From 98b9a9667a4256f5efe2a03d26a5494eff960fd8 Mon Sep 17 00:00:00 2001
From: Savio Dsouza
Date: Fri, 5 Jun 2026 11:02:54 +0530
Subject: [PATCH 1/3] Update tenet-pr-review.yml
---
.github/workflows/tenet-pr-review.yml | 32 +++++++++++++++------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/tenet-pr-review.yml b/.github/workflows/tenet-pr-review.yml
index baf0b60..83aae62 100644
--- a/.github/workflows/tenet-pr-review.yml
+++ b/.github/workflows/tenet-pr-review.yml
@@ -1,7 +1,7 @@
name: 🤖 TENET Agent - PR Review
on:
- pull_request:
+ pull_request_target:
types: [opened, synchronize, reopened]
permissions:
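Review bot: Switching the trigger to `pull_request_target` gives this job the base repository's secrets and a GITHUB_TOKEN for pull requests opened from forks, so it needs an explicit least-privilege `permissions:` block; that block's contents are cut off after the last context line of this hunk, so I cannot tell what the token can do. If the review step only reads the PR and posts a comment, `contents: read` and `pull-requests: write` should be enough, with every other scope left unset. The PR title, body and diff text that reach the agent are also contributor-controlled on a fork PR, so how the agent treats that input is part of the trust boundary, not just the checkout that the next hunk's comment documents.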
@@ -13,38 +13,42 @@ jobs:
tenet-review:
name: TENET Security Review
runs-on: ubuntu-latest
- # Skip bot-created PRs to avoid loops
- if: |
- github.actor != 'github-actions[bot]' &&
- github.actor != 'coderabbitai[bot]'
+ if: github.event.pull_request.user.login != 'github-actions[bot]' && github.event.pull_request.user.login != 'coderabbitai[bot]'
+
+ # SECURITY: Do NOT add `ref: github.event.pull_request.head.sha` here.
+ # pull_request_target runs with repository secrets.
+ # Checking out fork code could expose secrets.
+ # TENET reads PR diffs through the GitHub API using HEAD_SHA.
steps:
- name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
fetch-depth: 0
- name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
with:
python-version: "3.11"
cache: "pip"
- cache-dependency-path: .github/tenet_agent/requirements.txt
+ cache-dependency-path: agent/tenet_agent/requirements.txt
- name: Install TENET agent dependencies
- run: pip install -r .github/tenet_agent/requirements.txt
+ run: pip install -r agent/tenet_agent/requirements.txt
- name: Check TENET_AI_KEY is configured
+ id: key_check
run: |
if [ -z "$TENET_AI_KEY" ]; then
- echo "⚠️ TENET_AI_KEY is not set — skipping review."
- echo "Add it under Settings → Secrets and variables → Actions."
- exit 0
+ echo "has_key=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "has_key=true" >> "$GITHUB_OUTPUT"
fi
env:
TENET_AI_KEY: ${{ secrets.TENET_AI_KEY }}
- name: Run TENET PR Review
+ if: steps.key_check.outputs.has_key == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TENET_AI_KEY: ${{ secrets.TENET_AI_KEY }}
@@ -56,5 +60,5 @@ jobs:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
- cd .github/tenet_agent
- python tenet_review.py
+ cd agent/tenet_agent
+ python tenet_review.py
\ No newline at end of file
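Review bot: The rewritten `Check TENET_AI_KEY is configured` step drops the operator-facing message that the removed `echo` lines printed, so a run without the secret now shows a green job whose review step was silently skipped. Keep a visible annotation in the false branch, e.g. `echo "::warning::TENET_AI_KEY is not set - skipping review."` next to the `has_key=false` write, so the skip shows up in the run summary. The `# SECURITY:` comment is placed under the job-level `if:`, several lines above the checkout step it protects; moving it directly above `- name: Checkout repository` keeps the warning with the step a future editor is most likely to change.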
From b89669ab47daa6a46a91ce9b392372eb6b41adca Mon Sep 17 00:00:00 2001
From: Savio Dsouza
Date: Fri, 5 Jun 2026 11:04:04 +0530
Subject: [PATCH 2/3] Update tenet-pr-review.yml
---
.github/workflows/tenet-pr-review.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/tenet-pr-review.yml b/.github/workflows/tenet-pr-review.yml
index 83aae62..99ac8e0 100644
--- a/.github/workflows/tenet-pr-review.yml
+++ b/.github/workflows/tenet-pr-review.yml
@@ -60,5 +60,5 @@ jobs:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
- cd agent/tenet_agent
+ cd .github/tenet_agent
python tenet_review.py
\ No newline at end of file
From 927e40e111fc8a9361cd90f5fd1265352afc0da0 Mon Sep 17 00:00:00 2001
From: Savio Dsouza
Date: Fri, 5 Jun 2026 11:40:12 +0530
Subject: [PATCH 3/3] Update .github/workflows/tenet-pr-review.yml
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
---
.github/workflows/tenet-pr-review.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/tenet-pr-review.yml b/.github/workflows/tenet-pr-review.yml
index 99ac8e0..a7328da 100644
--- a/.github/workflows/tenet-pr-review.yml
+++ b/.github/workflows/tenet-pr-review.yml
@@ -25,6 +25,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
fetch-depth: 0
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
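Review bot: Reverting only the `cd` to `.github/tenet_agent` leaves the workflow installing and caching from a different directory than it runs from: after this series, `run: pip install -r agent/tenet_agent/requirements.txt` and `cache-dependency-path: agent/tenet_agent/requirements.txt` (both outside this hunk, introduced in the first patch) still point at `agent/tenet_agent`. Unless both directories exist in the repository, the install step fails before the review ever runs; if both exist, the dependencies the script is pinned against can drift from the ones actually installed. Both references should follow this revert to `.github/tenet_agent/requirements.txt`. The `run:` block this hunk edits belongs to a step that starts before the hunk's first line.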
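Review bot: `fetch-depth: 0` on the line above the new `persist-credentials: false` clones the base repository's full history, yet the SECURITY comment added earlier in this series says TENET reads PR diffs through the GitHub API using HEAD_SHA, which suggests the checkout only needs the agent's source files. If that is accurate, removing `fetch-depth: 0` (the action's default shallow clone) makes the job faster and the checkout smaller; if full history really is required, a one-line comment such as `# full history required: <reason>` above it would record why. The checkout step begins before this hunk's first line.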