Skip to content

fix(csharp): fix */% wildcard semantics and TABLE_CAT identifier echo diverge between Thrift and SEA (#525) #48

fix(csharp): fix */% wildcard semantics and TABLE_CAT identifier echo diverge between Thrift and SEA (#525)

fix(csharp): fix */% wildcard semantics and TABLE_CAT identifier echo diverge between Thrift and SEA (#525) #48

Workflow file for this run

# Copyright (c) 2025 ADBC Drivers Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Reviewer-bot — reviews PRs in this repo and posts inline findings.
#
# ⚠️ DRAFT / NOT YET FUNCTIONAL. Requires (see the PR description):
# - secrets BOT_ENGINE_PAT, REVIEW_BOT_APP_ID/PRIVATE_KEY (DATABRICKS_HOST + DATABRICKS_TOKEN already exist in adbc CI)
# - ENGINE_REF in the install step is pinned to an immutable commit SHA (never @main);
# bump it to adopt engine changes. claude-agent-sdk / @anthropic-ai/claude-code are
# unpinned to match the hub. The engine repo (eric-wang-1990/databricks-bot-engine)
# is PRIVATE for now, so BOT_ENGINE_PAT is scoped to it; when it goes public, drop
# the PAT (anonymous install) but keep ENGINE_REF pinned to a tag/SHA (never @main)
#
# Self-contained (a cross-org `uses:` of the hub's internal composite action does
# NOT work, so the run steps are inline). Posts findings under the review-bot App
# identity; it never merges. It also reviews the bug-fix bot's OWN fix PRs, which
# closes the reviewer -> engineer loop.
#
# When the engine is published publicly: drop the PAT (anonymous git / PyPI).
name: Reviewer Bot
on:
pull_request:
# `labeled` is included so adding `review-bot` to an already-open PR triggers
# a review immediately, not just on the next push. (The `if:` gate below only
# honors `review-bot`; applying `engineer-bot` alone fires this event but the
# job is skipped. Engineer-bot fix PRs are reviewed because engineer-bot.yaml
# separately adds the `review-bot` label after publish.)
types: [opened, synchronize, reopened, ready_for_review, labeled]
permissions:
contents: read
pull-requests: write # post inline review findings
id-token: write # model OIDC, if your endpoint uses it
concurrency:
# Re-review on each push; only the latest matters, so cancel stale runs.
group: reviewer-bot-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
review:
# Non-fork, non-draft, `review-bot`-labeled PRs only:
# - fork PRs must never see the LLM/engine secrets; drafts aren't ready.
# - label gate: review ONLY PRs carrying `review-bot`. `review-bot` guards the
# reviewer; `engineer-bot` guards the engineer — strictly separate, never
# mixed. A maintainer opts a PR in with `review-bot`; the bug-fix bot's own
# fix PRs get `review-bot` applied by engineer-bot.yaml after publish, so
# they're reviewed and the loop still closes. Without the label the reviewer
# stays silent, so it doesn't comment on every PR in the repo.
if: >-
github.event.pull_request.draft == false
&& github.event.pull_request.head.repo.fork == false
&& contains(github.event.pull_request.labels.*.name, 'review-bot')
# ACTIVATION BLOCKER: before taking this workflow out of DRAFT, switch this to
# the protected `peco-driver` self-hosted runner (or adopt OIDC + a scoped,
# short-lived model credential distinct from the CI DATABRICKS_TOKEN). As long
# as the live workspace token is reachable in env, an LLM run over untrusted PR
# content must NOT execute on a shared GitHub-hosted runner. See .bot/SETUP.md.
runs-on: ubuntu-latest # DRAFT default only — replace per the note above before activation
timeout-minutes: 30
steps:
- name: Mint review-bot App token
id: token
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
with:
app-id: ${{ secrets.REVIEW_BOT_APP_ID }}
private-key: ${{ secrets.REVIEW_BOT_PRIVATE_KEY }}
- name: Checkout PR (merge ref)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # reviewer diffs head against base
# The reviewer reads this checkout (diff/grep/read) while the LLM runs
# over untrusted PR content; keep the App token OUT of .git/config so a
# prompt-injection can't read+leak it. The reviewer only POSTS via the
# minted App token in GH_TOKEN; it never uses the checkout's git creds.
persist-credentials: false
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.11'
- name: Install bot engine (interim PAT git-install) + Claude SDK/CLI
env:
ENGINE_PAT: ${{ secrets.BOT_ENGINE_PAT }}
# SUPPLY-CHAIN PIN: the engine is pinned to an immutable commit SHA — never
# install from the force-pushable `@main` ref in a secret-bearing job. Bump
# ENGINE_REF to adopt engine changes (prefer a release tag once the engine
# repo cuts one). claude-agent-sdk / @anthropic-ai/claude-code are left
# unpinned to match the hub (databricks-driver-test); pin them to exact
# versions here if you want full reproducibility.
ENGINE_REF: 7e36703f5cae56a3db12fd25620735315fc4c506
run: |
set -euo pipefail
: "${ENGINE_REF:?pin the engine to a tag/SHA before activation (refusing @main)}"
python -m pip install --upgrade pip
# The dedicated engine repo (PRIVATE for now → install via the PAT). Drop the
# `x-access-token:${ENGINE_PAT}@` prefix once it's public; ENGINE_REF stays pinned.
pip install "databricks-bot-engine @ git+https://x-access-token:${ENGINE_PAT}@github.com/eric-wang-1990/databricks-bot-engine@${ENGINE_REF}"
pip install claude-agent-sdk
npm install -g @anthropic-ai/claude-code
- name: Run reviewer
env:
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
PR_NUMBER: ${{ github.event.pull_request.number }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
GH_TOKEN: ${{ steps.token.outputs.token }}
# Model serving on the same Databricks workspace as adbc's CI: DATABRICKS_HOST is
# the bare hostname hosting the databricks-claude-opus-4-8 serving endpoint;
# DATABRICKS_TOKEN authenticates it (Bearer). Both already exist as adbc CI secrets.
MODEL_ENDPOINT: https://${{ secrets.DATABRICKS_HOST }}/serving-endpoints/databricks-claude-opus-4-8/invocations
DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }}
DRY_RUN: 'false'
RUNNER_TEMP: ${{ runner.temp }}
run: python -m databricks_bot_engine.reviewer_bot.run_review