Add holon trigger #3886
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Pull request overview
This PR adds a new GitHub Actions workflow for triggering Holon, an external automated tool integration. The workflow responds to issue comments, issue labels/assignments, and pull request labels to invoke the holon-solve workflow from the holon-run/holon repository.
- Adds automated trigger workflow for the Holon integration
- Configures triggers for issue comments, issue events, and pull request events
- Sets up necessary permissions and secrets for Anthropic API integration
| jobs: | ||
| holon: | ||
| name: Run Holon (via holon-solve) | ||
| uses: holon-run/holon/.github/workflows/holon-solve.yml@main |
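Review bot: the suggested replacement `@v1.0.0` on the `uses:` line still resolves a mutable ref, because a tag in holon-run/holon can be moved or re-created after this PR merges; pin the reusable workflow to a full 40-character commit SHA (`uses: holon-run/holon/.github/workflows/holon-solve.yml@<full-commit-sha>`, placeholder to be filled from the holon-run/holon history) and record the version in a trailing comment so the pin stays reviewable.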
The referenced external workflow is pinned to the 'main' branch, which is not a secure practice. The holon-run/holon repository's main branch could be updated with malicious code at any time, and this workflow would automatically use it. Consider pinning to a specific commit SHA or version tag instead for better security and reproducibility. For example: uses: holon-run/holon/.github/workflows/holon-solve.yml@v1.0.0 or uses: holon-run/holon@abc123def456...
| uses: holon-run/holon/.github/workflows/holon-solve.yml@main | |
| uses: holon-run/holon/.github/workflows/holon-solve.yml@v1.0.0 |
| # Keep config minimal; holon-solve derives issue_number/comment_body/mode/output_dir from the event. | ||
| log_level: 'debug' | ||
| issue_number: ${{ github.event.issue.number || github.event.pull_request.number }} | ||
| comment_id: ${{ github.event.comment.id }} |
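Review bot: the comment line in this hunk says holon-solve derives `comment_body` from the event, and the PR description says the workflow fires on issue comments, so text written by anyone who can comment on an issue reaches a job that holds the Anthropic secrets and write permissions; gate the `holon` job with an `if:` on the commenter, for example `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, or require a label that only maintainers can apply, before the reusable workflow is invoked.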
The secrets ANTHROPIC_AUTH_TOKEN and ANTHROPIC_BASE_URL are referenced but not documented anywhere in the repository. This makes it unclear what these secrets are, how to set them up, or why they're needed. Consider adding documentation about these required secrets, either in the PR description, README.md, or a CONTRIBUTING.md file to help other maintainers understand the setup requirements.
| comment_id: ${{ github.event.comment.id }} | |
| comment_id: ${{ github.event.comment.id }} | |
| # Required secrets: | |
| # - ANTHROPIC_AUTH_TOKEN: Anthropic API token used by Holon to call the Anthropic API. | |
| # Configure this as a GitHub Secret in the repository or organization settings. | |
| # - ANTHROPIC_BASE_URL: Base URL for the Anthropic API (for example a custom gateway endpoint). | |
| # Configure this as a GitHub Secret. If you use the default Anthropic endpoint, align this value | |
| # with the holon-run/holon documentation or your deployment requirements. |
| @@ -0,0 +1,32 @@ | |||
| name: Holon Trigger | |||
The workflow name should follow the naming convention used by other workflows in this repository. Other workflows use hyphenated names in title case (e.g., "Check-Build-Test", "Deploy TESTNET Seed"). Consider changing "Holon Trigger" to "Holon-Trigger" for consistency.
| name: Holon Trigger | |
| name: Holon-Trigger |
| # Keep config minimal; holon-solve derives issue_number/comment_body/mode/output_dir from the event. | ||
| log_level: 'debug' | ||
| issue_number: ${{ github.event.issue.number || github.event.pull_request.number }} | ||
| comment_id: ${{ github.event.comment.id }} |
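Review bot: `log_level: 'debug'` is hard-coded on a job that calls an API with a token, and job logs are readable by everyone who can view the workflow run; verbose output is the most likely place for request headers or payloads to end up in logs, so default to `'info'` and enable debug only through a `workflow_dispatch` input or a repository variable when troubleshooting.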
The comment_id parameter may not always be available. When the workflow is triggered by issues being labeled or assigned, or pull_requests being labeled (lines 6-9), there is no comment event, so github.event.comment.id will be null. This could cause issues with the holon-solve workflow if it expects a comment_id. Consider adding conditional logic or removing comment_id from the parameters when it's not applicable to the trigger event.
| comment_id: ${{ github.event.comment.id }} | |
| comment_id: ${{ github.event_name == 'issue_comment' && github.event.comment.id || '' }} |
| contents: write | ||
| issues: write | ||
| pull-requests: write | ||
| id-token: write |
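Review bot: whatever the final block looks like, the caller's `permissions:` here is a ceiling for the called holon-solve workflow, so dropping `id-token: write` or lowering `contents` to `read` will break any OIDC exchange or commit push inside holon-solve only at run time, not at validation; check the `permissions:` declared in holon-run/holon's holon-solve.yml at the pinned revision and grant exactly that set here, with a comment naming which step needs each scope.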
The permissions granted to this workflow are very broad. The workflow has write access to contents, issues, and pull-requests, plus id-token write permission. Consider whether all these permissions are necessary. If holon-solve only needs to read issues/PRs and comment on them, you should minimize permissions following the principle of least privilege. Review the actual requirements of the holon-solve workflow to determine if these permissions can be reduced.
| contents: write | |
| issues: write | |
| pull-requests: write | |
| id-token: write | |
| contents: read | |
| issues: write | |
| pull-requests: write |