
Provide a reusable GitHub Action for PR reviews #235

Description

@acoliver

Problem Statement

OpenCodeReview already has examples/github_actions/ocr-review.yml, which is very helpful. However, adopting OCR as a PR review bot still requires copying a long workflow and understanding several security and posting details.

Tools such as CodeRabbit make this setup feel turnkey. It would be great if OpenCodeReview had either a reusable packaged GitHub Action or an improved, hardened example that repositories can adopt with less custom glue.

This issue is not asking for OCR to replace its existing example; it is asking to make the GitHub Actions path easier and safer for normal repository maintainers.

Proposed Solution

Provide an official reusable Action, for example alibaba/open-code-review-action, or a shorter composite action wrapping:

  • OCR installation.
  • Review execution.
  • JSON parsing.
  • Inline PR review comments.
  • Fallback issue comments.
  • Stable summary posting.

If a reusable Action is too much scope, improve examples/github_actions with a hardened recommended configuration.

Important behavior

The recommended Action/config should:

  • Support pull_request and/or safe pull_request_target patterns.
  • Use per-PR concurrency with cancel-in-progress to avoid review cascades.
  • Compute merge-base and review base-to-head, not only the last push.
  • Configure OCR_LLM_URL, OCR_LLM_AUTH_TOKEN, OCR_LLM_MODEL, and provider flags through secrets/vars.
  • Upload raw JSON and stderr artifacts.
  • Post inline PR review comments when positions are resolvable.
  • Post a stable sticky summary issue comment so reruns update rather than spam.
  • Document fallback behavior when inline comments cannot be posted.
  • Clearly warn not to execute untrusted PR code or load PR-supplied review rules when secrets are in scope.

Related existing issues

  • Issue 58 already improved the example with concurrency.
  • Issue 80 reported comment truncation/fallback behavior.
  • Issue 91 asks for posting findings to the GitHub PR issue.
  • Issue 110 discussed pull_request_target security risks.

This proposal tries to consolidate those lessons into an easier official integration path.

Acceptance criteria

  • Repositories can add OCR PR review with a small workflow or reusable Action.
  • The docs include required secrets/vars and minimal permissions.
  • The recommended config avoids duplicate review spam.
  • Inline comments and stable summary comments are documented.
  • Security guidance for fork PRs and pull_request_target is explicit.

Chinese description

Problem Statement

OpenCodeReview already provides examples/github_actions/ocr-review.yml, which is very helpful. However, integrating OCR as a PR review bot still requires copying a fairly long workflow and understanding several security and comment-posting details.

Tools like CodeRabbit offer a much more out-of-the-box integration experience. It would be very valuable if OpenCodeReview could provide a reusable packaged GitHub Action, or an improved, more secure example configuration, so that repositories can integrate with less custom glue code.

This issue is not asking OCR to replace the existing example; it is asking to make the GitHub Actions integration path simpler and safer for ordinary repository maintainers.

Proposed Solution

Provide an official reusable Action, for example alibaba/open-code-review-action, or a shorter composite action that wraps:

  • OCR installation.
  • Review execution.
  • JSON parsing.
  • Inline PR review comments.
  • Fallback issue comments.
  • Stable summary comment posting.

If a reusable Action is too large in scope, examples/github_actions can be improved first with a hardened recommended configuration.

Key behavior

The recommended Action/configuration should:

  • Support pull_request and/or safe pull_request_target patterns.
  • Use concurrency grouped per PR with cancel-in-progress set, to avoid review cascades flooding the PR.
  • Compute the merge-base and review the full diff from base to head, not only the last push.
  • Configure OCR_LLM_URL, OCR_LLM_AUTH_TOKEN, OCR_LLM_MODEL and provider-related flags through secrets/vars.
  • Upload raw JSON and stderr artifacts.
  • Post inline review comments on the PR when positions can be resolved.
  • Post a stable sticky summary issue comment so that reruns update the original comment instead of posting duplicates.
  • Document the fallback behavior when inline comments cannot be posted.
  • Clearly warn: when secrets are in scope, do not execute untrusted PR code and do not load PR-supplied review rules.

Related existing issues

  • Issue 58 already improved the example's concurrency.
  • Issue 80 reported comment truncation/fallback behavior.
  • Issue 91 requests posting review findings to the GitHub PR issue.
  • Issue 110 discussed the security risks of pull_request_target.

This proposal aims to consolidate those lessons into a single easier official integration path.

Acceptance criteria

  • Repositories can integrate OCR PR review through a short workflow or a reusable Action.
  • The docs include the required secrets/vars and minimal permissions.
  • The recommended configuration avoids duplicate review spam.
  • Both inline comments and stable summary comments are documented.
  • Security guidance for fork PRs and pull_request_target is explicit and clear.
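A hardened `pull_request` workflow covering the trigger, concurrency, permissions, merge-base and artifact items requested above, added here as an example; it is not the project's examples/github_actions/ocr-review.yml. The `ocr review` command line and the output file names are assumptions, and the inline-comment and sticky-summary posting steps are omitted.

```yaml
name: OCR PR review
on:
  pull_request:            # not pull_request_target: fork PRs get no secrets
permissions:               # least privilege for GITHUB_TOKEN
  contents: read
  pull-requests: write     # needed by the (omitted) comment-posting steps
concurrency:               # one run per PR; a new push cancels the stale one
  group: ocr-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so merge-base can be computed
      # Untrusted values (branch names, SHAs) go through env, never
      # interpolated into the shell script with ${{ }}.
      - name: Compute merge-base and review range
        id: range
        env:
          BASE_REF: ${{ github.base_ref }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "base=$(git merge-base "origin/$BASE_REF" "$HEAD_SHA")" >> "$GITHUB_OUTPUT"
          echo "head=$HEAD_SHA" >> "$GITHUB_OUTPUT"

      - name: Run OCR over base..head
        env:
          OCR_LLM_URL: ${{ vars.OCR_LLM_URL }}
          OCR_LLM_MODEL: ${{ vars.OCR_LLM_MODEL }}
          OCR_LLM_AUTH_TOKEN: ${{ secrets.OCR_LLM_AUTH_TOKEN }}
          BASE: ${{ steps.range.outputs.base }}
          HEAD: ${{ steps.range.outputs.head }}
        run: |
          # Assumed command line and file names; take the real flags from
          # the project's examples/github_actions/ocr-review.yml.
          ocr review --base "$BASE" --head "$HEAD" \
            > ocr-output.json 2> ocr-stderr.log

      - name: Upload raw JSON and stderr
        if: always()       # keep the evidence even when the review step fails
        uses: actions/upload-artifact@v4
        with:
          name: ocr-review-output
          path: |
            ocr-output.json
            ocr-stderr.log
```

Because the trigger is `pull_request`, a PR from a fork runs without repository secrets, so the review step fails for forks rather than exposing the LLM token to untrusted code; that is the trade-off the issue's last behavior item describes against the riskier `pull_request_target` route.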
