
GitHub App that runs Agent-PR Reviewer on pull requests and posts findings as a sticky comment.

Project description

Agent-PR Reviewer — GitHub App (apr-app)

A FastAPI service that runs the apr engine on every pull request and posts the verdict as a sticky comment.

Status

v0.0.1 alpha. Same overall shape as sts-app: HMAC-verified webhooks, GitHub App JWT auth, tempdir-based per-file review.

What it does

  1. Receives pull_request webhook deliveries from GitHub.
  2. Verifies the X-Hub-Signature-256 header (HMAC-SHA256 over the raw request body) against APR_APP_WEBHOOK_SECRET and rejects deliveries that do not match.
  3. Calls the GitHub API to:
    • Fetch the PR's title + body + head SHA (GET /pulls/{n})
    • List the PR's changed files (GET /pulls/{n}/files)
    • Download each known-extension changed file's contents (GET /contents/{path}?ref=SHA) into a temp directory
  4. Runs apr.engine.review() against the temp directory with the PR title + description.
  5. Formats the ReviewReport as Markdown and either creates a sticky comment on the PR or updates the existing one (identified by an HTML marker).
  6. Cleans up the temp directory.
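The front door of that flow (steps 1 and 2) is the part worth getting exactly right, so here is a worked version as an added example. This is not apr-app's own code: it assumes the secret arrives as a str (the value of APR_APP_WEBHOOK_SECRET) and the request body as the raw bytes FastAPI hands you; sign_body, verify_signature, dispatch, REVIEWABLE_ACTIONS and the sample delivery are all hypothetical. Unlike the behaviour described in the configuration table (no secret means verification is skipped), this version fails closed when the secret is missing.

```python
"""Webhook receiver front door for the pull_request delivery flow.

Added example, not apr-app's own code. Assumes the secret is a str and the
body is the raw request bytes; all names below are hypothetical.
"""
import hashlib
import hmac
import json
from typing import Mapping, Optional

# Which pull_request actions trigger a review (assumption; the page only says
# "pull_request webhook deliveries").
REVIEWABLE_ACTIONS = {"opened", "synchronize", "reopened"}


def sign_body(secret: str, body: bytes) -> str:
    """Compute the X-Hub-Signature-256 value GitHub attaches to a delivery."""
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_signature(secret: Optional[str], body: bytes, header: Optional[str]) -> bool:
    """Fail closed: a missing secret, missing header, wrong algorithm prefix
    or digest mismatch all reject the delivery.

    The MAC is computed over the raw bytes exactly as received. Re-serialising
    the parsed JSON would change whitespace and key order and never match.
    """
    if not secret or not header:
        return False
    algorithm, _, sent = header.partition("=")
    if algorithm != "sha256" or not sent:
        return False
    expected = sign_body(secret, body)[len("sha256="):]
    # Constant-time comparison on bytes: a non-ASCII header cannot raise, and
    # partial digest matches do not leak through timing.
    return hmac.compare_digest(expected.encode("ascii"), sent.encode("utf-8"))


def dispatch(secret: Optional[str], body: bytes, headers: Mapping[str, str]) -> str:
    """Decide the fate of one delivery: 'reject', 'ignore' or 'review'.

    Signature first, event type second, JSON parsing last, so unauthenticated
    input is never parsed.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "reject"
    if headers.get("X-GitHub-Event") != "pull_request":
        return "ignore"
    try:
        payload = json.loads(body)
    except ValueError:
        return "reject"
    if payload.get("action") not in REVIEWABLE_ACTIONS:
        return "ignore"
    return "review"


# Constructed sample delivery (not a real GitHub payload).
SECRET = "something-long-and-random"
BODY = json.dumps({"action": "opened", "number": 7,
                   "pull_request": {"head": {"sha": "0" * 40}}}).encode()
HEADERS = {"X-GitHub-Event": "pull_request",
           "X-Hub-Signature-256": sign_body(SECRET, BODY)}


def demo() -> dict:
    """Exercise the happy path and the failure modes a reviewer cares about."""
    tampered = BODY.replace(b'"opened"', b'"closed"')
    return {
        "valid": dispatch(SECRET, BODY, HEADERS),
        "tampered_body": dispatch(SECRET, tampered, HEADERS),
        "no_secret_configured": dispatch(None, BODY, HEADERS),
        "no_header": dispatch(SECRET, BODY, {"X-GitHub-Event": "pull_request"}),
        "wrong_event": dispatch(SECRET, BODY, {**HEADERS, "X-GitHub-Event": "ping"}),
        "sha1_header": dispatch(SECRET, BODY,
                                {**HEADERS, "X-Hub-Signature-256": "sha1=" + "a" * 40}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>22}: {outcome}")
```

The ordering in dispatch matters: the signature gate runs before anything touches the body, so a forged or unsigned POST costs the service one HMAC and nothing else.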

Configuration

All settings are read from environment variables prefixed APR_APP_. A .env file in the working directory is also loaded automatically.

Variable                         Default                 Required for production
APR_APP_HOST                     127.0.0.1               no
APR_APP_PORT                     8000                    no
APR_APP_LOG_LEVEL                info                    no
APR_APP_RELOAD                   false                   no
APR_APP_WEBHOOK_SECRET           none                    yes. If unset, signature verification is skipped and any client that can reach /webhooks/github can submit a forged delivery; only run that way for local testing.
APR_APP_APP_ID                   none                    yes for production; numeric GitHub App ID
APR_APP_PRIVATE_KEY_PEM          none                    yes for production; the App's RSA private key (paste the PEM contents)
APR_APP_GITHUB_TOKEN             none                    dev only; Personal Access Token, ignored when App ID + key are set
APR_APP_GITHUB_API_URL           https://api.github.com  no; override for GHES
APR_APP_MAX_CHANGED_FILES        100                     no; beyond this the run is metadata-only
APR_APP_MAX_FILE_BYTES           512000                  no; per-file rules are skipped on larger files
APR_APP_REQUEST_TIMEOUT_SECONDS  20                      no

Running locally

uv sync --all-packages --all-groups
export APR_APP_WEBHOOK_SECRET="something-long-and-random"
export APR_APP_GITHUB_TOKEN="ghp_..."
apr-app
# or
python -m apr_app

# Smoke check
curl http://127.0.0.1:8000/health
curl http://127.0.0.1:8000/version

Endpoints

Method  Path              Purpose
GET     /                 Service identity (name, version)
GET     /health           Liveness probe
GET     /version          App + engine versions
POST    /webhooks/github  Webhook receiver; must carry a valid X-Hub-Signature-256
GET     /docs             OpenAPI spec

Sticky comment format

The bot's comment includes:

  • A hidden HTML marker so subsequent runs find and update it
  • An emoji headline summarizing the worst severity (🛑 critical / ❌ error / ⚠️ warning / ℹ️ info / ✅ clean)
  • Counts by severity
  • A table of up to 30 findings with severity, file:line, rule_id, and message
  • Footer with apr engine version + schema version + changed-file count
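A worked rendering of that format, plus the marker lookup that decides between creating and updating the comment, as an added example. This is not apr-app's code: the Finding and Report dataclasses stand in for the real ReviewReport (whose schema is not shown on this page), and MARKER, MAX_ROWS, render_comment, find_sticky and plan_write are hypothetical names. It also escapes pipes and newlines in finding messages, since a rule message containing "|" would otherwise break the Markdown table.

```python
"""Sticky-comment rendering and lookup.

Added example, not apr-app's own code. The report shapes, marker text and
function names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MARKER = "<!-- apr-app:sticky-comment -->"  # hypothetical hidden HTML marker
SEVERITY_ORDER = ("critical", "error", "warning", "info")
HEADLINE = {"critical": "🛑 critical", "error": "❌ error",
            "warning": "⚠️ warning", "info": "ℹ️ info", None: "✅ clean"}
MAX_ROWS = 30


@dataclass
class Finding:
    severity: str   # one of SEVERITY_ORDER
    file: str
    line: int
    rule_id: str
    message: str


@dataclass
class Report:
    findings: List[Finding]
    engine_version: str
    schema_version: str
    changed_files: int


def worst_severity(findings: Iterable[Finding]) -> Optional[str]:
    """Highest severity present, or None for a clean report."""
    present = {f.severity for f in findings}
    return next((s for s in SEVERITY_ORDER if s in present), None)


def _cell(text: str) -> str:
    """Escape pipes and newlines so untrusted message text cannot break the table."""
    return text.replace("|", "\\|").replace("\n", " ")


def render_comment(report: Report) -> str:
    """Marker, emoji headline, counts, capped findings table, footer."""
    findings = sorted(report.findings,
                      key=lambda f: (SEVERITY_ORDER.index(f.severity), f.file, f.line))
    counts = {s: sum(1 for f in findings if f.severity == s) for s in SEVERITY_ORDER}
    lines = [MARKER, f"### {HEADLINE[worst_severity(findings)]}", "",
             " · ".join(f"{counts[s]} {s}" for s in SEVERITY_ORDER), ""]
    if findings:
        lines += ["| severity | location | rule | message |", "|---|---|---|---|"]
        for f in findings[:MAX_ROWS]:
            lines.append(f"| {f.severity} | `{_cell(f.file)}:{f.line}` | "
                         f"`{_cell(f.rule_id)}` | {_cell(f.message)} |")
        if len(findings) > MAX_ROWS:
            lines.append(f"\n{len(findings) - MAX_ROWS} more finding(s) not shown.")
    lines += ["", f"apr {report.engine_version} · schema {report.schema_version} · "
                  f"{report.changed_files} changed file(s)"]
    return "\n".join(lines)


def find_sticky(comments: Iterable[dict]) -> Optional[int]:
    """Id of the bot's existing comment, found by MARKER, else None.

    `comments` has the shape of GET /issues/{n}/comments: dicts with "id" and "body".
    """
    for c in comments:
        if MARKER in (c.get("body") or ""):
            return c["id"]
    return None


def plan_write(comments: Iterable[dict]) -> Tuple[str, Optional[int]]:
    """('update', comment_id) when a marked comment exists, else ('create', None)."""
    existing = find_sticky(comments)
    return ("update", existing) if existing is not None else ("create", None)


# Constructed sample data (not real review output or API responses).
SAMPLE = Report(
    findings=[
        Finding("warning", "src/app.py", 12, "APR001", "f-string interpolated into SQL"),
        Finding("error", "src/auth.py", 40, "APR007", "token compared with == | use compare_digest"),
    ],
    engine_version="0.0.1", schema_version="1", changed_files=2)
EXISTING_COMMENTS = [
    {"id": 101, "body": "LGTM"},
    {"id": 102, "body": MARKER + "\n### ✅ clean"},
]

if __name__ == "__main__":
    print(render_comment(SAMPLE))
    print(plan_write(EXISTING_COMMENTS))
```

The marker is searched for as a substring rather than a prefix, so the lookup still works if a future version puts text ahead of it; keep the marker unique to this bot so a different tool's comment on the same PR is never overwritten.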

Apache-2.0 license. See CHANGELOG.

Download files

Source Distribution: devtrust_apr_app-0.0.1.tar.gz (16.3 kB)

Built Distribution: devtrust_apr_app-0.0.1-py3-none-any.whl (14.9 kB, Python 3)

File details

Details for the file devtrust_apr_app-0.0.1.tar.gz.

File metadata

  • Download URL: devtrust_apr_app-0.0.1.tar.gz
  • Size: 16.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for devtrust_apr_app-0.0.1.tar.gz
Algorithm Hash digest
SHA256 b52ba173ae9b9d6cf8ab80740f5a82dbad07c970e47b1e759a36459786ce6b9a
MD5 26727dc5f34dcfc681ca6d80c0ace996
BLAKE2b-256 ca0cb94254ebb3d56d2e11590313a100ef66f7a46a813ff44dab8914f9fac091


Provenance

The following attestation bundles were made for devtrust_apr_app-0.0.1.tar.gz:

Publisher: release.yml on AbdullahBakir97/DevTrust

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file devtrust_apr_app-0.0.1-py3-none-any.whl.

File hashes

Hashes for devtrust_apr_app-0.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 cdb69727e9e8ba7984b799a8fa3aa2d6b379656f6af054b4c996f2d18fe2d044
MD5 0fc8d1ad3243abf0e87cfa891403dbbd
BLAKE2b-256 3a066e2c1a4fc495fba702be678af8efffd10cf55c158b8573db2c7de47a49a2


Provenance

The following attestation bundles were made for devtrust_apr_app-0.0.1-py3-none-any.whl:

Publisher: release.yml on AbdullahBakir97/DevTrust

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
