From 646497de681c55e0523f2924efa6059bbfbc43fd Mon Sep 17 00:00:00 2001 From: claw Date: Wed, 13 May 2026 21:12:33 -0700 Subject: [PATCH] fix(action): address review feedback on VCS host detection and API URL - Use github.api_url context for VCS type detection instead of hostname grep (fixes brittle detection that could misclassify GHES instances) - Use github.api_url directly for GitHub API calls (correct for both github.com and GHES, fixes incorrect /api/v3/ assumption) - Add action-repo-token input with smart defaults (github.token on GitHub, reviewer-token on Gitea) for private repo support - Add curl --connect-timeout and --max-time to all HTTP requests - Add checksum verification caveat noting same-server limitation - Add newline validation on VERSION before writing to GITHUB_OUTPUT - Remove incorrect comment about github.com using /api/v3/ --- .gitea/actions/review/action.yml | 105 +++++++++++++++++++++++++++---- 1 file changed, 92 insertions(+), 13 deletions(-) diff --git a/.gitea/actions/review/action.yml b/.gitea/actions/review/action.yml index cd8144c..c7a3828 100644 --- a/.gitea/actions/review/action.yml +++ b/.gitea/actions/review/action.yml @@ -1,6 +1,7 @@ # This composite action supports both Gitea Actions and GitHub Actions runners. -# It detects the VCS host type (Gitea vs GitHub) from the server URL and uses -# the appropriate releases API format for version resolution and binary download. +# It detects the VCS host type using the github.api_url context (set only on +# GitHub/GHES runners) and uses the appropriate releases API for version +# resolution and binary download. # Requirements: python3, sha256sum, curl (all present on ubuntu-* runners). name: 'AI Code Review' description: 'Run AI-powered code review on a pull request using review-bot' @@ -18,6 +19,10 @@ inputs: description: 'Repository hosting review-bot releases (owner/name). Defaults to github.action_repository or rodin/review-bot.' required: false default: '' + action-repo-token: + description: 'Token for downloading release assets from action-repo (defaults to github.token on GitHub, reviewer-token on Gitea). Required for private repos.' + required: false + default: '' pr-number: description: 'Pull request number (defaults to current PR)' required: false @@ -131,25 +136,55 @@ runs: ACTION_REPO="rodin/review-bot" fi - # Detect VCS host type from server URL - # GitHub/GHES URLs contain "github" in the hostname - if echo "$SERVER_URL" | grep -qi "github"; then + # Detect VCS host type using github.api_url context. + # github.api_url is set on GitHub.com (https://api.github.com) and GHES + # (https:///api/v3). It is empty/unset on Gitea Actions runners. + GITHUB_API_URL="${{ github.api_url }}" + if [ -n "$GITHUB_API_URL" ]; then VCS_TYPE="github" else VCS_TYPE="gitea" fi + # Determine auth token for release API requests + ACTION_TOKEN="${{ inputs.action-repo-token }}" + if [ -z "$ACTION_TOKEN" ]; then + if [ "$VCS_TYPE" = "github" ]; then + ACTION_TOKEN="${{ github.token }}" + else + ACTION_TOKEN="${{ inputs.reviewer-token }}" + fi + fi + if [ "${{ inputs.version }}" = "latest" ]; then if [ "$VCS_TYPE" = "github" ]; then - # GitHub REST API (GHES uses /api/v3/, github.com uses /api/v3/ too) - API_URL="${SERVER_URL}/api/v3/repos/${ACTION_REPO}/releases?per_page=1" + # Use github.api_url which resolves correctly for both github.com + # (https://api.github.com) and GHES (https:///api/v3) + API_URL="${GITHUB_API_URL}/repos/${ACTION_REPO}/releases?per_page=1" else # Gitea API API_URL="${SERVER_URL}/api/v1/repos/${ACTION_REPO}/releases?limit=1" fi - VERSION=$(curl -sSf "$API_URL" \ - | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')") + # Build auth header if token is available + AUTH_HEADER="" + if [ -n "$ACTION_TOKEN" ]; then + if [ "$VCS_TYPE" = "github" ]; then + AUTH_HEADER="Authorization: Bearer ${ACTION_TOKEN}" + else + AUTH_HEADER="Authorization: token ${ACTION_TOKEN}" + fi + fi + + if [ -n "$AUTH_HEADER" ]; then + VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 \ + -H "$AUTH_HEADER" "$API_URL" \ + | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')") + else + VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 "$API_URL" \ + | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')") + fi + if [ -z "$VERSION" ]; then echo "Failed to determine latest version from ${API_URL}" >&2 exit 1 @@ -157,9 +192,18 @@ runs: else VERSION="${{ inputs.version }}" fi + + # Validate outputs don't contain newlines (defensive against injection) + if printf '%s' "$VERSION" | grep -q $'\n'; then + echo "Error: VERSION contains unexpected newline" >&2 + exit 1 + fi + echo "version=${VERSION}" >> "$GITHUB_OUTPUT" echo "action_repo=${ACTION_REPO}" >> "$GITHUB_OUTPUT" echo "server_url=${SERVER_URL}" >> "$GITHUB_OUTPUT" + echo "vcs_type=${VCS_TYPE}" >> "$GITHUB_OUTPUT" + echo "action_token=${ACTION_TOKEN}" >> "$GITHUB_OUTPUT" - name: Cache review-bot binary id: cache @@ -175,16 +219,51 @@ runs: SERVER_URL="${{ steps.version.outputs.server_url }}" ACTION_REPO="${{ steps.version.outputs.action_repo }}" VERSION="${{ steps.version.outputs.version }}" + VCS_TYPE="${{ steps.version.outputs.vcs_type }}" + ACTION_TOKEN="${{ steps.version.outputs.action_token }}" BINARY="review-bot-linux-amd64" + # Build auth args if token is available (supports private repos) + AUTH_ARGS="" + if [ -n "$ACTION_TOKEN" ]; then + if [ "$VCS_TYPE" = "github" ]; then + AUTH_ARGS="-H \"Authorization: Bearer ${ACTION_TOKEN}\"" + else + AUTH_ARGS="-H \"Authorization: token ${ACTION_TOKEN}\"" + fi + fi + # Download URL format is the same on both Gitea and GitHub: # {server}/{owner}/{repo}/releases/download/{tag}/{asset} - curl -sSfL "${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}/${BINARY}" \ - -o "${{ runner.temp }}/review-bot" - curl -sSfL "${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}/checksums.txt" \ - -o "${{ runner.temp }}/checksums.txt" + DOWNLOAD_URL="${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}" + + if [ -n "$ACTION_TOKEN" ]; then + if [ "$VCS_TYPE" = "github" ]; then + curl -sSfL --connect-timeout 10 --max-time 120 \ + -H "Authorization: Bearer ${ACTION_TOKEN}" \ + "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot" + curl -sSfL --connect-timeout 10 --max-time 30 \ + -H "Authorization: Bearer ${ACTION_TOKEN}" \ + "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt" + else + curl -sSfL --connect-timeout 10 --max-time 120 \ + -H "Authorization: token ${ACTION_TOKEN}" \ + "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot" + curl -sSfL --connect-timeout 10 --max-time 30 \ + -H "Authorization: token ${ACTION_TOKEN}" \ + "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt" + fi + else + curl -sSfL --connect-timeout 10 --max-time 120 \ + "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot" + curl -sSfL --connect-timeout 10 --max-time 30 \ + "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt" + fi # Verify SHA-256 checksum + # NOTE: This verifies integrity (download wasn't corrupted) but not + # authenticity — both binary and checksums come from the same server. + # For stronger guarantees, consider GPG signature verification. cd "${{ runner.temp }}" EXPECTED=$(grep "${BINARY}" checksums.txt | awk '{print $1}') ACTUAL=$(sha256sum review-bot | awk '{print $1}')