Add Tabnine code review workflow for pull requests#5

Merged
Pavel-tabnine merged 1 commit into
mainfrom
Pavel/add-code-review-actions
Mar 9, 2026

Conversation

@Pavel-tabnine

Collaborator

No description provided.

Comment thread .github/workflows/tabnine-review-pr.yml
@Pavel-tabnine Pavel-tabnine force-pushed the Pavel/add-code-review-actions branch from b53914b to d0ff0f4 Compare March 9, 2026 07:58
ref: ${{ github.event.pull_request.head.sha }}

- name: Code Review
uses: codota/tabnine-pr-agent@main


Tabnine PR Bot

[Warning] Supply Chain Security — Unpinned action reference

codota/tabnine-pr-agent@main pins to a mutable branch rather than an immutable commit SHA. If that repository is ever compromised or has an accidental breaking push to main, the next PR against this repo will run the updated (potentially malicious) code with pull-requests: write permissions — without any review gate.

This is the only unpinned third-party action across all workflows in this repo; everything else already uses tagged versions.

Suggested fix: Pin to a specific commit SHA instead of @main:

Suggested change
uses: codota/tabnine-pr-agent@main
uses: codota/tabnine-pr-agent@<COMMIT_SHA>

You can find the current HEAD SHA with:

gh api repos/codota/tabnine-pr-agent/commits/main --jq .sha

Then update the ref and add a comment with the version it corresponds to, e.g.:

uses: codota/tabnine-pr-agent@abc1234  # v1.2.3

@github-actions

github-actions Bot commented Mar 9, 2026


Tabnine PR Bot

[Low Risk] — CI configuration and context documentation addition.

What This PR Does
Integrates Tabnine's automated PR review agent into the repository by adding a trigger workflow and a TABNINE.md context document that describes the project architecture, tech stack, and conventions for Tabnine's AI tools.

Assessment
Looks good to merge. The workflow is well-structured: it scopes permissions minimally (contents: read, pull-requests: write), correctly excludes bot actors to prevent recursive triggering, sets a sensible 30-minute timeout, and uses continue-on-error: true so a Tabnine failure never blocks a PR. One supply-chain concern worth addressing before or shortly after merge (see inline comment).

Key Findings

  • [Warning] codota/tabnine-pr-agent@main is pinned to a mutable branch ref. All other actions in this repo use pinned versions. A compromised or accidentally broken push to that main branch would execute with pull-requests: write access on the next triggered PR. Recommend pinning to a commit SHA.

Cross-Repository Impact
Skipped (Tier 1).

Coaching Guidelines
No Python or application code was changed; coaching guidelines are not applicable to CI YAML/Markdown additions.

What Looks Good

  • Bot actor exclusions are thorough — dependabot[bot], github-actions[bot], and the Tabnine service account are all blocked, preventing infinite review loops.
  • TABNINE.md is accurate and well-organized; it will meaningfully improve AI review quality for this repo.
  • Minimal permission scope — the workflow requests only what it needs.
Review metadata
  • Risk tier: Tier 1
  • Files reviewed: 2
  • Inline comments posted: 1
  • Highest severity: Warning
  • Cross-repo analysis: skipped
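The pinning check raised in the inline comment on tabnine-review-pr.yml and repeated under Key Findings is easy to turn into a repository-wide scan. The script below is an added example, not code from this PR or from Tabnine's tooling: it flags every `uses:` reference whose ref is not a full 40-character hex commit SHA. Note that it is stricter than the review above, which treats version tags as pinned: a tag such as `@v4` is also a mutable ref that the upstream owner can move, so the check flags tags and branches alike. The sample workflow it scans is constructed for the example and modelled on the reviewed file; the 40-hex SHA on its last step is made up and does not correspond to any real commit.

```shell
#!/usr/bin/env bash
# Added example (not part of this PR or of Tabnine's tooling): flag GitHub Actions
# `uses:` references that are not pinned to an immutable 40-hex commit SHA.
set -eu

# Return 0 if a single action reference (e.g. "owner/repo@<ref>") is pinned to a
# full 40-character lowercase hex commit SHA; 1 for branches, tags, or no ref at all.
is_sha_pinned() {
  case "$1" in
    *@*) ;;
    *) return 1 ;;
  esac
  sha="${1##*@}"
  [ "${#sha}" -eq 40 ] || return 1
  case "$sha" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Print "file:line: ref" for every third-party action in a workflow file that is not
# SHA-pinned. Local actions (./path) and docker:// images are skipped. The check is
# deliberately strict and flags version tags (@v4) as well as branches (@main),
# because a tag is a mutable ref that the upstream owner can move.
find_unpinned() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
      sub(/[[:space:]]*#.*$/, "", ref)      # strip a trailing "# v1.2.3" comment
      gsub(/["'\'']/, "", ref)               # strip quotes around the value
      if (ref ~ /^\.\//) next                # action checked out from this repo
      if (ref ~ /^docker:\/\//) next         # container image, pinned by digest elsewhere
      n = split(ref, parts, "@")
      sha = parts[n]
      if (n < 2 || length(sha) != 40 || sha !~ /^[0-9a-f]+$/)
        print FILENAME ":" NR ": " ref
    }' "$1"
}

# Constructed sample workflow, modelled on the one reviewed in this PR. The SHA on
# the last step is made up for this example and does not correspond to a real commit.
SAMPLE_WORKFLOW="$(mktemp)"
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat >"$SAMPLE_WORKFLOW" <<'EOF'
name: tabnine-review
on:
  pull_request:
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/local-helper
      - name: Code Review
        uses: codota/tabnine-pr-agent@main
      - uses: "actions/setup-node@0123456789abcdef0123456789abcdef01234567"  # v4.x, SHA made up
EOF

# Expected: two findings, actions/checkout@v4 and codota/tabnine-pr-agent@main.
find_unpinned "$SAMPLE_WORKFLOW"
```

Run it over every file under `.github/workflows/` in CI and fail the job on any output; a pinned SHA should always be followed by a comment naming the tag it was resolved from, so that a later reader (or Dependabot) can tell what version the hash represents.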

@Pavel-tabnine Pavel-tabnine merged commit e5d4b2b into main Mar 9, 2026
9 checks passed