fix(action): address review feedback on VCS host detection and API URL

- Use github.api_url context for VCS type detection instead of hostname grep (fixes brittle detection that could misclassify GHES instances) - Use github.api_url directly for GitHub API calls (correct for both github.com and GHES, fixes incorrect /api/v3/ assumption) - Add action-repo-token input with smart defaults (github.token on GitHub, reviewer-token on Gitea) for private repo support - Add curl --connect-timeout and --max-time to all HTTP requests - Add checksum verification caveat noting same-server limitation - Add newline validation on VERSION before writing to GITHUB_OUTPUT - Remove incorrect comment about github.com using /api/v3/
2026-05-13 21:12:33 -07:00
parent d4d34aa029
commit 646497de68
1 changed files with 92 additions and 13 deletions
@@ -1,6 +1,7 @@
 # This composite action supports both Gitea Actions and GitHub Actions runners.
-# It detects the VCS host type (Gitea vs GitHub) from the server URL and uses
+# It detects the VCS host type using the github.api_url context (set only on
-# the appropriate releases API format for version resolution and binary download.
+# GitHub/GHES runners) and uses the appropriate releases API for version
 # resolution and binary download.
 # Requirements: python3, sha256sum, curl (all present on ubuntu-* runners).
 name: 'AI Code Review'
 description: 'Run AI-powered code review on a pull request using review-bot'
@@ -18,6 +19,10 @@ inputs:
    description: 'Repository hosting review-bot releases (owner/name). Defaults to github.action_repository or rodin/review-bot.'
    required: false
    default: ''
  action-repo-token:
    description: 'Token for downloading release assets from action-repo (defaults to github.token on GitHub, reviewer-token on Gitea). Required for private repos.'
    required: false
    default: ''
  pr-number:
    description: 'Pull request number (defaults to current PR)'
    required: false
@@ -131,25 +136,55 @@ runs:
          ACTION_REPO="rodin/review-bot"
        fi
-        # Detect VCS host type from server URL
+        # Detect VCS host type using github.api_url context.
-        # GitHub/GHES URLs contain "github" in the hostname
+        # github.api_url is set on GitHub.com (https://api.github.com) and GHES
-        if echo "$SERVER_URL" | grep -qi "github"; then
+        # (https://<host>/api/v3). It is empty/unset on Gitea Actions runners.
        GITHUB_API_URL="${{ github.api_url }}"
        if [ -n "$GITHUB_API_URL" ]; then
          VCS_TYPE="github"
        else
          VCS_TYPE="gitea"
        fi
        # Determine auth token for release API requests
        ACTION_TOKEN="${{ inputs.action-repo-token }}"
        if [ -z "$ACTION_TOKEN" ]; then
          if [ "$VCS_TYPE" = "github" ]; then
            ACTION_TOKEN="${{ github.token }}"
          else
            ACTION_TOKEN="${{ inputs.reviewer-token }}"
          fi
        fi
        if [ "${{ inputs.version }}" = "latest" ]; then
          if [ "$VCS_TYPE" = "github" ]; then
-            # GitHub REST API (GHES uses /api/v3/, github.com uses /api/v3/ too)
+            # Use github.api_url which resolves correctly for both github.com
-            API_URL="${SERVER_URL}/api/v3/repos/${ACTION_REPO}/releases?per_page=1"
+            # (https://api.github.com) and GHES (https://<host>/api/v3)
            API_URL="${GITHUB_API_URL}/repos/${ACTION_REPO}/releases?per_page=1"
          else
            # Gitea API
            API_URL="${SERVER_URL}/api/v1/repos/${ACTION_REPO}/releases?limit=1"
          fi
-          VERSION=$(curl -sSf "$API_URL" \
+          # Build auth header if token is available
          AUTH_HEADER=""
          if [ -n "$ACTION_TOKEN" ]; then
            if [ "$VCS_TYPE" = "github" ]; then
              AUTH_HEADER="Authorization: Bearer ${ACTION_TOKEN}"
            else
              AUTH_HEADER="Authorization: token ${ACTION_TOKEN}"
            fi
          fi
          if [ -n "$AUTH_HEADER" ]; then
            VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 \
              -H "$AUTH_HEADER" "$API_URL" \
              | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
          else
            VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 "$API_URL" \
              | python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
          fi
          if [ -z "$VERSION" ]; then
            echo "Failed to determine latest version from ${API_URL}" >&2
            exit 1
@@ -157,9 +192,18 @@ runs:
        else
          VERSION="${{ inputs.version }}"
        fi
        # Validate outputs don't contain newlines (defensive against injection)
        if printf '%s' "$VERSION" | grep -q $'\n'; then
          echo "Error: VERSION contains unexpected newline" >&2
          exit 1
        fi
        echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
        echo "action_repo=${ACTION_REPO}" >> "$GITHUB_OUTPUT"
        echo "server_url=${SERVER_URL}" >> "$GITHUB_OUTPUT"
        echo "vcs_type=${VCS_TYPE}" >> "$GITHUB_OUTPUT"
        echo "action_token=${ACTION_TOKEN}" >> "$GITHUB_OUTPUT"
    - name: Cache review-bot binary
      id: cache
@@ -175,16 +219,51 @@ runs:
        SERVER_URL="${{ steps.version.outputs.server_url }}"
        ACTION_REPO="${{ steps.version.outputs.action_repo }}"
        VERSION="${{ steps.version.outputs.version }}"
        VCS_TYPE="${{ steps.version.outputs.vcs_type }}"
        ACTION_TOKEN="${{ steps.version.outputs.action_token }}"
        BINARY="review-bot-linux-amd64"
        # Build auth args if token is available (supports private repos)
        AUTH_ARGS=""
        if [ -n "$ACTION_TOKEN" ]; then
          if [ "$VCS_TYPE" = "github" ]; then
            AUTH_ARGS="-H \"Authorization: Bearer ${ACTION_TOKEN}\""
          else
            AUTH_ARGS="-H \"Authorization: token ${ACTION_TOKEN}\""
          fi
        fi
        # Download URL format is the same on both Gitea and GitHub:
        # {server}/{owner}/{repo}/releases/download/{tag}/{asset}
-        curl -sSfL "${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}/${BINARY}" \
+        DOWNLOAD_URL="${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}"
-          -o "${{ runner.temp }}/review-bot"
+
-        curl -sSfL "${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}/checksums.txt" \
+        if [ -n "$ACTION_TOKEN" ]; then
-          -o "${{ runner.temp }}/checksums.txt"
+          if [ "$VCS_TYPE" = "github" ]; then
            curl -sSfL --connect-timeout 10 --max-time 120 \
              -H "Authorization: Bearer ${ACTION_TOKEN}" \
              "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
            curl -sSfL --connect-timeout 10 --max-time 30 \
              -H "Authorization: Bearer ${ACTION_TOKEN}" \
              "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
          else
            curl -sSfL --connect-timeout 10 --max-time 120 \
              -H "Authorization: token ${ACTION_TOKEN}" \
              "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
            curl -sSfL --connect-timeout 10 --max-time 30 \
              -H "Authorization: token ${ACTION_TOKEN}" \
              "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
          fi
        else
          curl -sSfL --connect-timeout 10 --max-time 120 \
            "${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
          curl -sSfL --connect-timeout 10 --max-time 30 \
            "${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
        fi
        # Verify SHA-256 checksum
        # NOTE: This verifies integrity (download wasn't corrupted) but not
        # authenticity — both binary and checksums come from the same server.
        # For stronger guarantees, consider GPG signature verification.
        cd "${{ runner.temp }}"
        EXPECTED=$(grep "${BINARY}" checksums.txt | awk '{print $1}')
        ACTUAL=$(sha256sum review-bot | awk '{print $1}')