From: Ondřej Surý <ondrej@isc.org>
Date: Sat, 16 May 2026 06:23:50 +0000 (+0200)
Subject: Add PR-Agent job to GitLab CI for merge-request review
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07345b25d931eec3342c9c1c57381896fa7de7cb;p=thirdparty%2Fbind9.git

Add PR-Agent job to GitLab CI for merge-request review

Run PR-Agent's `review` and `improve` commands against each merge
request from the canonical repository, posting an automated review
and code-improvement suggestions as MR comments. The rule restricts
the job to MRs whose source project matches CI_PROJECT_PATH so the
OpenAI key and GitLab personal access token are never exposed to
fork pipelines.
---

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 88c0c971795..dce77627d79 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2670,3 +2670,22 @@ autorebase-security:
   <<: *autorebase
   rules:
     - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "pipeline" && $CI_COMMIT_REF_NAME =~ /^security-(main|bind-9\.[0-9]+)$/ && $REBASE_ONLY == "1" && $CI_COMMIT_REF_NAME =~ $AUTOREBASED_BRANCHES'
+
+pr-agent:
+  stage: other-checks
+  image:
+    name: registry.gitlab.isc.org/isc-projects/images/pr-agent:latest
+    entrypoint: [""]
+  script:
+    - cd /app
+    - export MR_URL="$CI_MERGE_REQUEST_PROJECT_URL/-/merge_requests/$CI_MERGE_REQUEST_IID"
+    - echo "MR_URL=$MR_URL"
+    - export gitlab__url="$CI_SERVER_URL"
+    - export gitlab__PERSONAL_ACCESS_TOKEN="$GITLAB_PERSONAL_ACCESS_TOKEN"
+    - export config__git_provider="gitlab"
+    - export openai__key="$OPENAI_KEY"
+    - python -m pr_agent.cli --pr_url="$MR_URL" review
+    - python -m pr_agent.cli --pr_url="$MR_URL" improve
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_SOURCE_PROJECT_PATH == $CI_PROJECT_PATH && $GITLAB_PERSONAL_ACCESS_TOKEN && $OPENAI_KEY'
+    - when: never