
Conversation

@MegaRedHand
Collaborator

Summary

  • Consolidate three separate AI review workflows into a unified workflow using reusable workflows from lambdaclass/actions
  • Rename prompt file to match standardized naming convention
  • Enable on-demand reviews via /kimi, /codex, /claude commands

Changes

  • Add .github/workflows/ai-review.yml - unified workflow using lambdaclass/actions@v1
  • Rename .github/prompts/pr_review.md to .github/prompts/ai-review.md
  • Remove legacy workflows: pr_review_chatgpt.yaml, pr_review_claude.yaml, pr_review_kimi.yaml

Test plan

  • Verify workflow runs on PR open/ready_for_review
  • Test on-demand review commands (/kimi, /codex, /claude)
  • Confirm all three AI reviewers execute in parallel
  • Validate custom prompt is read from new location

@github-actions

🤖 Kimi Code Review

Review Summary

This PR replaces individual AI review workflows with a unified approach using lambdaclass/actions reusable workflows. The changes are infrastructure-only and don't affect consensus-critical code.

Issues Found

1. Missing Secrets Validation (ai-review.yml:18-36)

The workflow will fail silently if required secrets are missing. Add validation:

```yaml
# Emits a workflow annotation (does not fail the job) for each reviewer whose key is absent
- name: Validate secrets
  run: |
    if [ -z "${{ secrets.KIMI_API_KEY }}" ]; then
      echo "::warning::KIMI_API_KEY not configured - Kimi reviews disabled"
    fi
    if [ -z "${{ secrets.OPENAI_API_KEY }}" ]; then
      echo "::warning::OPENAI_API_KEY not configured - Codex reviews disabled"
    fi
    if [ -z "${{ secrets.ANTHROPIC_API_KEY }}" ]; then
      echo "::warning::ANTHROPIC_API_KEY not configured - Claude reviews disabled"
    fi
```

2. Workflow Trigger Inconsistency (ai-review.yml:19-22)

The new workflow triggers on [opened, ready_for_review] but the old ones also included synchronize and reopened. This means:

  • Pushes to existing PRs won't trigger reviews (breaking change)
  • Reopened PRs won't get reviews

Fix: Add missing trigger types:

types: [opened, synchronize, reopened, ready_for_review]

3. Comment Trigger Support Unclear

The PR description mentions /kimi, /codex, /claude triggers, but the workflow doesn't show how these are handled. Verify the reusable workflows support these triggers or add explicit handling.

4. Permission Regression

Old workflows had explicit permissions blocks. The new reusable workflows should preserve:

  • contents: read
  • pull-requests: write
  • issues: write (for Claude)

Verify these are set in the reusable workflows.

Positive Changes

Cleaner maintenance - Single workflow file vs 3 separate ones
DRY principle - Reusable workflows reduce duplication
Updated prompt filename - More specific naming (ai-review.md)

Recommendation

Address the trigger inconsistency (#2) before merging - this is the only user-visible regression.


Automated review by Kimi (Moonshot AI) · custom prompt

@github-actions

🤖 Codex Code Review

Findings

  • High – potential secret exposure on issue_comment: This workflow runs on every created issue comment and passes API secrets into reusable workflows. If those reusable workflows don’t strictly gate on trusted commenters/trigger phrases, a comment on a PR from a fork could execute with secrets. Please verify hard gating inside the reusable workflows, or add an explicit if: guard here to only run on trusted actors/commands. /.github/workflows/ai-review.yml:16-34
  • Medium – missing explicit permissions: The previous workflows declared permissions; the new workflow doesn’t. If the reusable workflows need to post PR comments, they may fail with the default read-only token. Consider adding permissions: pull-requests: write, contents: read (or per-job) to avoid silent failures. /.github/workflows/ai-review.yml:14-36

Consensus-layer review

  • No consensus/state-transition/XMSS/SSZ code changes in this PR; nothing to assess for fork choice, attestation processing, or finalization logic.

If the reusable workflows already enforce trusted-commenter gating and set permissions internally, this looks fine.


Automated review by OpenAI Codex · custom prompt

@greptile-apps
Contributor

greptile-apps bot commented Jan 30, 2026

Greptile Overview

Greptile Summary

This PR consolidates three separate AI review workflows (ChatGPT, Claude, Kimi) into a single unified workflow that uses reusable workflows from lambdaclass/actions@v1. The prompt file was renamed to match standardized naming (ai-review.md).

Key changes:

  • Unified workflow triggers all three reviewers in parallel
  • Changed trigger commands from @chatgpt, @kimi, @claude to /codex, /kimi, /claude
  • Simplified maintenance by delegating implementation to reusable workflows

Critical behavioral change:

  • Missing synchronize trigger - the new workflow won't run when PRs are updated with new commits, only on initial open and ready_for_review events. This is a significant regression from the old workflows.

Other considerations:

  • No explicit permissions defined (relies on reusable workflow defaults)
  • No concurrency control to cancel outdated reviews when new commits arrive

Confidence Score: 3/5

  • Safe to merge after addressing the missing synchronize trigger, which is a critical behavioral regression
  • The consolidation approach is solid and reduces duplication, but the missing synchronize trigger means reviews won't run on PR updates - a significant regression. The other missing features (permissions, concurrency) are less critical but still worth addressing.
  • .github/workflows/ai-review.yml requires attention to add the synchronize trigger

Important Files Changed

Filename Overview
.github/workflows/ai-review.yml New unified workflow using reusable workflows, but missing key configurations like permissions, concurrency control, and synchronize trigger

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant GitHub
    participant AI Review Workflow
    participant Kimi Reusable WF
    participant Codex Reusable WF
    participant Claude Reusable WF
    participant Kimi API
    participant OpenAI API
    participant Anthropic API

    alt PR opened or ready_for_review
        User->>GitHub: Open/Ready PR
        GitHub->>AI Review Workflow: Trigger workflow
    else On-demand via comment
        User->>GitHub: Comment /kimi, /codex, or /claude
        GitHub->>AI Review Workflow: Trigger workflow
    end

    par Parallel Reviews
        AI Review Workflow->>Kimi Reusable WF: Call reusable workflow
        Kimi Reusable WF->>Kimi API: Request review
        Kimi API-->>Kimi Reusable WF: Return review
        Kimi Reusable WF->>GitHub: Post review comment
    and
        AI Review Workflow->>Codex Reusable WF: Call reusable workflow
        Codex Reusable WF->>OpenAI API: Request review
        OpenAI API-->>Codex Reusable WF: Return review
        Codex Reusable WF->>GitHub: Post review comment
    and
        AI Review Workflow->>Claude Reusable WF: Call reusable workflow
        Claude Reusable WF->>Anthropic API: Request review
        Anthropic API-->>Claude Reusable WF: Return review
        Claude Reusable WF->>GitHub: Post review comment
    end

    GitHub-->>User: Display review comments
```


@greptile-apps greptile-apps bot left a comment


1 file reviewed, 3 comments


Comment on lines +17 to +18
```yaml
  pull_request:
    types: [opened, ready_for_review]
```

Missing synchronize trigger - old workflows ran on PR updates (synchronize), this only runs on opened and ready_for_review

Suggested change

```suggestion
  pull_request:
    types: [opened, ready_for_review, synchronize]
```

Comment on lines +14 to +20
```yaml
name: AI Code Review

on:
  pull_request:
    types: [opened, ready_for_review]
  issue_comment:
    types: [created]
```

Check that permissions are correctly inherited from the reusable workflows - old workflows explicitly set contents: read, pull-requests: write (Claude also had issues: write and id-token: write)


Comment on lines +22 to +36
```yaml
jobs:
  kimi-review:
    uses: lambdaclass/actions/.github/workflows/ai-review-kimi.yml@v1
    secrets:
      KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}

  codex-review:
    uses: lambdaclass/actions/.github/workflows/ai-review-codex.yml@v1
    secrets:
      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

  claude-review:
    uses: lambdaclass/actions/.github/workflows/ai-review-claude.yml@v1
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```

Consider adding concurrency control to cancel in-progress runs when new commits are pushed, preventing wasted API credits:

Suggested change

```suggestion
jobs:
  kimi-review:
    concurrency:
      group: ${{ github.workflow }}-kimi-${{ github.head_ref || github.run_id }}
      cancel-in-progress: true
    uses: lambdaclass/actions/.github/workflows/ai-review-kimi.yml@v1
    secrets:
      KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}

  codex-review:
    concurrency:
      group: ${{ github.workflow }}-codex-${{ github.head_ref || github.run_id }}
      cancel-in-progress: true
    uses: lambdaclass/actions/.github/workflows/ai-review-codex.yml@v1
    secrets:
      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

  claude-review:
    concurrency:
      group: ${{ github.workflow }}-claude-${{ github.head_ref || github.run_id }}
      cancel-in-progress: true
    uses: lambdaclass/actions/.github/workflows/ai-review-claude.yml@v1
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

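
Putting the Codex finding (gate `issue_comment` runs on trusted commenters before any secret reaches a called workflow) together with the Greptile notes (explicit permissions, concurrency control, the missing `synchronize` trigger), here is a hardened version of the caller workflow as an added example. It is not the file from this PR and not code from lambdaclass/actions; it assumes the three reusable workflows accept the secrets exactly as passed on this page and post their comments with the caller's GITHUB_TOKEN. The trusted-association list, the trigger phrases and the concurrency group keys are my own choices.

```yaml
name: AI Code Review

on:
  pull_request:
    # synchronize/reopened restored so pushes to an open PR get reviewed
    types: [opened, synchronize, reopened, ready_for_review]
  issue_comment:
    types: [created]

# Least privilege for the GITHUB_TOKEN handed to the called workflows.
# A reusable workflow can only narrow these, never widen them.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  kimi-review:
    # Run on PR events, or on a comment that (a) is on a pull request rather
    # than a plain issue, (b) carries the trigger phrase and (c) comes from a
    # trusted association. Without this guard the job, and with it the secret,
    # runs for every comment on the repository, including ones from fork
    # contributors. (Association list is an assumption; tune to the org.)
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request &&
       contains(github.event.comment.body, '/kimi') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                github.event.comment.author_association))
    # Cancel an in-flight Kimi review of the same PR when a newer event arrives.
    # issue_comment has no head_ref, so key on the PR/issue number instead.
    concurrency:
      group: ai-review-kimi-${{ github.event.pull_request.number || github.event.issue.number }}
      cancel-in-progress: true
    uses: lambdaclass/actions/.github/workflows/ai-review-kimi.yml@v1
    secrets:
      KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}

  codex-review:
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request &&
       contains(github.event.comment.body, '/codex') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                github.event.comment.author_association))
    concurrency:
      group: ai-review-codex-${{ github.event.pull_request.number || github.event.issue.number }}
      cancel-in-progress: true
    uses: lambdaclass/actions/.github/workflows/ai-review-codex.yml@v1
    secrets:
      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

  claude-review:
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request &&
       contains(github.event.comment.body, '/claude') &&
       contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
                github.event.comment.author_association))
    concurrency:
      group: ai-review-claude-${{ github.event.pull_request.number || github.event.issue.number }}
      cancel-in-progress: true
    uses: lambdaclass/actions/.github/workflows/ai-review-claude.yml@v1
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```

The guard has to sit on the job in the caller: the called workflow only sees the secret once the caller has decided to run the job, and `issue_comment` runs in the base repository with full secrets and with `github.ref` on the default branch, unlike a `pull_request` event from a fork, where GitHub withholds secrets. Two things this file cannot enforce and that should be checked in the called workflows: that they check out the PR head themselves, and that they do not execute anything from that head (build scripts, hooks, package installs) while the API keys are in the environment.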

@MegaRedHand MegaRedHand merged commit 86eaa6d into main Jan 30, 2026
7 checks passed
@MegaRedHand MegaRedHand deleted the ci/reusable-ai-review branch January 30, 2026 20:14