
adding a workflow for reviewing code changes using stepsecurity code reviewer #388

Merged
merged 2 commits into from
May 1, 2023

Conversation

ashishkurmi
Member

No description provided.


@github-actions github-actions bot left a comment


Please find ChatGPT generated code comments below

.github/workflows/code-review.yml:

  • Add a description to the trigger `on` block in the workflow file to clarify what triggers this workflow.
  • Specify a specific commit SHA instead of branching off of main or int, as a branch can be updated and cause issues in workflow runs.
  • Provide a detailed name for the job that identifies what the job does instead of a generic name like code-review.
  • Make permissions as restrictive as possible by only granting the required permissions instead of all permissions.
  • Validate the docker image source to ensure that it is from a trusted source.
  • Specify an expiry date for the PAT (Personal access token) if possible to enforce security best practices.

@codecov-commenter

codecov-commenter commented Apr 30, 2023

Codecov Report

Patch coverage has no change and project coverage change: -0.48 ⚠️

Comparison is base (19b0d5a) 68.86% compared to head (7d96f6d) 68.38%.


Additional details and impacted files
@@            Coverage Diff             @@
##             main     #388      +/-   ##
==========================================
- Coverage   68.86%   68.38%   -0.48%     
==========================================
  Files          15       15              
  Lines        1670     1670              
==========================================
- Hits         1150     1142       -8     
- Misses        399      409      +10     
+ Partials      121      119       -2     

see 1 file with indirect coverage changes



@github-actions github-actions bot left a comment


Please find ChatGPT generated code comments below

.github/workflows/code-review.yml:

  • It is always a good practice to specify an explicit version of a Docker image instead of using the latest tag. It ensures that the same image is used for every build, preventing any issues that may be caused by different versions.

  • The docker image being used is not known and its trustworthiness cannot be assured. It is better to use images from official repositories or trusted organizations.

  • Instead of using a personal access token (PAT), it is recommended to use machine users for automatic reviews. This way, any access or changes made by the machine user are clearly identifiable.

  • It is not necessary to specify contents: read in the jobs since the read access is already granted for the repository in permissions.

Here's the improved code:

name: Code Review
on:
  pull_request:
    branches:
      - main
      - int
# Workflow-level token permissions: everything not listed here defaults to none.
permissions:
  pull-requests: write

jobs:
  code-review:
    name: Code Review
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2.3.1
        with:
          egress-policy: audit

      - name: Code Review
        uses: docker://organization/code-reviewer:v1.0.0
        # A step has no `secrets:` key; secrets are passed to a container step via `env:`.
        env:
          MACHINE_USER_TOKEN: ${{ secrets.MACHINE_USER_TOKEN }}
Note: Replace organization, v1.0.0 and MACHINE_USER_TOKEN with relevant values.
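The pinning and least-privilege points raised in the two bot reviews above (commit SHA instead of tag or branch, digest instead of mutable image tag, an explicit permissions block, no write-all) can be checked mechanically. The script below is an added example, not part of this PR or of StepSecurity's code: it scans workflow text with regular expressions rather than a YAML parser, and the sample workflows, the 40-hex SHA and the sha256 digest are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

def check_uses(ref):
    """Return a finding for one `uses:` reference, or None if it is immutably pinned."""
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@sha256:" in image:
            return None  # digest-pinned: content-addressed, cannot be silently swapped
        # tag lives after the last ':' of the final path component; no tag means 'latest'
        last = image.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else "latest"
        return f"docker image pinned by mutable tag '{tag}', not digest: {ref}"
    if "@" not in ref:
        return f"action has no ref: {ref}"
    if SHA_RE.match(ref.rsplit("@", 1)[1]):
        return None  # full commit SHA: moving a tag or branch cannot change what runs
    return f"action pinned to mutable ref (tag/branch): {ref}"

def check_workflow(text):
    """Scan workflow text line by line and return the list of hardening findings."""
    lines = text.splitlines()
    findings = []
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repo default")
    for line in lines:
        if re.search(r"\bwrite-all\b", line):
            findings.append(f"blanket write-all permissions: {line.strip()}")
        m = USES_RE.match(line)
        if m and (finding := check_uses(m.group(1))):
            findings.append(finding)
    return findings

# Constructed sample modelled on the workflow suggested in the review above.
TAG_PINNED = """\
on: [pull_request]
permissions:
  pull-requests: write
jobs:
  code-review:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.3.1
      - uses: docker://organization/code-reviewer:v1.0.0
"""
# Same workflow with immutable refs; the SHA and digest are constructed placeholders.
SHA_PINNED = (TAG_PINNED.replace("@v2.3.1", "@0123456789abcdef0123456789abcdef01234567")
              .replace(":v1.0.0", "@sha256:" + "0" * 64))
```

Running `check_workflow(TAG_PINNED)` reports both mutable references while `check_workflow(SHA_PINNED)` returns no findings, which is the state the reviews ask for.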

Member

@varunsh-coder varunsh-coder left a comment


Made minor changes

@ashishkurmi ashishkurmi merged commit f236e57 into main May 1, 2023