
Add PR Event Logger workflow and authentication methods; remove old r… #1


Open, wants to merge 3 commits into base: main

Conversation

Contributor

@frodo-repo frodo-repo commented Feb 24, 2025

…eviewer agent

Summary by CodeRabbit

  • New Features

    • Added documentation with setup instructions for the PR Reviewer bot.
    • Introduced a new workflow to log pull request and issue comment events.
  • Chores

    • Added a configuration file with credential placeholders.
  • Bug Fixes

    • Removed the previous workflow for securely transmitting event data.
    • Disabled all webhook and API endpoint functionality related to pull request review automation.

Contributor Author

@frodo-repo frodo-repo left a comment


viewed all

Collaborator

@arvi18 arvi18 left a comment


reviewed by reviewer

Collaborator

arvi18 commented May 22, 2025

reviewed by reviewer

starting

Collaborator

arvi18 commented May 26, 2025

/codehelper


Warning

There is an error in the Gemini Code Assist config file for this repository at .gemini/config.yaml and the configuration cannot be used until the file is fixed.


coderabbitai bot commented May 29, 2025

Walkthrough

This update introduces new authentication and GitHub API utility modules, adds a README, and configures a new GitHub Actions workflow for logging pull request events. It also removes an existing workflow that performed cryptographic event processing and deletes all webhook handling logic from the listener module, leaving it empty.

Changes

| File(s) | Change Summary |
| --- | --- |
| .bot | Added file with ID and SECRET credentials in plain text. |
| README.md | Added documentation for the PR Reviewer bot with setup and usage instructions. |
| auth.py | Introduced functions for decrypting tokens and verifying webhook signatures. |
| github.py | Added function to fetch pull request commits from GitHub API with retries and backoff. |
| .github/workflows/pr-reviewer.yml | New workflow to log PR and issue comment events, echoing selected secrets. |
| .github/workflows/reviewer.yml | Deleted workflow that handled event payload extraction, signing, encryption, and external API POSTs. |
| listener.py | Removed all webhook handling logic; file now contains only a placeholder line. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant GitHub
    participant GitHub Actions (PR Event Logger)

    GitHub->>GitHub Actions (PR Event Logger): PR/issue comment event (opened, edited, etc.)
    GitHub Actions (PR Event Logger)->>GitHub Actions (PR Event Logger): Checkout repo, setup Python, echo secrets
```

```mermaid
sequenceDiagram
    participant User
    participant README
    participant Developer Environment

    User->>README: Read setup instructions
    User->>Developer Environment: Install dependencies, run server, setup ngrok
```

Poem

A bunny hopped through code anew,
With secrets tucked and workflows too.
The old reviewer's gone away,
New docs and helpers here to stay.
With paws on keys and logs in tow,
This rabbit keeps the PRs in flow!
🐇✨

Collaborator

arvi18 commented May 29, 2025

/codehelper review


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🔭 Outside diff range comments (1)
listener.py (1)

1-2: 🛠️ Refactor suggestion

Remove or repurpose the empty file.

This file now only contains ## which appears to be an incomplete comment or placeholder. Since all webhook handling logic has been moved to other modules (auth.py and github.py), consider either:

  • Deleting this file entirely if it's no longer needed
  • Adding meaningful content if this file will be used in the future
♻️ Duplicate comments (2)
.bot (1)

1-2: ⚠️ Potential issue

Critical Security Risk: Remove hardcoded credentials immediately.

This file contains hardcoded credentials which poses a severe security risk. These credentials are exposed in plain text and accessible to anyone with repository access.

Immediate Actions Required:

  1. Remove this file from the repository
  2. Invalidate/rotate these credentials immediately
  3. Store credentials securely using GitHub Secrets or environment variables
  4. Update any code that references these credentials to use secure storage
-ID=Iv23liGyTZJYhySo4cEM
-SECRET=a0d16e1977f5dbd754649d9daa7d19d8ef32f38b
🧰 Tools
🪛 Gitleaks (8.26.0)

2-2: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

github.py (1)

16-27: Well-implemented retry logic with proper error handling!

The function now includes comprehensive error handling that addresses the previous review comment's concerns:

  • Try/except blocks for request exceptions
  • Retry mechanism with exponential backoff
  • Proper logging of failures
  • Timeout configuration on requests
🧹 Nitpick comments (1)
auth.py (1)

7-31: Cryptographic implementation looks solid.

The decrypt_token function correctly implements AES-256-CBC decryption with proper key derivation and includes good defensive programming with the padding fallback logic.

Minor suggestion for improved error handling:

Consider adding more specific error handling for the base64 decoding step:

-    # Base64 decode the encrypted token
-    encrypted_data = base64.b64decode(encrypted_token)
+    # Base64 decode the encrypted token
+    try:
+        encrypted_data = base64.b64decode(encrypted_token)
+    except Exception as e:
+        raise ValueError(f"Invalid base64 encoded token: {e}")
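Review bot: `except Exception` is wider than the base64 step needs; `base64.b64decode` raises `binascii.Error` (a `ValueError` subclass), so catch that and let genuine bugs surface. The larger point for an AES-256-CBC routine is what the caller can learn from failures: if a bad-base64 rejection and a bad-padding rejection reach the caller with different messages or timing, the decryptor hands out the distinguishing signal a padding oracle is built from, so the "padding fallback logic" praised above deserves the same scrutiny. Collapse every malformed-token failure into one opaque error, and authenticate the ciphertext (a MAC, or an AEAD mode) before decrypting it.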
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e79d5de and a285e69.

📒 Files selected for processing (7)
  • .bot (1 hunks)
  • .github/workflows/pr-reviewer.yml (1 hunks)
  • .github/workflows/reviewer.yml (0 hunks)
  • README.md (1 hunks)
  • auth.py (1 hunks)
  • github.py (1 hunks)
  • listener.py (1 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/reviewer.yml
🧰 Additional context used
🪛 Gitleaks (8.26.0)
.bot

2-2: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 actionlint (1.7.7)
.github/workflows/pr-reviewer.yml

17-17: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)
.github/workflows/pr-reviewer.yml

[error] 22-22: trailing spaces

(trailing-spaces)


[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
auth.py (1)

34-38: Excellent implementation of webhook signature verification.

The function correctly implements GitHub webhook signature verification using HMAC-SHA256 and includes timing attack protection with hmac.compare_digest().
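The signature check described above, as an added example that is not the PR's auth.py: it verifies GitHub's X-Hub-Signature-256 header over the raw request bytes with hmac.compare_digest, and the demo shows the rejections a deployment must get right (modified body, wrong secret, missing header, legacy sha1= prefix). The secret and body are constructed sample values.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Header GitHub attaches to every delivery once a webhook secret is configured.
SIGNATURE_HEADER = "X-Hub-Signature-256"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Accept a delivery only if the header is a well-formed sha256= signature over the
    exact request bytes (not a re-serialised JSON object). hmac.compare_digest keeps the
    comparison time independent of how many leading bytes already match, so response
    timing cannot be used to recover the MAC byte by byte."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # utf-8 rather than ascii so a non-ASCII header is rejected by compare_digest, not by an exception
    return hmac.compare_digest(expected.encode("utf-8"), header.encode("utf-8"))


# Constructed sample delivery; the secret and body are made up for this demo.
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","number":1}'


def demo() -> Dict[str, bool]:
    """Exercise the check against a valid delivery and the common failure modes."""
    good = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)
    return {
        "valid": verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY, good),
        # body modified or re-serialised in transit: the MAC no longer matches
        "tampered_body": verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY + b"\n", good),
        # delivery signed with a different secret, e.g. a spoofed sender
        "wrong_secret": verify_webhook_signature(b"not-the-secret", SAMPLE_BODY, good),
        # no header at all must be a hard reject, never a pass-through
        "missing_header": verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY, None),
        # legacy sha1= prefix with the right digest bytes is still rejected
        "legacy_sha1_prefix": verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY, "sha1=" + good[7:]),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```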

Comment on lines +1 to +19
# PR Reviewer bot
A bot that helps you to review the PRs in your repository.

## Get started

### Install the dependencies
```bash
pip3 install -r requirements.txt
```

### To run the bot
```bash
uvicorn main:app --host 0.0.0.0 --port 8000 --reload
```

### Forward the port using ngrok
```bash
ngrok http 8000
```
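Review bot: the run instructions bind uvicorn to 0.0.0.0 and then publish port 8000 through ngrok, which makes the webhook endpoint reachable from the internet, yet nothing tells the reader to configure the shared secret that the signature check in auth.py verifies against before registering that URL on GitHub; add a step before `uvicorn main:app ...` that sets it from the environment (a placeholder such as `export WEBHOOK_SECRET=<value from GitHub Secrets>`) and say that the same value must be entered in the repository's webhook settings. Also, `main:app` names a module that is not among the seven files changed here, and listener.py is now empty, so state where the app object is defined.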

🛠️ Refactor suggestion

Enhance documentation with more comprehensive information.

The README provides basic setup instructions but could be more helpful with additional details.

Suggested improvements:

 # PR Reviewer bot
-A bot that helps you to review the PRs in your repository.
+A bot that helps you to review the PRs in your repository by providing automated analysis and feedback.

 ## Get started

+### Prerequisites
+- Python 3.9 or higher
+- A GitHub repository with webhook access
+- ngrok (optional, for local development)
+
 ### Install the dependencies
 ```bash
 pip3 install -r requirements.txt

+### Configuration
+Set up the required environment variables or update the configuration as needed.
+

To run the bot

uvicorn main:app --host 0.0.0.0 --port 8000 --reload

Forward the port using ngrok

+For local development and testing:

ngrok http 8000

+## Features
+- Automated PR review and analysis
+- GitHub webhook integration
+- Secure authentication and token handling
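Review bot: the added `### Configuration` section tells the reader to "Set up the required environment variables" without naming any; the workflow in this PR reads API_TOKEN, WEBHOOK_SECRET and ORG_TOKEN and the `.bot` file carries ID and SECRET, so list the variables the server actually consumes, where each comes from (environment or GitHub Secrets) and that none of them belongs in a committed file. The `- Secure authentication and token handling` bullet under Features should not be merged while the plaintext `.bot` credentials and the secret-echoing workflow step are still on the branch.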


🤖 Prompt for AI Agents
In README.md lines 1 to 19, the documentation is minimal and lacks important
details. Enhance it by adding a "Configuration" section that explains setting up
environment variables or configuration files needed for the bot. Also, add a
"Features" section listing key functionalities like automated PR review, GitHub
webhook integration, and secure authentication. This will provide users with
clearer guidance and a better understanding of the bot's capabilities.


Comment on lines +21 to +26
- name: log existing secrets
env:
API_TOKEN: ${{ secrets.API_TOKEN }}
WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN
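Review bot: `run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN` does nothing except write three secret values to the job log, and GitHub's automatic masking is not a control to lean on (it redacts exact registered values only; any transformed form passes through), so delete the step rather than rename it. Separately, nothing else in this workflow uses WEBHOOK_SECRET or ORG_TOKEN (the walkthrough's sequence diagram lists only checkout, setup Python and the echo), so an event-logging job should not be handed them in `env:` at all; keep each secret scoped to the step that needs it.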

⚠️ Potential issue

Critical Security Issue: Secrets exposed in workflow logs.

The workflow logs secrets to stdout, which exposes them in GitHub Actions logs where they can be viewed by anyone with repository access.

Remove the secret logging immediately:

-      - name: log existing secrets
-        env: 
-          API_TOKEN: ${{ secrets.API_TOKEN }}
-          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
-          ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
-        run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN
+      - name: Verify secrets exist
+        env: 
+          API_TOKEN: ${{ secrets.API_TOKEN }}
+          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
+          ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
+        run: |
+          if [ -z "$API_TOKEN" ]; then echo "API_TOKEN not set"; exit 1; fi
+          if [ -z "$WEBHOOK_SECRET" ]; then echo "WEBHOOK_SECRET not set"; exit 1; fi  
+          if [ -z "$ORG_TOKEN" ]; then echo "ORG_TOKEN not set"; exit 1; fi
+          echo "All required secrets are configured"
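Review bot: the replacement step still injects all three secrets into the job environment, now just to test them with `-z`; a presence check for a secret this workflow never uses is a check of repository settings, not of this job, and it keeps WEBHOOK_SECRET and ORG_TOKEN in scope for any later step or compromised action in the same job. Keep only the secret this workflow will actually consume in `env:`, and if a configuration check is wanted, run it once in the workflow that uses the value.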
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 22-22: trailing spaces

(trailing-spaces)


[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In .github/workflows/pr-reviewer.yml around lines 21 to 26, the workflow logs
sensitive secrets to stdout, exposing them in GitHub Actions logs. Remove the
entire step or at least the run command that echoes the secrets to prevent them
from being printed in the logs and ensure secrets remain confidential.

Comment on lines +17 to +26
uses: actions/setup-python@v4
with:
python-version: '3.9'

- name: log existing secrets
env:
API_TOKEN: ${{ secrets.API_TOKEN }}
WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN
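Review bot: the `actions/setup-python@v4` step with `python-version: '3.9'` is never used: the only `run:` step in the workflow is the secret echo, and the walkthrough's sequence diagram lists just checkout, setup Python and echo, so none of the Python from this PR (auth.py, github.py) is executed. Either add the step that actually runs the reviewer code or drop the setup step; if it stays, take actionlint's advice and move to @v5.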

🛠️ Refactor suggestion

Fix workflow formatting and version issues.

Static analysis identified several issues that should be addressed.

Apply these fixes:

       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.9'

-      - name: log existing secrets
-        env: 
+      - name: log existing secrets  
+        env:
           API_TOKEN: ${{ secrets.API_TOKEN }}
           WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
           ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
-        run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN
+        run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN
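Review bot: this hunk keeps the unsafe line and only moves the lint error: `run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN` is removed and re-added unchanged, and the trailing whitespace YAMLlint flagged on `env: ` is taken off that line and put onto `- name: log existing secrets  `, so the trailing-spaces error will simply be reported one line earlier. Take only the `actions/setup-python@v5` bump from this suggestion and delete the secret-echo step rather than reformat it.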

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 actionlint (1.7.7)

17-17: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 YAMLlint (1.37.1)

[error] 22-22: trailing spaces

(trailing-spaces)


[error] 26-26: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents
In .github/workflows/pr-reviewer.yml around lines 17 to 26, the workflow
formatting is incorrect and the Python setup action version should be updated.
Fix the indentation and structure of the YAML to comply with GitHub Actions
syntax, and update the actions/setup-python version to the latest stable release
(e.g., v4). Also, ensure environment variables are properly referenced and
echoed in the run step without syntax errors.

"""Fetch the list of commits for a PR from GitHub API with retries and exception handling."""
url = f"https://api.github.com/repos/{repo_full_name}/pulls/{pr_number}/commits"
headers = {
"Authorization": f"{github_token}",

⚠️ Potential issue

Fix the Authorization header format.

The Authorization header should include the authentication scheme. GitHub API expects either Bearer or token prefix.

Apply this diff to fix the header format:

-        "Authorization": f"{github_token}",
+        "Authorization": f"Bearer {github_token}",

If the token is a personal access token (classic), you can also use:

-        "Authorization": f"{github_token}",
+        "Authorization": f"token {github_token}",
🤖 Prompt for AI Agents
In github.py at line 12, the Authorization header is missing the required
authentication scheme prefix. Update the header value to include the prefix
"Bearer " or "token " before the github_token variable to comply with GitHub API
requirements.
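An added example, not the PR's github.py, of how the fetch described here can carry a scheme-prefixed Authorization header and still retry only what retrying can fix: 503s and network errors back off exponentially, while 401/403/404 fail at once and an empty token is rejected before any request is built. The transport callable, repository name and token are hypothetical stand-ins for requests.get and real values.

```python
import random
import time
from typing import Any, Callable, Dict, List, Tuple

API_BASE = "https://api.github.com"
# Hypothetical transport: (url, headers) -> (status, body); a real one wraps requests.get(..., timeout=10).
Transport = Callable[[str, Dict[str, str]], Tuple[int, Any]]


class GitHubAuthError(Exception):
    """401/403/404: no retry can turn a missing or under-scoped token into a valid one."""


def build_headers(github_token: str) -> Dict[str, str]:
    """Authorization needs a scheme; an empty token is refused instead of being sent bare."""
    if not github_token or not github_token.strip():
        raise ValueError("github_token is empty; refusing to send an unauthenticated request")
    return {"Authorization": f"Bearer {github_token}", "Accept": "application/vnd.github+json"}


def fetch_pr_commits(repo_full_name: str, pr_number: int, github_token: str, transport: Transport,
                     max_attempts: int = 4, base_delay: float = 0.5,
                     sleep: Callable[[float], None] = time.sleep) -> List[Any]:
    """Fetch a PR's commits, retrying only transient failures, with exponential backoff."""
    url = f"{API_BASE}/repos/{repo_full_name}/pulls/{pr_number}/commits"
    headers = build_headers(github_token)
    for attempt in range(1, max_attempts + 1):
        try:
            status, body = transport(url, headers)
        except OSError as exc:                  # reset, timeout, DNS failure: transient
            status, body = 0, f"network error: {exc}"
        if status == 200:
            return body
        if status in (401, 403, 404):           # terminal; the message never carries the token
            raise GitHubAuthError(f"HTTP {status} from GitHub for {repo_full_name}#{pr_number}")
        if attempt == max_attempts:
            raise RuntimeError(f"giving up after {attempt} attempts, last status {status}")
        sleep(base_delay * 2 ** (attempt - 1) + random.uniform(0, 0.1))  # 0.5s, 1s, 2s + jitter
    raise RuntimeError("unreachable")


def flaky_transport(fail_times: int, final_status: int = 200) -> Transport:
    """Constructed stand-in for the network: 503 for `fail_times` calls, then `final_status`."""
    state = {"calls": 0}

    def send(url: str, headers: Dict[str, str]) -> Tuple[int, Any]:
        state["calls"] += 1
        if state["calls"] <= fail_times:
            return 503, "upstream unavailable"
        return final_status, [{"sha": "0" * 40, "commit": {"message": "constructed sample commit"}}]
    return send


def outcome(fn: Callable[[], Any]) -> str:
    """Name of the exception `fn` raises, or 'ok'."""
    try:
        fn()
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def demo() -> Dict[str, Any]:
    """Three cases a reviewer cares about: transient 503s, a rejected token, an empty token."""
    delays: List[float] = []
    repo, token = "example-org/example-repo", "constructed-token"
    commits = fetch_pr_commits(repo, 1, token, flaky_transport(2), sleep=delays.append)
    return {
        "commits": len(commits), "retries": len(delays), "delays": delays,
        "bad_token": outcome(lambda: fetch_pr_commits(repo, 1, token, flaky_transport(0, 401))),
        "empty_token": outcome(lambda: fetch_pr_commits(repo, 1, "", flaky_transport(0))),
    }
```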

API_TOKEN: ${{ secrets.API_TOKEN }}
WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
ORG_TOKEN: ${{ secrets.ORG_TOKEN }}
run: echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN

Critical Security Issue: This workflow step exposes sensitive secrets in GitHub Actions logs. The echo $API_TOKEN $WEBHOOK_SECRET $ORG_TOKEN command will print all secrets to the build logs, making them accessible to anyone with repository access. Remove this step immediately and rotate the exposed credentials.

@@ -0,0 +1,2 @@
ID=Iv23liGyTZJYhySo4cEM
SECRET=a0d16e1977f5dbd754649d9daa7d19d8ef32f38b
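Review bot: removing `.bot` in a follow-up commit does not undo this: both values stay in the branch history and in every clone or fork made since the push, and the Gitleaks hit at 2-2 shows how cheaply they are found, so rotate first and then drop or rewrite the branch. Add `.bot` to `.gitignore`, run the same secret scan as a pre-commit or pre-push hook so the file is blocked before it reaches the remote, and read ID and SECRET from the environment the way the workflow already reads its values from `secrets.*`.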

Critical Security Issue: Hardcoded credentials should never be committed to version control. This file contains what appears to be actual GitHub App ID and secret values. Remove this file immediately, add .bot to .gitignore, and rotate these credentials.
