docs: README クイックスタートを更新#1
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Summary of ChangesHello @s977043, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! このプルリクエストは、README.mdファイルを大幅に更新し、プロジェクトの目的、クイックスタート手順、および貢献ガイドラインを明確にすることを目的としています。特に、AIコードレビューの導入と運用に関するフレームワークとしての役割を強調し、GitHub Actions を利用した新しいクイックスタートを提供することで、ユーザーがより迅速にプロジェクトを開始できるように改善されています。 Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Pull Request Overview
This PR refreshes the README quickstart documentation to better align with the project's current structure and purpose. The changes shift focus from a generic AI code review system to a specific framework with Docusaurus documentation.
- Updated project description to emphasize the Docusaurus-based documentation and knowledge base approach
- Replaced Python-based linting quickstart with GitHub Actions AI review workflow
- Added structured sections for documentation editing, directory overview, and contribution guidelines
Comments suppressed due to low confidence (1)
README.md:1
- The term '抽象者' appears to be a typo. It should likely be '担当者' (person in charge) or '専門者' (specialist) based on the context of AppSec professionals.
# AI Review Kit
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
There was a problem hiding this comment.
Code Review
このプルリクエストは、README.mdを更新し、より正確で有用なクイックスタートガイドを提供するものです。以前のガイドは一般的なPythonリンターに関するものでしたが、新しいガイドはai-review-kitプロジェクトに特化し、そのGitHub Actionを使用するものになっています。また、新しいREADMEにはプロジェクトのテーマ、ローカルでの開発手順、ディレクトリ構造に関するセクションも追加されており、新規ユーザーやコントリビューターにとっての入り口として、ドキュメントの品質が大幅に向上しています。
レビューの中で、GitHub Actionsのサンプルコードに古いバージョンのactions/checkoutとactions/setup-nodeが使われている点を指摘しました。パフォーマンスとセキュリティを向上させるため、最新のメジャーバージョン(v4)に更新することを提案しています。
全体として、これはプロジェクトのドキュメントに対する素晴らしい改善です。
| - uses: actions/checkout@v3 | ||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v3 |
There was a problem hiding this comment.
GitHub Actionsのバージョンを更新することをお勧めします。
actions/checkoutはv4が利用可能です。actions/setup-nodeはv4が利用可能です。
主要なバージョン(例:@v4)を指定することで、破壊的変更を避けつつ、最新の機能やセキュリティパッチを自動的に取り込むことができます。1
| - uses: actions/checkout@v3 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v3 | |
| - uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 |
Style Guide References
Footnotes
-
GitHub Actionsでは、セキュリティと安定性の観点から、アクションを特定のバージョンに固定することが推奨されています。メジャーバージョンタグ(例: v4)を使用すると、最新のマイナーバージョンとパッチバージョンが自動的に適用され、セキュリティ修正などが反映されます。常に最新のメジャーバージョンを利用することがベストプラクティスです。 ↩
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| - uses: actions/checkout@v3 | ||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v3 |
There was a problem hiding this comment.
Using outdated action versions. Consider updating to actions/checkout@v4 and actions/setup-node@v4 for better security and performance.
| - uses: actions/checkout@v3 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v3 | |
| - uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
| uses: s977043/ai-review-kit-action@v1 | ||
| with: | ||
| python-version: '3.11' | ||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install pylint | ||
| if [ -f requirements.txt ]; then pip install -r requirements.txt; fi | ||
| - name: Run pylint | ||
| run: | | ||
| pylint $(git ls-files '*.py') --fail-under=8.0 | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| openai-api-key: ${{ secrets.OPENAI_API_KEY }} |
There was a problem hiding this comment.
[P1] Document fork-secret limitation in quickstart workflow
The quickstart workflow triggers on pull_request and passes OPENAI_API_KEY from repository secrets to the action. GitHub does not expose repository secrets to workflows triggered from forked pull requests, so following these instructions verbatim will cause the job to fail for every external contribution without an obvious workaround. Consider adding a note or guard (e.g., run only on push or use pull_request_target with scoped permissions) so teams adopting this example do not end up with a permanently failing check on forked PRs.
Useful? React with 👍 / 👎.
0053ae9 to
684fb26
Compare
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
README.md:1
- The term '抽象者' (abstractor) appears to be a typo. This should likely be '担当者' (person in charge) or '専門者' (specialist) in the context of AppSec professionals.
# AI Review Kit
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <[email protected]>
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # TODO: Replace with your actual action reference | ||
| uses: s977043/ai-review-kit-action@v1 # <--- Replace with your action |
There was a problem hiding this comment.
The TODO comment on line 33 says to replace with 'your actual action reference', but line 34 already contains a specific action reference 's977043/ai-review-kit-action@v1'. This creates confusion about whether this is a placeholder or an actual reference. Either remove the TODO and clarify that this is an example, or use a clearly generic placeholder like 'your-org/your-action@v1'.
| # TODO: Replace with your actual action reference | |
| uses: s977043/ai-review-kit-action@v1 # <--- Replace with your action | |
| uses: s977043/ai-review-kit-action@v1 |
| このプロジェクトはコミュニティの力で成長します。新しいチェック項目やエージェントの実装例、ドキュメントの改善など、あらゆる貢献を歓迎します。詳しくは [`CONTRIBUTING.md`](CONTRIBUTING.md) を参照してください。 | ||
| ## 🤝 コントリビューション | ||
| - 変更提案の前に [`CONTRIBUTING.md`](CONTRIBUTING.md) と `docs/governance/CONTRIBUTING.md` を確認してください。 | ||
| - 作業範囲や禁止事項は `AGENTS.md` に記載されています。編集前に必ず確認します。 |
There was a problem hiding this comment.
Corrected verb tense from '確認します' to '確認してください' for consistency with imperative form used in other bullet points.
| - 作業範囲や禁止事項は `AGENTS.md` に記載されています。編集前に必ず確認します。 | |
| - 作業範囲や禁止事項は `AGENTS.md` に記載されています。編集前に必ず確認してください。 |
- 日本語の動詞形式を統一 ('確認します' → '確認してください')
- アクション参照のコメントを明確化
- フォークPRでのsecrets利用に関する警告を追加
Vercelデプロイ失敗の原因となっていた scripts/postbuild.js への 参照を削除。このファイルは存在しないためビルドが失敗していた。
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| ### ワークフローファイルの作成 | ||
| リポジトリのルートに `.github/workflows/lint.yml` を作成して以下を記述してください。 | ||
| > **⚠️ 重要**: フォークされたリポジトリからのPRでは、GitHub がセキュリティ上の理由でリポジトリのsecretsを公開しません。外部コントリビューターからのPRでレビューを実行する場合は、`pull_request_target` イベントの使用を検討するか、適切な権限スコープを設定してください。詳細は [GitHub Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) を参照してください。 |
There was a problem hiding this comment.
The warning about pull_request_target should be more explicit about the security implications. Using pull_request_target with untrusted code can allow malicious PRs to access repository secrets. Consider adding a warning that when using pull_request_target, the workflow should not checkout or execute code from the PR without additional security measures.
| > **⚠️ 重要**: フォークされたリポジトリからのPRでは、GitHub がセキュリティ上の理由でリポジトリのsecretsを公開しません。外部コントリビューターからのPRでレビューを実行する場合は、`pull_request_target` イベントの使用を検討するか、適切な権限スコープを設定してください。詳細は [GitHub Docs](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) を参照してください。 | |
| > **⚠️ 重要**: フォークされたリポジトリからのPRでは、GitHub がセキュリティ上の理由でリポジトリのsecretsを公開しません。外部コントリビューターからのPRでレビューを実行する場合は、`pull_request_target` イベントの使用を検討するか、適切な権限スコープを設定してください。 |
|
PR #2で同様の内容(より新しいクイックスタート)がマージされたため、このPRを閉じます。 |
- Remove unused `import matter from 'gray-matter'` (Copilot #4) - Add explicit ID collision deduplication in convertAgentSkillToRR() so duplicate frontmatter IDs get `-2` suffix instead of silent overwrite (Sentry #1, Copilot #2) - Resolve fromPath relative to projectRoot instead of CWD in discoverAgentSkillPaths() (Copilot #3) - Clarify --to help text for import/export subcommands (Gemini #5) - Add test for colliding explicit IDs Co-Authored-By: Claude Opus 4.6 <[email protected]>
* docs(runbook): add release-smoke.md (codex final-pass review item #3) Close the third drift item from Codex's final-pass review (after the v0.51.0–v0.55.0 sprint). Items #1 and #2 already landed: - #1 README Epic 1 status drift (PR #889) - #2 risk-map example (PR #896) - #3 release smoke runbook (this PR) Add docs/runbook/release-smoke.md as a sibling to docs/runbook/dev.md. It is not a release runbook (release-please handles tagging), but the smoke test that confirms a fresh tag installs cleanly for an adopter. Sections - When to run: post release-please merge, post dependabot prod-dep bump, pre announcement. - What it verifies: lint/tests/skills validate, river run dry-run, npm pack --dry-run, npm audit --omit=dev, GitHub Release presence. - Smoke sequence: single bash block, all commands must exit 0. - Release confirmation via gh: tagName / publishedAt / changelog body. - When the smoke fails: concrete recovery moves for the 5 common failure modes (lockfile drift, dist staleness, audit vuln, release 404, skill loader error), pointing at the existing docs and PRs that document each fix. - Out of scope: cross-platform install, npx river try, real LLM, Vercel. No code change. Refs: PRs #889, #896 (sibling Codex final-pass items), docs/development/npm-distribution-design.md, AGENT_LEARNINGS.md gh-api empty-commit entry. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * docs(runbook): apply gemini PR #897 review on release-smoke Both gemini comments are valid; apply. 1. Resolve TAG via the upstream GitHub Release instead of the local package.json. The previous form trusted that the operator had already pulled main after the release-please merge; if they had not, the local package.json could point at the previous version and the smoke would run against the wrong commit. Use `gh release view --json tagName --jq .tagName` so the upstream release is the source of truth. 2. The "feedback_release_please_workflow_race.md memory if available" pointer was misleading — that file is Claude's internal memory, not a repo doc. Replace with a concrete pointer to the AGENT_LEARNINGS.md 2026-05-24 entry that actually carries the gh-api empty-commit pattern in the repo. No content change beyond these two clarifications. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
…alidation - Consume positional target path after subcommand in review parse block (#1) - Pass targetPath to routeReviewMode (#1) - Warn instead of silently dropping riskMap load errors (#3) - Reject unsupported --format values with exit code 3 (#7) Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
…1324) * feat: add Review Mode Router for risk-based review depth selection - Add `src/lib/review-mode-router.mjs`: routeReviewMode() and formatRouterResultMarkdown() — pure heuristic, no LLM calls - Add `tests/review-mode-router.test.mjs`: 17 unit tests (all pass) - Add `river review route` CLI subcommand (--format json|markdown) - Add `docs/development/review-mode-router-design.md`: design doc Routing priority: risk-map require_human_review > escalate > migration/schema > large diff (≥20 files or ≥500 lines) > infra/config > docs/test-only > standard (default). Fixes #1323 Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix: cli route handler path parsing, riskMap error handling, format validation - Consume positional target path after subcommand in review parse block (#1) - Pass targetPath to routeReviewMode (#1) - Warn instead of silently dropping riskMap load errors (#3) - Reject unsupported --format values with exit code 3 (#7) Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * docs: sync review-policy.md SSoT with Review Mode Router vocabulary Add mode taxonomy (light/standard/team/human-required), routing triggers, and CLI usage for `river review route`. Closes SSoT gap from PR #1324 (#4). Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(review-mode-router): address second review cycle findings - fix: river review route without --format flags defaulted to parsed.output='text' and always exited code 3; use formatExplicit/outputExplicit to default to json - fix: quote targetPath in buildNextCommand when path contains spaces - refactor: hasAnyFiles now uses fileCount > 0 (dedup with existing var) - docs: add comment to Rule 5 guard explaining suppression intent - docs: add §8 Review Mode Router section to review-policy.en.md (SSoT sync) - docs: update review-mode-router-design.md — add targetPath to RouterInput, narrow confidence to 'high'|'medium', parameterize nextCommand examples Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * build: rebuild action dist after cli.mjs changes src/cli.mjs is bundled into runners/github-action/dist/index.mjs via ncc. Rebuild required after route handler and format validation fixes. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix(review-mode-router): address CodeQL and Gemini bot review findings - fix: escape backslashes before double-quotes in buildNextCommand (CodeQL: incomplete string escaping in shell command suggestion) - fix: treat unknown file types as substantive to prevent incorrect demotion to light mode (Gemini: .rs/.py files classified as unknown were erroneously routed to light) - test: add unknown-file-only → standard mode regression test - build: rebuild action dist Co-Authored-By: Claude Sonnet 4.6 <[email protected]> --------- Co-authored-by: Claude Sonnet 4.6 <[email protected]>
概要
テスト