Add comment to newly opened PR#27

Merged

satnam72 merged 3 commits into main from github-actions/add-comment-to-PR, Aug 25, 2025
Conversation

@satnam72 (Owner)

@satnam72 satnam72 commented Aug 25, 2025

Description

  • Create new GitHub actions workflow to add comment on newly opened PR.

Related Issue

  • Closes N/A

Type of Change

  • Other (please describe): GitHub actions workflow

Checklist

  • My code follows the project’s style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Additional Notes

N/A

Summary by CodeRabbit

  • Chores
    • Added an automated workflow that posts or updates a friendly welcome comment whenever a new pull request is opened. The message addresses the author by username and thanks them for the contribution, providing consistent, prompt acknowledgment to improve contributor experience and streamline project communication.

@coderabbitai

coderabbitai bot commented Aug 25, 2025

Walkthrough

Adds a new GitHub Actions workflow that runs on pull_request_target (opened) and posts a greeting comment to the PR author using peter-evans/create-or-update-comment@v4 without checking out the repository.

Changes

Cohort / File(s): GitHub Actions workflow, .github/workflows/pull-request-comment.yml
Summary: Adds a workflow named "Add Comment to PR" triggered on pull_request_target for opened PRs; defines job comment on ubuntu-latest with a single step using peter-evans/create-or-update-comment@v4.0.0 to post the body "Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution."; no checkout step included.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor PR_Author as PR Author
    participant GH as GitHub
    participant WF as Workflow (pull_request_target)
    participant ACT as peter-evans/create-or-update-comment@v4
    participant API as GitHub PR API

    PR_Author->>GH: Open Pull Request
    GH-->>WF: Trigger on pull_request_target (opened)
    WF->>ACT: Run action with issue-number = PR number<br/>body = "Hi @login! Thank you for the contribution."
    ACT->>API: Create or update PR comment
    API-->>ACT: Comment created/updated
    ACT-->>WF: Step complete
    WF-->>GH: Job complete

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit peeks at code anew,
Leaves a tiny note: "Hello to you!"
Hop, clap, a friendly little cheer,
A welcome comment, soft and clear. 🐇✨

@satnam72 satnam72 marked this pull request as ready for review August 25, 2025 03:34

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/pull-request-comment.yml (2)

8-9: Tighten permissions to the minimum required.

create-or-update-comment works with either issues: write or pull-requests: write. For clarity, grant the minimal scope explicitly (issues: write is the direct API used to create PR comments). (github.com, docs.github.com)

-permissions:
-  pull-requests: write
+permissions:
+  issues: write
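Review bot: a root `permissions:` block sets every scope it does not list to `none`, so after this hunk the token carries `issues: write` and nothing else. That is the right shape for this job only because there is no checkout step, so `contents: read` is not needed; if a checkout is ever reintroduced, `contents: read` must be added explicitly, and on `pull_request_target` that reintroduction is the change to scrutinise hardest.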

Alternative (also OK): keep pull-requests: write. Do not grant extra scopes.


23-24: Nit: Consider a richer, future-proof welcome message.

Optionally include links (CONTRIBUTING, CI status hints) or a reaction. Example:

  • Add reactions: reactions: '+1'
  • Use a template file body for easier edits later.

This is purely optional polish. (github.com)


📥 Commits

Reviewing files that changed from the base of the PR and between 65b1f4f and f88ccbe.

📒 Files selected for processing (1)
  • .github/workflows/pull-request-comment.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/pull-request-comment.yml

17-17: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (1)
.github/workflows/pull-request-comment.yml (1)

3-7: Ensure PR Comment Workflow Supports Forked Pull Requests

We’ve confirmed the workflow is currently triggered on the pull_request event and includes both a checkout step and the create-or-update-comment action, which means:

  • With on: pull_request, the GITHUB_TOKEN will be read-only when a PR originates from a fork, causing the comment step to fail with “Resource not accessible by integration.”
  • Switching to pull_request_target allows write permissions on forks, since the workflow runs in the context of the base branch.

Please confirm whether you need to support commenting on PRs opened from forks. If so, update the trigger and carefully handle the checkout step (so you don’t inadvertently run untrusted code):

-on:
-  pull_request:
-    types:
-      - opened
+on:
+  pull_request_target:
+    types:
+      - opened
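Review bot: this hunk changes only the trigger, while the actionlint finding above shows a checkout step still present at line 17 of this revision. With `pull_request_target` that step is the risk: the job now runs with a write-scoped token and repository secrets, and checking out the PR head would place fork-controlled files in that privileged context. Remove the checkout in the same commit as the trigger change rather than as a follow-up; if it cannot be removed, leave `actions/checkout` on its default ref for this event (the base branch) and never point it at `github.event.pull_request.head.sha`.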

Security note: either remove the checkout step or guard it to avoid checking out PR author’s code when using pull_request_target.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/pull-request-comment.yml (1)

12-15: Nice: addressed earlier feedback (no checkout, updated to v4).

You’ve removed the unnecessary checkout and are on the latest major of the peter-evans action, resolving prior review notes.

🧹 Nitpick comments (1)
.github/workflows/pull-request-comment.yml (1)

13-18: Make the comment idempotent and skip bot-authored PRs.

Re-running the workflow (manual re-run, transient failure) will post duplicates. Also, you likely don’t want to greet bots (Dependabot, Renovate).

Apply this diff to dedupe via a marker and avoid bot PRs:

       - name: Create or Update Comment
-        uses: peter-evans/[email protected]
+        if: ${{ github.event.pull_request.user.type != 'Bot' }}
+        uses: peter-evans/[email protected]
         with:
           issue-number: ${{ github.event.pull_request.number }}
+          body-includes: "[auto-pr-greeting]"
+          edit-mode: replace
           body: |
-            Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.
+            [auto-pr-greeting]
+            Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.
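Review bot: `body-includes` is not an input of create-or-update-comment (it is an input of peter-evans/find-comment), so as written this hunk does not dedupe: the runner warns about the unexpected input, `edit-mode: replace` has nothing to act on without a `comment-id`, and every re-run still creates a fresh comment. To get the idempotency the comment describes, add a find-comment step that searches the PR for the `[auto-pr-greeting]` marker and pass its `comment-id` output to this step. The `if:` guard on `user.type != 'Bot'` is correct as written and should stay.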

📥 Commits

Reviewing files that changed from the base of the PR and between f88ccbe and 3746ef2.

📒 Files selected for processing (1)
  • .github/workflows/pull-request-comment.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/pull-request-comment.yml (1)

3-7: Good choice of event; safe as no repo code is executed.

Using pull_request_target (types: opened) is appropriate for commenting on PRs from forks. With no checkout or script execution, you avoid the common RCE pitfalls of this event.

Comment on lines +1 to +4
name: Add Comment to PR

on:
  pull_request_target:

🛠️ Refactor suggestion

Harden the GITHUB_TOKEN scope (least privilege).

pull_request_target grants a broad, write-scoped token by default. This job only needs to read contents and write an issue-style comment. Restrict permissions at the workflow root.

Apply this diff to set minimal permissions:

 name: Add Comment to PR
+permissions:
+  contents: read
+  pull-requests: read
+  issues: write
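Review bot: this block is wider than the least-privilege goal it states. `contents: read` is only needed when a step reads the repository, and the reviewed revision has no checkout step; `pull-requests: read` adds nothing once `issues: write` covers posting the comment. `issues: write` alone is sufficient here. Declaring `permissions:` at all is the important part, since any explicit block resets every unlisted scope to `none`.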
🤖 Prompt for AI Agents
In .github/workflows/pull-request-comment.yml lines 1-4, the workflow uses
pull_request_target which grants a broad GITHUB_TOKEN scope; restrict
permissions at the workflow root by adding a permissions block that grants only
what's needed (e.g., contents: read and issues: write — or pull-requests: write
if you use the Pull Requests API) so the job can read repository contents and
post an issue-style PR comment without broad write permissions.


    steps:
      - name: Create or Update Comment
        uses: peter-evans/create-or-update-comment@v4.0.0


💡 Verification agent

🧩 Analysis chain

Pin the third-party action to a commit SHA.

Using a floating tag (even v4.0.0) risks supply-chain drift. Pin to the exact commit for v4.0.0 and optionally add an allowlist comment.

Apply this diff after resolving the release’s commit SHA:

-        uses: peter-evans/[email protected]
+        # v4.0.0 (pin to immutable commit for supply-chain safety)
+        uses: peter-evans/create-or-update-comment@<commit-sha-for-v4.0.0>

Use one of the commands below to retrieve the exact commit SHA for v4.0.0:


🏁 Script executed:

#!/bin/bash
# Get the commit SHA for the v4.0.0 tag (select the commit, not the tag object)
git ls-remote https://github.com/peter-evans/create-or-update-comment refs/tags/v4.0.0 | awk 'END{print $1}'



Pin GitHub Action to immutable commit SHA

The peter-evans/create-or-update-comment@v4.0.0 reference should be pinned to the exact commit to prevent supply-chain drift.

• File: .github/workflows/pull-request-comment.yml
Line: 14

Suggested diff:

-        uses: peter-evans/[email protected]
+        # v4.0.0 (pin to immutable commit for supply-chain safety)
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
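Review bot: `uses:` must reference a commit, so confirm that the SHA in this hunk is the peeled commit for the v4.0.0 tag and not the annotated tag object. The `git ls-remote` pipeline above does the right thing by taking the last output line, which for an annotated tag is the `refs/tags/v4.0.0^{}` entry; a bare tag-object SHA would fail at workflow run time. Keep the trailing `# v4.0.0` comment next to the pinned SHA: it records which release the SHA corresponds to and is what tooling such as Dependabot reads when proposing a bump.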
📝 Committable suggestion


Suggested change
-        uses: peter-evans/create-or-update-comment@v4.0.0
+      - name: Comment on PR
+        # v4.0.0 (pin to immutable commit for supply-chain safety)
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.
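The review comments above each address one property of this workflow: a least-privilege token, `pull_request_target` without a checkout, an idempotent comment, skipping bot-authored PRs, and a commit-pinned action. The following workflow is an added example that folds all of them into one file; it is not the PR's own `.github/workflows/pull-request-comment.yml` and not code from the peter-evans projects. It assumes: the create-or-update-comment SHA is the one the review above resolved for v4.0.0; the find-comment SHA is a placeholder that must be resolved with the `git ls-remote` command shown in the review; the `[auto-pr-greeting]` marker is constructed here. For idempotency it uses `body-includes` on peter-evans/find-comment (where that input actually exists) and feeds the resulting `comment-id` into create-or-update-comment, instead of the `body-includes` on create-or-update-comment that the review's diff proposed.

```yaml
# Added example (not the PR's own file): hardened greeting workflow.
name: Add Comment to PR

on:
  pull_request_target:
    types:
      - opened

# Any explicit permissions block resets every unlisted scope to none.
# There is no checkout step, so contents: read is deliberately absent.
permissions:
  issues: write

jobs:
  comment:
    runs-on: ubuntu-latest
    # Skip greetings for bot-authored PRs (Dependabot, Renovate, ...).
    if: ${{ github.event.pull_request.user.type != 'Bot' }}
    # Deliberately no actions/checkout: on pull_request_target this job holds a
    # write-scoped token and repository secrets, so fork-controlled files must
    # never be checked out or executed here.
    steps:
      - name: Find existing greeting
        id: find
        # PLACEHOLDER: resolve to the commit SHA of the find-comment release you pin
        uses: peter-evans/find-comment@<commit-sha-for-pinned-release>
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: github-actions[bot]
          # Constructed marker; find-comment matches comments containing it.
          body-includes: "[auto-pr-greeting]"

      - name: Create or Update Comment
        # v4.0.0 (pin to immutable commit for supply-chain safety); SHA as resolved in the review above
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
        with:
          # Empty comment-id means "create"; a found id means "replace in place",
          # so manual re-runs and retries do not post duplicates.
          comment-id: ${{ steps.find.outputs.comment-id }}
          edit-mode: replace
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            [auto-pr-greeting]
            Hi @${{ github.event.pull_request.user.login }}! Thank you for the contribution.
```

The marker line is what makes the find step deterministic across runs; it is also the only value the workflow writes that a later run reads back, and it never reaches a shell. Everything the workflow interpolates from the event (`number`, `user.login`, `user.type`) goes into action inputs rather than a `run:` script, which is the property that keeps a `pull_request_target` job safe even though it is triggered by fork PRs.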

@satnam72 satnam72 merged commit 045684f into main Aug 25, 2025
2 checks passed
@satnam72 satnam72 deleted the github-actions/add-comment-to-PR branch August 27, 2025 15:09