fix: address review findings (path restriction, login cross-check, README)
CI / test (pull_request) Successful in 13s
CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 24s
CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m5s
CI / review (gpt-5, security, SECURITY_REVIEW.md, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m40s
- system-prompt-file: reject absolute paths and paths containing "..". Prevents reading arbitrary files outside the workspace on shared runners.
- Cleanup: cross-check r.User.Login == posted.User.Login before deletion. Defense-in-depth: only attempt to delete reviews from same author. Flagged by both sonnet and security reviewers.
- README: fix wording (cleanup happens after posting, not before)

Issues filed for deferred work:
- #24: Consistent url.PathEscape across all client endpoints
- #25: Binary signature verification for supply-chain hardening
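The system-prompt-file restriction described in the commit message, as an added Go example that is not the project's own code: the function name `resolvePromptFile` and its `workspace`/`userPath` parameters are assumptions. It goes a step beyond the message by rejecting ".." per path element (so a filename such as "notes..md" is still accepted) and re-checking the cleaned, joined path against the workspace.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a user-supplied prompt path could read
// outside the workspace (hypothetical name, not from the project).
var ErrUnsafePath = errors.New("system-prompt-file: path must be relative and stay inside the workspace")

// resolvePromptFile (assumed name) applies the restriction from the commit
// message: absolute paths and any ".." element are rejected, then the cleaned
// path is re-checked to still lie under workspace. It returns the full path.
func resolvePromptFile(workspace, userPath string) (string, error) {
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", ErrUnsafePath
	}
	// Check ".." as a whole path element rather than as a substring, so a
	// legitimate filename like "notes..md" is not a false positive.
	for _, elem := range strings.Split(filepath.ToSlash(userPath), "/") {
		if elem == ".." {
			return "", ErrUnsafePath
		}
	}
	// Belt and braces: Join cleans the path; if the result resolves to a
	// location outside workspace, Rel starts with "..".
	full := filepath.Join(workspace, userPath)
	rel, err := filepath.Rel(workspace, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate, one traversal attempt.
	for _, p := range []string{"prompts/security.md", "../secrets.txt"} {
		full, err := resolvePromptFile("/tmp/workspace", p)
		fmt.Printf("%-22s -> full=%q err=%v\n", p, full, err)
	}
}
```

Lexical checks like these do not follow symlinks; if the workspace can contain attacker-controlled symlinks, resolve the final path with filepath.EvalSymlinks and repeat the Rel check.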
@@ -7,7 +7,7 @@ AI-powered code review bot for Gitea pull requests. Fetches diff + context, send
- **Multi-provider**: OpenAI-compatible and Anthropic Messages API
- **Context-aware**: Fetches full file content, conventions, language patterns, CI status
- **Smart budget**: Automatically trims context to fit model token limits
- **Idempotent reviews**: Deletes previous review before posting new one (one review per bot)
- **Idempotent reviews**: Posts new review, then cleans up stale ones (one review per bot)
- **Custom prompts**: Load additional instructions from a file (e.g. security-focused review)
- **Zero dependencies**: Go stdlib only
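Review bot: the reworded "Idempotent reviews" line now describes a post-then-cleanup order, which makes "one review per bot" best-effort rather than guaranteed: if the delete call fails after the new review is posted, the stale review stays alongside the new one. Consider stating that explicitly, and that cleanup only targets reviews from the same bot login, which is the r.User.Login == posted.User.Login cross-check the commit message describes but the README does not mention.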