fix: address PR #75 review findings

MAJOR fixes: - ci.yml: Add fork protection (github.event.pull_request.head.repo.full_name check) to prevent secret exfiltration from malicious fork PRs. Added security comment explaining the trust model for this private repo. - ci.yml: Set GITHUB_SERVER_URL to explicit Gitea URL instead of github.server_url since reviews are posted to Gitea, not GitHub. - release.yml: Set GITEA_URL explicitly to https://gitea.weiker.me since releases are created on Gitea. - action.yml: Change gitea-url default from empty (fallback to github.server_url) to explicit https://gitea.weiker.me. Update all internal uses to rely on this default rather than falling back to server_url. MINOR fixes: - action.yml: Update header comment to reflect dual-platform (Gitea Actions + GitHub Actions) support. - action.yml: Fix repo input description to say it defaults to rodin/review-bot for version lookup, matching the actual code behavior. - pr-ready-gate.yml: Add comments explaining why Gitea URL is hardcoded (intentional: we update Gitea PR from GitHub mirror) and noting the PR number matching assumption. All findings from sonnet-review, gpt-review, and security-review addressed.
2026-05-11 08:52:23 -07:00
parent dd003c66d5
commit 29ab19c94d
4 changed files with 28 additions and 14 deletions
@@ -37,8 +37,9 @@ jobs:
          GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          VERSION=${GITHUB_REF_NAME}
-          GITEA_URL="${{ github.server_url }}"
-          REPO="${{ github.repository }}"
+          # Releases are created on Gitea, not GitHub - use explicit Gitea URL
+          GITEA_URL="https://gitea.weiker.me"
+          REPO="rodin/review-bot"

          # Create release (or find existing one for this tag)
          HTTP_CODE=$(curl -s -o /tmp/release_response.json -w "%{http_code}" -X POST \