feat(cmd): add kit github install command (#60) #61

Merged
ezynda3 merged 2 commits into master from feat/60-github-install
Jun 15, 2026

@ezynda3 ezynda3 commented Jun 15, 2026

Contributor

Description

Adds a turnkey kit github install command that scaffolds a GitHub Actions workflow so Kit can run as an automated collaborator/reviewer in a repository. The generated .github/workflows/kit.yml triggers when someone comments /kit ... on an issue or pull request review, runs the agent non-interactively inside the runner, and lets it respond.

This is the Phase 1 slice of the GitHub integration designed in #60 — the setup/scaffolding path only. The generated workflow mirrors established security practice: least-privilege permissions, persist-credentials: false, and authentication via the built-in secrets.GITHUB_TOKEN plus a provider repository secret (e.g. ANTHROPIC_API_KEY). The GitHub handler logic and the external composite action are intentionally deferred to follow-up PRs.

The command prompts for the model interactively (pre-filled with a sensible default) or accepts --model to skip the prompt. The provider's secret env var is resolved from the model registry, falling back to <PROVIDER>_API_KEY for unknown providers. When the gh CLI is detected on PATH and the key is present in the environment, it offers to set the repository secret automatically. It refuses to clobber an existing workflow unless --force.

kit github install                                          # interactive
kit github install --model anthropic/claude-sonnet-4-5-20250929
kit github install --force --no-secret

Part of #60 (this is the Phase 1 slice; the issue stays open to track the remaining phases).

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactor / chore

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have added tests that prove my feature works
  • New and existing unit tests pass locally (go test ./cmd/ -race)
  • I have updated the documentation accordingly
  • go vet ./cmd/... passes

Additional Information

Added:

  • cmd/github.go — kit github parent command and kit github install subcommand (flags: --model, --force, --no-secret)
  • cmd/github_test.go — unit tests for provider secret resolution, workflow rendering, and the write/no-clobber/--force paths

Modified (docs):

  • README.md — Features bullet, CLI Reference entry, and a dedicated GitHub Integration section
  • www/pages/cli/commands.md — GitHub integration command reference
  • www/pages/index.md — homepage feature bullet

Backward compatibility: Purely additive — introduces a new command and documentation only; no existing behavior changes.

Scope note: This PR is intentionally limited to the install scaffolding command. The generated workflow references mark3labs/kit-action@v1, which is planned as a separate follow-up PR (the action repo), as is the GitHub handler extension. See the design discussion on #60.

Summary by CodeRabbit

  • New Features
    • GitHub Integration: Added kit github install command to scaffold a GitHub Actions workflow that runs Kit when /kit is posted as a comment on issues or pull request review threads.
  • Documentation
    • Updated README, CLI commands reference, and the product feature list with setup details, supported flags (--model, --force, --no-secret), and workflow behavior/permissions.
  • Tests
    • Added unit tests covering secret-name mapping, workflow rendering, and safe workflow file writing behavior.

- Add `kit github` parent command and `kit github install` subcommand
  that scaffolds .github/workflows/kit.yml to run Kit as a GitHub
  Actions collaborator/reviewer triggered by `/kit` comments
- Generate a least-privilege workflow with persist-credentials: false,
  resolve the provider secret env var from the model registry, and
  refuse to clobber an existing file unless --force
- Offer to set the provider secret via the gh CLI when available;
  flags: --model, --force, --no-secret
- Add unit tests for secret resolution, workflow rendering, and write
- Document the command in README and the docs site (cli/commands, index)

Fixes #60
@mark-iii-labs-huly


Connected to Huly®: KIT-62

@coderabbitai

coderabbitai Bot commented Jun 15, 2026


Walkthrough

Adds a kit github install CLI command that scaffolds a .github/workflows/kit.yml GitHub Actions workflow triggered by /kit comments on issues and PRs. The command resolves the AI model via flag, interactive prompt, or default; derives the provider secret name; writes the YAML; optionally sets the secret via gh CLI; and prints next-step instructions. Tests and documentation are included.

Changes

kit github install command

| Layer / File(s) | Summary |
|---|---|
| Command wiring and model resolution (cmd/github.go) | Defines constants, the top-level github Cobra command, the install subcommand with --model/--force/--no-secret flags, and resolveGitHubModel which picks a model from the flag, an interactive prompt, or a compiled-in default. |
| Workflow YAML generation and file writing (cmd/github.go) | providerSecretEnvVar maps a provider to its repository secret name; renderGitHubWorkflow builds the Actions YAML (triggers, permissions, model, env vars); writeGitHubWorkflow creates .github/workflows/kit.yml and gates overwriting on --force. |
| Install orchestration, secret setup, and next steps (cmd/github.go) | runGitHubInstall drives the full flow; maybeSetProviderSecret conditionally reads the provider API key from the environment and calls gh secret set; printGitHubInstallNextSteps prints the commit/secret/comment checklist. |
| Unit and integration tests (cmd/github_test.go) | Three tests cover secret-name mapping for known/unknown providers, workflow YAML substring correctness, and write/no-overwrite/force-overwrite behavior in a temp directory. |
| Documentation (README.md, www/pages/cli/commands.md, www/pages/index.md) | Adds the GitHub Integration feature bullet, kit github install usage examples, and a flags reference across README and website docs. |

Sequence Diagram

sequenceDiagram
  participant User
  participant runGitHubInstall as kit github install
  participant resolveGitHubModel
  participant writeGitHubWorkflow
  participant maybeSetProviderSecret
  participant ghCLI as gh CLI

  User->>runGitHubInstall: kit github install [--model M] [--force] [--no-secret]
  runGitHubInstall->>resolveGitHubModel: resolve model
  resolveGitHubModel-->>runGitHubInstall: model string (flag / prompt / default)
  runGitHubInstall->>writeGitHubWorkflow: render + write .github/workflows/kit.yml
  writeGitHubWorkflow-->>runGitHubInstall: written (or error if exists and not --force)
  runGitHubInstall->>maybeSetProviderSecret: conditionally set secret
  maybeSetProviderSecret->>ghCLI: gh secret set PROVIDER_API_KEY
  ghCLI-->>maybeSetProviderSecret: exit code
  maybeSetProviderSecret-->>runGitHubInstall: done
  runGitHubInstall->>User: print next steps (commit, set secret, comment /kit)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 Hop hop, a workflow blooms today,
/kit comments now light the way.
The rabbit writes YAML with care,
A secret set—no manual flair!
Push and commit, then watch it run—
GitHub collaboration, done! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a 'kit github install' command, which is the core feature implemented in this PR. |
| Linked Issues check | ✅ Passed | The PR successfully implements Phase 1 objectives: the 'kit github install' command with model selection, secure provider secret handling, author association gating, workflow scaffolding, and comprehensive documentation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to Phase 1 GitHub integration: command implementation, tests, README updates, and CLI documentation. No Phase 2 handler logic or Phase 3 GitHub App infrastructure is included. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
cmd/github.go (1)

3-14: ⚡ Quick win

Separate the local Kit import from third-party imports.

github.com/mark3labs/kit/pkg/kit is a local import and should be in its own group after third-party imports.

As per coding guidelines, “Organize imports in order: stdlib → third-party → local, with blank lines between groups.”

Proposed import grouping
 import (
 	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 
 	"charm.land/huh/v2"
 	"github.com/charmbracelet/log"
-	kit "github.com/mark3labs/kit/pkg/kit"
 	"github.com/spf13/cobra"
+
+	kit "github.com/mark3labs/kit/pkg/kit"
 )
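Review bot: the move of `kit "github.com/mark3labs/kit/pkg/kit"` into its own trailing group is only as durable as the next manual edit, because nothing in this hunk makes tooling enforce it. Plain gofmt preserves whatever blank-line groups it finds, so consider running goimports with `-local github.com/mark3labs/kit` (or an equivalent lint rule) in CI so the stdlib → third-party → local order is checked automatically rather than by review.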
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/github.go` around lines 3 - 14, The imports in cmd/github.go are not
properly organized according to the coding guidelines. Reorganize the import
block to follow the standard order: standard library imports (fmt, os, os/exec,
path/filepath, strings), then third-party imports (charm.land/huh/v2,
github.com/charmbracelet/log, github.com/spf13/cobra), and finally local imports
(kit "github.com/mark3labs/kit/pkg/kit"). Add blank lines between each group to
separate the import categories.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/github.go`:
- Around line 84-102: Fix the API key exposure in the gh secret set command by
preventing the value from being passed as a command-line argument. Add the
"context" import at the top of the file, modify the runGitHubInstall function
signature to use the cmd *cobra.Command parameter instead of ignoring it with
underscore, and pass cmd.Context() to the maybeSetProviderSecret function.
Update the maybeSetProviderSecret function to accept context.Context as its
first parameter, then use exec.CommandContext with that context instead of
exec.Command, remove the --body flag argument, and feed the secret value through
standard input (stdin) instead of as a command-line argument to prevent the API
key from appearing in the process argument list.
- Around line 160-168: The workflow condition in the `if` statement grants write
permissions and access to secrets but allows any commenter to trigger it.
Additionally, the `contains(github.event.comment.body, ' /kit')` pattern
incorrectly matches incidental mentions of /kit anywhere in the comment body,
not just as a command invocation. Add an author-association gate to the
condition to restrict execution only to repository owners, members, and
collaborators by checking github.event.comment.author_association against a list
of trusted roles. Also refine the command matching pattern to ensure `/kit` is
recognized as a leading command token rather than matching it as an incidental
substring within text.

📥 Commits

Reviewing files that changed from the base of the PR and between feaec42 and 41ab071.

📒 Files selected for processing (5)
  • README.md
  • cmd/github.go
  • cmd/github_test.go
  • www/pages/cli/commands.md
  • www/pages/index.md

Comment thread cmd/github.go Outdated
Comment thread cmd/github.go
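The first inline finding above (the API key passed to `gh secret set` through `--body`) can be seen by building both command shapes and inspecting their argument lists. This is an added example, not code from the PR; the function names and the key value are hypothetical, and the commands are only constructed, never executed.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strings"
)

// secretViaBody models the flagged pattern: the value rides in argv, so it is
// part of the process argument list for as long as gh runs.
func secretViaBody(ctx context.Context, name, value string) *exec.Cmd {
	return exec.CommandContext(ctx, "gh", "secret", "set", name, "--body", value)
}

// secretViaStdin keeps the value out of argv; gh reads the secret from
// standard input when --body is absent.
func secretViaStdin(ctx context.Context, name, value string) *exec.Cmd {
	cmd := exec.CommandContext(ctx, "gh", "secret", "set", name)
	cmd.Stdin = strings.NewReader(value)
	return cmd
}

// argvContains reports whether value is visible in any command-line argument.
func argvContains(cmd *exec.Cmd, value string) bool {
	for _, arg := range cmd.Args {
		if strings.Contains(arg, value) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample value, not a real key.
	const name, value = "ANTHROPIC_API_KEY", "sk-constructed-example-value"
	ctx := context.Background()
	// Build and inspect only; nothing is executed here.
	for _, cmd := range []*exec.Cmd{secretViaBody(ctx, name, value), secretViaStdin(ctx, name, value)} {
		fmt.Printf("argv=%q leaks=%v\n", cmd.Args[:4], argvContains(cmd, value))
	}
}
```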
- Pass the provider secret to `gh secret set` via stdin instead of the
  --body flag so the API key never appears in the process argument list
- Gate the generated workflow on author_association (OWNER, MEMBER,
  COLLABORATOR) so untrusted users cannot trigger privileged runs
- Match `/kit` only as a leading command token instead of an incidental
  substring anywhere in the comment body
- Thread cmd.Context() through to the gh invocation
- Update tests and docs to reflect the refined trigger conditions
@ezynda3 ezynda3 merged commit 7067c99 into master Jun 15, 2026
3 checks passed
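The trigger gate described in the second commit (author_association limited to OWNER, MEMBER, COLLABORATOR, and `/kit` matched only as a leading token) is modeled below in Go so its behavior can be checked against sample comments. This is an added example, not the workflow expression from the PR; the function names are hypothetical, the comments are constructed, and treating whitespace or end of body as the token boundary is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// trusted mirrors the author_association values named in the commit message.
var trusted = map[string]bool{"OWNER": true, "MEMBER": true, "COLLABORATOR": true}

// substringMatch models the check quoted in the review:
// contains(github.event.comment.body, ' /kit').
func substringMatch(body string) bool { return strings.Contains(body, " /kit") }

// isKitCommand accepts /kit only as the first token of the comment body:
// the body must start with "/kit" followed by whitespace or nothing at all.
func isKitCommand(body string) bool {
	if !strings.HasPrefix(body, "/kit") {
		return false
	}
	rest := body[len("/kit"):]
	return rest == "" || strings.ContainsRune(" \t\r\n", rune(rest[0]))
}

// shouldRun combines both gates: a trusted author and a leading /kit command.
func shouldRun(assoc, body string) bool { return trusted[assoc] && isKitCommand(body) }

func main() {
	comments := []struct{ assoc, body string }{ // constructed sample comments
		{"OWNER", "/kit review this PR"},
		{"NONE", "/kit review this PR"},
		{"MEMBER", "please do not type /kit here"},
		{"COLLABORATOR", "/kitchen-sink refactor"},
	}
	for _, c := range comments {
		fmt.Printf("%-13s %-32q old=%-5v new=%v\n",
			c.assoc, c.body, substringMatch(c.body), shouldRun(c.assoc, c.body))
	}
}
```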