open-code-review/.github
Lei Zhang 0dac8ac376
fix(ci): prevent duplicate review posts on retry in ocr-review workflow (#250)
* fix(ci): add idempotency check to prevent duplicate review posts on retry

When the batch createReview fails with a 5xx/408/network error, the
request may still have landed on the server. Before retrying per-comment,
the workflow now:

- Tags each review/comment/summary with a per-run HTML comment ID derived
  from runId + runAttempt + content hash.
- Queries existing reviews and review comments to detect whether the batch
  actually landed, and only retries the comments that are missing.
- Before retrying an individual comment whose request may have reached
  GitHub, cools down (honoring rate-limit headers) then checks whether the
  comment already exists, treating it as success instead of posting a
  duplicate.
- Skips posting the summary comment when one with the same run tag already
  exists.
- Adds read-API retry/pacing helpers (withRetry/readWithPacing/readAllPages)
  with shorter spacing than writes (OCR_READ_SUCCESS_DELAY /
  OCR_READ_LOW_REMAINING_SPACING) since reads are cheaper but still consume
  the primary rate limit.

Degrades gracefully to the original fallback (accepting duplicate risk)
when the idempotency read calls themselves fail.

* fix(ci): harden idempotency checks in ocr-review workflow

Address code review findings on the GitHub Actions PR auto-review
workflow (applied to both .github/workflows and examples copies):

- readAllPages: cap pagination at maxPages=50 (default) to prevent
  unbounded loops, and validate the argument is a positive integer.
- getPostedCommentIds: anchor the ID regex to the HTML comment wrapper
  (<!-- ocr-... -->) with a capture group to avoid false positives from
  user-generated content.
- isCommentAlreadyPosted: return null (unknown) instead of false when
  the read API fails, so callers do not silently risk duplicates; accept
  a postedIdsCache to reuse a single paginated walk across retries.
- hasIssueCommentWithId: return null (unknown) on read API failure, and
  match the summary tag with an anchored regex for consistency.
- Call sites: handle null by skipping retry/posting to avoid duplicates
  while surfacing the failure in the summary.

* fix(ci): validate env config and document intentional behaviors

Address code review findings on the ocr-review workflow (applied to
both .github/workflows and examples copies):

- parseNonNegInt: add a validation helper for env-var parsing so
  negative or non-numeric values (e.g. OCR_MAX_RETRIES=-5) fall back to
  defaults instead of bypassing the `|| default` guard (a negative
  parseInt result is truthy). All seven retry/pacing config values now
  use it.
- readAllPages: document that the 50-page cap is an intentional safety
  valve against unbounded loops, not a normal mode; callers that depend
  on completeness already degrade safely to null (unknown), so a
  truncated walk does not silently produce duplicates.
- commentId: document that the 12-hex-char (48-bit) hash collision
  scope is a single PR (listReviewComments is PR-scoped) and a single
  run produces only tens to hundreds of comments, making the
  birthday-bound collision probability negligible (~1e-7 at 10k).

* docs(github_actions): sync README with retry/idempotency features in ocr-review.yml

- Add OCR_READ_SUCCESS_DELAY and OCR_READ_LOW_REMAINING_SPACING variables
  for read API pacing used by the idempotency check
- Document the three GitHub rate-limit retry strategies (primary reset,
  retry-after header, secondary no-header backoff)
- Add 'Idempotency: avoiding duplicate review comments' section describing
  how the workflow detects already-landed comments via per-run HTML tags
  and skips retrying when the read API is unavailable

* fix(ci): use full sha256 hash for review comment idempotency IDs

Drop the .slice(0, 12) truncation in commentId() and use the full 64-char
(256-bit) sha256 hex digest. The truncated 12-char hash carried a tiny but
nonzero collision risk whose failure mode was a silently dropped inline
comment (the idempotency check would mistake two distinct comments for
duplicates). The full hash makes the collision probability effectively
zero with no meaningful downside; the ID regex already used [a-f0-9]+ so
it accepts the longer IDs unchanged.

* fix(ci): use random per-comment IDs and defer body assembly in review workflow

Replace the content-derived commentId() (sha256 of path/line/content) with
a random per-comment ID (crypto.randomBytes) and restructure the inline-
comment flow around an item struct that carries { comment, id, lines }.

This fixes two issues in the idempotency check:

1. ID was recomputed on every failure check. Each inline comment is now
   assigned one random ID up front and carried on the item struct, so the
   retry/idempotency logic reads item.id directly. The comment body (which
   embeds the ID) is assembled only at API-call time in toReviewPayload(),
   eliminating repeated hash computation.

2. Content-derived IDs collided for distinct comments sharing the same
   path/line/content. A random ID guarantees two such comments get
   different IDs, so the idempotency check no longer mistakes the second
   for a duplicate of the first and silently drops it on retry.

formatComment/commentId are removed (no callers remain) and replaced with
newCommentId/resolveLines/toReviewPayload/buildBody. The matching regex
already used [a-f0-9]+ so it accepts the new random tokens unchanged.
README ID-format placeholder updated from <hash> to <token>.

* docs(ci): correct misleading readAllPages truncation comment

The comment claimed 'a truncated walk does not silently produce
duplicates' because callers 'degrade safely by returning null on read
failures.' That reasoning only holds when the read API THROWS (rate
limit, 5xx): isCommentAlreadyPosted/hasIssueCommentWithId then return
null (unknown) and the caller skips retrying. A truncated walk does not
throw — it returns a partial set silently, so isCommentAlreadyPosted
returns false (definitively 'not posted') for comments beyond the cap,
and the retry loop reposts them, producing duplicates.

Rewrite the comment to state the cap is an intentional safety valve and
to explicitly distinguish truncation (partial data, can duplicate) from
thrown read failures (null/unknown, safe). No behavior change.

* fix(ci): drop stale postedIdsCache to prevent duplicate inline comments

isCommentAlreadyPosted reused a single listReviewComments snapshot
(postedIdsCache) across all per-comment retries. As comments landed
during the loop, the snapshot went stale; a 5xx-landed comment checked
against the stale snapshot would be reported as 'not posted' and
retried, posting a duplicate.

Remove the cache and walk fresh on every check. The extra reads are
paced via readAllPages/readWithPacing (with retry honoring retry-after
and x-ratelimit-reset) and degrade to null — skip retry — if the read
API ultimately fails, so they cannot produce duplicates. The cache
provided no real benefit in this path: checked comments are either
genuine misses (correctly false) or just-landed (a fresh walk catches
them), so hits essentially never occurred.
2026-07-01 19:38:10 +08:00
..
ISSUE_TEMPLATE Add issue and PR templates with bilingual contributing guide (#9) 2026-05-30 14:22:50 +08:00
workflows fix(ci): prevent duplicate review posts on retry in ocr-review workflow (#250) 2026-07-01 19:38:10 +08:00
dependabot.yml ci: add govulncheck, job timeout, dependabot and preserve debug symbols in dev builds 2026-06-26 21:02:33 +08:00
pull_request_template.md Add issue and PR templates with bilingual contributing guide (#9) 2026-05-30 14:22:50 +08:00
release.yml feat(release): auto-generate structured release notes from conventional commits 2026-06-22 15:52:06 +08:00