feat(cmd): add kit github install command (#60) #61
- Add `kit github` parent command and `kit github install` subcommand that scaffolds .github/workflows/kit.yml to run Kit as a GitHub Actions collaborator/reviewer triggered by `/kit` comments
- Generate a least-privilege workflow with persist-credentials: false, resolve the provider secret env var from the model registry, and refuse to clobber an existing file unless --force
- Offer to set the provider secret via the gh CLI when available; flags: --model, --force, --no-secret
- Add unit tests for secret resolution, workflow rendering, and write
- Document the command in README and the docs site (cli/commands, index)

Fixes #60
Connected to Huly®: KIT-62
📝 Walkthrough
Adds a
Changes
kit github install command
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant runGitHubInstall as kit github install
    participant resolveGitHubModel
    participant writeGitHubWorkflow
    participant maybeSetProviderSecret
    participant ghCLI as gh CLI
    User->>runGitHubInstall: kit github install [--model M] [--force] [--no-secret]
    runGitHubInstall->>resolveGitHubModel: resolve model
    resolveGitHubModel-->>runGitHubInstall: model string (flag / prompt / default)
    runGitHubInstall->>writeGitHubWorkflow: render + write .github/workflows/kit.yml
    writeGitHubWorkflow-->>runGitHubInstall: written (or error if exists and not --force)
    runGitHubInstall->>maybeSetProviderSecret: conditionally set secret
    maybeSetProviderSecret->>ghCLI: gh secret set PROVIDER_API_KEY
    ghCLI-->>maybeSetProviderSecret: exit code
    maybeSetProviderSecret-->>runGitHubInstall: done
    runGitHubInstall->>User: print next steps (commit, set secret, comment /kit)
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 2
🧹 Nitpick comments (1)
cmd/github.go (1)
3-14: ⚡ Quick win
Separate the local Kit import from third-party imports.
`github.com/mark3labs/kit/pkg/kit` is a local import and should be in its own group after third-party imports.
As per coding guidelines, “Organize imports in order: stdlib → third-party → local, with blank lines between groups.”
Proposed import grouping
import ( "fmt" "os" "os/exec" "path/filepath" "strings" "charm.land/huh/v2" "github.com/charmbracelet/log" - kit "github.com/mark3labs/kit/pkg/kit" "github.com/spf13/cobra" + + kit "github.com/mark3labs/kit/pkg/kit" )
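Review bot: the moved line keeps the explicit `kit` alias on `github.com/mark3labs/kit/pkg/kit`; if that package is declared as `package kit`, the alias is redundant and can be dropped while the line is being moved. Because the ordering is a stated project guideline, consider enforcing it mechanically (for example `goimports -local github.com/mark3labs/kit` in CI) so the grouping does not depend on review.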
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/github.go`:
- Around line 84-102: Fix the API key exposure in the gh secret set command by
preventing the value from being passed as a command-line argument. Add the
"context" import at the top of the file, modify the runGitHubInstall function
signature to use the cmd *cobra.Command parameter instead of ignoring it with
underscore, and pass cmd.Context() to the maybeSetProviderSecret function.
Update the maybeSetProviderSecret function to accept context.Context as its
first parameter, then use exec.CommandContext with that context instead of
exec.Command, remove the --body flag argument, and feed the secret value through
standard input (stdin) instead of as a command-line argument to prevent the API
key from appearing in the process argument list.
- Around line 160-168: The workflow condition in the `if` statement grants write
permissions and access to secrets but allows any commenter to trigger it.
Additionally, the `contains(github.event.comment.body, ' /kit')` pattern
incorrectly matches incidental mentions of /kit anywhere in the comment body,
not just as a command invocation. Add an author-association gate to the
condition to restrict execution only to repository owners, members, and
collaborators by checking github.event.comment.author_association against a list
of trusted roles. Also refine the command matching pattern to ensure `/kit` is
recognized as a leading command token rather than matching it as an incidental
substring within text.
---
Nitpick comments:
In `@cmd/github.go`:
- Around line 3-14: The imports in cmd/github.go are not properly organized
according to the coding guidelines. Reorganize the import block to follow the
standard order: standard library imports (fmt, os, os/exec, path/filepath,
strings), then third-party imports (charm.land/huh/v2,
github.com/charmbracelet/log, github.com/spf13/cobra), and finally local imports
(kit "github.com/mark3labs/kit/pkg/kit"). Add blank lines between each group to
separate the import categories.
📒 Files selected for processing (5)
- README.md
- cmd/github.go
- cmd/github_test.go
- www/pages/cli/commands.md
- www/pages/index.md
- Pass the provider secret to `gh secret set` via stdin instead of the --body flag so the API key never appears in the process argument list
- Gate the generated workflow on author_association (OWNER, MEMBER, COLLABORATOR) so untrusted users cannot trigger privileged runs
- Match `/kit` only as a leading command token instead of an incidental substring anywhere in the comment body
- Thread cmd.Context() through to the gh invocation
- Update tests and docs to reflect the refined trigger conditions
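The stdin change from the commit above, sketched as an added example that is not the PR's own code: `secretViaBody`, `secretViaStdin` and `argvLeaks` are hypothetical names, the key is a constructed value, and the commands are only built, never run. It relies on `gh secret set NAME` reading the value from standard input when `--body` is omitted.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strings"
)

// secretViaBody is the pattern the review flagged: the value becomes an
// argv entry, so it is visible in process listings while gh runs.
func secretViaBody(ctx context.Context, name, value string) *exec.Cmd {
	return exec.CommandContext(ctx, "gh", "secret", "set", name, "--body", value)
}

// secretViaStdin puts only the secret's name in argv and feeds the value
// through stdin, which gh reads when --body is absent.
func secretViaStdin(ctx context.Context, name, value string) *exec.Cmd {
	cmd := exec.CommandContext(ctx, "gh", "secret", "set", name)
	cmd.Stdin = strings.NewReader(value)
	return cmd
}

// argvLeaks reports whether secret appears in any argument of cmd.
// (Hypothetical helper, usable as a unit-test guard.)
func argvLeaks(cmd *exec.Cmd, secret string) bool {
	for _, arg := range cmd.Args {
		if strings.Contains(arg, secret) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed placeholder value, not a real key.
	const name, value = "ANTHROPIC_API_KEY", "constructed-key-not-real"
	ctx := context.Background()
	fmt.Println("--body leaks into argv:", argvLeaks(secretViaBody(ctx, name, value), value))
	fmt.Println("stdin leaks into argv: ", argvLeaks(secretViaStdin(ctx, name, value), value))
}
```

A check like `argvLeaks` in the unit tests keeps the `--body` form from being reintroduced later.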
Description

Adds a turnkey `kit github install` command that scaffolds a GitHub Actions workflow so Kit can run as an automated collaborator/reviewer in a repository. The generated `.github/workflows/kit.yml` triggers when someone comments `/kit ...` on an issue or pull request review, runs the agent non-interactively inside the runner, and lets it respond.

This is the Phase 1 slice of the GitHub integration designed in #60 — the setup/scaffolding path only. The generated workflow mirrors established security practice: least-privilege `permissions`, `persist-credentials: false`, and authentication via the built-in `secrets.GITHUB_TOKEN` plus a provider repository secret (e.g. `ANTHROPIC_API_KEY`). The GitHub handler logic and the external composite action are intentionally deferred to follow-up PRs.

The command prompts for the model interactively (pre-filled with a sensible default) or accepts `--model` to skip the prompt. The provider's secret env var is resolved from the model registry, falling back to `<PROVIDER>_API_KEY` for unknown providers. When the `gh` CLI is detected on `PATH` and the key is present in the environment, it offers to set the repository secret automatically. It refuses to clobber an existing workflow unless `--force`.

```bash
kit github install                 # interactive
kit github install --model anthropic/claude-sonnet-4-5-20250929
kit github install --force --no-secret
```

Part of #60 (this is the Phase 1 slice; the issue stays open to track the remaining phases).
Type of Change

Checklist
- `go test ./cmd/ -race`)
- `go vet ./cmd/...` passes

Additional Information
Added:
- `cmd/github.go` — `kit github` parent command and `kit github install` subcommand (flags: `--model`, `--force`, `--no-secret`)
- `cmd/github_test.go` — unit tests for provider secret resolution, workflow rendering, and the write/no-clobber/`--force` paths

Modified (docs):
- `README.md` — Features bullet, CLI Reference entry, and a dedicated GitHub Integration section
- `www/pages/cli/commands.md` — GitHub integration command reference
- `www/pages/index.md` — homepage feature bullet

Backward compatibility: Purely additive — introduces a new command and documentation only; no existing behavior changes.
Scope note: This PR is intentionally limited to the `install` scaffolding command. The generated workflow references `mark3labs/kit-action@v1`, which is planned as a separate follow-up PR (the action repo), as is the GitHub handler extension. See the design discussion on #60.

Summary by CodeRabbit
- `kit github install` command to scaffold a GitHub Actions workflow that runs Kit when `/kit` is posted as a comment on issues or pull request review threads.
- `--model`, `--force`, `--no-secret`), and workflow behavior/permissions.
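The trigger conditions raised in the review and tightened in the follow-up commit, modelled in Go as an added example (not the generated workflow or the project's code): it compares the quoted substring test with a gate that requires a trusted `author_association` and `/kit` as the leading token. Function names and sample comments are constructed, and the rule that no leading whitespace is tolerated is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// trustedAssociations holds the roles named in the follow-up commit.
var trustedAssociations = map[string]bool{
	"OWNER": true, "MEMBER": true, "COLLABORATOR": true,
}

// looseMatch reproduces the substring test quoted in the review:
// contains(github.event.comment.body, ' /kit').
func looseMatch(body string) bool {
	return strings.Contains(body, " /kit")
}

// isKitCommand accepts /kit only as the first token of the comment:
// the body is exactly "/kit" or "/kit" followed by whitespace.
// Assumption: the comment must begin with the token (no leading spaces).
func isKitCommand(body string) bool {
	if !strings.HasPrefix(body, "/kit") {
		return false
	}
	rest := body[len("/kit"):]
	return rest == "" || strings.ContainsAny(rest[:1], " \t\r\n")
}

// shouldRun is the combined gate: trusted author AND leading /kit token.
func shouldRun(body, authorAssociation string) bool {
	return trustedAssociations[authorAssociation] && isKitCommand(body)
}

func main() {
	// Constructed sample comments, not taken from any real repository.
	samples := []struct{ body, assoc string }{
		{"/kit review this change", "MEMBER"},
		{"/kit review this change", "NONE"},
		{"I tried typing /kit earlier and nothing happened", "OWNER"},
		{"/kitchen-sink test", "COLLABORATOR"},
		{"/kit", "OWNER"},
	}
	for _, s := range samples {
		fmt.Printf("%-13s loose=%-5v gated=%-5v %q\n",
			s.assoc, looseMatch(s.body), shouldRun(s.body, s.assoc), s.body)
	}
}
```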