Thêm webhook Gemini review PR

Author: TUPM96

.github/workflows/deploy.yml

@@ -160,12 +160,16 @@ jobs:
           MERGEOS_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.MERGEOS_GITHUB_OAUTH_CLIENT_SECRET }}
           MERGEOS_GOOGLE_CLIENT_ID: ${{ secrets.MERGEOS_GOOGLE_CLIENT_ID }}
           MERGEOS_GOOGLE_CLIENT_SECRET: ${{ secrets.MERGEOS_GOOGLE_CLIENT_SECRET }}
+          GEMINI_API_KEYS: ${{ secrets.GEMINI_API_KEYS }}
+          GEMINI_REVIEW_MODEL: ${{ secrets.GEMINI_REVIEW_MODEL }}
+          GEMINI_REVIEW_WEBHOOK_SECRET: ${{ secrets.GEMINI_REVIEW_WEBHOOK_SECRET }}
+          GEMINI_REVIEW_MAX_PATCH_BYTES: ${{ secrets.GEMINI_REVIEW_MAX_PATCH_BYTES }}
         with:
           host: ${{ secrets.DEPLOY_HOST }}
           username: ${{ secrets.DEPLOY_USER }}
           password: ${{ secrets.DEPLOY_PASSWORD }}
           port: ${{ secrets.DEPLOY_PORT }}
-          envs: DEPLOY_PATH,ADMIN_EMAIL,ADMIN_PASSWORD,DEV_PAYMENT_ENABLED,DEV_PAYMENT_CODE,MERGEOS_GITHUB_TOKEN,GITHUB_OWNER,GITHUB_OWNER_TYPE,MERGEOS_GITHUB_APP_ID,MERGEOS_GITHUB_APP_CLIENT_ID,MERGEOS_GITHUB_APP_CLIENT_SECRET,MERGEOS_GITHUB_OAUTH_CLIENT_ID,MERGEOS_GITHUB_OAUTH_CLIENT_SECRET,MERGEOS_GOOGLE_CLIENT_ID,MERGEOS_GOOGLE_CLIENT_SECRET
+          envs: DEPLOY_PATH,ADMIN_EMAIL,ADMIN_PASSWORD,DEV_PAYMENT_ENABLED,DEV_PAYMENT_CODE,MERGEOS_GITHUB_TOKEN,GITHUB_OWNER,GITHUB_OWNER_TYPE,MERGEOS_GITHUB_APP_ID,MERGEOS_GITHUB_APP_CLIENT_ID,MERGEOS_GITHUB_APP_CLIENT_SECRET,MERGEOS_GITHUB_OAUTH_CLIENT_ID,MERGEOS_GITHUB_OAUTH_CLIENT_SECRET,MERGEOS_GOOGLE_CLIENT_ID,MERGEOS_GOOGLE_CLIENT_SECRET,GEMINI_API_KEYS,GEMINI_REVIEW_MODEL,GEMINI_REVIEW_WEBHOOK_SECRET,GEMINI_REVIEW_MAX_PATCH_BYTES
           script: |
             set -e
             APP_DIR="${DEPLOY_PATH:-$HOME/mergeos}"
@@ -263,6 +267,10 @@ jobs:
             Environment=GITHUB_OAUTH_CLIENT_SECRET=$MERGEOS_GITHUB_OAUTH_CLIENT_SECRET
             Environment=GOOGLE_CLIENT_ID=$MERGEOS_GOOGLE_CLIENT_ID
             Environment=GOOGLE_CLIENT_SECRET=$MERGEOS_GOOGLE_CLIENT_SECRET
+            Environment=GEMINI_API_KEYS=$GEMINI_API_KEYS
+            Environment=GEMINI_REVIEW_MODEL=$GEMINI_REVIEW_MODEL
+            Environment=GEMINI_REVIEW_WEBHOOK_SECRET=$GEMINI_REVIEW_WEBHOOK_SECRET
+            Environment=GEMINI_REVIEW_MAX_PATCH_BYTES=$GEMINI_REVIEW_MAX_PATCH_BYTES
             ExecStart=$APP_DIR/mergeos
             Restart=always
             RestartSec=5
@@ -276,7 +284,7 @@ jobs:
               systemctl --user is-active --quiet mergeos.service
             else
               pkill -f "$APP_DIR/mergeos" || true
-              MERGEOS_ENV=production PORT=8080 DATABASE_URL="$DATABASE_URL_VALUE" ADMIN_EMAIL="$ADMIN_EMAIL" ADMIN_PASSWORD="$ADMIN_PASSWORD" DEV_PAYMENT_ENABLED="$DEV_PAYMENT_ENABLED" DEV_PAYMENT_CODE="$DEV_PAYMENT_CODE" GITHUB_TOKEN="$MERGEOS_GITHUB_TOKEN" GITHUB_OWNER="$GITHUB_OWNER" GITHUB_OWNER_TYPE="$GITHUB_OWNER_TYPE" GITHUB_APP_ID="$MERGEOS_GITHUB_APP_ID" GITHUB_APP_CLIENT_ID="$MERGEOS_GITHUB_APP_CLIENT_ID" GITHUB_APP_CLIENT_SECRET="$MERGEOS_GITHUB_APP_CLIENT_SECRET" GITHUB_OAUTH_CLIENT_ID="$MERGEOS_GITHUB_OAUTH_CLIENT_ID" GITHUB_OAUTH_CLIENT_SECRET="$MERGEOS_GITHUB_OAUTH_CLIENT_SECRET" GOOGLE_CLIENT_ID="$MERGEOS_GOOGLE_CLIENT_ID" GOOGLE_CLIENT_SECRET="$MERGEOS_GOOGLE_CLIENT_SECRET" nohup "$APP_DIR/mergeos" > "$APP_DIR/mergeos.log" 2> "$APP_DIR/mergeos.err.log" &
+              MERGEOS_ENV=production PORT=8080 DATABASE_URL="$DATABASE_URL_VALUE" ADMIN_EMAIL="$ADMIN_EMAIL" ADMIN_PASSWORD="$ADMIN_PASSWORD" DEV_PAYMENT_ENABLED="$DEV_PAYMENT_ENABLED" DEV_PAYMENT_CODE="$DEV_PAYMENT_CODE" GITHUB_TOKEN="$MERGEOS_GITHUB_TOKEN" GITHUB_OWNER="$GITHUB_OWNER" GITHUB_OWNER_TYPE="$GITHUB_OWNER_TYPE" GITHUB_APP_ID="$MERGEOS_GITHUB_APP_ID" GITHUB_APP_CLIENT_ID="$MERGEOS_GITHUB_APP_CLIENT_ID" GITHUB_APP_CLIENT_SECRET="$MERGEOS_GITHUB_APP_CLIENT_SECRET" GITHUB_OAUTH_CLIENT_ID="$MERGEOS_GITHUB_OAUTH_CLIENT_ID" GITHUB_OAUTH_CLIENT_SECRET="$MERGEOS_GITHUB_OAUTH_CLIENT_SECRET" GOOGLE_CLIENT_ID="$MERGEOS_GOOGLE_CLIENT_ID" GOOGLE_CLIENT_SECRET="$MERGEOS_GOOGLE_CLIENT_SECRET" GEMINI_API_KEYS="$GEMINI_API_KEYS" GEMINI_REVIEW_MODEL="$GEMINI_REVIEW_MODEL" GEMINI_REVIEW_WEBHOOK_SECRET="$GEMINI_REVIEW_WEBHOOK_SECRET" GEMINI_REVIEW_MAX_PATCH_BYTES="$GEMINI_REVIEW_MAX_PATCH_BYTES" nohup "$APP_DIR/mergeos" > "$APP_DIR/mergeos.log" 2> "$APP_DIR/mergeos.err.log" &
             fi
             if command -v sudo >/dev/null 2>&1; then
               NODE_MAJOR=22

BOUNTY-POLICY.md

@@ -45,7 +45,7 @@ Every bounty PR must include:
 - Test commands and results.
 - Notes for migrations, environment variables, risk, or deployment changes.
 
-Maintainers use these labels while reviewing bounty PRs. GitHub Copilot code review should flag missing readiness items and suggest the relevant labels in its review summary, but maintainers apply the labels manually:
+Maintainers use these labels while reviewing bounty PRs. The `Gemini PR review` webhook sends new and updated PRs to the MergeOS reviewer service. That service checks repository star status, evidence, tests, bounty context, and code risk, then comments on the PR with the readiness summary:
 
 - `evidence: missing`
 - `evidence: provided`
@@ -54,6 +54,8 @@ Maintainers use these labels while reviewing bounty PRs. GitHub Copilot code rev
 - `bounty: bug`
 - `bounty: feature`
 
+GitHub Copilot code review can still flag code-quality and readiness issues when quota is available, but bounty readiness must not depend on Copilot being available.
+
 ## Payout Rule
 
 MRG token rewards are only eligible after:

README.md

@@ -274,6 +274,10 @@ Important backend variables:
 - `CRYPTO_RPC_URL`, `CRYPTO_RECEIVER`, `CRYPTO_ASSET`, `CRYPTO_TOKEN_CONTRACT`: crypto verifier
 - `GITHUB_TOKEN`, `GITHUB_OWNER`, `GITHUB_OWNER_TYPE`: backend runtime values for GitHub bounty repo creation and admin PR merge actions
 - `MERGEOS_GITHUB_TOKEN`: Docker Compose and GitHub Actions secret name that maps into backend `GITHUB_TOKEN`; use a personal access token with repo write access, not the automatic GitHub Actions token
+- `GEMINI_API_KEYS`: comma-separated Gemini API key pool for automated PR review round-robin
+- `GEMINI_REVIEW_MODEL`: Gemini reviewer model, default `gemini-2.5-flash`
+- `GEMINI_REVIEW_WEBHOOK_SECRET`: GitHub webhook secret used to verify `X-Hub-Signature-256`
+- `GEMINI_REVIEW_MAX_PATCH_BYTES`: max patch context sent to Gemini, default `70000`
 - `GITHUB_APP_ID`, `GITHUB_APP_CLIENT_ID`, `GITHUB_APP_CLIENT_SECRET`: backend runtime values for GitHub App user authorization, login, and MRG wallet linking
 - `MERGEOS_GITHUB_APP_ID`, `MERGEOS_GITHUB_APP_CLIENT_ID`, `MERGEOS_GITHUB_APP_CLIENT_SECRET`: Docker Compose and GitHub Actions secret names that map into the backend runtime values
 - `GITHUB_OAUTH_CLIENT_ID`, `GITHUB_OAUTH_CLIENT_SECRET`: legacy backend aliases still accepted for older OAuth configuration
@@ -292,6 +296,7 @@ Public:
 - `GET /api/public/ledger`
 - `GET /api/public/marketplace`
 - `POST /api/public/repo/issues`
+- `POST /api/integrations/github/pr-review` GitHub webhook receiver for Gemini PR review. Configure GitHub Webhooks with Payload URL `https://uta.mergeos.shop/api/integrations/github/pr-review`, Content type `application/json`, the same secret as `GEMINI_REVIEW_WEBHOOK_SECRET`, and events `Pull requests` plus `Issue comments`.
 
 Auth:
 

backend/.env.local.example

@@ -38,6 +38,10 @@ CRYPTO_MIN_CONFIRMATIONS=1
 GITHUB_TOKEN=
 GITHUB_OWNER=mergeos-bounties
 GITHUB_OWNER_TYPE=org
+GEMINI_API_KEYS=
+GEMINI_REVIEW_MODEL=gemini-2.5-flash
+GEMINI_REVIEW_WEBHOOK_SECRET=
+GEMINI_REVIEW_MAX_PATCH_BYTES=70000
 GITHUB_APP_ID=
 GITHUB_APP_CLIENT_ID=
 GITHUB_APP_CLIENT_SECRET=

backend/.env.production.example

@@ -38,6 +38,10 @@ CRYPTO_MIN_CONFIRMATIONS=3
 GITHUB_TOKEN=
 GITHUB_OWNER=mergeos-bounties
 GITHUB_OWNER_TYPE=org
+GEMINI_API_KEYS=
+GEMINI_REVIEW_MODEL=gemini-2.5-flash
+GEMINI_REVIEW_WEBHOOK_SECRET=
+GEMINI_REVIEW_MAX_PATCH_BYTES=70000
 GITHUB_APP_ID=
 GITHUB_APP_CLIENT_ID=
 GITHUB_APP_CLIENT_SECRET=

backend/internal/core/config.go

@@ -55,6 +55,11 @@ type Config struct {
 	GitHubOwner     string
 	GitHubOwnerType string
 
+	GeminiAPIKeys             []string
+	GeminiReviewModel         string
+	GeminiReviewWebhookSecret string
+	GeminiReviewMaxPatchBytes int64
+
 	GitHubAppID             string
 	GitHubOAuthClientID     string
 	GitHubOAuthClientSecret string
@@ -146,10 +151,20 @@ func LoadConfig() Config {
 		CryptoWeiPerUSDCent:    os.Getenv("CRYPTO_WEI_PER_USD_CENT"),
 		CryptoMinConfirmations: getenvInt64("CRYPTO_MIN_CONFIRMATIONS", 1),
 
-		GitHubToken:     os.Getenv("GITHUB_TOKEN"),
+		GitHubToken:     firstEnv("GITHUB_TOKEN", "MERGEOS_GITHUB_TOKEN"),
 		GitHubOwner:     getenv("GITHUB_OWNER", defaultGitHubOwner),
 		GitHubOwnerType: strings.ToLower(getenv("GITHUB_OWNER_TYPE", "org")),
 
+		GeminiAPIKeys: splitEnvList(firstEnv(
+			"GEMINI_API_KEYS",
+			"MERGEOS_GEMINI_API_KEYS",
+			"GEMINI_API_KEY",
+			"MERGEOS_GEMINI_API_KEY",
+		)),
+		GeminiReviewModel:         getenv("GEMINI_REVIEW_MODEL", "gemini-2.5-flash"),
+		GeminiReviewWebhookSecret: firstEnv("GEMINI_REVIEW_WEBHOOK_SECRET", "MERGEOS_GEMINI_REVIEW_WEBHOOK_SECRET"),
+		GeminiReviewMaxPatchBytes: getenvInt64("GEMINI_REVIEW_MAX_PATCH_BYTES", 70000),
+
 		GitHubAppID:             firstEnv("GITHUB_APP_ID", "MERGEOS_GITHUB_APP_ID"),
 		GitHubOAuthClientID:     githubOAuthClientID,
 		GitHubOAuthClientSecret: githubOAuthClientSecret,
@@ -236,6 +251,10 @@ func (c Config) GitHubReady() bool {
 	return c.GitHubToken != "" && c.GitHubOwner != ""
 }
 
+func (c Config) GeminiReviewReady() bool {
+	return len(c.GeminiAPIKeys) > 0 && c.GitHubToken != "" && c.GeminiReviewWebhookSecret != ""
+}
+
 func (c Config) GitHubOAuthReady() bool {
 	return c.GitHubOAuthClientID != "" && c.GitHubOAuthClientSecret != ""
 }
@@ -262,6 +281,20 @@ func firstEnv(keys ...string) string {
 	return ""
 }
 
+func splitEnvList(value string) []string {
+	parts := strings.FieldsFunc(value, func(r rune) bool {
+		return r == ',' || r == ';' || r == '\n' || r == '\r'
+	})
+	result := []string{}
+	for _, part := range parts {
+		part = strings.TrimSpace(part)
+		if part != "" {
+			result = append(result, part)
+		}
+	}
+	return result
+}
+
 func getenvBool(key string, fallback bool) bool {
 	value := strings.TrimSpace(os.Getenv(key))
 	if value == "" {