rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity

fix: address PR #75 review findings
PR Ready Gate / clear-labels (pull_request) Successful in 2s
Details
CI / test (pull_request) Successful in 18s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 39s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m32s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 3m18s
Details

Browse Source 
MAJOR fixes:
- ci.yml: Add fork protection (github.event.pull_request.head.repo.full_name check)
  to prevent secret exfiltration from malicious fork PRs. Added security comment
  explaining the trust model for this private repo.
- ci.yml: Set GITHUB_SERVER_URL to explicit Gitea URL instead of github.server_url
  since reviews are posted to Gitea, not GitHub.
- release.yml: Set GITEA_URL explicitly to https://gitea.weiker.me since releases
  are created on Gitea.
- action.yml: Change gitea-url default from empty (fallback to github.server_url)
  to explicit https://gitea.weiker.me. Update all internal uses to rely on this
  default rather than falling back to server_url.

MINOR fixes:
- action.yml: Update header comment to reflect dual-platform (Gitea Actions +
  GitHub Actions) support.
- action.yml: Fix repo input description to say it defaults to rodin/review-bot
  for version lookup, matching the actual code behavior.
- pr-ready-gate.yml: Add comments explaining why Gitea URL is hardcoded (intentional:
  we update Gitea PR from GitHub mirror) and noting the PR number matching assumption.

All findings from sonnet-review, gpt-review, and security-review addressed.
This commit is contained in:
Rodin
2026-05-11 08:52:23 -07:00
parent dd003c66d5
commit 29ab19c94d
4 changed files with 28 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
+8 -3
View File
@@ -22,9 +22,13 @@ jobs:
# Models must match SAP AI Core deployments
# Available models: gpt-5, anthropic--claude-4.6-sonnet, anthropic--claude-4.6-opus
# Removed gpt-4.1, gpt-5-mini, gpt-4.1-mini - not deployed on AI Core
#
# SECURITY: This job runs on pull_request and has access to secrets.
# We restrict to same-repo PRs only (no forks) since this is a private repo
# where PRs only come from trusted actors (rodin/aweiker).
review:
runs-on: ubuntu-24.04
if: github.event_name == 'pull_request'
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
needs: test
strategy:
matrix:
@@ -49,8 +53,9 @@ jobs:
- run: go build -o review-bot ./cmd/review-bot
- name: Run ${{ matrix.name }} review
env:
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_REPOSITORY: ${{ github.repository }}
# Use Gitea API - reviews are posted to Gitea, not GitHub
GITHUB_SERVER_URL: https://gitea.weiker.me
GITHUB_REPOSITORY: rodin/review-bot
PR_NUMBER: ${{ github.event.pull_request.number }}
REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}
REVIEWER_NAME: ${{ matrix.name }}