Add PR-Agent job to GitLab CI for merge-request review

Run PR-Agent's `review` and `improve` commands against each merge
request from the canonical repository, posting an automated review
and code-improvement suggestions as MR comments. The rule restricts
the job to MRs whose source project matches CI_PROJECT_PATH so the
OpenAI key and GitLab personal access token are never exposed to
fork pipelines.

(cherry picked from commit 07345b25d931eec3342c9c1c57381896fa7de7cb)
(cherry picked from commit 425745426247b24b36d3e6eb36529d6166104140)
(cherry picked from commit 5550fb84ae1f80382c1a4f44edd3888f8391dca9)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4c90de77da61e42172395311f8b4cdc767bfc726..a07d13313c3f2f7b9a259175e009ead219fa0869 100644 (file)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2797,3 +2797,23 @@ autorebase-sub:
   <<: *autorebase
   rules:
     - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "pipeline" && $CI_COMMIT_REF_NAME =~ /^bind-9\.[0-9]+-sub$/ && $REBASE_ONLY == "1" && $CI_COMMIT_REF_NAME =~ $AUTOREBASED_BRANCHES'
+
+pr-agent:
+  <<: *other_checks_job
+  image:
+    name: registry.gitlab.isc.org/isc-projects/images/pr-agent:latest
+    entrypoint: [""]
+  script:
+    - cd /app
+    - export MR_URL="$CI_MERGE_REQUEST_PROJECT_URL/-/merge_requests/$CI_MERGE_REQUEST_IID"
+    - echo "MR_URL=$MR_URL"
+    - export gitlab__url="$CI_SERVER_URL"
+    - export gitlab__PERSONAL_ACCESS_TOKEN="$GITLAB_PERSONAL_ACCESS_TOKEN"
+    - export config__git_provider="gitlab"
+    - export openai__key="$OPENAI_KEY"
+    - python -m pr_agent.cli --pr_url="$MR_URL" review
+    - python -m pr_agent.cli --pr_url="$MR_URL" improve
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH == $CI_PROJECT_PATH && $GITLAB_PERSONAL_ACCESS_TOKEN && $OPENAI_KEY'
+      when: manual
+    - when: never