Add cursor command files for PR workflow automation #30
Add cursor command files adapted from chrome-remote-devtools to executeJS repository:

- commit.md: commit message format and rules with executeJS-specific scopes
- copilot-review.md: apply GitHub Copilot review feedback
- init-pr.md: PR setup guide for ohah account
- pr.md: create/update PR workflow
- review-apply.md: apply PR review suggestions locally
- review.md: AI-powered PR review posting

All files updated with executeJS-specific references and scopes

Co-authored-by: ohah <16170776+ohah@users.noreply.github.com>

- Update agent.md reference in commit.md (was AGENTS.md)
- Update example paths in review.md to match actual repository structure (apps/executeJS/src/widgets/code-editor/code-editor.tsx)

Co-authored-by: ohah <16170776+ohah@users.noreply.github.com>
Pull request overview
This PR adds Cursor command definitions to automate the executeJS PR workflow, standardizing how commits, PRs, and reviews are created and applied using the ohah account and executeJS-specific paths.
Changes:
- Define commit message and pre-/post-commit conventions aligned with `agent.md` and executeJS tooling.
- Add PR creation/update and account/SSH handling flows specialized for `ohah/executeJS`, including `branch-summary.md` usage.
- Introduce AI/GitHub-review-related workflows (`review`, `review-apply`, `copilot-review`, `init-pr`) to fetch, apply, and track review feedback consistently.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `.cursor/commands/commit.md` | Documents executeJS-specific commit message format and required pre-/post-commit steps to keep commits consistent with `agent.md`. |
| `.cursor/commands/pr.md` | Defines how to create/update PRs for the current branch using ohah auth and the `git@github.com-private:ohah/executeJS.git` remote, including base-branch handling and label assignment. |
| `.cursor/commands/review.md` | Specifies the AI-powered PR review flow for `ohah/executeJS`, including how to construct a combined summary + inline-review payload and post it via `gh api`. |
| `.cursor/commands/review-apply.md` | Describes how to fetch PR review comments with `` ```suggestion `` blocks from `ohah/executeJS` and safely apply them locally with user confirmation on conflicts. |
| `.cursor/commands/copilot-review.md` | Outlines how to locate GitHub Copilot review feedback for a PR, apply the resulting code changes locally, and update `branch-summary.md`/PR descriptions accordingly. |
| `.cursor/commands/init-pr.md` | Provides a Korean-language quickstart for configuring SSH and `gh` auth for the `ohah/executeJS` repo before running `/pr`. |
| gh pr view --json number,title,body,url,additions,deletions,changedFiles | ||
| ``` | ||
|
|
||
| - If that fails (no PR): `gh pr list --head $(git branch --show-current)` to confirm. |
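Review bot: The fallback on the last line passes `$(git branch --show-current)` to `--head` unquoted, so the shell word-splits and glob-expands the branch name before `gh` receives it. Quote the substitution, `gh pr list --head "$(git branch --show-current)"`, so the name always arrives as one argument. Since this line is an instruction an agent acts on, it would also help to state that the name must come from the substitution at run time and never be pasted into the command text.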
Copilot
AI
Jan 30, 2026
The command `gh pr list --head $(git branch --show-current)` interpolates the current branch name into the shell without quoting, which can lead to command injection if a branch name contains shell metacharacters like `;` or `|`. An attacker who can get a maintainer to check out a branch with a maliciously crafted name and then run this automation could execute arbitrary commands on the developer machine. Pass the branch name as a single, safely quoted argument or use mechanisms that avoid embedding it directly into the shell command line.
| - If that fails (no PR): `gh pr list --head $(git branch --show-current)` to confirm. | |
| - If that fails (no PR): `gh pr list --head "$(git branch --show-current)"` to confirm. |
| gh pr view --json number,headRefOid | ||
| ``` | ||
|
|
||
| - If that fails: `gh pr list --head $(git branch --show-current)` to confirm. |
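Review bot: The fallback line has no handling for an empty branch name: `git branch --show-current` prints nothing on a detached HEAD, and the unquoted expansion then vanishes, leaving `--head` with no value. Add a step before it that stops with a clear message when the branch name is empty, and quote the substitution in the command itself.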
Copilot
AI
Jan 30, 2026
The command `gh pr list --head $(git branch --show-current)` uses unquoted command substitution for the current branch name, which can be abused for shell command injection if a branch name includes characters like `;` or `|`. A malicious contributor who controls a branch name and convinces a maintainer to run this workflow could trigger arbitrary command execution on the maintainer's machine. Ensure the branch name is handled as a single, safely quoted argument or obtained via APIs that avoid inlining it into the shell command string.
| - If that fails: `gh pr list --head $(git branch --show-current)` to confirm. | |
| - If that fails: `gh pr list --head "$(git branch --show-current)"` to confirm. |
| ```bash | ||
| gh pr view --json number,url # from repo root; fails if no PR for current branch | ||
| # or | ||
| gh pr list --head $(git branch --show-current) --state open --json number,url |
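Review bot: In the `# or` alternative the unquoted substitution sits directly in front of `--state open --json number,url`, so if it expands to nothing `--state` becomes the token that follows `--head`, and if it splits the extra word lands among the flags. Quote it as `--head "$(git branch --show-current)"`. The first line already lets `gh pr view` resolve the current branch without any interpolation, so the text could name that as the preferred form and keep the `gh pr list` variant as the fallback only.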
Copilot
AI
Jan 30, 2026
The example `gh pr list --head $(git branch --show-current) --state open --json number,url` embeds the current branch name into a shell command without quoting, enabling potential command injection if a branch name contains shell metacharacters. In a workflow where contributors can influence branch names, this could allow an attacker to execute arbitrary commands on a developer's machine when they run this helper. Use a safer pattern that passes the branch name as a single quoted argument or relies on tooling to infer the current branch without shell interpolation.
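What the quoting change discussed in the review comments above does at the shell level, as an added example that is not part of the PR or of the executeJS project. `emit_name`, `count_args`, `run_as_text`, `run_as_data` and the sample values are constructed stand-ins (the values need not be legal git branch names); the last two functions contrast a name pasted into command text with the same name passed as an argument.

```bash
# Constructed demo. emit_name stands in for `git branch --show-current`;
# the sample values are constructed and need not be legal git ref names.
emit_name() { printf '%s\n' "$1"; }

# Reports how many arguments the called command would receive.
count_args() { echo "$#"; }

# Unquoted substitution: the output is split on whitespace (and glob-expanded)
# before the call, so it can become zero, one or several arguments.
args_unquoted() {
  # shellcheck disable=SC2046
  count_args $(emit_name "$1")
}

# Quoted substitution: always exactly one argument, even when empty.
args_quoted() { count_args "$(emit_name "$1")"; }

# Name pasted into command text that a shell then parses: deliberately unsafe,
# shown only for contrast. Metacharacters in the name become shell syntax.
run_as_text() { sh -c "printf '%s\n' $1"; }

# Name passed as a positional parameter: it stays data whatever it contains.
run_as_data() { sh -c 'printf "%s\n" "$1"' sh "$1"; }

# Compare argument counts for a few constructed names.
for name in 'main' 'feature x' 'a;b' ''; do
  printf '%-12s unquoted=%s quoted=%s\n' "[$name]" \
    "$(args_unquoted "$name")" "$(args_quoted "$name")"
done
```

The empty-name row is the detached-HEAD case: unquoted, the argument disappears; quoted, the command receives one empty argument, so the caller still has to check for an empty name.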
Ports `.cursor/commands/` workflow automation from chrome-remote-devtools to executeJS repository, matching hwpjs PR #3 pattern.

Changes

- `.cursor/commands/commit.md`: Commit message format with executeJS-specific scopes (`app`, `frontend`, `backend`, `tauri`, `crates`, `docs`, `scripts`, `config`)
- `.cursor/commands/pr.md`: PR creation/update workflow with ohah account setup and executeJS API endpoints
- `.cursor/commands/review.md`: AI-powered PR review posting with executeJS repository references
- `.cursor/commands/review-apply.md`: Local application of GitHub PR review suggestions
- `.cursor/commands/copilot-review.md`: GitHub Copilot review feedback application workflow
- `.cursor/commands/init-pr.md`: Korean language PR setup guide for ohah account configuration

All files updated with executeJS-specific repository paths (`ohah/executeJS`, `apps/executeJS/src/widgets/`) and agent.md reference.