Merged
21 changes: 21 additions & 0 deletions .github/workflows/kimi-review.yml
@@ -0,0 +1,21 @@
name: Kimi Code Review

on:
pull_request:
types: [opened, synchronize]

permissions:
contents: read
pull-requests: write
checks: write

jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: howardpen9/kimi-code-reviewer@v1

Check notice on line 17 in .github/workflows/kimi-review.yml (GitHub Actions / Kimi Code Review):

[suggestion] Pin third-party action to specific SHA

Using a mutable version tag (`@v1`) for third-party actions introduces supply chain security risks. If the action's repository is compromised, malicious code could automatically execute in your workflow with `pull-requests: write` and `checks: write` permissions.

**Recommendation:** Pin to a specific commit SHA and use Dependabot or Renovate to update it:

```yaml
- uses: howardpen9/kimi-code-reviewer@<commit-sha> # v1.x.x
```

Raw output:
      - uses: howardpen9/kimi-code-reviewer@<commit-sha> # v1

with:
kimi_api_key: ${{ secrets.MOONSHOT_API_KEY }}
language: zh-TW
fail_on: never
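Review bot: `on: pull_request` together with `kimi_api_key: ${{ secrets.MOONSHOT_API_KEY }}` means pull requests opened from forks will run this job without the key, because GitHub does not expose repository secrets to fork-triggered `pull_request` runs, and with `fail_on: never` that condition is unlikely to be surfaced as a failing check. Either gate the job, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, or make sure the action reports a missing key clearly. Do keep `pull_request` rather than switching to `pull_request_target`: this job hands `pull-requests: write` and `checks: write` to a third-party action, so limiting what a fork can trigger, plus the SHA pinning the annotation above already recommends, is what contains that trust. Since every PR diff is sent to an external API through this key, a line in the README stating what data leaves the repository would also be appropriate.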
6 changes: 6 additions & 0 deletions src/kimi-runner.ts
@@ -3,11 +3,17 @@
import * as os from 'os'
import * as fs from 'fs'

/** Configuration for running a Kimi CLI session */
export interface KimiRunConfig {
/** The analysis prompt to send to Kimi */
prompt: string
/** Absolute path to the codebase root directory */
workDir?: string
/** Resume a specific session by ID */
sessionId?: string
/** Enable thinking mode for deeper analysis */
thinking?: boolean
/** Timeout in milliseconds (default: 600000) */

Check warning on line 16 in src/kimi-runner.ts (GitHub Actions / Kimi Code Review):

[warning] JSDoc default value mismatch

The JSDoc comment states the default timeout is 600000ms (10 minutes), but the actual default value in the `runKimi` function implementation is `300_000` (5 minutes). This inconsistency can mislead developers using this API.

**Current code (`runKimi` function):**

```typescript
const { prompt, workDir, sessionId, thinking, timeoutMs = 300_000 } = config
```

**Suggested fix:** Update the JSDoc to match the actual default value, or vice versa.

Raw output:
  /** Timeout in milliseconds (default: 300000) */

timeoutMs?: number
}
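Review bot: the `timeoutMs` JSDoc says `default: 600000` while the destructuring shown in the check annotation above uses `timeoutMs = 300_000`; settle on one source of truth, e.g. `/** Timeout in milliseconds (default: 300000) */`, or derive the doc value from a named constant so they cannot drift again. In the same block, `workDir` is optional but its comment ("Absolute path to the codebase root directory") does not say what directory is used when it is omitted; document that fallback, since it determines where the Kimi CLI session operates and which files it can read. The remaining added comments (`prompt`, `sessionId`, `thinking`) are fine.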
