fix: address PR #75 review findings

MAJOR fixes: - ci.yml: Add fork protection (github.event.pull_request.head.repo.full_name check) to prevent secret exfiltration from malicious fork PRs. Added security comment explaining the trust model for this private repo. - ci.yml: Set GITHUB_SERVER_URL to explicit Gitea URL instead of github.server_url since reviews are posted to Gitea, not GitHub. - release.yml: Set GITEA_URL explicitly to https://gitea.weiker.me since releases are created on Gitea. - action.yml: Change gitea-url default from empty (fallback to github.server_url) to explicit https://gitea.weiker.me. Update all internal uses to rely on this default rather than falling back to server_url. MINOR fixes: - action.yml: Update header comment to reflect dual-platform (Gitea Actions + GitHub Actions) support. - action.yml: Fix repo input description to say it defaults to rodin/review-bot for version lookup, matching the actual code behavior. - pr-ready-gate.yml: Add comments explaining why Gitea URL is hardcoded (intentional: we update Gitea PR from GitHub mirror) and noting the PR number matching assumption. All findings from sonnet-review, gpt-review, and security-review addressed.
2026-05-11 08:52:23 -07:00
parent dd003c66d5
commit 29ab19c94d
4 changed files with 28 additions and 14 deletions
@@ -1,17 +1,17 @@
-# This composite action is designed for Gitea Actions runners.
-# Gitea Actions supports GitHub Actions syntax including $GITHUB_OUTPUT,
-# actions/cache, and actions/checkout.
+# Composite action for Gitea Actions and GitHub Actions runners.
+# Supports dual-platform deployment: reviews can be triggered from GitHub (mirrored repo)
+# or Gitea, but always post results to the Gitea PR.
 # Requirements: python3, sha256sum, curl (all present on ubuntu-* runners).
 name: 'AI Code Review'
 description: 'Run AI-powered code review on a pull request using review-bot'

 inputs:
  gitea-url:
-    description: 'Gitea instance URL (defaults to server_url)'
+    description: 'Gitea instance URL for API calls and releases (defaults to https://gitea.weiker.me)'
    required: false
-    default: ''
+    default: 'https://gitea.weiker.me'
  repo:
-    description: 'Repository (owner/name, defaults to current)'
+    description: 'Repository (owner/name, defaults to rodin/review-bot for version lookup)'
    required: false
    default: ''
  pr-number:
@@ -112,7 +112,8 @@ runs:
      id: version
      shell: bash
      run: |
-        GITEA_URL="${{ inputs.gitea-url || github.server_url }}"
+        # Use explicit gitea-url input, falling back to default (https://gitea.weiker.me)
+        GITEA_URL="${{ inputs.gitea-url }}"
        REPO="${{ inputs.repo || 'rodin/review-bot' }}"
        if [ "${{ inputs.version }}" = "latest" ]; then
          VERSION=$(curl -sSf "${GITEA_URL}/api/v1/repos/${REPO}/releases?limit=1" \
@@ -137,7 +138,8 @@ runs:
      if: steps.cache.outputs.cache-hit != 'true'
      shell: bash
      run: |
-        GITEA_URL="${{ inputs.gitea-url || github.server_url }}"
+        # Use explicit gitea-url input for release downloads
+        GITEA_URL="${{ inputs.gitea-url }}"
        REPO="${{ inputs.repo || 'rodin/review-bot' }}"
        VERSION="${{ steps.version.outputs.version }}"
        BINARY="review-bot-linux-amd64"
@@ -169,7 +171,8 @@ runs:
    - name: Run review
      shell: bash
      env:
-        GITHUB_SERVER_URL: ${{ inputs.gitea-url || github.server_url }}
+        # Always use Gitea API - reviews are posted to Gitea regardless of where workflow runs
+        GITHUB_SERVER_URL: ${{ inputs.gitea-url }}
        GITHUB_REPOSITORY: ${{ inputs.repo || github.repository }}
        PR_NUMBER: ${{ inputs.pr-number || github.event.pull_request.number }}
        REVIEWER_TOKEN: ${{ inputs.reviewer-token }}