ./...` (CI already passed) and consider the small improvements above in a follow-up commit.

rodin added 1 commit 2026-05-01 19:14:22 +00:00

feat: multi-repo patterns + directory recursion ... 56f5abda3c

patterns-repo now accepts a comma-separated list of repos:
  PATTERNS_REPO="rodin/elixir-patterns,rodin/phoenix-conventions"

patterns-files accepts files AND directories:
  PATTERNS_FILES="README.md,docs/"

When a path is a directory, all files within it are fetched
recursively via the Gitea contents API. Only .md, .txt, .yml,
and .yaml files are included as pattern content.

New API methods:
- ListContents: list files/dirs at a path via contents API
- GetAllFilesInPath: recursively fetch all file contents

This allows a single review action to pull idioms from multiple
pattern repos (e.g. elixir-patterns + phoenix-conventions) and
include entire directories of documentation as review criteria.

rodin added 1 commit 2026-05-01 19:15:27 +00:00

ci: add go-patterns as review reference ... f77ea171c3

Self-reviews now use rodin/go-patterns (README.md + docs/) as
language idiom criteria alongside CONVENTIONS.md.

gpt-review-bot approved these changes 2026-05-01 19:16:34 +00:00

Dismissed

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Well-structured addition of release/workflow files and LLM/PR enhancements. Code compiles logically and tests have been updated to exercise new functionality; changes are idiomatic and conform to the repo conventions. I have a few minor suggestions to improve robustness and correctness edge-cases.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	cmd/review-bot/main.go	13	Introduced package-level variable 'version' for ldflags injection. This is fine, but consider documenting its usage in a comment so maintainers understand it's intentionally unused at runtime and set at build time.
2	[MINOR]	gitea/client.go	72	GetPullRequestFiles and GetFileContentRef build URLs by simple fmt.Sprintf without URL-escaping file paths or refs. If file paths or refs contain special characters (e.g. spaces, #, ?), the request URL can be invalid. Consider using url.PathEscape / url.QueryEscape where appropriate.
3	[MINOR]	gitea/client.go	26	doGet always sets Authorization header to 'token '+c.Token, even when Token is empty. This leaks an empty Authorization header and could be undesirable. Consider setting the header only when c.Token is non-empty.
4	[NIT]	llm/client.go	14	ChatRequest.Temperature is now 'omitempty' and the client populates Temperature from the client struct. Good behavior. Small style nit: the reqBody literal has an extra blank line after the Messages field—trim for clarity.
5	[MINOR]	llm/client_test.go	150	Tests check the presence/absence and value of 'temperature' by decoding into map[string]interface{} and comparing interface{} to a float literal (e.g. if temp != 0.7). This generally works but can be slightly brittle depending on decoding; consider type asserting to float64 before comparison for clearer intent and error messages.
6	[NIT]	.gitea/workflows/ci.yml	1	Minor formatting changes (extra blank line after 'name: CI') are harmless but add noise to the diff; no functional issue.
7	[NIT]	.gitea/actions/review/action.yml	1	Composite action relies on python3 and sha256sum availability on the runner. This is fine for ubuntu runners but worth documenting in the action README to avoid surprises on other runners.

Recommendation

APPROVE — Approve these changes. The new workflows and installer script are well integrated and the Go code updates add useful capabilities (version injection, fetching file contexts, patterns, and LLM temperature control). Please consider addressing the minor robustness suggestions: URL-escape file paths/refs in client methods, avoid sending empty Authorization header, and optionally tighten the tests by type-asserting interface values before numeric comparisons. Also add a short comment explaining the package-level 'version' variable is for ldflags. These are small improvements and not blockers.

## Summary Well-structured addition of release/workflow files and LLM/PR enhancements. Code compiles logically and tests have been updated to exercise new functionality; changes are idiomatic and conform to the repo conventions. I have a few minor suggestions to improve robustness and correctness edge-cases. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `cmd/review-bot/main.go` | 13 | Introduced package-level variable 'version' for ldflags injection. This is fine, but consider documenting its usage in a comment so maintainers understand it's intentionally unused at runtime and set at build time. | | 2 | [MINOR] | `gitea/client.go` | 72 | GetPullRequestFiles and GetFileContentRef build URLs by simple fmt.Sprintf without URL-escaping file paths or refs. If file paths or refs contain special characters (e.g. spaces, #, ?), the request URL can be invalid. Consider using url.PathEscape / url.QueryEscape where appropriate. | | 3 | [MINOR] | `gitea/client.go` | 26 | doGet always sets Authorization header to 'token '+c.Token, even when Token is empty. This leaks an empty Authorization header and could be undesirable. Consider setting the header only when c.Token is non-empty. | | 4 | [NIT] | `llm/client.go` | 14 | ChatRequest.Temperature is now 'omitempty' and the client populates Temperature from the client struct. Good behavior. Small style nit: the reqBody literal has an extra blank line after the Messages field—trim for clarity. | | 5 | [MINOR] | `llm/client_test.go` | 150 | Tests check the presence/absence and value of 'temperature' by decoding into map[string]interface{} and comparing interface{} to a float literal (e.g. if temp != 0.7). This generally works but can be slightly brittle depending on decoding; consider type asserting to float64 before comparison for clearer intent and error messages. | | 6 | [NIT] | `.gitea/workflows/ci.yml` | 1 | Minor formatting changes (extra blank line after 'name: CI') are harmless but add noise to the diff; no functional issue. | | 7 | [NIT] | `.gitea/actions/review/action.yml` | 1 | Composite action relies on python3 and sha256sum availability on the runner. This is fine for ubuntu runners but worth documenting in the action README to avoid surprises on other runners. | ## Recommendation **APPROVE** — Approve these changes. The new workflows and installer script are well integrated and the Go code updates add useful capabilities (version injection, fetching file contexts, patterns, and LLM temperature control). Please consider addressing the minor robustness suggestions: URL-escape file paths/refs in client methods, avoid sending empty Authorization header, and optionally tighten the tests by type-asserting interface values before numeric comparisons. Also add a short comment explaining the package-level 'version' variable is for ldflags. These are small improvements and not blockers.

sonnet-review-bot approved these changes 2026-05-01 19:16:38 +00:00

Dismissed

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Overall, this PR cleanly adds a release workflow, a composite install/run action, and extends the CLI and clients with patterns support and temperature handling. The implementations are correct and tests cover the new exported functions. I have a few minor suggestions to strengthen robustness and alignment with repo conventions.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	.gitea/workflows/release.yml	20	The release workflow runs tests but does not run go vet ./.... Repository conventions require vet to pass before commit; consider adding a vet step to the release workflow as well to keep parity with CI.
2	[MINOR]	.gitea/actions/review/action.yml	46	Determining the latest version uses releases?limit=1 and assumes the API returns the newest first. If the API order changes or differs, this could select the wrong release. Consider explicitly ensuring sort order or handling pagination to robustly pick the latest tag.
3	[MINOR]	cmd/review-bot/main.go	181	fetchFileContext wraps file content in triple backticks without a language. Using ```text (or similar) can improve rendering consistency and reduce mis-highlighting risk in downstream consumers.
4	[MINOR]	gitea/client.go	206	GetAllFilesInPath falls back to treating the path as a file on any error from ListContents. This may mask non-404 errors (e.g., auth or transient failures). Consider distinguishing not-found from other errors (e.g., by inspecting error text) to avoid silently returning partial results.

Recommendation

APPROVE — The changes are well-structured and adhere to the repository's conventions. The new features (release workflow, composite action installer, patterns loading, and LLM temperature control) are implemented cleanly, with good test coverage for newly exported functions. Please consider the minor improvements: add go vet to the release workflow, make the latest-version detection in the composite action more robust, use an explicit language for file-context code fences, and refine error handling in GetAllFilesInPath to avoid masking non-404 errors. None of these are blockers; approving as-is.

## Summary Overall, this PR cleanly adds a release workflow, a composite install/run action, and extends the CLI and clients with patterns support and temperature handling. The implementations are correct and tests cover the new exported functions. I have a few minor suggestions to strengthen robustness and alignment with repo conventions. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `.gitea/workflows/release.yml` | 20 | The release workflow runs tests but does not run `go vet ./...`. Repository conventions require vet to pass before commit; consider adding a vet step to the release workflow as well to keep parity with CI. | | 2 | [MINOR] | `.gitea/actions/review/action.yml` | 46 | Determining the latest version uses `releases?limit=1` and assumes the API returns the newest first. If the API order changes or differs, this could select the wrong release. Consider explicitly ensuring sort order or handling pagination to robustly pick the latest tag. | | 3 | [MINOR] | `cmd/review-bot/main.go` | 181 | fetchFileContext wraps file content in triple backticks without a language. Using ```text (or similar) can improve rendering consistency and reduce mis-highlighting risk in downstream consumers. | | 4 | [MINOR] | `gitea/client.go` | 206 | GetAllFilesInPath falls back to treating the path as a file on any error from ListContents. This may mask non-404 errors (e.g., auth or transient failures). Consider distinguishing not-found from other errors (e.g., by inspecting error text) to avoid silently returning partial results. | ## Recommendation **APPROVE** — The changes are well-structured and adhere to the repository's conventions. The new features (release workflow, composite action installer, patterns loading, and LLM temperature control) are implemented cleanly, with good test coverage for newly exported functions. Please consider the minor improvements: add `go vet` to the release workflow, make the latest-version detection in the composite action more robust, use an explicit language for file-context code fences, and refine error handling in `GetAllFilesInPath` to avoid masking non-404 errors. None of these are blockers; approving as-is.

gpt-review-bot approved these changes 2026-05-01 19:17:26 +00:00

gpt-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Well-structured addition of release workflow, composite action, installer integration points, and LLM/PR context enhancements. Changes are consistent, tests updated accordingly, and CI passed.

Findings

#	Severity	File	Line	Finding
1	[MINOR]	.gitea/actions/review/action.yml	1	The composite action determines the latest release using python3 and later verifies checksums using sha256sum. Consider documenting or guarding for the availability of python3 and sha256sum on the target runner (or using a pure-shell fallback) to avoid surprising failures on constrained runners.
2	[MINOR]	llm/client.go	44	Temperature is now optional (omitempty) which is good. Ensure callers expect that a zero value means 'omit' and not explicit 0.0. The current tests cover this behavior, but adding a short comment in the struct/WithTemperature explaining that 0 means 'server default / omitted' would improve clarity.
3	[MINOR]	gitea/client.go	120	PostReview builds the request body via strings.NewReader(string(data)), which makes an extra conversion from []byte -> string -> io.Reader. Using bytes.NewReader(data) would avoid an extra allocation. This is a small optimization but worth changing in hot paths.
4	[MINOR]	.gitea/workflows/release.yml	1	The release job uploads assets to a release but doesn't handle the case where an asset with the same name already exists (Gitea may reject with 409 or similar). Consider checking and deleting existing assets or using the API to replace assets to make repeated runs idempotent.
5	[NIT]	cmd/review-bot/main.go	13	The version variable is added for ldflags injection and is unused at runtime. Consider printing the version with a --version flag or logging it on startup to make embedded build metadata visible to users.

Recommendation

APPROVE — Approve the changes. The new workflows, CLI flags, LLM temperature support, and expanded Gitea client functionality are coherent and well-tested. Address the minor recommendations: (1) ensure required runner tools (python3, sha256sum) are present or documented in the composite action, (2) consider small optimization in PostReview to avoid an extra allocation, (3) make release asset uploads idempotent by handling existing assets, and (4) optionally expose the embedded version at runtime for easier debugging/troubleshooting. None of these are blockers for merging.

## Summary Well-structured addition of release workflow, composite action, installer integration points, and LLM/PR context enhancements. Changes are consistent, tests updated accordingly, and CI passed. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `.gitea/actions/review/action.yml` | 1 | The composite action determines the latest release using python3 and later verifies checksums using sha256sum. Consider documenting or guarding for the availability of python3 and sha256sum on the target runner (or using a pure-shell fallback) to avoid surprising failures on constrained runners. | | 2 | [MINOR] | `llm/client.go` | 44 | Temperature is now optional (omitempty) which is good. Ensure callers expect that a zero value means 'omit' and not explicit 0.0. The current tests cover this behavior, but adding a short comment in the struct/WithTemperature explaining that 0 means 'server default / omitted' would improve clarity. | | 3 | [MINOR] | `gitea/client.go` | 120 | PostReview builds the request body via strings.NewReader(string(data)), which makes an extra conversion from []byte -> string -> io.Reader. Using bytes.NewReader(data) would avoid an extra allocation. This is a small optimization but worth changing in hot paths. | | 4 | [MINOR] | `.gitea/workflows/release.yml` | 1 | The release job uploads assets to a release but doesn't handle the case where an asset with the same name already exists (Gitea may reject with 409 or similar). Consider checking and deleting existing assets or using the API to replace assets to make repeated runs idempotent. | | 5 | [NIT] | `cmd/review-bot/main.go` | 13 | The version variable is added for ldflags injection and is unused at runtime. Consider printing the version with a --version flag or logging it on startup to make embedded build metadata visible to users. | ## Recommendation **APPROVE** — Approve the changes. The new workflows, CLI flags, LLM temperature support, and expanded Gitea client functionality are coherent and well-tested. Address the minor recommendations: (1) ensure required runner tools (python3, sha256sum) are present or documented in the composite action, (2) consider small optimization in PostReview to avoid an extra allocation, (3) make release asset uploads idempotent by handling existing assets, and (4) optionally expose the embedded version at runtime for easier debugging/troubleshooting. None of these are blockers for merging.

sonnet-review-bot approved these changes 2026-05-01 19:17:33 +00:00

sonnet-review-bot left a comment

First-time contributor

Copy Link

Copy Source

Summary

Well-structured addition of a release workflow, composite install/action, and enhancements to support patterns, file context, and LLM temperature. Code is idiomatic, tests cover new functionality, and CI has passed.

Recommendation

APPROVE — The release workflow, composite action, and code changes look solid and consistent with the repository conventions. New functionality (file context, external patterns, and temperature handling) is implemented cleanly with corresponding tests. Since CI has passed and no major issues were found, this is good to merge.

## Summary Well-structured addition of a release workflow, composite install/action, and enhancements to support patterns, file context, and LLM temperature. Code is idiomatic, tests cover new functionality, and CI has passed. ## Recommendation **APPROVE** — The release workflow, composite action, and code changes look solid and consistent with the repository conventions. New functionality (file context, external patterns, and temperature handling) is implemented cleanly with corresponding tests. Since CI has passed and no major issues were found, this is good to merge.

aweiker merged commit 582ebf7ff6 into main 2026-05-01 19:24:16 +00:00

aweiker referenced this issue from a commit 2026-05-01 19:24:17 +00:00

Merge pull request 'ci: add release workflow + install script' (#2) from ci/release-workflow into main

rodin referenced this issue from a commit 2026-05-01 19:45:54 +00:00

fix: log warnings instead of swallowing errors

rodin referenced this issue from a commit 2026-05-02 05:10:52 +00:00

fix: handle single-line hunks and no-newline markers in diff parser

sonnet-review-bot referenced this pull request 2026-05-10 15:35:27 +00:00

feat(persona): add role-based review personas #55

sonnet-review-bot referenced this pull request 2026-05-10 15:35:27 +00:00

feat(persona): add role-based review personas #55

rodin referenced this pull request 2026-05-10 23:50:22 +00:00

feat: add YAML support for persona files #58

rodin referenced this pull request 2026-05-11 00:53:58 +00:00

feat: add YAML support for persona files #58

rodin referenced this pull request 2026-05-11 15:52:42 +00:00

feat: add GitHub Actions support #75

rodin referenced this pull request 2026-05-12 16:59:58 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #82

sonnet-review-bot referenced this pull request 2026-05-12 20:31:49 +00:00

feat(vcs): Gitea adapter with diff-position translation (Phase 2) #90

sonnet-review-bot referenced this pull request 2026-05-12 20:31:49 +00:00

feat(vcs): Gitea adapter with diff-position translation (Phase 2) #90

rodin referenced this issue from a commit 2026-05-12 21:14:04 +00:00

fix(review): address feedback from reviews 2788, 2789, 2791

rodin referenced this pull request 2026-05-12 21:33:32 +00:00

fix(deps): replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml #89

rodin referenced this pull request 2026-05-12 21:36:53 +00:00

fix(deps): replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml #89

rodin referenced this issue from a commit 2026-05-12 21:57:01 +00:00

Wrap errors in GetPullRequest and PostReview for consistency

rodin referenced this pull request 2026-05-12 22:02:06 +00:00

feat(vcs): Gitea adapter with diff-position translation (Phase 2) #90

sonnet-review-bot referenced this pull request 2026-05-12 22:19:53 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-12 22:37:34 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-12 22:44:04 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

sonnet-review-bot referenced this pull request 2026-05-12 22:44:49 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

sonnet-review-bot referenced this pull request 2026-05-12 22:44:49 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-12 22:52:31 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-12 23:00:32 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-12 23:20:30 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue from a commit 2026-05-12 23:39:06 +00:00

fix: address review findings from rounds 2843-2846

rodin referenced this pull request 2026-05-12 23:39:31 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-12 23:45:09 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-13 00:30:10 +00:00

Add safeguards against accidental AllowInsecureHTTP use in production #96

rodin referenced this issue from a commit 2026-05-13 00:30:29 +00:00

fix(github): address review findings from rounds 2867/2870

rodin referenced this issue from a commit 2026-05-13 00:39:43 +00:00

docs: address review findings on YAML depth validation

rodin referenced this pull request 2026-05-13 00:40:03 +00:00

fix(deps): replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml #89

rodin referenced this issue from a commit 2026-05-13 01:16:47 +00:00

refactor(github): address review findings from round 2872

rodin referenced this pull request 2026-05-13 01:26:10 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue from a commit 2026-05-13 01:41:48 +00:00

fix(github): address review findings from round 2880/2883

rodin referenced this pull request 2026-05-13 01:49:34 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue from a commit 2026-05-13 02:29:12 +00:00

fix(github): address review findings from rounds 2884/2885/2887

rodin referenced this pull request 2026-05-13 02:29:25 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this pull request 2026-05-13 02:35:51 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue from a commit 2026-05-13 03:28:58 +00:00

fix: address sonnet review MINOR findings (#2916)

rodin referenced this pull request 2026-05-13 03:37:42 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue from a commit 2026-05-13 03:48:04 +00:00

refactor(github): extract handleResponse for safe defer body close

rodin referenced this pull request 2026-05-13 03:56:22 +00:00

feat(github): implement PRReader + FileReader client (#80) #93

rodin referenced this issue from a commit 2026-05-13 04:31:49 +00:00

fix(github): address review findings - remove panic, validate at config time

rodin referenced this pull request 2026-05-13 04:32:00 +00:00

feat(github): implement GitHub API client foundation #101

rodin referenced this issue from a commit 2026-05-13 04:36:50 +00:00

fix: address review feedback on PR #102

rodin referenced this pull request 2026-05-13 04:46:45 +00:00

feat(github): implement FileReader interface #103

aweiker referenced this issue from a commit 2026-05-13 04:47:16 +00:00

fix: address review feedback on PR #102

rodin referenced this pull request 2026-05-13 05:42:34 +00:00

feat(github): implement FileReader interface #103

rodin referenced this pull request 2026-05-13 07:42:59 +00:00

feat(github): implement Reviewer and Identity interfaces (#81) #105

rodin referenced this pull request 2026-05-13 08:33:14 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 09:31:16 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 09:36:16 +00:00

PostReview: pass CommitID explicitly via ReviewRequest #107

rodin referenced this pull request 2026-05-13 09:36:30 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this issue from a commit 2026-05-13 10:29:50 +00:00

fix(review): address bot review feedback on PR #106

rodin referenced this pull request 2026-05-13 10:30:17 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 10:47:37 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 10:54:56 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 11:01:34 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 11:29:29 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this pull request 2026-05-13 12:08:45 +00:00

feat(gitea): harden GetPullRequestDiff against unbounded diff size #109

rodin referenced this pull request 2026-05-13 12:48:04 +00:00

feat(gitea): harden GetPullRequestDiff against unbounded diff size #109

rodin referenced this pull request 2026-05-13 13:03:23 +00:00

feat(github): support HTTP-date format in Retry-After header #110

rodin referenced this pull request 2026-05-13 13:15:34 +00:00

feat(github): support HTTP-date format in Retry-After header #110

aweiker referenced this issue from a commit 2026-05-13 13:19:46 +00:00

fix(review): address bot review feedback on PR #106

rodin referenced this issue from a commit 2026-05-13 13:43:50 +00:00

Wrap errors in GetPullRequest and PostReview for consistency

rodin referenced this issue from a commit 2026-05-13 13:43:50 +00:00

fix(github): address review findings - remove panic, validate at config time

rodin referenced this issue from a commit 2026-05-13 13:43:50 +00:00

fix: address review feedback on PR #102

rodin referenced this issue from a commit 2026-05-13 13:43:51 +00:00

fix(review): address bot review feedback on PR #106

rodin referenced this issue from a commit 2026-05-13 13:47:45 +00:00

fix(review): address feedback from reviews 2788, 2789, 2791

rodin referenced this issue from a commit 2026-05-13 13:47:45 +00:00

docs: address review findings on YAML depth validation

rodin referenced this issue from a commit 2026-05-13 13:47:46 +00:00

fix(review): address bot review feedback on PR #106

rodin referenced this pull request 2026-05-13 14:02:44 +00:00

feat(cmd): wire --provider and --base-url flags into CLI (Phase 5) #106

rodin referenced this issue from a commit 2026-05-13 15:48:40 +00:00

fix(review): address bot review feedback on PR #106

rodin referenced this pull request 2026-05-13 16:27:11 +00:00

feat: reject cross-host redirects and HTTPS→HTTP downgrades (#95) #111

rodin referenced this pull request 2026-05-13 17:46:42 +00:00

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

rodin referenced this issue from a commit 2026-05-13 17:48:20 +00:00

address review feedback: export_test.go for AllowInsecureHTTPForTest, avoid url.Parse in doRequest

rodin referenced this pull request 2026-05-13 18:07:56 +00:00

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

rodin referenced this pull request 2026-05-13 18:32:56 +00:00

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

rodin referenced this pull request 2026-05-13 18:34:58 +00:00

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

rodin referenced this pull request 2026-05-13 19:57:58 +00:00

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

rodin referenced this pull request 2026-05-13 20:03:17 +00:00

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

rodin referenced this issue from a commit 2026-05-13 20:04:29 +00:00

Address review feedback on PR #113

rodin referenced this pull request 2026-05-13 20:44:16 +00:00

feat(vcs): add CommitID to ReviewRequest (#115) #118

rodin referenced this pull request 2026-05-13 21:10:17 +00:00

feat(vcs): add CommitID to ReviewRequest (#115) #118

rodin referenced this pull request 2026-05-14 04:11:04 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 04:13:07 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 04:27:26 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 04:30:20 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 04:36:56 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this issue from a commit 2026-05-14 04:38:54 +00:00

fix(action): use REST API for GitHub asset downloads, enforce trusted GITEA_URL

rodin referenced this pull request 2026-05-14 04:39:05 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 04:47:04 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 05:02:46 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 05:05:06 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 05:21:21 +00:00

fix(action): detect VCS host type for version resolution and binary download #121

rodin referenced this pull request 2026-05-14 05:48:07 +00:00

feat(action): derive binary name from uname for multi-arch support (#124) #127

rodin referenced this issue from a commit 2026-05-15 03:32:32 +00:00

fix(#137): address review findings in docmap.go

rodin referenced this issue from a commit 2026-05-15 03:32:32 +00:00

fix(#137): address review findings in budget.go

rodin referenced this issue from a commit 2026-05-15 03:32:32 +00:00

docs(#137): add doc-map and doc-map-max-bytes to action inputs table (gpt #2)

rodin referenced this pull request 2026-05-15 06:47:43 +00:00

feat(#141): validate-docmap subcommand — CI hard-fail on missing docmap coverage #142

rodin referenced this issue from a commit 2026-05-15 06:50:17 +00:00

fix(#141): address security-review-bot REQUEST_CHANGES findings

rodin referenced this pull request 2026-05-15 07:23:25 +00:00

feat(#141): validate-docmap subcommand — CI hard-fail on missing docmap coverage #142

rodin referenced this issue from a commit 2026-05-15 07:33:53 +00:00

fix(#141): harden docmap file path — confine to repo-root, reject symlinks, cap size

rodin referenced this pull request 2026-05-15 08:34:59 +00:00

test(#146): add TestMainSubprocess_InvalidDocMapPath and TestMainSubprocess_InvalidDocMapFile #151

rodin referenced this pull request 2026-05-15 08:36:05 +00:00

refactor: extract shared base-args helper in main_test.go subprocess tests #154

rodin referenced this pull request 2026-05-15 14:49:58 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this issue from a commit 2026-05-15 14:55:41 +00:00

docs(#150): fix stale comments in validateDocmapPath — reflect new in-repo-symlink semantic

rodin referenced this pull request 2026-05-15 14:55:55 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-15 14:57:35 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-15 15:02:35 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-15 15:05:43 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this issue from a commit 2026-05-15 18:06:17 +00:00

docs(#150): fix stale comments in validateDocmapPath — reflect new in-repo-symlink semantic

rodin referenced this pull request 2026-05-16 00:14:16 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 00:18:32 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 00:22:30 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 00:30:08 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 00:37:59 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 00:54:09 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 00:58:47 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 01:07:15 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

rodin referenced this pull request 2026-05-16 03:22:55 +00:00

fix(#150): add EvalSymlinks to validateDocmapPath — close dir-symlink bypass #152

Sign in to join this conversation.

Reviewers

No Reviewers

gpt-review-bot

sonnet-review-bot

Labels

Clear labels

ai-review

bug

needs-review

ready

Ready for human review

self-reviewed

Self-review passed since last push

wip

Work in progress - do not start new work on this PR

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

security-review-bot rodin (Rodin)

No Assignees

3 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: rodin/review-bot#2