Add Cortex Code GitHub Action + invocation source tracking

- Add actions/cortex-code/: GitHub Action for PR reviews and issue assistance
  via @Cortex-code mentions (TypeScript, Agent SDK, MCP)
- Security hardened: signal cleanup, expanded token sanitization, prompt
  injection defense, cost guardrails, rate limiting, review mode
- Add inline PR review comments via GitHub Reviews API
- Add unified diff context for better review quality
- Add CORTEX_CODE_ENTRYPOINT env var to plugin subprocess for telemetry
- Add workflow for @Cortex-code trigger on this repo

Author: iamontheinet

.github/workflows/cortex-code-action-test.yml

@@ -0,0 +1,27 @@
+name: Test Cortex Code Action
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  cortex-code:
+    if: contains(github.event.comment.body, '@cortex-code')
+    runs-on: ubuntu-latest
+    concurrency:
+      group: cortex-code-${{ github.event.issue.number }}
+      cancel-in-progress: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ./actions/cortex-code
+        with:
+          snowflake_account: ${{ secrets.SNOWFLAKE_ACCOUNT }}
+          snowflake_user: ${{ secrets.SNOWFLAKE_USER }}
+          snowflake_private_key: ${{ secrets.SNOWFLAKE_PRIVATE_KEY }}
+          max_turns: "5"
+          timeout_minutes: "3"

actions/cortex-code/.gitignore

@@ -0,0 +1,2 @@
+node_modules/
+bun.lock

actions/cortex-code/action.yml

@@ -0,0 +1,132 @@
+name: "Cortex Code Action"
+description: "GitHub Action that integrates Snowflake Cortex Code as an AI assistant for PRs and issues. Triggered by @cortex-code mentions."
+author: "Snowflake Cortex Code"
+
+branding:
+  icon: "code"
+  color: "blue"
+
+inputs:
+  trigger_phrase:
+    description: "Phrase that triggers the action in comments"
+    required: false
+    default: "@cortex-code"
+  snowflake_account:
+    description: "Snowflake account identifier (e.g., myorg-myaccount)"
+    required: true
+  snowflake_user:
+    description: "Snowflake username for authentication"
+    required: true
+  snowflake_private_key:
+    description: "Snowflake key-pair private key (PEM format). Mutually exclusive with snowflake_api_key."
+    required: false
+  snowflake_api_key:
+    description: "Snowflake API key or PAT. Mutually exclusive with snowflake_private_key."
+    required: false
+  github_token:
+    description: "GitHub token for API operations (PR comments, status checks)"
+    required: false
+    default: ${{ github.token }}
+  model:
+    description: "Model identifier for Cortex Code (e.g., auto, claude-sonnet-4-6, openai-gpt-5.2)"
+    required: false
+    default: "auto"
+  allowed_tools:
+    description: "Comma-separated additional tools to allow (e.g., SQL,WebSearch)"
+    required: false
+    default: ""
+  disallowed_tools:
+    description: "Comma-separated tools to deny"
+    required: false
+    default: ""
+  system_prompt:
+    description: "Additional system prompt text to append to the default"
+    required: false
+    default: ""
+  branch_prefix:
+    description: "Prefix for branches created by Cortex Code"
+    required: false
+    default: "cortex-code/"
+  bot_name:
+    description: "Display name for the bot in git operations"
+    required: false
+    default: "cortex-code[bot]"
+  bot_id:
+    description: "GitHub user ID for git operations"
+    required: false
+    default: "41898282"
+  max_turns:
+    description: "Maximum number of agentic turns before stopping"
+    required: false
+    default: "25"
+  timeout_minutes:
+    description: "Maximum execution time in minutes before the action is terminated"
+    required: false
+    default: "10"
+  base_branch:
+    description: "Base branch for new branches (defaults to repo default branch)"
+    required: false
+    default: ""
+  prompt:
+    description: "Direct prompt for agent mode. When provided, skips trigger detection and uses this as the instruction (e.g., for automated PR reviews)."
+    required: false
+    default: ""
+  review_mode:
+    description: "When true, restricts tools to read-only (no Bash, Write, Edit). Ideal for automated PR reviews."
+    required: false
+    default: ""
+
+outputs:
+  branch_name:
+    description: "The branch created or used by Cortex Code"
+    value: ${{ steps.run.outputs.branch_name }}
+  session_id:
+    description: "Cortex Code session ID for resuming"
+    value: ${{ steps.run.outputs.session_id }}
+  conclusion:
+    description: "Result status: success or failure"
+    value: ${{ steps.run.outputs.conclusion }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Bun
+      uses: oven-sh/setup-bun@v2
+      with:
+        bun-version: "1.3.6"
+
+    - name: Install dependencies
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: bun install --production --frozen-lockfile || bun install --production
+
+    - name: Install Cortex Code CLI
+      shell: bash
+      run: |
+        curl -LsS https://ai.snowflake.com/static/cc-scripts/install.sh | sh
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Run Cortex Code Action
+      id: run
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        SNOWFLAKE_ACCOUNT: ${{ inputs.snowflake_account }}
+        SNOWFLAKE_USER: ${{ inputs.snowflake_user }}
+        SNOWFLAKE_PRIVATE_KEY: ${{ inputs.snowflake_private_key }}
+        SNOWFLAKE_API_KEY: ${{ inputs.snowflake_api_key }}
+        INPUT_TRIGGER_PHRASE: ${{ inputs.trigger_phrase }}
+        INPUT_MODEL: ${{ inputs.model }}
+        INPUT_ALLOWED_TOOLS: ${{ inputs.allowed_tools }}
+        INPUT_DISALLOWED_TOOLS: ${{ inputs.disallowed_tools }}
+        INPUT_SYSTEM_PROMPT: ${{ inputs.system_prompt }}
+        INPUT_BRANCH_PREFIX: ${{ inputs.branch_prefix }}
+        INPUT_BOT_NAME: ${{ inputs.bot_name }}
+        INPUT_BOT_ID: ${{ inputs.bot_id }}
+        INPUT_MAX_TURNS: ${{ inputs.max_turns }}
+        INPUT_TIMEOUT_MINUTES: ${{ inputs.timeout_minutes }}
+        INPUT_BASE_BRANCH: ${{ inputs.base_branch }}
+        INPUT_PROMPT: ${{ inputs.prompt }}
+        INPUT_REVIEW_MODE: ${{ inputs.review_mode }}
+      run: bun run src/entrypoints/run.ts

actions/cortex-code/assets/logo.png

@@ -0,0 +1,28 @@
+{
+  "name": "@snowflake-labs/cortex-code-action",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "repository": "https://github.com/Snowflake-Labs/snowflake-ai-kit",
+  "scripts": {
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "test": "bun test",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@actions/core": "^1.10.1",
+    "@actions/github": "^6.0.1",
+    "cortex-code-agent-sdk": "latest",
+    "@modelcontextprotocol/sdk": "^1.11.0",
+    "@octokit/rest": "^21.1.1",
+    "@octokit/graphql": "^8.2.2",
+    "zod": "^3.24.4"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "@types/node": "^20.0.0",
+    "prettier": "^3.5.3",
+    "typescript": "^5.8.3"
+  }
+}

actions/cortex-code/package.json

@@ -0,0 +1,79 @@
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+export interface ConnectionConfig {
+  account: string;
+  user: string;
+  privateKey?: string;
+  apiKey?: string;
+}
+
+let cleanupRegistered = false;
+
+function registerCleanupHandlers(): void {
+  if (cleanupRegistered) return;
+  cleanupRegistered = true;
+
+  const emergencyCleanup = () => {
+    cleanupConnection();
+    process.exit(1);
+  };
+
+  process.on("SIGTERM", emergencyCleanup);
+  process.on("SIGINT", emergencyCleanup);
+}
+
+export function setupSnowflakeConnection(config: ConnectionConfig): string {
+  const connectionName = "cortex-code-action";
+  const connectionsDir = path.join(os.homedir(), ".snowflake");
+  const connectionsFile = path.join(connectionsDir, "connections.toml");
+
+  fs.mkdirSync(connectionsDir, { recursive: true });
+
+  let tomlContent: string;
+
+  if (config.privateKey) {
+    const keyPath = path.join(connectionsDir, "action_key.p8");
+    fs.writeFileSync(keyPath, config.privateKey, { mode: 0o600 });
+
+    tomlContent = `[${connectionName}]
+account = "${config.account}"
+user = "${config.user}"
+authenticator = "SNOWFLAKE_JWT"
+private_key_path = "${keyPath}"
+`;
+  } else if (config.apiKey) {
+    tomlContent = `[${connectionName}]
+account = "${config.account}"
+user = "${config.user}"
+token = "${config.apiKey}"
+authenticator = "oauth"
+`;
+  } else {
+    throw new Error(
+      "Either snowflake_private_key or snowflake_api_key must be provided.",
+    );
+  }
+
+  tomlContent += `\n[default]\ndefault_connection_name = "${connectionName}"\n`;
+
+  fs.writeFileSync(connectionsFile, tomlContent, { mode: 0o600 });
+
+  registerCleanupHandlers();
+
+  return connectionName;
+}
+
+export function cleanupConnection(): void {
+  const connectionsDir = path.join(os.homedir(), ".snowflake");
+  const connectionsFile = path.join(connectionsDir, "connections.toml");
+  const keyPath = path.join(connectionsDir, "action_key.p8");
+
+  try {
+    if (fs.existsSync(keyPath)) fs.unlinkSync(keyPath);
+    if (fs.existsSync(connectionsFile)) fs.unlinkSync(connectionsFile);
+  } catch {
+    // Best effort cleanup
+  }
+}

actions/cortex-code/src/cortex/connection.ts

@@ -0,0 +1,6 @@
+export { setupSnowflakeConnection, cleanupConnection } from "./connection";
+export type { ConnectionConfig } from "./connection";
+export { installCortexCLI } from "./install";
+export { runCortexCode } from "./run";
+export type { RunCortexOptions, RunResult } from "./run";
+export type { McpServerConfig } from "./types";

actions/cortex-code/src/cortex/index.ts

@@ -0,0 +1,27 @@
+import * as core from "@actions/core";
+
+export async function installCortexCLI(): Promise<string> {
+  // The CLI is installed in the composite action step via the install script.
+  // This function verifies it's accessible and returns the path.
+  const cliPath = process.env.CORTEX_CODE_CLI_PATH ?? "cortex";
+
+  try {
+    const proc = Bun.spawn([cliPath, "--version"], {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const exitCode = await proc.exited;
+    if (exitCode !== 0) {
+      throw new Error(`cortex --version exited with code ${exitCode}`);
+    }
+    const version = await new Response(proc.stdout).text();
+    core.info(`Cortex Code CLI version: ${version.trim()}`);
+    return cliPath;
+  } catch (error) {
+    throw new Error(
+      `Cortex Code CLI not found or not functional. ` +
+        `Ensure it's installed: curl -LsS https://ai.snowflake.com/static/cc-scripts/install.sh | sh\n` +
+        `Error: ${error}`,
+    );
+  }
+}