
Refactor Devin PR Code Review workflow #52

Merged: Freedisch merged 2 commits into main from feat/devin on May 20, 2026

Conversation

@Freedisch (Owner)

No description provided.

Signed-off-by: freedisch <freeproduc@gmail.com>
@vercel

vercel Bot commented May 20, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| synapseai | Ready | Preview, Comment | May 20, 2026 2:08pm |


Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@Freedisch Freedisch merged commit 9b3a912 into main May 20, 2026
4 of 5 checks passed
BODY=$(echo "$RESPONSE" | sed '$d')

echo "Status: $HTTP_CODE"
echo "Status: $HTTP_CODE"

Bug: Duplicate echo — copy-paste error

This line is a duplicate of line 33. The second commit (f800897) replaced echo "Response: $BODY" with another echo "Status: $HTTP_CODE" instead of simply deleting it. The status code is printed twice for no reason.

Suggested change
echo "Status: $HTTP_CODE"
echo "Status: $HTTP_CODE"

fi

SESSION_ID=$(echo "$BODY" | jq -r '.session_id // .id // empty')
echo "Session ID: $SESSION_ID"

Security: Session ID leaked to CI logs

The original echo "Response: $BODY" was correctly removed to avoid exposing sensitive data in CI logs, but this line re-introduces essentially the same problem. The session ID is a credential-equivalent that can be used to interact with or access the Devin session. GitHub Actions logs are visible to anyone with read access to the repo.

If you need the session ID for a downstream step, use echo "::add-mask::$SESSION_ID" before logging it, or pass it via $GITHUB_OUTPUT without echoing. Better yet, if no downstream step needs it, remove this line entirely.

Suggested change
echo "Session ID: $SESSION_ID"
SESSION_ID=$(echo "$BODY" | jq -r '.session_id // .id // empty')

exit 1
fi

SESSION_ID=$(echo "$BODY" | jq -r '.session_id // .id // empty')

Bug: No validation that SESSION_ID is non-empty

If the API returns a JSON structure without session_id or id (e.g., a changed response schema, or a partial error response that still returns 200/201), jq will output an empty string and the workflow will silently succeed with a blank session ID. You should guard against this:

Suggested change
SESSION_ID=$(echo "$BODY" | jq -r '.session_id // .id // empty')
SESSION_ID=$(echo "$BODY" | jq -r '.session_id // .id // empty')
if [ -z "$SESSION_ID" ]; then
echo "::error::Could not extract session ID from API response"
exit 1
fi
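
The masking and step-output advice from the session-ID comment above, combined with the empty-value guard from this one, as an added shell example that is not part of the PR. It assumes the `curl -w "\n%{http_code}"` capture pattern the workflow uses; the sample response is constructed inline and the `${GITHUB_OUTPUT:-/dev/null}` fallback only exists so it runs outside Actions.

```shell
#!/bin/sh
# Added example (not code from the PR): take the captured Devin API response,
# verify the status and the session id, then hand the id to later steps via
# $GITHUB_OUTPUT with the value masked, instead of echoing it to the log.
# Assumes the curl -w "\n%{http_code}" capture pattern used in the workflow.
set -eu

# Constructed sample: JSON body on the first line, HTTP status on the last.
SAMPLE_RESPONSE='{"session_id":"devin-abc123","status":"running"}
201'

# extract_session_id RESPONSE: prints the id, or returns 1 with an ::error::
# annotation when the status is not 2xx or no session_id/id is present.
extract_session_id() {
  response="$1"
  code=$(printf '%s\n' "$response" | tail -n 1)
  body=$(printf '%s\n' "$response" | sed '$d')
  case "$code" in
    2[0-9][0-9]) ;;
    *) echo "::error::Devin API returned HTTP $code" >&2; return 1 ;;
  esac
  if command -v jq >/dev/null 2>&1; then
    id=$(printf '%s' "$body" | jq -r '.session_id // .id // empty')
  else
    # Portability fallback for hosts without jq (assumes a flat JSON object
    # with a "session_id" key; the .id alternative is only handled by jq).
    id=$(printf '%s' "$body" | sed -n 's/.*"session_id" *: *"\([^"]*\)".*/\1/p')
  fi
  if [ -z "$id" ]; then
    echo "::error::Could not extract session ID from API response" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# export_session_id ID: register the value with the log masker first, so any
# later accidental echo shows ***, then expose it as a step output.
export_session_id() {
  id="$1"
  echo "::add-mask::$id"
  echo "session_id=$id" >> "${GITHUB_OUTPUT:-/dev/null}"
  echo "Devin session created (id masked, exposed as steps.<id>.outputs.session_id)"
}

SESSION_ID=$(extract_session_id "$SAMPLE_RESPONSE")
export_session_id "$SESSION_ID"
```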

}
}'
"prompt": "Review PR #${{ github.event.pull_request.number }} in ${{ github.repository }}. Look at the diffs, identify logical bugs, code convention violations, and potential edge-case failures. Post your feedback as inline review comments on the PR.",
"idempotent": true
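
Review bot: the `${{ github.event.pull_request.number }}` and `${{ github.repository }}` expressions on the "prompt" line are expanded by Actions straight into the shell script and the JSON body before the step runs. Both values are safe here (a number and an owner/name slug), but the pattern does not generalize: if the prompt is later extended with event fields that PR authors control, such as the title or body, their content lands unescaped in both the script and the JSON. Prefer passing the values through `env:` (e.g. `PR_NUMBER: ${{ github.event.pull_request.number }}`), referencing `$PR_NUMBER` in the script, and building the body with `jq -n --arg` so it is always valid JSON.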

Edge case: "idempotent": true without an idempotency key is effectively a no-op

This workflow triggers on synchronize (every push to the PR branch). Each push fires a new API call with the same "idempotent": true but no idempotency key, so the Devin API has no way to deduplicate — it will create a new review session on every push.

If the intent is to prevent duplicate reviews, you need to provide a deterministic idempotency key, e.g.:

Suggested change
"idempotent": true
"prompt": "Review PR #${{ github.event.pull_request.number }} in ${{ github.repository }}. Look at the diffs, identify logical bugs, code convention violations, and potential edge-case failures. Post your feedback as inline review comments on the PR.",
"idempotent": true,
"idempotency_key": "pr-review-${{ github.repository }}-${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}"

- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
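
Review bot: `uses: actions/checkout@v4` references a mutable tag. If the checkout step is kept at all, pin it to a full commit SHA (with the version in a trailing comment) so that a moved tag cannot change what runs inside a job that has access to `DEVIN_API_KEY`.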

Waste: checkout step is unnecessary

The only action in this workflow is a curl call to the Devin API. The checked-out code is never read, built, or tested. Moreover, fetch-depth: 0 fetches the entire git history, which is the most expensive checkout option. This adds unnecessary latency to every PR event.

Remove this step entirely, or if you anticipate needing the repo content in a future step, at minimum change fetch-depth: 0 to fetch-depth: 1.

run: |
curl -X POST "https://devin.ai" \
-H "Authorization: Bearer ${{ secrets.DEVIN_API_KEY }}" \
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "https://api.devin.ai/v1/sessions" \
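
Review bot: `curl -s` on the new `RESPONSE=$(...)` line also silences curl's own error messages, so a DNS or TLS failure leaves `$RESPONSE` empty with nothing in the log to explain it; `-sS` keeps the progress meter off but still prints errors. The `-H "Authorization: Bearer ${{ secrets.DEVIN_API_KEY }}"` header is fine as written because Actions masks registered secrets in the log, provided the script never enables `set -x`, which would echo the expanded command line.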

Edge case: No curl timeout — workflow can hang indefinitely

If the Devin API is slow or unresponsive, this curl will block until GitHub's own job-level timeout (default 6 hours) kills it. Add --connect-timeout and --max-time to fail fast:

Suggested change
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "https://api.devin.ai/v1/sessions" \
RESPONSE=$(curl -s -w "\n%{http_code}" --connect-timeout 10 --max-time 30 -X POST "https://api.devin.ai/v1/sessions" \

@devin-ai-integration

Review Summary

I reviewed the diff for this PR (refactoring the Devin PR Code Review workflow). Found 6 issues across 3 categories:

🔴 Bugs (2)

| Issue | Line | Description |
|---|---|---|
| Duplicate echo | L34 | echo "Status: $HTTP_CODE" printed twice — copy-paste error from the fix commit |
| No SESSION_ID validation | L42 | If the API response lacks session_id/id, the workflow silently succeeds with a blank value |

🟡 Security (1)

| Issue | Line | Description |
|---|---|---|
| Session ID in CI logs | L43 | echo "Session ID: $SESSION_ID" exposes a credential-equivalent in publicly-visible logs — the same class of issue the second commit tried to fix |

🟠 Edge Cases / Improvements (3)

| Issue | Line | Description |
|---|---|---|
| idempotent: true without key | L27 | No idempotency key means duplicate review sessions on every push to the PR branch |
| Unnecessary checkout | L13-16 | Full repo clone (fetch-depth: 0) but code is never used — pure overhead |
| No curl timeout | L22 | Missing --connect-timeout/--max-time — workflow hangs if API is unresponsive |

All issues have inline comments with suggested fixes.