Add AI-powered PR review workflow via docker/cagent-action #13659

Merged. glours merged 1 commit into main from add-pr-review-workflow, Mar 23, 2026
@glours glours commented Mar 23, 2026

What I did
Introduce a GitHub Actions workflow that triggers an AI-powered code
review on pull requests using docker/cagent-action's reusable workflow.

  • Restrict comment-triggered runs to OWNER/MEMBER/COLLABORATOR
  • Gate on github.repository to prevent execution on forks
  • Filter out draft PRs and bot actors
  • Only trigger on PR comments, not plain issue comments
  • Serialize reviews per PR via concurrency group

Related issue
N/A

(not mandatory) A picture of a cute animal, if possible in relation to what you did
#BackInTheGame 🐙

Copilot AI review requested due to automatic review settings March 23, 2026 16:17
@glours glours requested a review from a team as a code owner March 23, 2026 16:17
@glours glours requested a review from ndeloof March 23, 2026 16:17
@glours glours self-assigned this Mar 23, 2026
Copilot AI left a comment

Pull request overview

Adds an automated “AI PR review” GitHub Actions workflow that runs a reusable workflow from docker/cagent-action to post review feedback on PR open / ready-for-review events and on certain PR-related comments.

Changes:

  • Introduces .github/workflows/pr-review.yml to run docker/cagent-action’s review-pr.yml reusable workflow.
  • Adds gating logic intended to restrict comment-triggered runs (association allowlist), skip drafts/bots, and serialize reviews via a concurrency group.

github.repository == 'docker/compose' &&
(github.event_name != 'pull_request_target' || github.event.pull_request.draft == false) &&
(github.event_name == 'pull_request_target' ||
(github.event.issue.pull_request &&
Copilot AI Mar 23, 2026

The collaborator-gating clause only handles issue_comment payloads (github.event.issue.pull_request). For pull_request_review_comment events this property isn't present, so the job will be skipped (or the expression may evaluate unexpectedly) and review-comment triggers won't work. Consider branching the if by github.event_name and applying the same author_association allowlist to both issue_comment and pull_request_review_comment payload shapes.

Suggested change
(github.event.issue.pull_request &&
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'pull_request_review_comment' &&

Comment on lines +25 to +27
github.repository == 'docker/compose' &&
(github.event_name != 'pull_request_target' || github.event.pull_request.draft == false) &&
(github.event_name == 'pull_request_target' ||
Copilot AI Mar 23, 2026

PR description says draft PRs are filtered out, but the draft check is only applied for pull_request_target. The comment-triggered paths (issue_comment / pull_request_review_comment) can still run on draft PRs. If drafts should be excluded consistently, add a draft gate for comment events (likely requiring fetching PR details via the API/reusable workflow) or adjust the triggers accordingly.

# Require collaborator-level access for comment-triggered events.
# Only trigger on PR comments, not plain issue comments.
if: >-
github.repository == 'docker/compose' &&
Copilot AI Mar 23, 2026

The fork-protection check github.repository == 'docker/compose' does not actually prevent runs on PRs opened from forks (for pull_request_target, github.repository is always the base repo). Since this workflow passes secrets to a reusable workflow, it should also gate on the PR head repo (e.g., ensure github.event.pull_request.head.repo.full_name == github.repository / head.repo.fork == false) to avoid exposing secrets to untrusted fork PRs.

Suggested change
github.repository == 'docker/compose' &&
github.repository == 'docker/compose' &&
(github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository) &&

  Introduce a GitHub Actions workflow that triggers an AI-powered code
  review on pull requests using docker/cagent-action's reusable workflow.

  - Restrict comment-triggered runs to OWNER/MEMBER/COLLABORATOR
  - Gate on github.repository to prevent execution on forks
  - Filter out draft PRs and bot actors
  - Only trigger on PR comments, not plain issue comments
  - Serialize reviews per PR via concurrency group

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@glours glours merged commit 2b9f60b into main Mar 23, 2026
46 checks passed
@glours glours deleted the add-pr-review-workflow branch March 23, 2026 16:38
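
The gating behaviour discussed in the review comments above, as an added example that is not part of the pull request or of docker/compose: a Python model of the job-level `if:` expression, evaluated over constructed event payloads. `reviewed_gate` follows the quoted fragments, with the allowlist clause after the visible fragment assumed from the PR description; `suggested_gate` applies the two suggested changes, with the truncated review-comment branch completed as the same allowlist (also an assumption). All function names and payloads are hypothetical.

```python
# Added example: model of the job-level `if:` gate quoted in the review comments.
# Assumption: clauses cut off in the snippets are filled in from the PR description.
BASE = "docker/compose"
ALLOWED = {"OWNER", "MEMBER", "COLLABORATOR"}

def reviewed_gate(ev):
    """Gate as quoted in the review snippets (bot-actor filter not modelled)."""
    name, pr = ev["event_name"], ev.get("pull_request", {})
    is_pr_comment = bool(ev.get("issue", {}).get("pull_request"))
    assoc = ev.get("comment", {}).get("author_association")
    return (ev["repository"] == BASE
            and (name != "pull_request_target" or pr.get("draft") is False)
            and (name == "pull_request_target"
                 or (is_pr_comment and assoc in ALLOWED)))

def suggested_gate(ev):
    """Gate with both suggested changes: head-repo check, per-event branching."""
    name, pr = ev["event_name"], ev.get("pull_request", {})
    assoc = ev.get("comment", {}).get("author_association")
    if ev["repository"] != BASE:
        return False
    if name == "pull_request_target":
        head = pr.get("head", {}).get("repo", {}).get("full_name")
        return pr.get("draft") is False and head == ev["repository"]
    if name == "issue_comment":
        return bool(ev.get("issue", {}).get("pull_request")) and assoc in ALLOWED
    return name == "pull_request_review_comment" and assoc in ALLOWED

def pr_event(head_repo, draft=False):
    return {"event_name": "pull_request_target", "repository": BASE,
            "pull_request": {"draft": draft,
                             "head": {"repo": {"full_name": head_repo}}}}

def comment_event(name, assoc):
    ev = {"event_name": name, "repository": BASE,
          "comment": {"author_association": assoc}}
    if name == "issue_comment":  # only this payload carries issue.pull_request
        ev["issue"] = {"pull_request": {"url": "constructed"}}
    return ev

# Constructed payloads, reduced to the fields the expressions read.
EVENTS = {
    "fork_pr_opened": pr_event("someone/compose"),
    "same_repo_pr_opened": pr_event(BASE),
    "member_review_comment": comment_event("pull_request_review_comment", "MEMBER"),
    "outsider_pr_comment": comment_event("issue_comment", "NONE"),
}

def compare():
    # Map each constructed event to (reviewed_gate, suggested_gate).
    return {k: (reviewed_gate(e), suggested_gate(e)) for k, e in EVENTS.items()}
```

`compare()` returns one pair per event, so the two cases where the gates disagree (the fork-opened PR and the member's review comment) can be read off directly.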