diff --git a/.github/workflows/comment-pr.yml b/.github/workflows/comment-pr.yml
new file mode 100644
index 0000000000..4aac84804a
--- /dev/null
+++ b/.github/workflows/comment-pr.yml
@@ -0,0 +1,56 @@
+# Description: This workflow is triggered when the `receive-pr` workflow completes to post suggestions on the PR.
+# Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code.
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+---
+name: comment-pr
+
+on:
+ workflow_run:
+ workflows: ["receive-pr"]
+ types:
+ - completed
+
+jobs:
+ post-suggestions:
+ # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+ env:
+ # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
+ ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{github.event.workflow_run.head_branch}}
+ repository: ${{github.event.workflow_run.head_repository.full_name}}
+
+ # Download the patch
+ - uses: actions/download-artifact@v4
+ with:
+ name: patch
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+ - name: Apply patch
+ run: |
+ git apply git-diff.patch --allow-empty
+ rm git-diff.patch
+
+ # Download the PR number
+ - uses: actions/download-artifact@v4
+ with:
+ name: pr_number
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+ - name: Read pr_number.txt
+ run: |
+ PR_NUMBER=$(cat pr_number.txt)
+ echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+ rm pr_number.txt
+
+ # Post suggestions as a comment on the PR
+ - uses: googleapis/code-suggester@v4
+ with:
+ command: review
+ pull_number: ${{ env.PR_NUMBER }}
+ git_dir: '.'
diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
new file mode 100644
index 0000000000..3821d89332
--- /dev/null
+++ b/.github/workflows/receive-pr.yml
@@ -0,0 +1,55 @@
+# Description: This workflow runs OpenRewrite recipes against opened pull request and upload the patch.
+# Since this pull request receives untrusted code, we should **NOT** have any secrets in the environment.
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+---
+name: receive-pr
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+ branches:
+ - master
+ - 2.[0-9]+
+ - 3.[0-9]+
+concurrency:
+ group: '${{ github.workflow }} @ ${{ github.ref }}'
+ cancel-in-progress: true
+
+jobs:
+ upload-patch:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{github.event.pull_request.head.ref}}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+ - uses: actions/setup-java@v4
+ with:
+ java-version: '21'
+ distribution: 'temurin'
+ cache: 'maven'
+
+ # Capture the PR number
+ # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+ - name: Create pr_number.txt
+ run: echo "${{ github.event.number }}" > pr_number.txt
+ - uses: actions/upload-artifact@v4
+ with:
+ name: pr_number
+ path: pr_number.txt
+ - name: Remove pr_number.txt
+ run: rm -f pr_number.txt
+
+ # Execute recipes
+ - name: Apply OpenRewrite recipes
+ run: mvn --activate-profiles openrewrite org.openrewrite.maven:rewrite-maven-plugin:run
+
+ # Capture the diff
+ - name: Create patch
+ run: |
+ git diff | tee git-diff.patch
+ - uses: actions/upload-artifact@v4
+ with:
+ name: patch
+ path: git-diff.patch
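Review bot: The `actions/checkout@v4` step at `ref: ${{github.event.pull_request.head.ref}}` keeps the action's default `persist-credentials: true`, so GITHUB_TOKEN is written into the checkout's `.git/config` before the `mvn ... rewrite-maven-plugin:run` step executes build logic taken from the PR (its pom.xml and any plugins it declares); that contradicts the header comment's intent that no secrets be reachable from untrusted code. For pull requests from forks the token is read-only, but for branches in this repository it carries the repository's default scopes. Add `persist-credentials: false` under the checkout's `with:` and a top-level `permissions:` block with `contents: read` so the token is harmless even if the build reads it.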
diff --git a/pom.xml b/pom.xml
index 5bc6ac8f2a..7451c482dd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -298,4 +298,37 @@ tools.jackson.core.*;version=${project.version}
test
+
+
+
+ openrewrite
+
+
+
+
+ org.openrewrite.maven
+ rewrite-maven-plugin
+ 5.41.0
+
+
+ org.openrewrite.java.OrderImports
+
+
+
+
+ true
+
+
+
+ io.github.timo-a
+ rewrite-recipe-starter
+ 0.4.0
+
+
+
+
+
+
+
+