Skip to content

Consume BC PR review engine instead of hosting it#9210

Open
gggdttt wants to merge 6 commits into
mainfrom
feature/pr-review-use-engine
Open

Consume BC PR review engine instead of hosting it#9210
gggdttt wants to merge 6 commits into
mainfrom
feature/pr-review-use-engine

Conversation

@gggdttt

@gggdttt gggdttt commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

DRAFT — depends on microsoft/BC-PRReviewerAgent#4. Do not merge until the engine PR merges and the pinned SHA below is repointed to a reviewed engine main SHA (or release tag). Security-sensitive (repoints the production review pipeline cross-repo) — needs team buy-in.

What

Stops BCApps from hosting the Copilot PR-review engine and makes it a caller of the reusable engine that now lives in microsoft/BC-PRReviewerAgent.

This is PR 2 of 3:

  1. microsoft/BC-PRReviewerAgent#4 — engine scripts + reusable review.yml.
  2. This PR — BCApps consumes the engine.
  3. BC-Bench — drop its vendored snapshot and invoke the same engine.

Changes

  • Deleted tools/Code Review/ (orchestrator + README) and tools/BCQuality/scripts/ — all moved to the engine repo. (-3384 lines)
  • Rewrote .github/workflows/CopilotPRReviewRunner.yaml from three inline jobs to a thin uses: microsoft/BC-PRReviewerAgent/.github/workflows/review.yml@<sha> caller with secrets: inherit and the existing vars.* mapped to workflow inputs.
  • Kept tools/BCQuality/bcquality.config.yaml (BCApps' auditable policy) and CopilotPRReview.yaml (unprivileged pull_request intake), both unchanged.
  • Rewrote tools/BCQuality/README.md to describe the policy config only.

Security model (unchanged)

The reusable workflow preserves the pull_requestworkflow_run pattern: a read-only review job runs the tool-enabled Copilot CLI over the untrusted diff (no write token); a separate publish job holds issues/pull-requests: write and only posts saved artifacts. The trusted-code provider shifts from BCApps main to BC-PRReviewerAgent@<pinned-sha>.

Before merge

  • Engine PR merged; repoint the @<sha> in uses: and engine_ref: to a reviewed engine main SHA / release tag.
  • End-to-end dry run on a test PR.

AB#641717

The Copilot PR-review orchestrator and BCQuality clone+filter scripts moved to microsoft/BC-PRReviewerAgent. Replace the inline CopilotPRReviewRunner.yaml (resolve/review/publish jobs) with a thin caller of that engine's reusable review.yml, pinned to a reviewed SHA. BCApps keeps only its policy config (tools/BCQuality/bcquality.config.yaml) and the pull_request intake workflow. Security model unchanged: read-only review job runs the model on the untrusted diff; separate write-scoped publish job posts saved artifacts.
@github-actions github-actions Bot added the Build: Automation Workflows and other setup in .github folder label Jul 8, 2026
@github-actions github-actions Bot added this to the Version 29.0 milestone Jul 8, 2026
wenjiefan added 2 commits July 8, 2026 16:05
The engine now lives in the new public repo microsoft/BC-PullRequestReviewAgent so BCApps (and partner forks) can consume the reusable workflow cross-repo. Update uses: and engine_ref: to f9f7302.
Pins uses:+engine_ref to the BC-PullRequestReviewAgent v1.0.2 release, which adds private-repo authenticated fetch and reliable findings-file harvest (verified end-to-end). Replaces the pre-release SHA f9f7302.
@gggdttt gggdttt marked this pull request as ready for review July 9, 2026 07:34
@gggdttt gggdttt requested review from a team July 9, 2026 07:34
…-engine

# Conflicts:
#	.github/workflows/CopilotPRReviewRunner.yaml
#	tools/Code Review/scripts/Invoke-CopilotPRReview.ps1
run:
shell: pwsh
outputs:
pr_number: ${{ steps.pr.outputs.number }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$\textbf{🟡\ Medium\ Severity\ —\ Agent} \quad \color{gray}{\texttt{\small Iteration\ 1}}$

The 'review' job calls the external reusable workflow 'microsoft/BC-PullRequestReviewAgent/.github/workflows/review.yml@v1.0.2' and passes 'secrets: inherit', forwarding every repo/org secret to that external workflow.

v1.0.2 is a mutable tag, not a commit SHA: every other action reference in this same file (actions/checkout, actions/setup-node, actions/upload-artifact, etc., in the pre-change version) is pinned to a full commit SHA with a version comment, and the called workflow's own header comment explicitly documents the expected pattern as 'uses: microsoft/BC-PullRequestReviewAgent/.github/workflows/review.yml@'. If the v1.0.2 tag were ever moved (accidentally or via a compromised release process) the workflow would silently execute different code with full access to inherited secrets. Given the impact this would represent if it occurred, the concern would normally warrant a major/blocker rating, but per policy this unbacked agent finding is capped at minor -- recommend pinning both the 'uses:' ref and the 'engine_ref' input to the resolved commit SHA for v1.0.2 (currently 7fbb20ce36970abfbc1716effe48d6f72bcb1610), consistent with this workflow's own SHA-pinning convention and the engine's documented guidance.

👍 useful · ❤️ especially valuable · 👎 wrong - reply with why

Comment thread tools/BCQuality/README.md
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Copilot PR Review

Iteration 3 · Outcome: completed

PR touches only workflow YAML, PowerShell orchestration scripts, and Markdown docs; no AL objects are present so every AL-domain leaf found an empty worklist (performance/security/privacy/style: completed with empty findings; upgrade/ui: not-applicable, no page or upgrade/install objects in diff). Findings below come from the super-skill's cross-cutting self-review pass over the CI/CD delegation change.

Knowledge source: https://github.com/microsoft/BCQuality@822cae1b2771ac25f665f73369f69093bd4fd630

Findings by domain

Findings split into Knowledge-backed (cite a BCQuality article) and Agent (the agent's own judgement, no matching BCQuality rule).

Domain Findings Knowledge-backed Agent Inline Fallback
Agent 2 0 2 0 0

Totals: 0 knowledge-backed · 2 agent findings.

Orchestrator pre-filter (13 file(s) excluded)

  • layer-disabled (knowledge) : 13 file(s)

Findings produced by the Copilot CLI agent against BCQuality at 822cae1b2771ac25f665f73369f69093bd4fd630. Reply 👎 on any inline comment to flag false positives.

if-no-files-found: warn
# Pin BOTH the workflow ref and engine_ref to the same reviewed engine release.
uses: microsoft/BC-PullRequestReviewAgent/.github/workflows/review.yml@v1.0.3
secrets: inherit

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this mean?

path: ${{ github.workspace }}/review-output
if-no-files-found: warn
# Pin BOTH the workflow ref and engine_ref to the same reviewed engine release.
uses: microsoft/BC-PullRequestReviewAgent/.github/workflows/review.yml@v1.0.3

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix renaming

secrets: inherit
with:
target_repo: ${{ github.repository }}
engine_ref: v1.0.3

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

with:
target_repo: ${{ github.repository }}
engine_ref: v1.0.3
config_path: tools/BCQuality/bcquality.config.yaml

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Delete config files and lets use workflow parameters as it is safer

engine_ref: v1.0.3
config_path: tools/BCQuality/bcquality.config.yaml
# BCQuality policy overrides (operator escape-hatch; config file is the default)
bcquality_repo: ${{ vars.BCQUALITY_REPO }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Encapsulated in the PRReviewRepo

knowledge_allow: ${{ vars.BCQUALITY_KNOWLEDGE_ALLOW }}
knowledge_deny: ${{ vars.BCQUALITY_KNOWLEDGE_DENY }}
# Reviewer behaviour overrides
copilot_model: ${{ vars.COPILOT_REVIEW_MODEL }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only add parameters that we need to customize in BCApps, otherwise we accept default parameters from PRReview template

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Build: Automation Workflows and other setup in .github folder

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants