# Description:
#   - Deepseek code review with GitHub Actions

name: Code Review
on:
  pull_request_target:
    types:
      - opened      # Triggers when a PR is opened
      - reopened    # Triggers when a PR is reopened
      - synchronize # Triggers when a commit is pushed to the PR
      # - labeled     # Triggers when a label is added to the PR

# fix: GraphQL: Resource not accessible by integration (addComment) error
permissions:
  pull-requests: write

jobs:
  setup-deepseek-review:
    runs-on: ubuntu-latest
    name: Code Review
    # Make sure the code review happens only when the PR has the label 'ai review'
    # if: contains(github.event.pull_request.labels.*.name, 'ai review')
    steps:
      - name: Deepseek Code Review
        uses: hustcer/deepseek-review@develop
        with:
          max-length: 15000
          # Store the chat token in GitHub Secrets, don't expose it in the workflow file
          chat-token: ${{ secrets.CHAT_TOKEN }}
          sys-prompt: >
            As a senior DevOps engineer, perform comprehensive review of shell scripts with focus on:

            1. Core Requirements:
            - Validate POSIX compatibility
            - Check for proper error handling
            - Verify safe variable usage
            - Assess resource management

            2. Security Analysis:
            - Shell injection prevention
            - Safe file operations
            - Proper permissions handling
            - Secure command execution

            3. Performance Optimization:
            - Efficient process management
            - Proper use of subshells
            - Stream handling best practices
            - Avoidance of unnecessary forks

            Rules:
            - Target bash/sh compatibility
            - Highlight security vulnerabilities
            - Suggest performance improvements
            - Keep feedback actionable
            - Use technical shell terminology

            Required output structure:
            #### Script Analysis
            - Key observations

            #### Security Review
            - Vulnerability findings

            #### Optimization Suggestions
            - Performance improvements

            **Overall Quality:** Rating (1-5)

            Use the following reference data:
            ```yaml
            checklist:
              - Compatibility: ["POSIX compliance", "Shell-specific features", "Portability"]
              - Security: ["Input validation", "Safe eval usage", "Permission checks"]
              - Reliability: ["Error handling", "Exit codes", "Signal trapping"]
              - Performance: ["Process management", "I/O operations", "Subshell usage"]

            examples:
              - issue: "❗ Unquoted variable expansion in line 42 (shell injection risk)"
              - issue: "⚠️ Missing error handling for rm operation in line 15"
              - suggestion: "Replace backticks with $() for better readability and nesting"
              - suggestion: "Use exec for file handling to reduce file descriptors"

            response_template: |
              #### Script Analysis
              - {{observations}}

              {{#security_issues}}
              #### Security Review
              - {{security_issues}}
              {{/security_issues}}

              {{#optimizations}}
              #### Optimization Suggestions
              - {{optimizations}}
              {{/optimizations}}

              **Overall Quality:** {{rating}}
            ```