docs(examples): add concurrency control to CI workflow examples (#60)

* docs(examples): add concurrency control to CI workflow examples

- GitHub Actions: add concurrency group with cancel-in-progress to avoid
  redundant review runs on rapid pushes
- GitLab CI: add interruptible and resource_group to cancel outdated
  review jobs when new commits are pushed to the same MR

* docs(examples): improve GitLab CI example with fork MR and concurrency support

- Support forked MR pipelines by using CI_COMMIT_SHA as --to target
- Fall back to CI_JOB_TOKEN when GITLAB_API_TOKEN is unavailable
- Use appropriate auth header (JOB-TOKEN vs PRIVATE-TOKEN) based on token source
- Add --audience agent flag for machine-consumable review output
- Make diff_refs required for inline comments, simplify post_discussion signature
- Improve summary with inline vs fallback comment breakdown
- Add documentation comments for fork MR setup requirements

* docs(examples): use pull_request_target and SHA refs for fork PR support

- Switch trigger from pull_request to pull_request_target so secrets
  are available for PRs from forks
- Use head SHA instead of branch ref for checkout and ocr --to, since
  fork branches don't exist on the origin remote
- Add explicit fetch step to ensure fork commits are available
- Update condition checks and comments to reflect the new event name

* docs: sync READMEs with CI script changes for fork PR/MR support
This commit is contained in:
Lei Zhang 2026-06-08 21:33:20 +08:00 committed by GitHub
parent 4043e9ee33
commit a32b8c7e30
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 84 additions and 47 deletions

View file

@ -10,10 +10,10 @@ PR Created/Updated → GitHub Actions Triggered → OCR Reviews Diff → Comment
Comment with trigger keyword ↗
```
1. When a PR is opened, synchronized, or reopened, the workflow triggers
1. When a PR is opened, the workflow triggers (uses `pull_request_target` for fork secret access)
2. Alternatively, when a comment containing `/open-code-review` or `@open-code-review` is posted on a PR, the workflow triggers
3. It installs OCR via `npm install -g @alibaba-group/open-code-review`
4. Runs `ocr review --from origin/<base> --to origin/<head> --format json` to analyze the diff
4. Runs `ocr review --from origin/<base> --to <head_sha> --format json` to analyze the diff (uses commit SHA to support fork PRs)
5. Parses the JSON output and posts inline review comments on the PR using GitHub's Pull Request Review API
## Setup
@ -46,11 +46,11 @@ Go to your repository's **Settings → Secrets and variables → Actions** and a
### Change the trigger events
Modify the `on.pull_request.types` array in the workflow file:
Modify the `on.pull_request_target.types` array in the workflow file:
```yaml
on:
pull_request:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
```
@ -60,7 +60,7 @@ By default, the workflow triggers when a PR comment starts with `/open-code-revi
```yaml
if: |
github.event_name == 'pull_request' ||
github.event_name == 'pull_request_target' ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/review')) ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '@mybot'))
```
@ -69,7 +69,7 @@ Or use a more flexible pattern with `contains` to trigger on any comment contain
```yaml
if: |
github.event_name == 'pull_request' ||
github.event_name == 'pull_request_target' ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '/review'))
```

View file

@ -4,7 +4,7 @@
# and posts review comments directly on the PR.
#
# Triggers:
# - PR opened, synchronized, or reopened
# - PR opened (uses pull_request_target for fork secret access)
# - Comment on PR containing '/open-code-review' or '@open-code-review'
#
# Required secrets:
@ -18,8 +18,15 @@
name: OpenCodeReview PR Review
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
on:
pull_request:
# Use pull_request_target instead of pull_request so that secrets are
# available even for PRs from forks. This is safe because OCR only reads
# the diff and does not execute any code from the PR.
pull_request_target:
types: [opened]
issue_comment:
types: [created]
@ -33,13 +40,13 @@ jobs:
runs-on: ubuntu-latest
# Run on PR events, or on comments starting with trigger keywords
if: |
github.event_name == 'pull_request' ||
github.event_name == 'pull_request_target' ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/open-code-review')) ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '@open-code-review'))
steps:
- name: Get PR context
id: pr-context
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request_target'
uses: actions/github-script@v7
with:
script: |
@ -58,7 +65,10 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history needed for merge-base diff
ref: ${{ github.event_name != 'pull_request' && steps.pr-context.outputs.head_sha || '' }}
ref: ${{ github.event.pull_request.head.sha || steps.pr-context.outputs.head_sha }}
- name: Fetch PR head ref (ensures fork commits are available)
run: git fetch origin pull/${{ github.event.pull_request.number || github.event.issue.number }}/head
- name: Setup Node.js
uses: actions/setup-node@v4
@ -79,21 +89,23 @@ jobs:
- name: Run OpenCodeReview
id: review
run: |
# Get base and head refs from PR context (different for comment triggers)
if [ "${{ github.event_name }}" = "pull_request" ]; then
# Get base ref and head SHA from PR context (different for comment triggers)
# Note: We use HEAD_SHA instead of origin/${HEAD_REF} to support fork PRs,
# because fork branches don't exist on the origin remote.
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
BASE_REF="${{ github.event.pull_request.base.ref }}"
HEAD_REF="${{ github.event.pull_request.head.ref }}"
HEAD_SHA="${{ github.event.pull_request.head.sha }}"
else
BASE_REF="${{ steps.pr-context.outputs.base_ref }}"
HEAD_REF="${{ steps.pr-context.outputs.head_ref }}"
HEAD_SHA="${{ steps.pr-context.outputs.head_sha }}"
fi
echo "Reviewing PR: ${HEAD_REF} against ${BASE_REF}"
echo "Reviewing PR: ${HEAD_SHA} against origin/${BASE_REF}"
# Run OCR in range mode with JSON output
ocr review \
--from "origin/${BASE_REF}" \
--to "origin/${HEAD_REF}" \
--to "${HEAD_SHA}" \
--format json \
> /tmp/ocr-result.json 2>/tmp/ocr-stderr.log || true
@ -150,7 +162,7 @@ jobs:
let commitSha;
// Get commit SHA from event context
if (context.eventName === 'pull_request') {
if (context.eventName === 'pull_request_target') {
commitSha = context.payload.pull_request.head.sha;
} else {
// For comment events, we need to fetch the PR