rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

fix(action): address review feedback on VCS host detection and API URL
PR Ready Gate / clear-labels (pull_request) Successful in 2s
Details
CI / test (pull_request) Successful in 17s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 31s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m20s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m23s
Details

Browse Source 
- Use github.api_url context for VCS type detection instead of hostname
  grep (fixes brittle detection that could misclassify GHES instances)
- Use github.api_url directly for GitHub API calls (correct for both
  github.com and GHES, fixes incorrect /api/v3/ assumption)
- Add action-repo-token input with smart defaults (github.token on
  GitHub, reviewer-token on Gitea) for private repo support
- Add curl --connect-timeout and --max-time to all HTTP requests
- Add checksum verification caveat noting same-server limitation
- Add newline validation on VERSION before writing to GITHUB_OUTPUT
- Remove incorrect comment about github.com using /api/v3/
This commit is contained in:
claw
2026-05-13 21:12:33 -07:00
parent d4d34aa029
commit 646497de68
1 changed files with 92 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/actions/review/action.yml
+91 -12
View File
@@ -1,6 +1,7 @@
# This composite action supports both Gitea Actions and GitHub Actions runners.
# It detects the VCS host type (Gitea vs GitHub) from the server URL and uses
# the appropriate releases API format for version resolution and binary download.
# It detects the VCS host type using the github.api_url context (set only on
# GitHub/GHES runners) and uses the appropriate releases API for version
# resolution and binary download.
# Requirements: python3, sha256sum, curl (all present on ubuntu-* runners).
name: 'AI Code Review'
description: 'Run AI-powered code review on a pull request using review-bot'
@@ -18,6 +19,10 @@ inputs:
description: 'Repository hosting review-bot releases (owner/name). Defaults to github.action_repository or rodin/review-bot.'
required: false
default: ''
action-repo-token:
description: 'Token for downloading release assets from action-repo (defaults to github.token on GitHub, reviewer-token on Gitea). Required for private repos.'
required: false
default: ''
pr-number:
description: 'Pull request number (defaults to current PR)'
required: false
@@ -131,25 +136,55 @@ runs:
ACTION_REPO="rodin/review-bot"
fi
# Detect VCS host type from server URL
# GitHub/GHES URLs contain "github" in the hostname
if echo "$SERVER_URL" | grep -qi "github"; then
# Detect VCS host type using github.api_url context.
# github.api_url is set on GitHub.com (https://api.github.com) and GHES
# (https://<host>/api/v3). It is empty/unset on Gitea Actions runners.
GITHUB_API_URL="${{ github.api_url }}"
if [ -n "$GITHUB_API_URL" ]; then
VCS_TYPE="github"
else
VCS_TYPE="gitea"
fi
# Determine auth token for release API requests
ACTION_TOKEN="${{ inputs.action-repo-token }}"
if [ -z "$ACTION_TOKEN" ]; then
if [ "$VCS_TYPE" = "github" ]; then
ACTION_TOKEN="${{ github.token }}"
else
ACTION_TOKEN="${{ inputs.reviewer-token }}"
fi
fi
if [ "${{ inputs.version }}" = "latest" ]; then
if [ "$VCS_TYPE" = "github" ]; then
# GitHub REST API (GHES uses /api/v3/, github.com uses /api/v3/ too)
API_URL="${SERVER_URL}/api/v3/repos/${ACTION_REPO}/releases?per_page=1"
# Use github.api_url which resolves correctly for both github.com
# (https://api.github.com) and GHES (https://<host>/api/v3)
API_URL="${GITHUB_API_URL}/repos/${ACTION_REPO}/releases?per_page=1"
else
# Gitea API
API_URL="${SERVER_URL}/api/v1/repos/${ACTION_REPO}/releases?limit=1"
fi
VERSION=$(curl -sSf "$API_URL" \
# Build auth header if token is available
AUTH_HEADER=""
if [ -n "$ACTION_TOKEN" ]; then
if [ "$VCS_TYPE" = "github" ]; then
AUTH_HEADER="Authorization: Bearer ${ACTION_TOKEN}"
else
AUTH_HEADER="Authorization: token ${ACTION_TOKEN}"
fi
fi
if [ -n "$AUTH_HEADER" ]; then
VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 \
-H "$AUTH_HEADER" "$API_URL" \
| python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
else
VERSION=$(curl -sSf --connect-timeout 10 --max-time 30 "$API_URL" \
| python3 -c "import sys, json; releases = json.load(sys.stdin); print(releases[0]['tag_name'] if releases else '')")
fi
if [ -z "$VERSION" ]; then
echo "Failed to determine latest version from ${API_URL}" >&2
exit 1
@@ -157,9 +192,18 @@ runs:
else
VERSION="${{ inputs.version }}"
fi
# Validate outputs don't contain newlines (defensive against injection)
if printf '%s' "$VERSION" | grep -q $'\n'; then
echo "Error: VERSION contains unexpected newline" >&2
exit 1
fi
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "action_repo=${ACTION_REPO}" >> "$GITHUB_OUTPUT"
echo "server_url=${SERVER_URL}" >> "$GITHUB_OUTPUT"
echo "vcs_type=${VCS_TYPE}" >> "$GITHUB_OUTPUT"
echo "action_token=${ACTION_TOKEN}" >> "$GITHUB_OUTPUT"
- name: Cache review-bot binary
id: cache
@@ -175,16 +219,51 @@ runs:
SERVER_URL="${{ steps.version.outputs.server_url }}"
ACTION_REPO="${{ steps.version.outputs.action_repo }}"
VERSION="${{ steps.version.outputs.version }}"
VCS_TYPE="${{ steps.version.outputs.vcs_type }}"
ACTION_TOKEN="${{ steps.version.outputs.action_token }}"
BINARY="review-bot-linux-amd64"
# Build auth args if token is available (supports private repos)
AUTH_ARGS=""
if [ -n "$ACTION_TOKEN" ]; then
if [ "$VCS_TYPE" = "github" ]; then
AUTH_ARGS="-H \"Authorization: Bearer ${ACTION_TOKEN}\""
else
AUTH_ARGS="-H \"Authorization: token ${ACTION_TOKEN}\""
fi
fi
# Download URL format is the same on both Gitea and GitHub:
# {server}/{owner}/{repo}/releases/download/{tag}/{asset}
curl -sSfL "${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}/${BINARY}" \
-o "${{ runner.temp }}/review-bot"
curl -sSfL "${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}/checksums.txt" \
-o "${{ runner.temp }}/checksums.txt"
DOWNLOAD_URL="${SERVER_URL}/${ACTION_REPO}/releases/download/${VERSION}"
if [ -n "$ACTION_TOKEN" ]; then
if [ "$VCS_TYPE" = "github" ]; then
curl -sSfL --connect-timeout 10 --max-time 120 \
-H "Authorization: Bearer ${ACTION_TOKEN}" \
"${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
curl -sSfL --connect-timeout 10 --max-time 30 \
-H "Authorization: Bearer ${ACTION_TOKEN}" \
"${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
else
curl -sSfL --connect-timeout 10 --max-time 120 \
-H "Authorization: token ${ACTION_TOKEN}" \
"${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
curl -sSfL --connect-timeout 10 --max-time 30 \
-H "Authorization: token ${ACTION_TOKEN}" \
"${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
fi
else
curl -sSfL --connect-timeout 10 --max-time 120 \
"${DOWNLOAD_URL}/${BINARY}" -o "${{ runner.temp }}/review-bot"
curl -sSfL --connect-timeout 10 --max-time 30 \
"${DOWNLOAD_URL}/checksums.txt" -o "${{ runner.temp }}/checksums.txt"
fi
# Verify SHA-256 checksum
# NOTE: This verifies integrity (download wasn't corrupted) but not
# authenticity — both binary and checksums come from the same server.
# For stronger guarantees, consider GPG signature verification.
cd "${{ runner.temp }}"
EXPECTED=$(grep "${BINARY}" checksums.txt | awk '{print $1}')
ACTUAL=$(sha256sum review-bot | awk '{print $1}')