fix: fetch diff via Gitea/GitHub API instead of git

Git operations inside the Docker container have no auth credentials
(actions/checkout@v5 stores them in $RUNNER_TEMP, not mounted).

Instead of fighting git auth, fetch the diff directly from the
Gitea API: GET /repos/{owner}/{repo}/pulls/{index}.diff

This uses the same token already passed for posting comments.
No pre-fetch workflow step needed. No git required in the container.

Also filters excluded patterns (lockfiles, etc.) from the API diff.

scripts/review.sh

@@ -70,94 +70,134 @@ chmod 600 "$AUTH_FILE"
 echo "Configured provider: ${PI_PROVIDER}"
 echo "::endgroup::"
 
-# ─── Phase 2: Generate diff ───────────────────────────────────────────────────
+# ─── Phase 2: Fetch diff via API ───────────────────────────────────────────────
-echo "::group::Generate diff"
+echo "Generate diff"
 
-# Configure git auth using the provided token, so we can fetch inside Docker.
+# Git operations inside the Docker container have no auth credentials
-# actions/checkout@v5 stores credentials in $RUNNER_TEMP which isn't mounted
+# (actions/checkout@v5 stores them in $RUNNER_TEMP, which isn't mounted).
-# into the container, so we re-authenticate using the token input.
+# Instead, we get the diff directly from the Gitea/GitHub API using the token
-if [ -n "${PI_TOKEN}" ]; then
+# we already have for posting comments.
-  REMOTE_URL=$(git remote get-url origin 2>/dev/null || echo "")
+
-  if echo "$REMOTE_URL" | grep -q '://'; then
+# Detect platform and resolve PR info
-    # HTTP(S) remote: inject token into URL
+if [ -n "${GITEA_SERVER_URL:-}" ]; then
-    # e.g. https://git.example.com/owner/repo.git → https://token:xxx@git.example.com/owner/repo.git
+  API_BASE="${GITEA_SERVER_URL}/api/v1"
-    PROTOCOL=$(echo "$REMOTE_URL" | sed -E 's|^(https?://).*|\1|')
+  PR_NUMBER="${GITEA_EVENT_PULL_REQUEST_NUMBER:-}"
-    HOST_PATH=$(echo "$REMOTE_URL" | sed -E 's|^https?://||')
+  REPO="${GITEA_REPOSITORY:-}"
-    git remote set-url origin "${PROTOCOL}token:${PI_TOKEN}@${HOST_PATH}"
+  echo "Platform: Gitea (${GITEA_SERVER_URL})"
-    echo "Git auth configured via remote URL"
+else
-  fi
+  API_BASE="${GITHUB_API_URL:-https://api.github.com}"
+  PR_NUMBER="${GITHUB_EVENT_PULL_REQUEST_NUMBER:-}"
+  REPO="${GITHUB_REPOSITORY:-}"
+  echo "Platform: GitHub"
 fi
 
-# Now find the base branch. With auth configured, fetch should work.
+echo "Repo: ${REPO}, PR: ${PR_NUMBER}"
-BASE=""
 
-# 1. Check if remote tracking refs already exist (from a pre-step)
+if [ -z "$PR_NUMBER" ]; then
-for candidate in origin/main origin/master; do
+  echo "Not a pull request event. Skipping review."
-  if git rev-parse --verify "$candidate" >/dev/null 2>&1; then
+  exit 0
-    BASE="$candidate"
-    echo "Found existing ref: ${BASE}"
-    break
-  fi
-done
-
-# 2. Try Gitea/GitHub event context for target branch name
-if [ -z "$BASE" ]; then
-  TARGET_BRANCH="${GITEA_BASE_REF:-${GITHUB_BASE_REF:-}}"
-  if [ -n "${TARGET_BRANCH}" ] && git rev-parse --verify "origin/${TARGET_BRANCH}" >/dev/null 2>&1; then
-    BASE="origin/${TARGET_BRANCH}"
-    echo "Found target branch from event: ${BASE}"
-  fi
 fi
 
-# 3. Fetch the base branch (now works with auth)
+# Fetch diff via API — works regardless of git auth inside the container.
-if [ -z "$BASE" ]; then
+# Gitea: GET /repos/{owner}/{repo}/pulls/{index}.diff
-  echo "No base ref found locally. Fetching..."
+# GitHub: GET /repos/{owner}/{repo}/pulls/{index} (Accept: application/diff)
-  git fetch --unshallow origin 2>/dev/null || true
+node -e "
-  for branch in main master; do
+const http = require('http');
-    if git fetch origin "+refs/heads/${branch}:refs/remotes/origin/${branch}" 2>/dev/null; then
+const https = require('https');
-      BASE="origin/${branch}"
-      echo "Fetched: ${BASE}"
-      break
-    fi
-  done
-  # Also try the target branch from event context
-  if [ -z "$BASE" ] && [ -n "${TARGET_BRANCH}" ]; then
-    if git fetch origin "+refs/heads/${TARGET_BRANCH}:refs/remotes/origin/${TARGET_BRANCH}" 2>/dev/null; then
-      BASE="origin/${TARGET_BRANCH}"
-      echo "Fetched target: ${BASE}"
-    fi
-  fi
-fi
 
-if [ -z "$BASE" ]; then
+const apiBase = '${API_BASE}';
-  echo "::error::Could not determine base branch. Ensure 'token' input has repo read access."
+const repo = '${REPO}';
-  exit 1
+const prNumber = '${PR_NUMBER}';
-fi
+const token = '${PI_TOKEN}';
+const maxBytes = ${PI_MAX_DIFF:-80000};
 
-echo "Base ref: ${BASE} -> $(git rev-parse --short "${BASE}" 2>/dev/null || echo 'NOT FOUND')"
+function fetchDiff() {
-echo "HEAD:     $(git rev-parse --short HEAD)"
+  return new Promise((resolve, reject) => {
-echo "Files changed:"
+    // Try Gitea diff endpoint first
-git diff --stat "${BASE}...HEAD" 2>/dev/null | tail -3 || echo "(could not stat diff)"
+    const giteaPath = '/repos/' + repo + '/pulls/' + prNumber + '.diff';
+    const githubPath = '/repos/' + repo + '/pulls/' + prNumber;
 
-# Build exclude pathspecs
+    const url = new URL(apiBase + giteaPath);
-EXCLUDE_ARGS=""
+    const transport = url.protocol === 'http:' ? http : https;
-for pattern in $PI_EXCLUDE; do
-  EXCLUDE_ARGS="$EXCLUDE_ARGS ':!$pattern'"
-done
 
-eval "git diff ${BASE}...HEAD ${EXCLUDE_ARGS}" > /tmp/pi-diff.txt 2>/dev/null || true
+    const options = {
+      hostname: url.hostname,
+      port: url.port || (url.protocol === 'http:' ? 80 : 443),
+      path: url.pathname,
+      method: 'GET',
+      headers: {
+        'Authorization': 'token ' + token,
+        'Accept': 'text/plain',
+      },
+    };
 
-# Truncate if needed
+    const req = transport.request(options, (res) => {
-if [ "${PI_MAX_DIFF}" -gt 0 ]; then
+      if (res.statusCode === 404 && apiBase.indexOf('github.com') !== -1) {
-  head -c "${PI_MAX_DIFF}" /tmp/pi-diff.txt > /tmp/pi-diff-trunc.txt
+        // Fallback to GitHub diff format
-  mv /tmp/pi-diff-trunc.txt /tmp/pi-diff.txt
+        reject(new Error('GitHub fallback not implemented'));
-fi
+        return;
+      }
+      if (res.statusCode < 200 || res.statusCode >= 300) {
+        let body = '';
+        res.on('data', (c) => { body += c; });
+        res.on('end', () => { reject(new Error('API ' + res.statusCode + ': ' + body.slice(0, 200))); });
+        return;
+      }
 
-DIFF_SIZE=$(wc -c < /tmp/pi-diff.txt || echo 0)
+      let data = '';
-echo "Diff size: ${DIFF_SIZE} bytes"
+      let bytes = 0;
-echo "::endgroup::"
+      res.on('data', (chunk) => {
+        bytes += chunk.length;
+        if (maxBytes > 0 && bytes <= maxBytes) {
+          data += chunk;
+        }
+      });
+      res.on('end', () => {
+        if (maxBytes > 0 && data.length >= maxBytes) {
+          data = data.slice(0, maxBytes) + '\\n... (truncated at ' + maxBytes + ' bytes)';
+        }
+        resolve(data);
+      });
+    });
+    req.on('error', (e) => { reject(e); });
+    req.end();
+  });
+}
 
-if [ "${DIFF_SIZE}" -eq 0 ]; then
+fetchDiff().then((diff) => {
+  const fs = require('fs');
+
+  // Filter out excluded patterns (lockfiles, generated code, etc.)
+  const excludePatterns = '${PI_EXCLUDE}'.split(' ').filter(Boolean);
+  if (excludePatterns.length > 0) {
+    const lines = diff.split('\\n');
+    const filtered = [];
+    let skipFile = false;
+    for (const line of lines) {
+      if (line.startsWith('diff --git')) {
+        skipFile = excludePatterns.some(p => {
+          const glob = p.replace(/\\./g, '\\\\.').replace(/\\*/g, '.*');
+          return new RegExp(glob).test(line);
+        });
+      }
+      if (!skipFile) filtered.push(line);
+    }
+    diff = filtered.join('\\n');
+  }
+
+  if (maxBytes > 0 && diff.length > maxBytes) {
+    diff = diff.slice(0, maxBytes) + '\\n... (truncated at ' + maxBytes + ' bytes)';
+  }
+
+  fs.writeFileSync('/tmp/pi-diff.txt', diff);
+  console.log('Diff fetched: ' + diff.length + ' bytes');
+}).catch((e) => {
+  console.error('Failed to fetch diff: ' + e.message);
+  process.exit(1);
+});
+"
+
+if [ ! -s /tmp/pi-diff.txt ]; then
   echo "No changes to review. Skipping."
   exit 0
 fi