add AI-powered GitHub workflows and development agents #234
Implemented AI-powered GitHub workflows and development agents to streamline DevOps and support.
- Implemented 'AI Issue Triage' workflow to automatically analyze new issues using Gemini.
- Enhanced 'PR Review & Quality' workflow with automated code complexity analysis, trading risk checks, AI code review, automated backtesting, and documentation impact assessment.
- Added a suite of AI agents in scripts/: ai_bug_triager.py, ai_docs_agent.py, ai_pr_reviewer.py, automated_backtest.py, and trading_risk_guard.py.
- Introduced AISupportService and a Telegram-based support bot (ai_support_bot_telegram.py) for automated documentation and trade-related queries.
- Updated requirements.txt with google-generativeai and PyGithub dependencies.
🤖 Automated PR Quality Check
Validated PR structure, code complexity, and trading safety patterns. Reviewers have been notified.
```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install dependencies
        run: |
          pip install google-generativeai PyGithub

      - name: Run AI Bug Triager
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python scripts/ai_bug_triager.py \
            --repo "${{ github.repository }}" \
            --issue "${{ github.event.issue.number }}" \
            --github-token "$GITHUB_TOKEN" \
            --gemini-api-key "$GEMINI_API_KEY"
```
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 2 months ago
In general, this issue is fixed by adding an explicit permissions block to the workflow (either at the root level or within the specific job) that grants only the minimal scopes the job needs. For an issue‑triage workflow, the likely needs are read access to repository contents plus the ability to read/write issues (e.g., comment, label, close). That suggests contents: read and issues: write as a good least‑privilege baseline instead of inheriting broad default permissions.
The best fix here, without changing existing functionality, is to add a permissions block to the triage job (or at the workflow root). Since we only see a single job, putting it at the job level keeps the change tightly scoped. Based on the workflow’s purpose (“AI Issue Triage”) and the fact that it passes GITHUB_TOKEN to a script that likely manipulates issues, we will explicitly grant contents: read and issues: write. This both satisfies CodeQL (by constraining the token) and documents the workflow’s expected permissions. The specific change is to insert, in .github/workflows/issue-triage.yml, a permissions: section under triage: before runs-on: ubuntu-latest. No additional imports, methods, or external definitions are needed, as this is purely a YAML configuration change for GitHub Actions.
| @@ -6,6 +6,9 @@ | ||
|
|
||
| jobs: | ||
| triage: | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository |
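Review bot: the job-level `permissions:` block (`contents: read`, `issues: write`) matches what the single `Run AI Bug Triager` step needs, but because it sits only under `triage:`, any job added to this workflow later would still inherit the repository's default token permissions; consider also adding a workflow-level `permissions: contents: read` (or `permissions: {}`) so that job-level grants become the only route to write access. It is also worth confirming against scripts/ai_bug_triager.py that the token, which the step passes explicitly via `--github-token`, needs only the `issues` scope (labels, comments, close) and nothing under `pull-requests`.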
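To make the CodeQL finding and the autofix concrete, here is an added least-privilege audit (my own example, not CodeQL's rule or the project's scripts): it takes a workflow already parsed into a dict, as PyYAML's `safe_load` would produce, and reports jobs whose GITHUB_TOKEN scope is implicit or over-broad. The workflow dicts are constructed from the triage workflow quoted above with steps abbreviated, and the workflow-level default is an addition beyond what the autofix inserts.

```python
import copy
from typing import Optional, Union

# Scopes a `permissions:` block may name (the subset this check recognises).
KNOWN_SCOPES = {"actions", "checks", "contents", "deployments", "discussions", "id-token",
                "issues", "packages", "pages", "pull-requests", "repository-projects",
                "security-events", "statuses"}
Perms = Union[str, dict]  # "read-all"/"write-all", or a scope -> level mapping


def effective_permissions(workflow: dict, job_name: str) -> Optional[Perms]:
    """Job-level block wins, then the workflow-level block. None means the job
    inherits the repository's default GITHUB_TOKEN permissions, which the
    workflow file itself does not constrain (the condition CodeQL flags)."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")


def audit_workflow(workflow: dict) -> list:
    """One finding per job whose token scope is not explicit and least-privilege."""
    findings = []
    for name in workflow.get("jobs", {}):
        perms = effective_permissions(workflow, name)
        if perms is None:
            findings.append(f"{name}: no permissions block, GITHUB_TOKEN inherits repository default")
        elif perms == "write-all":
            findings.append(f"{name}: write-all grants every scope")
        elif isinstance(perms, dict):
            for scope, level in perms.items():
                if scope not in KNOWN_SCOPES or level not in ("read", "write", "none"):
                    findings.append(f"{name}: unrecognised entry {scope}: {level}")
    return findings


# Constructed from the issue-triage workflow quoted above (steps abbreviated).
TRIAGE_BEFORE = {"name": "AI Issue Triage", "jobs": {"triage": {
    "runs-on": "ubuntu-latest",
    "steps": [{"name": "Checkout repository", "uses": "actions/checkout@v4"},
              {"name": "Run AI Bug Triager",
               "env": {"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"},
               "run": "python scripts/ai_bug_triager.py ..."}]}}}
# The autofix scoped the token at job level; a workflow-level default is added
# here too, so a job appended later cannot silently inherit broader access.
TRIAGE_AFTER = copy.deepcopy(TRIAGE_BEFORE)
TRIAGE_AFTER["permissions"] = {"contents": "read"}
TRIAGE_AFTER["jobs"]["triage"]["permissions"] = {"contents": "read", "issues": "write"}

if __name__ == "__main__":
    print(audit_workflow(TRIAGE_BEFORE), audit_workflow(TRIAGE_AFTER))
```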
✅ Deploy Preview for resplendent-shortbread-e830d3 ready!
To edit notification comments on pull requests, go to your Netlify project configuration.