refactor(code-review): replace Python implementation with OpenCode + skills

[Pertempto]

Summary

This replaces the custom Python code review bot with OpenCode, a mature AI coding agent. Instead of implementing our own agent loop and tools, we now provide skills that guide OpenCode to use the gh/glab CLIs directly.

Changes

• Remove Python implementation (llm library, PyGitHub, python-gitlab)
• Add OpenCode as the AI agent runtime
• Create separate skills for GitHub and GitLab code review
• Simplify entrypoint scripts to just invoke OpenCode
• Update Dockerfile to use node:22-slim base image
• Default model: google/gemini-3-flash-preview via OpenRouter
• Support legacy OPENROUTER_KEY env var for backwards compatibility

Benefits

• Simpler architecture - no custom agent loop to maintain
• Battle-tested agent with auto-retry, compaction, session management
• Skills are just markdown - easy to read and modify
• Direct CLI usage - more transparent and debuggable
• -678 lines of code removed

Files

File	Purpose
skills/github-code-review/SKILL.md	Instructions for reviewing GitHub PRs
skills/gitlab-code-review/SKILL.md	Instructions for reviewing GitLab MRs
opencode.json	OpenCode configuration
Dockerfile	Now based on Node.js with OpenCode installed

Testing

The existing workflows are unchanged - they should work with the new implementation. The Docker image needs to be built and tested in CI.

Note

This PR does not modify the GitHub Actions workflows (would require workflow scope). The existing workflows use OPENROUTER_KEY which is mapped to OPENROUTER_API_KEY in the scripts for backwards compatibility.

Closes #67

[github-actions]

code-review-bot/github_code_review.sh — potential runtime failure with set -u

• Problem: you use set -euo pipefail and then do export OPENROUTER_API_KEY="${OPENROUTER_API_KEY:-$OPENROUTER_KEY}". If OPENROUTER_KEY is not set, that expansion will trigger an unbound-variable error under -u and the script will exit.

• Fix: use a safe fallback that won't expand an undefined var, e.g.: export OPENROUTER_API_KEY="${OPENROUTER_API_KEY:-${OPENROUTER_KEY:-}}" and then validate with the : check. Also add the same safe fallback for the GitHub token (accept GITHUB_TOKEN as fallback): export GH_TOKEN="${GH_TOKEN:-${GITHUB_TOKEN:-}}".

Please update the script to avoid unbound-var expansions so it runs reliably in CI.

[github-actions]

code-review-bot/Dockerfile �93 missing --no-install-recommends for dpkg install

• Problem: you download and install a specific glab deb via dpkg -i /tmp/glab.deb. If that pulls additional dependencies, dpkg won't resolve them and the build may fail. Also the earlier apt-get install calls use --no-install-recommends in some places but not when installing gh (you did, good). Using apt-get install -f after dpkg helps, or better: use the official distribution packages or install via apt repo.

• Fix: run apt-get update && apt-get install -y -f after dpkg -i to ensure dependencies are installed, or install glab via apt if available. Example change:

  RUN dpkg -i /tmp/glab.deb || apt-get update && apt-get install -y -f && rm -rf /var/lib/apt/lists/*

Please update the Dockerfile to handle dpkg dependency resolution to avoid brittle builds.

[github-actions]

code-review-bot/skills/github-code-review/SKILL.md and skills/gitlab-code-review/SKILL.md �: missing explicit checks to avoid posting duplicate overall review comment

• Problem: the skill's workflow includes commands to post a review (e.g., gh pr review ... --body "Your review here") but doesn't instruct the agent to check for an existing overall review comment and update it instead of creating a duplicate. The repo previously had logic to find/update the overall review comment (in github_tools.post_review). Without guidance, the agent may create repeated top-level review comments on re-runs.

• Fix: add explicit steps in the skill to fetch existing issue comments and, if a bot-authored review matching the # Review prefix exists, use gh issue comment edit or gh pr review --body appropriately to update that comment instead of creating a new one. For GitLab, instruct to check glab mr view ... --comments and glab api to update an existing note.

Please update the skill docs to instruct the agent to avoid duplicate overall review comments.

[github-actions]

Changes Requested

Please address the high-impact items below before merging:

• Add OpenCode runtime config or ensure skills are discoverable at runtime (add opencode.json or set OPENCODE_SKILLS_DIR in the image and copy config)
• Authenticate gh in code-review-bot/github_code_review.sh before running opencode run (e.g. echo "$GH_TOKEN" | gh auth login --with-token) and keep the safe env fallbacks
• Make skills idempotent for the overall review comment: update skills/*/SKILL.md with explicit steps to detect and EDIT an existing bot-authored overall review (use gh api repos/$GITHUB_REPOSITORY/issues/comments/$ID --method PATCH -f body=... or glab api), do not always create a new top-level comment
• Confirm removal of the Python implementation/tests is intentional and update CI/workflows/README (or restore tests / add tests for the OpenCode-based flow)

Summary of Changes

• Replaces Python-based code-review bot with OpenCode skills and shell entrypoints.
• Switches Docker base image to node:22-slim, installs gh, glab, and opencode-ai, and copies skills into /root/.config/opencode/skills.
• Removes Python runtime, tools and tests; adds SKILL.md for GitHub and GitLab.
• Adds CHANGELOG.md entry for the refactor.

Overall Feedback

• Negative: There are a few runtime gaps that will break CI/runtime (skills discovery config, gh authentication, idempotent overall-review posting, and removal of Python tests without CI updates). These must be fixed before merging.

• Positive: Moving to OpenCode + CLI-based skills is a good simplification — skills are readable, the image is leaner, and using gh/glab makes behavior transparent. The refactor will reduce maintenance cost and is a strong direction.

@Pertempto — make the requested updates and I will re-review.

[github-actions]

code-review-bot/opencode.json is referenced in the PR summary but I can't find the file in the branch. OpenCode typically needs an opencode.json (or explicit runtime config) so the agent knows skill metadata, defaults and where to find skills.

Please either:

• Add code-review-bot/opencode.json (or a repo-level opencode.json) and copy it into the image (example Dockerfile line: COPY opencode.json /root/.config/opencode/opencode.json), or
• Document and implement how skills are discovered at runtime (e.g. set OPENCODE_SKILLS_DIR or ensure the CI user can read /root/.config/opencode/skills).

Actionable: include a minimal opencode.json (name/provider/defaults) or update the Dockerfile to install/copy your config so opencode run will reliably find the skills.

[github-actions]

I noticed the PR removes the entire Python implementation and tests (e.g., code-review-bot/__tests__/test_utils.py, code-review-bot/*.py, and code-review-bot/requirements.txt).

Please confirm this is intentional and:

• If removing tests is intentional, update CI workflows and README to reflect there are no Python tests anymore.
• If not intentional, restore the relevant test files or add replacement tests covering the new OpenCode skills (CI should still run some checks).

This is a high-impact change (removing tests) and needs explicit confirmation or follow-up in the PR.

[github-actions]

code-review-bot/Dockerfile currently installs glab via dpkg -i /tmp/glab.deb but doesn't ensure dependencies are satisfied. github-actions[bot] suggested running apt-get install -f or using apt repo to avoid brittle builds. Actionable suggestions:

• Replace dpkg -i /tmp/glab.deb with dpkg -i /tmp/glab.deb || apt-get update && apt-get install -y -f to auto-fix dependencies.
• Alternatively, install glab via a supported apt repository or use the static binary from releases.
• Add --no-install-recommends to apt-get install calls where appropriate and ensure rm -rf /var/lib/apt/lists/* is run after installs to keep image small.

Please update code-review-bot/Dockerfile to make the glab install robust and re-run the build in CI.

[github-actions]

code-review-bot/skills/github-code-review/SKILL.md — actionable fixes for updating an existing overall review comment:

• The GraphQL updateIssueComment mutation requires the GraphQL node ID, not the REST numeric id. The current jq expression returns the REST id and will make the mutation fail.
• Suggestion: use the REST endpoint to edit by numeric id for simplicity, e.g.:
  gh api repos/$GITHUB_REPOSITORY/issues/comments/$EXISTING_COMMENT_ID --method PATCH -f body="$REVIEW_BODY"
• Also expand the author check to include "github-actions[bot]" (the bot account name) and any other configured bot usernames so the skill reliably finds the bot's prior comment.
• Make the flow explicit so the agent does NOT run all three gh pr review commands; pick exactly one action (approve/request-changes/comment) based on analysis and only execute that single command.

[github-actions]

@Pertempto Quick clarification: did you intend for OpenCode to discover skills implicitly from /root/.config/opencode/skills without an opencode.json? If yes, please document that in the Dockerfile (e.g. ENV OPENCODE_SKILLS_DIR=/root/.config/opencode/skills) or add a minimal opencode.json and COPY it into /root/.config/opencode/opencode.json.

This will prevent runtime failures where opencode run can't find any skills. Thanks.

[github-actions]

@Pertempto Please authenticate gh in code-review-bot/github_code_review.sh before running OpenCode so the skill's gh commands will work in CI. Add, after env validation and before opencode run:

# Authenticate gh CLI
echo "$GH_TOKEN" | gh auth login --with-token

(or use gh auth login --with-token reading stdin). This ensures gh has credentials available to the skills and avoids silent failures in CI.