rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity

fix(vcs): thread CommitID through abstraction layer (#114) #117

Merged
aweiker merged 2 commits from review-bot-issue-114 into feature/github-support 2026-05-13 23:13:21 +00:00
Conversation 13 Commits 2 Files Changed 9
+255 -18
rodin commented 2026-05-13 20:31:06 +00:00
Owner
Copy Link
Copy Source

Summary

Fixes #114 — threads CommitID through the VCS abstraction layer so the commit anchor is not silently dropped when using the vcs.Client interface.

Problem

PR #112 added commitID support to gitea.Client.PostReview at the transport level, but vcs.ReviewRequest had no CommitID field. The gitea.Adapter.PostReview (the vcs.Client implementation) called the underlying client without passing a commit anchor, silently dropping it for any caller using the abstraction.

Changes

  1. vcs/types.go: Added CommitID string field to ReviewRequest with omitempty JSON tag
  2. gitea/client.go: Added commitID string parameter to PostReview, included in API payload
  3. gitea/adapter.go: Passes req.CommitID to the underlying client.PostReview
  4. github/review.go: Uses req.CommitID as primary commit anchor, falls back to comment-level CommitID
  5. cmd/review-bot/main.go: Sets CommitID: pr.Head.SHA on the ReviewRequest

Testing

  • New tests verify CommitID appears in Gitea API payload when set
  • New tests verify CommitID is omitted (omitempty) when empty
  • New tests verify GitHub req-level CommitID takes priority over comment-level
  • New tests verify conflict detection when req.CommitID disagrees with comment CommitID
  • All existing tests updated and passing
## Summary Fixes #114 — threads CommitID through the VCS abstraction layer so the commit anchor is not silently dropped when using the `vcs.Client` interface. ## Problem PR #112 added `commitID` support to `gitea.Client.PostReview` at the transport level, but `vcs.ReviewRequest` had no `CommitID` field. The `gitea.Adapter.PostReview` (the `vcs.Client` implementation) called the underlying client without passing a commit anchor, silently dropping it for any caller using the abstraction. ## Changes 1. **`vcs/types.go`**: Added `CommitID string` field to `ReviewRequest` with `omitempty` JSON tag 2. **`gitea/client.go`**: Added `commitID string` parameter to `PostReview`, included in API payload 3. **`gitea/adapter.go`**: Passes `req.CommitID` to the underlying `client.PostReview` 4. **`github/review.go`**: Uses `req.CommitID` as primary commit anchor, falls back to comment-level `CommitID` 5. **`cmd/review-bot/main.go`**: Sets `CommitID: pr.Head.SHA` on the `ReviewRequest` ## Testing - New tests verify CommitID appears in Gitea API payload when set - New tests verify CommitID is omitted (omitempty) when empty - New tests verify GitHub req-level CommitID takes priority over comment-level - New tests verify conflict detection when req.CommitID disagrees with comment CommitID - All existing tests updated and passing
rodin added the wip label 2026-05-13 20:31:06 +00:00
rodin added 1 commit 2026-05-13 20:31:06 +00:00
fix(vcs): thread CommitID through abstraction layer (#114)
CI / test (pull_request) Successful in 20s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 39s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 46s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m24s
Details
7e3b6ec8f1 
Add CommitID field to vcs.ReviewRequest so the commit anchor propagates
through the vcs.Client interface to platform adapters.

Changes:
- vcs/types.go: Add CommitID string field to ReviewRequest
- gitea/client.go: Add commitID parameter to PostReview, include in API payload
- gitea/adapter.go: Pass req.CommitID to underlying client
- github/review.go: Use req.CommitID as primary, fall back to comment-level
- cmd/review-bot/main.go: Set CommitID on ReviewRequest from pr.Head.SHA

Fixes #114
rodin removed the wip label 2026-05-13 20:31:10 +00:00
sonnet-review-bot approved these changes 2026-05-13 20:31:50 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 7e3b6ec8)

Sonnet Review

Summary

This PR correctly threads CommitID through the VCS abstraction layer. The changes are well-scoped, tests are comprehensive, and the implementation follows established patterns in the codebase. CI is passing.

Findings

# Severity File Line Finding
1 [NIT] vcs/types.go 99 Inconsistent alignment: CommitID string has extra whitespace padding (string json:...) that doesn't match the adjacent Event ReviewEventfield. Likely a gofmt artefact from editing — should be cleaned up sogo vet/gofmt` stays clean.
2 [NIT] github/review.go 110 The conflict-detection logic in the comment-processing loop still guards with if payload.CommitID == "" before assigning from a comment's CommitID. This means: if req.CommitID is set AND a comment also has a CommitID that matches req.CommitID, the if payload.CommitID == "" branch is skipped and the comment's matching SHA is silently ignored rather than validated as matching. In practice this is harmless (they match), but the invariant is slightly under-documented. A brief inline comment clarifying that the matching case is intentionally a no-op would help future readers.

Recommendation

APPROVE — Approve. The core fix is correct and complete: CommitID is added to vcs.ReviewRequest, threaded through gitea.Adapter.PostReview and gitea.Client.PostReview, used as the primary anchor in github.Client.PostReview, and set from pr.Head.SHA in main.go. Tests cover the new field, the omitempty behaviour, the fallback path, and conflict detection. The two NIT-level observations (alignment noise in vcs/types.go and a minor comment gap in the GitHub conflict-detection loop) do not warrant blocking the merge.

Review by sonnet

Evaluated against 7e3b6ec8

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/117#pullrequestreview-3440) for up-to-date findings. <details><summary>Previous findings (commit 7e3b6ec8)</summary> # Sonnet Review ## Summary This PR correctly threads CommitID through the VCS abstraction layer. The changes are well-scoped, tests are comprehensive, and the implementation follows established patterns in the codebase. CI is passing. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [NIT] | `vcs/types.go` | 99 | Inconsistent alignment: `CommitID string` has extra whitespace padding (`string `json:...`) that doesn't match the adjacent `Event ReviewEvent` field. Likely a gofmt artefact from editing — should be cleaned up so `go vet`/`gofmt` stays clean. | | 2 | [NIT] | `github/review.go` | 110 | The conflict-detection logic in the comment-processing loop still guards with `if payload.CommitID == ""` before assigning from a comment's CommitID. This means: if req.CommitID is set AND a comment also has a CommitID that matches req.CommitID, the `if payload.CommitID == ""` branch is skipped and the comment's matching SHA is silently ignored rather than validated as matching. In practice this is harmless (they match), but the invariant is slightly under-documented. A brief inline comment clarifying that the matching case is intentionally a no-op would help future readers. | ## Recommendation **APPROVE** — Approve. The core fix is correct and complete: `CommitID` is added to `vcs.ReviewRequest`, threaded through `gitea.Adapter.PostReview` and `gitea.Client.PostReview`, used as the primary anchor in `github.Client.PostReview`, and set from `pr.Head.SHA` in `main.go`. Tests cover the new field, the omitempty behaviour, the fallback path, and conflict detection. The two NIT-level observations (alignment noise in `vcs/types.go` and a minor comment gap in the GitHub conflict-detection loop) do not warrant blocking the merge. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against 7e3b6ec8* </details> <!-- review-bot:sonnet -->
vcs/types.go
@@ -97,0 +96,4 @@
Event ReviewEvent `json:"event"`
// CommitID anchors the review to a specific commit SHA.
// If empty, the platform defaults to the current PR head.
// Adapters use this as the primary commit anchor for the review submission.
sonnet-review-bot commented 2026-05-13 20:31:50 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] Inconsistent alignment: CommitID string has extra whitespace padding (string json:...) that doesn't match the adjacent Event ReviewEventfield. Likely a gofmt artefact from editing — should be cleaned up sogo vet/gofmt` stays clean.

**[NIT]** Inconsistent alignment: `CommitID string` has extra whitespace padding (`string `json:...`) that doesn't match the adjacent `Event ReviewEvent` field. Likely a gofmt artefact from editing — should be cleaned up so `go vet`/`gofmt` stays clean.
security-review-bot requested review from security-review-bot 2026-05-13 20:32:13 +00:00
security-review-bot approved these changes 2026-05-13 20:32:13 +00:00
Dismissed
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 7e3b6ec8)

Security Review

Summary

Changes cleanly thread commit IDs through the VCS abstraction for both Gitea and GitHub, with comprehensive tests. No new security risks are introduced; inputs are JSON-encoded, URL path components are escaped, and sensitive tokens are not logged.

Recommendation

APPROVE — Approve as submitted. The commit anchoring logic is sound and defensive (e.g., conflict detection for GitHub). Optional hardening (non-blocking): validate commit ID format (e.g., 40-hex chars) before sending to providers, though provider-side validation already mitigates risk.

Review by security

Evaluated against 7e3b6ec8

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/117#pullrequestreview-3442) for up-to-date findings. <details><summary>Previous findings (commit 7e3b6ec8)</summary> # Security Review ## Summary Changes cleanly thread commit IDs through the VCS abstraction for both Gitea and GitHub, with comprehensive tests. No new security risks are introduced; inputs are JSON-encoded, URL path components are escaped, and sensitive tokens are not logged. ## Recommendation **APPROVE** — Approve as submitted. The commit anchoring logic is sound and defensive (e.g., conflict detection for GitHub). Optional hardening (non-blocking): validate commit ID format (e.g., 40-hex chars) before sending to providers, though provider-side validation already mitigates risk. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against 7e3b6ec8* </details> <!-- review-bot:security -->
gpt-review-bot approved these changes 2026-05-13 20:32:52 +00:00
Dismissed
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 7e3b6ec8)

Gpt Review

Summary

Change cleanly threads CommitID through the VCS abstraction, updates the Gitea client and adapter, and adjusts GitHub logic to prioritize request-level CommitID with clear conflict handling. Tests comprehensively cover new behavior across both providers and omitempty semantics.

Recommendation

APPROVE — The implementation is consistent and idiomatic: acronyms are capitalized correctly, request-level CommitID is honored with clear conflict detection on GitHub, and Gitea payloads omit empty commit_id as intended. All call sites and tests were updated, CI passed, and no regressions are evident. Proceed with merge.

Review by gpt

Evaluated against 7e3b6ec8

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/117#pullrequestreview-3443) for up-to-date findings. <details><summary>Previous findings (commit 7e3b6ec8)</summary> # Gpt Review ## Summary Change cleanly threads CommitID through the VCS abstraction, updates the Gitea client and adapter, and adjusts GitHub logic to prioritize request-level CommitID with clear conflict handling. Tests comprehensively cover new behavior across both providers and omitempty semantics. ## Recommendation **APPROVE** — The implementation is consistent and idiomatic: acronyms are capitalized correctly, request-level CommitID is honored with clear conflict detection on GitHub, and Gitea payloads omit empty commit_id as intended. All call sites and tests were updated, CI passed, and no regressions are evident. Proceed with merge. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against 7e3b6ec8* </details> <!-- review-bot:gpt -->
rodin added the wip label 2026-05-13 20:37:26 +00:00
rodin commented 2026-05-13 20:38:47 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #117

Self-review against 7e3b6ec8f1c73fcad9c3c400c05ad96cd71b46c6

Phase 1: Independent Findings

  1. [NIT] vcs/types.go line 99CommitID string field has excessive whitespace padding (string \json:...`) that doesn't match the adjacent Event ReviewEventfield. This is agofmt` inconsistency and should be cleaned up for CI/linting hygiene.

  2. [NIT] github/review.go conflict-detection loop — When req.CommitID is already populated and a comment also carries a non-empty CommitID that matches req.CommitID, the if payload.CommitID == "" guard is false so the comment's matching SHA is silently accepted without explicit validation. This is correct behavior (matches are harmless), but the intent is under-documented. A brief inline comment noting "matching SHA is a no-op by design" would aid future readers.

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
[NIT] vcs/types.go extra whitespace on CommitID field sonnet-review-bot ⚠️ STILL PRESENT Alignment inconsistency remains in the diff — CommitID string \json:"commit_id,omitempty"``
[NIT] github/review.go silent no-op in conflict loop under-documented sonnet-review-bot ⚠️ STILL PRESENT No inline comment added clarifying the matching-SHA no-op intent
Optional: validate commit_id format (40-hex) before sending security-review-bot ℹ️ NOT ADDRESSED Explicitly non-blocking per security review; provider-side validation mitigates

Assessment: ⚠️ Needs attention

The core feature is correct and well-tested: CommitID is properly threaded through vcs.ReviewRequest, the Gitea client/adapter, and the GitHub client, and main.go now anchors reviews to pr.Head.SHA. All three bots approved. Two NIT-level items from the sonnet review remain open: the whitespace alignment in vcs/types.go and the undocumented silent-pass case in the GitHub conflict-detection loop. These are non-blocking for merge but should be addressed to keep the codebase clean.

## Self-Review: PR #117 Self-review against `7e3b6ec8f1c73fcad9c3c400c05ad96cd71b46c6` ### Phase 1: Independent Findings 1. **[NIT] `vcs/types.go` line 99** — `CommitID string` field has excessive whitespace padding (`string \`json:...\``) that doesn't match the adjacent `Event ReviewEvent` field. This is a `gofmt` inconsistency and should be cleaned up for CI/linting hygiene. 2. **[NIT] `github/review.go` conflict-detection loop** — When `req.CommitID` is already populated and a comment also carries a non-empty `CommitID` that *matches* `req.CommitID`, the `if payload.CommitID == ""` guard is false so the comment's matching SHA is silently accepted without explicit validation. This is correct behavior (matches are harmless), but the intent is under-documented. A brief inline comment noting "matching SHA is a no-op by design" would aid future readers. ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | [NIT] `vcs/types.go` extra whitespace on `CommitID` field | sonnet-review-bot | ⚠️ STILL PRESENT | Alignment inconsistency remains in the diff — `CommitID string \`json:"commit_id,omitempty"\`` | | [NIT] `github/review.go` silent no-op in conflict loop under-documented | sonnet-review-bot | ⚠️ STILL PRESENT | No inline comment added clarifying the matching-SHA no-op intent | | Optional: validate commit_id format (40-hex) before sending | security-review-bot | ℹ️ NOT ADDRESSED | Explicitly non-blocking per security review; provider-side validation mitigates | ### Assessment: ⚠️ Needs attention The core feature is correct and well-tested: `CommitID` is properly threaded through `vcs.ReviewRequest`, the Gitea client/adapter, and the GitHub client, and `main.go` now anchors reviews to `pr.Head.SHA`. All three bots approved. Two NIT-level items from the sonnet review remain open: the whitespace alignment in `vcs/types.go` and the undocumented silent-pass case in the GitHub conflict-detection loop. These are non-blocking for merge but should be addressed to keep the codebase clean.
rodin removed the wip label 2026-05-13 20:38:50 +00:00
rodin added the wip label 2026-05-13 20:47:14 +00:00
rodin commented 2026-05-13 20:47:53 +00:00
Author
Owner
Copy Link
Copy Source

Fix Plan against 7e3b6ec8f1:

Findings to address:

  1. [NIT] vcs/types.go line 99 — CommitID field alignment

    • Problem: CommitID string has excessive whitespace padding that doesn't match adjacent fields
    • Fix: Remove extra spaces so alignment is consistent with Event ReviewEvent and other fields in the struct

  2. [NIT] github/review.go — silent no-op in conflict-detection loop

    • Problem: When req.CommitID matches a comment's CommitID, the matching case is silently skipped without explanation
    • Fix: Add inline comment noting "matching SHA is a no-op by design" to clarify intent for future readers

Not addressing:

  • Security review optional finding (validate commit_id format as 40-hex) — explicitly non-blocking per security review; provider-side validation mitigates

Steps:

  1. Navigate to existing worktree at /home/aweiker/src/worktrees/review-bot-issue-114
  2. Fix whitespace in vcs/types.go
  3. Add comment in github/review.go
  4. Run go test ./...
  5. Commit and push
## Fix Plan against 7e3b6ec8f1c73fcad9c3c400c05ad96cd71b46c6: ### Findings to address: 1. **[NIT] `vcs/types.go` line 99 — CommitID field alignment** - Problem: `CommitID string` has excessive whitespace padding that doesn't match adjacent fields - Fix: Remove extra spaces so alignment is consistent with `Event ReviewEvent` and other fields in the struct 2. **[NIT] `github/review.go` — silent no-op in conflict-detection loop** - Problem: When `req.CommitID` matches a comment's CommitID, the matching case is silently skipped without explanation - Fix: Add inline comment noting "matching SHA is a no-op by design" to clarify intent for future readers ### Not addressing: - Security review optional finding (validate commit_id format as 40-hex) — explicitly non-blocking per security review; provider-side validation mitigates ### Steps: 1. Navigate to existing worktree at `/home/aweiker/src/worktrees/review-bot-issue-114` 2. Fix whitespace in `vcs/types.go` 3. Add comment in `github/review.go` 4. Run `go test ./...` 5. Commit and push
rodin added 1 commit 2026-05-13 20:49:46 +00:00
fix(nit): align CommitID field in vcs/types.go and document no-op in github/review.go
PR Ready Gate / clear-labels (pull_request) Successful in 2s
Details
CI / test (pull_request) Successful in 19s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 29s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 48s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m38s
Details
25cb55449e
rodin removed the wip label 2026-05-13 20:49:49 +00:00
sonnet-review-bot approved these changes 2026-05-13 20:50:34 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Sonnet Review

Summary

This PR correctly threads CommitID through the VCS abstraction layer, fixing a real bug where the commit anchor was silently dropped. The implementation is clean, well-tested, and follows established patterns. CI passes.

Findings

# Severity File Line Finding
1 [NIT] gitea/client.go 208 The PostReview function signature now has 8 parameters (ctx, owner, repo, number, event, body, commitID, comments). This is somewhat long and could be a candidate for a request struct (matching the vcs.ReviewRequest pattern used in the GitHub client and the vcs.Client interface). However, since this is an internal/lower-level client method not exposed via the vcs.Client interface directly, and changing it now would be a separate refactor, this is just a nit rather than a blocker.
2 [NIT] github/review.go 108 The comment // else: matching SHA is a no-op by design is helpful but slightly inconsistent with Go style (comments above the code they describe, not as trailing-else). Minor style point with no functional impact.

Recommendation

APPROVE — Approve. The fix is correct and complete: CommitID is added to vcs.ReviewRequest with omitempty, threaded through the Gitea adapter to the underlying client's new parameter, and used as the primary commit anchor in the GitHub client (falling back to comment-level CommitID when absent). All changes are well-tested with comprehensive new test cases covering the happy path, the omitempty behavior, conflict detection, and fallback logic. The implementation follows the repository's patterns (table-driven tests, httptest for HTTP mocking, errors wrapped with context). The two findings are pure nits with no correctness or maintainability impact.

Review by sonnet

Evaluated against 25cb5544

# Sonnet Review ## Summary This PR correctly threads CommitID through the VCS abstraction layer, fixing a real bug where the commit anchor was silently dropped. The implementation is clean, well-tested, and follows established patterns. CI passes. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [NIT] | `gitea/client.go` | 208 | The `PostReview` function signature now has 8 parameters (ctx, owner, repo, number, event, body, commitID, comments). This is somewhat long and could be a candidate for a request struct (matching the vcs.ReviewRequest pattern used in the GitHub client and the vcs.Client interface). However, since this is an internal/lower-level client method not exposed via the vcs.Client interface directly, and changing it now would be a separate refactor, this is just a nit rather than a blocker. | | 2 | [NIT] | `github/review.go` | 108 | The comment `// else: matching SHA is a no-op by design` is helpful but slightly inconsistent with Go style (comments above the code they describe, not as trailing-else). Minor style point with no functional impact. | ## Recommendation **APPROVE** — Approve. The fix is correct and complete: CommitID is added to vcs.ReviewRequest with omitempty, threaded through the Gitea adapter to the underlying client's new parameter, and used as the primary commit anchor in the GitHub client (falling back to comment-level CommitID when absent). All changes are well-tested with comprehensive new test cases covering the happy path, the omitempty behavior, conflict detection, and fallback logic. The implementation follows the repository's patterns (table-driven tests, httptest for HTTP mocking, errors wrapped with context). The two findings are pure nits with no correctness or maintainability impact. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against 25cb5544*
github/review.go
@@ -104,6 +108,7 @@ func (c *Client) PostReview(ctx context.Context, owner, repo string, number int,
} else if payload.CommitID != comment.CommitID {
sonnet-review-bot commented 2026-05-13 20:50:34 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The comment // else: matching SHA is a no-op by design is helpful but slightly inconsistent with Go style (comments above the code they describe, not as trailing-else). Minor style point with no functional impact.

**[NIT]** The comment `// else: matching SHA is a no-op by design` is helpful but slightly inconsistent with Go style (comments above the code they describe, not as trailing-else). Minor style point with no functional impact.
security-review-bot requested review from security-review-bot 2026-05-13 20:50:55 +00:00
security-review-bot approved these changes 2026-05-13 20:50:55 +00:00
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Security Review

Summary

The changes cleanly thread CommitID through the VCS abstraction and add sensible conflict detection on GitHub without introducing new security risks. Payloads use omitempty appropriately and stale-check logic remains intact.

Recommendation

APPROVE — Approve this PR. The CommitID propagation is implemented safely across adapters and clients, with GitHub-side validation to prevent mismatched anchors. No injection, authorization, secrets exposure, or error-handling regressions are introduced by these changes, and CI is passing.

Review by security

Evaluated against 25cb5544

# Security Review ## Summary The changes cleanly thread CommitID through the VCS abstraction and add sensible conflict detection on GitHub without introducing new security risks. Payloads use omitempty appropriately and stale-check logic remains intact. ## Recommendation **APPROVE** — Approve this PR. The CommitID propagation is implemented safely across adapters and clients, with GitHub-side validation to prevent mismatched anchors. No injection, authorization, secrets exposure, or error-handling regressions are introduced by these changes, and CI is passing. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against 25cb5544*
gpt-review-bot approved these changes 2026-05-13 20:51:45 +00:00
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Gpt Review

Summary

The changes cleanly thread CommitID through the VCS abstraction, update the Gitea client and adapter accordingly, and enhance the GitHub client to prioritize request-level CommitID with robust conflict handling. Tests comprehensively cover inclusion/omission and priority rules, and all call sites were updated consistently.

Recommendation

APPROVE — The implementation aligns with idiomatic Go configuration patterns (adding an optional field to a request struct) and maintains backward compatibility. The adapter and client changes are consistent, and the additional tests provide solid coverage for the new behavior. No further changes are required.

Review by gpt

Evaluated against 25cb5544

# Gpt Review ## Summary The changes cleanly thread CommitID through the VCS abstraction, update the Gitea client and adapter accordingly, and enhance the GitHub client to prioritize request-level CommitID with robust conflict handling. Tests comprehensively cover inclusion/omission and priority rules, and all call sites were updated consistently. ## Recommendation **APPROVE** — The implementation aligns with idiomatic Go configuration patterns (adding an optional field to a request struct) and maintains backward compatibility. The adapter and client changes are consistent, and the additional tests provide solid coverage for the new behavior. No further changes are required. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against 25cb5544*
rodin added the wip label 2026-05-13 20:52:13 +00:00
rodin commented 2026-05-13 20:54:34 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #117

Self-review against 25cb55449e5ee975d0eca9c642d238d6b42a41bc

Phase 1: Independent Findings

None — diff looks clean.

The implementation correctly threads CommitID through the full stack:

  • vcs.ReviewRequest gains CommitID with omitempty and clear doc comment
  • main.go anchors the review to pr.Head.SHA (the actual bug fix)
  • Gitea client/adapter: CommitID forwarded in the JSON payload; per-comment CommitID correctly not forwarded (Gitea has no per-comment commit_id field at the API level)
  • GitHub client: req.CommitID is the primary anchor; fallback to comment-level SHA works correctly; conflict detection fires when comment SHA differs from already-set payload SHA (verified logic path manually)
  • The // else: matching SHA is a no-op by design comment clarifies the silent-pass case in the conflict loop

Test coverage is thorough: omitempty behavior, priority/fallback semantics, conflict detection, and round-trip verification across both client and adapter layers. All tests pass locally (go test ./vcs/... ./gitea/... ./github/...).

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
[NIT] vcs/types.go CommitID field extra whitespace padding sonnet-review-bot Resolved Field alignment is clean and consistent with adjacent fields
[NIT] github/review.go silent no-op in conflict loop under-documented sonnet-review-bot Resolved // else: matching SHA is a no-op by design comment added
Optional: validate commit_id format (40-hex) before sending security-review-bot 🚫 Invalid (non-blocking) Explicitly deferred per security review; provider-side validation mitigates; no action required

Assessment: Clean

All prior NIT findings are resolved. The diff is well-scoped, tests are comprehensive, and the implementation follows established patterns. Ready for merge.

## Self-Review: PR #117 Self-review against `25cb55449e5ee975d0eca9c642d238d6b42a41bc` ### Phase 1: Independent Findings None — diff looks clean. The implementation correctly threads `CommitID` through the full stack: - `vcs.ReviewRequest` gains `CommitID` with `omitempty` and clear doc comment - `main.go` anchors the review to `pr.Head.SHA` (the actual bug fix) - Gitea client/adapter: `CommitID` forwarded in the JSON payload; per-comment CommitID correctly not forwarded (Gitea has no per-comment commit_id field at the API level) - GitHub client: `req.CommitID` is the primary anchor; fallback to comment-level SHA works correctly; conflict detection fires when comment SHA differs from already-set payload SHA (verified logic path manually) - The `// else: matching SHA is a no-op by design` comment clarifies the silent-pass case in the conflict loop Test coverage is thorough: `omitempty` behavior, priority/fallback semantics, conflict detection, and round-trip verification across both client and adapter layers. All tests pass locally (`go test ./vcs/... ./gitea/... ./github/...`). ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | [NIT] `vcs/types.go` `CommitID` field extra whitespace padding | sonnet-review-bot | ✅ Resolved | Field alignment is clean and consistent with adjacent fields | | [NIT] `github/review.go` silent no-op in conflict loop under-documented | sonnet-review-bot | ✅ Resolved | `// else: matching SHA is a no-op by design` comment added | | Optional: validate commit_id format (40-hex) before sending | security-review-bot | 🚫 Invalid (non-blocking) | Explicitly deferred per security review; provider-side validation mitigates; no action required | ### Assessment: ✅ Clean All prior NIT findings are resolved. The diff is well-scoped, tests are comprehensive, and the implementation follows established patterns. Ready for merge.
rodin removed the wip label 2026-05-13 20:54:38 +00:00
aweiker was assigned by rodin 2026-05-13 20:58:31 +00:00
rodin added the ready label 2026-05-13 20:58:31 +00:00
rodin removed the ready label 2026-05-13 21:42:21 +00:00
aweiker was unassigned by rodin 2026-05-13 21:42:21 +00:00
rodin self-assigned this 2026-05-13 21:42:21 +00:00
rodin added the wip label 2026-05-13 21:42:44 +00:00
rodin commented 2026-05-13 21:44:00 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #117

Self-review against 25cb55449e5ee975d0eca9c642d238d6b42a41bc

Phase 1: Independent Findings

None — diff looks clean.

The implementation correctly threads CommitID through the full VCS abstraction:

  • vcs.ReviewRequest gains CommitID string with omitempty and clear doc comment
  • main.go sets CommitID: pr.Head.SHA — the actual bug fix ensuring reviews are anchored
  • Gitea client/adapter: CommitID forwarded in the JSON payload via omitempty; per-comment CommitID correctly not forwarded (Gitea's API has no per-comment commit_id field)
  • GitHub client: req.CommitID is the primary commit anchor; falls back to first comment's CommitID when empty; conflict detection fires correctly when a comment disagrees with the resolved SHA
  • The // else: matching SHA is a no-op by design comment clarifies the silent-pass case

Test coverage is thorough across both providers: omitempty behavior verified, priority/fallback semantics tested, conflict detection asserted, and round-trip verification covers both client and adapter layers.

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
[NIT] vcs/types.goCommitID field extra whitespace sonnet-review-bot Resolved Field alignment is clean and consistent with adjacent fields
[NIT] github/review.go — silent no-op in conflict loop undocumented sonnet-review-bot Resolved // else: matching SHA is a no-op by design comment present
[NIT] gitea/client.go — 8-param function signature sonnet-review-bot (re-review) 🚫 Invalid Internal client method, not exposed via interface; refactor is a separate concern
[NIT] github/review.go — trailing-else comment style sonnet-review-bot (re-review) 🚫 Invalid Standard Go inline comment; no style violation
Optional: validate commit_id format (40-hex) security-review-bot 🚫 Invalid (non-blocking) Explicitly deferred; provider-side validation mitigates

Assessment: Clean

All actionable prior findings are resolved. The diff is well-scoped, tests are comprehensive, CI passes, and the implementation follows established patterns. Ready for merge.

## Self-Review: PR #117 Self-review against `25cb55449e5ee975d0eca9c642d238d6b42a41bc` ### Phase 1: Independent Findings None — diff looks clean. The implementation correctly threads `CommitID` through the full VCS abstraction: - `vcs.ReviewRequest` gains `CommitID string` with `omitempty` and clear doc comment - `main.go` sets `CommitID: pr.Head.SHA` — the actual bug fix ensuring reviews are anchored - Gitea client/adapter: `CommitID` forwarded in the JSON payload via `omitempty`; per-comment CommitID correctly not forwarded (Gitea's API has no per-comment `commit_id` field) - GitHub client: `req.CommitID` is the primary commit anchor; falls back to first comment's CommitID when empty; conflict detection fires correctly when a comment disagrees with the resolved SHA - The `// else: matching SHA is a no-op by design` comment clarifies the silent-pass case Test coverage is thorough across both providers: `omitempty` behavior verified, priority/fallback semantics tested, conflict detection asserted, and round-trip verification covers both client and adapter layers. ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | [NIT] `vcs/types.go` — `CommitID` field extra whitespace | sonnet-review-bot | ✅ Resolved | Field alignment is clean and consistent with adjacent fields | | [NIT] `github/review.go` — silent no-op in conflict loop undocumented | sonnet-review-bot | ✅ Resolved | `// else: matching SHA is a no-op by design` comment present | | [NIT] `gitea/client.go` — 8-param function signature | sonnet-review-bot (re-review) | 🚫 Invalid | Internal client method, not exposed via interface; refactor is a separate concern | | [NIT] `github/review.go` — trailing-else comment style | sonnet-review-bot (re-review) | 🚫 Invalid | Standard Go inline comment; no style violation | | Optional: validate commit_id format (40-hex) | security-review-bot | 🚫 Invalid (non-blocking) | Explicitly deferred; provider-side validation mitigates | ### Assessment: ✅ Clean All actionable prior findings are resolved. The diff is well-scoped, tests are comprehensive, CI passes, and the implementation follows established patterns. Ready for merge.
rodin removed the wip label 2026-05-13 21:44:03 +00:00
rodin removed their assignment 2026-05-13 21:47:35 +00:00
aweiker was assigned by rodin 2026-05-13 21:47:35 +00:00
rodin added the ready label 2026-05-13 21:47:35 +00:00
rodin removed the ready label 2026-05-13 22:03:23 +00:00
aweiker was unassigned by rodin 2026-05-13 22:03:23 +00:00
rodin self-assigned this 2026-05-13 22:03:23 +00:00
rodin added the wip label 2026-05-13 22:03:28 +00:00
rodin commented 2026-05-13 22:04:15 +00:00
Author
Owner
Copy Link
Copy Source

Inline comment 20187 (vcs/types.go alignment NIT): Addressed in 25cb554 — alignment cleaned up to match adjacent fields.
Inline comment 20240 (github/review.go comment style NIT): Flagged invalid in self-review — inline trailing comment is standard Go style; no change needed.

Inline comment 20187 (vcs/types.go alignment NIT): Addressed in 25cb554 — alignment cleaned up to match adjacent fields. Inline comment 20240 (github/review.go comment style NIT): Flagged invalid in self-review — inline trailing comment is standard Go style; no change needed.
rodin removed the wip label 2026-05-13 22:04:18 +00:00
rodin removed their assignment 2026-05-13 22:08:22 +00:00
aweiker was assigned by rodin 2026-05-13 22:08:22 +00:00
rodin added the ready label 2026-05-13 22:08:22 +00:00
rodin removed the ready label 2026-05-13 22:32:31 +00:00
aweiker was unassigned by rodin 2026-05-13 22:32:31 +00:00
rodin self-assigned this 2026-05-13 22:32:31 +00:00
rodin added the wip label 2026-05-13 22:32:37 +00:00
rodin commented 2026-05-13 22:34:21 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #117

Self-review against 25cb55449e5ee975d0eca9c642d238d6b42a41bc

Phase 1: Independent Findings

None — diff looks clean.

The implementation correctly threads CommitID through the VCS abstraction:

  • vcs.ReviewRequest gains CommitID string with json:"commit_id,omitempty" and clear doc comment
  • main.go sets CommitID: pr.Head.SHA — the actual bug fix ensuring reviews are anchored to the correct commit
  • Gitea client/adapter: CommitID forwarded in the JSON payload with omitempty; per-comment CommitID correctly not forwarded (Gitea API has no per-comment field)
  • GitHub client: req.CommitID is the primary commit anchor; falls back to first comment's CommitID when empty; conflict detection rejects mismatched SHAs
  • Added // else: matching SHA is a no-op by design clarifies the silent pass-through case

Tests are comprehensive across both providers: omitempty behavior verified via raw JSON decode, priority/fallback semantics tested, conflict detection asserted, and round-trip verification covers client and adapter layers.

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
[NIT] vcs/types.goCommitID field extra whitespace alignment sonnet-review-bot (review 3424) Resolved Field alignment cleaned up — Event ReviewEvent and CommitID string now consistent
[NIT] github/review.go — trailing-else comment style sonnet-review-bot (review 3440) 🚫 Invalid Inline trailing comments are standard Go style; no change needed
[NIT] gitea/client.go — 8-param function signature sonnet-review-bot (review 3440) 🚫 Invalid Internal client method not exposed via interface; separate refactor concern
Optional: validate commit_id format (40-hex chars) security-review-bot (review 3426) 🚫 Invalid (non-blocking) Provider-side validation mitigates; adding client-side validation is a separate enhancement

Assessment: Clean

All actionable findings from prior reviews are resolved. No independent issues found. The diff is well-scoped, tests are thorough, CI passes, and the implementation follows established repository patterns. Ready for merge.

## Self-Review: PR #117 Self-review against `25cb55449e5ee975d0eca9c642d238d6b42a41bc` ### Phase 1: Independent Findings None — diff looks clean. The implementation correctly threads `CommitID` through the VCS abstraction: - `vcs.ReviewRequest` gains `CommitID string` with `json:"commit_id,omitempty"` and clear doc comment - `main.go` sets `CommitID: pr.Head.SHA` — the actual bug fix ensuring reviews are anchored to the correct commit - Gitea client/adapter: `CommitID` forwarded in the JSON payload with `omitempty`; per-comment CommitID correctly not forwarded (Gitea API has no per-comment field) - GitHub client: `req.CommitID` is the primary commit anchor; falls back to first comment's CommitID when empty; conflict detection rejects mismatched SHAs - Added `// else: matching SHA is a no-op by design` clarifies the silent pass-through case Tests are comprehensive across both providers: omitempty behavior verified via raw JSON decode, priority/fallback semantics tested, conflict detection asserted, and round-trip verification covers client and adapter layers. ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | [NIT] `vcs/types.go` — `CommitID` field extra whitespace alignment | sonnet-review-bot (review 3424) | ✅ Resolved | Field alignment cleaned up — `Event ReviewEvent` and `CommitID string` now consistent | | [NIT] `github/review.go` — trailing-else comment style | sonnet-review-bot (review 3440) | 🚫 Invalid | Inline trailing comments are standard Go style; no change needed | | [NIT] `gitea/client.go` — 8-param function signature | sonnet-review-bot (review 3440) | 🚫 Invalid | Internal client method not exposed via interface; separate refactor concern | | Optional: validate commit_id format (40-hex chars) | security-review-bot (review 3426) | 🚫 Invalid (non-blocking) | Provider-side validation mitigates; adding client-side validation is a separate enhancement | ### Assessment: ✅ Clean All actionable findings from prior reviews are resolved. No independent issues found. The diff is well-scoped, tests are thorough, CI passes, and the implementation follows established repository patterns. Ready for merge.
rodin removed the wip label 2026-05-13 22:34:25 +00:00
rodin removed their assignment 2026-05-13 22:37:30 +00:00
aweiker was assigned by rodin 2026-05-13 22:37:30 +00:00
rodin added the ready label 2026-05-13 22:37:30 +00:00
aweiker approved these changes 2026-05-13 23:13:18 +00:00
aweiker merged commit b2c83c00bc into feature/github-support 2026-05-13 23:13:21 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
sonnet-review-bot
security-review-bot
gpt-review-bot
aweiker
Labels
Clear labels
ai-review
bug
needs-review
ready
Ready for human review
 self-reviewed
Self-review passed since last push
 wip
Work in progress - do not start new work on this PR
No Label ready
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
security-review-bot rodin (Rodin)
No Assignees aweiker
5 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: rodin/review-bot#117
Delete Branch "review-bot-issue-114"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?