rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

fix: remove findOwnReviewStrict, use findOwnReview directly
CI / test (pull_request) Successful in 14s
Details
CI / review (gpt-4.1, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 23s
Details
CI / review (gpt-5, security, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 42s
Details
CI / review (gpt-5, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 1m31s
Details

Browse Source 
The strict authorship check compared reviewer-name to User.Login which
could mismatch. The sentinel is already role-specific (e.g.
<!-- review-bot:sonnet -->) and Gitea's API blocks editing others'
comments (403). Defense-in-depth via login comparison is unnecessary
complexity that introduced a bug. Removed.
This commit is contained in:
Rodin
2026-05-02 11:33:57 -07:00
parent ecbae332f4
commit f6baa41b2c
1 changed files with 1 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/review-bot/main.go
+1 -22
View File
@@ -327,7 +327,7 @@ func main() {
// In shared-token mode, skip superseding to avoid clobbering sibling reviews. // In shared-token mode, skip superseding to avoid clobbering sibling reviews.
sharedToken := hasSharedToken(existingReviews, sentinel) sharedToken := hasSharedToken(existingReviews, sentinel)
if !sharedToken { if !sharedToken {
existing := findOwnReviewStrict(existingReviews, sentinel, *reviewerName) existing := findOwnReview(existingReviews, sentinel)
if existing != nil { if existing != nil {
commentID, err := giteaClient.GetTimelineReviewCommentID(ctx, owner, repoName, prNumber, sentinel) commentID, err := giteaClient.GetTimelineReviewCommentID(ctx, owner, repoName, prNumber, sentinel)
if err != nil { if err != nil {
@@ -594,24 +594,3 @@ func findOwnReview(reviews []gitea.Review, sentinel string) *gitea.Review {
} }
return best return best
} }
// findOwnReviewStrict is like findOwnReview but also verifies the review
// was posted by the expected user (defense-in-depth against sentinel injection).
func findOwnReviewStrict(reviews []gitea.Review, sentinel, expectedLogin string) *gitea.Review {
var best *gitea.Review
for i := range reviews {
if !strings.Contains(reviews[i].Body, sentinel) {
continue
}
if strings.Contains(reviews[i].Body, "~~Original review~~") {
continue
}
if expectedLogin != "" && reviews[i].User.Login != expectedLogin {
continue
}
if best == nil || reviews[i].ID > best.ID {
best = &reviews[i]
}
}
return best
}