Migrate PR review plugin to extensions repository

.github/workflows/pr-review-by-openhands.yml

@@ -37,17 +37,82 @@ jobs:
             cancel-in-progress: true
         runs-on: ubuntu-24.04
         steps:
-            - name: Run PR Review
-              uses: OpenHands/software-agent-sdk/.github/actions/pr-review@main
+            - name: Checkout extensions repository
+              uses: actions/checkout@v4
               with:
-                  # LLM model(s) to use. Can be comma-separated for A/B testing
-                  # - one model will be randomly selected per review
-                  llm-model: litellm_proxy/claude-sonnet-4-5-20250929
-                  llm-base-url: https://llm-proxy.app.all-hands.dev
-                  # Review style: roasted (other option: standard)
-                  review-style: roasted
-                  # Use the PR's head commit SHA to test SDK changes on the SDK repo itself
-                  sdk-version: ${{ github.event.pull_request.head.sha }}
-                  llm-api-key: ${{ secrets.LLM_API_KEY }}
-                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
-                  lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}
+                  repository: OpenHands/extensions
+                  ref: main
+                  path: extensions
+
+            - name: Checkout PR repository
+              uses: actions/checkout@v4
+              with:
+                  repository: ${{ github.event.pull_request.head.repo.full_name }}
+                  ref: ${{ github.event.pull_request.head.ref }}
+                  fetch-depth: 0
+                  persist-credentials: false
+                  path: pr-repo
+
+            - name: Set up Python
+              uses: actions/setup-python@v5
+              with:
+                  python-version: '3.12'
+
+            # Security: this workflow executes untrusted PR content (diff/title/body) via an
+            # LLM-powered reviewer agent that can run Bash. GitHub Actions caches are shared
+            # across workflows within a repository and can enable cache-poisoning pivots into
+            # more-privileged workflows. Keep caching disabled here.
+            - name: Install uv
+              uses: astral-sh/setup-uv@v6
+              with:
+                  enable-cache: false
+
+            - name: Install GitHub CLI
+              shell: bash
+              run: |
+                  sudo apt-get update
+                  sudo apt-get install -y gh
+
+            - name: Install OpenHands dependencies
+              shell: bash
+              run: |
+                  # Install openhands SDK and tools from PyPI
+                  uv pip install --system openhands-sdk openhands-tools lmnr
+
+            - name: Run PR review
+              shell: bash
+              env:
+                  LLM_MODEL: litellm_proxy/claude-sonnet-4-5-20250929
+                  LLM_BASE_URL: https://llm-proxy.app.all-hands.dev
+                  REVIEW_STYLE: roasted
+                  LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
+                  GITHUB_TOKEN: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+                  LMNR_PROJECT_API_KEY: ${{ secrets.LMNR_SKILLS_API_KEY }}
+                  PR_NUMBER: ${{ github.event.pull_request.number }}
+                  PR_TITLE: ${{ github.event.pull_request.title }}
+                  PR_BODY: ${{ github.event.pull_request.body }}
+                  PR_BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
+                  PR_HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}
+                  REPO_NAME: ${{ github.repository }}
+              run: |
+                  cd pr-repo
+                  uv run python ../extensions/plugins/pr-review/scripts/agent_script.py
+
+            - name: Upload logs as artifact
+              uses: actions/upload-artifact@v4
+              if: always()
+              with:
+                  name: openhands-pr-review-logs
+                  path: |
+                      *.log
+                      output/
+                  retention-days: 7
+
+            - name: Upload Laminar trace info for evaluation
+              uses: actions/upload-artifact@v4
+              if: success()
+              with:
+                  name: pr-review-trace-${{ github.event.pull_request.number }}
+                  path: pr-repo/laminar_trace_info.json
+                  retention-days: 30
+                  if-no-files-found: ignore

.github/workflows/pr-review-evaluation.yml

@@ -57,22 +57,22 @@ jobs:
                     echo "This PR may not have been reviewed by the agent, skipping evaluation"
                   fi
 
-            - name: Checkout software-agent-sdk repository
+            - name: Checkout extensions repository
               if: steps.check-trace.outputs.trace_exists == 'true'
-              uses: actions/checkout@v5
+              uses: actions/checkout@v4
               with:
-                  repository: OpenHands/software-agent-sdk
-                  path: software-agent-sdk
+                  repository: OpenHands/extensions
+                  path: extensions
 
             - name: Set up Python
               if: steps.check-trace.outputs.trace_exists == 'true'
-              uses: actions/setup-python@v6
+              uses: actions/setup-python@v5
               with:
-                  python-version: '3.13'
+                  python-version: '3.12'
 
             - name: Install uv
               if: steps.check-trace.outputs.trace_exists == 'true'
-              uses: astral-sh/setup-uv@v7
+              uses: astral-sh/setup-uv@v6
               with:
                   enable-cache: true
 
@@ -92,7 +92,7 @@ jobs:
                   cp trace-info/laminar_trace_info.json .
 
                   # Run the evaluation script
-                  uv run python software-agent-sdk/examples/03_github_workflows/02_pr_review/evaluate_review.py
+                  uv run python extensions/plugins/pr-review/workflows/evaluate_review.py
 
             - name: Upload evaluation logs
               uses: actions/upload-artifact@v5