MAJOR fixes:
- ci.yml: Add fork protection (github.event.pull_request.head.repo.full_name check)
to prevent secret exfiltration from malicious fork PRs. Added security comment
explaining the trust model for this private repo.
- ci.yml: Set GITHUB_SERVER_URL to explicit Gitea URL instead of github.server_url
since reviews are posted to Gitea, not GitHub.
- release.yml: Set GITEA_URL explicitly to https://gitea.weiker.me since releases
are created on Gitea.
- action.yml: Change gitea-url default from empty (fallback to github.server_url)
to explicit https://gitea.weiker.me. Update all internal uses to rely on this
default rather than falling back to server_url.
MINOR fixes:
- action.yml: Update header comment to reflect dual-platform (Gitea Actions +
GitHub Actions) support.
- action.yml: Fix repo input description to say it defaults to rodin/review-bot
for version lookup, matching the actual code behavior.
- pr-ready-gate.yml: Add comments explaining why Gitea URL is hardcoded (intentional:
we update Gitea PR from GitHub mirror) and noting the PR number matching assumption.
All findings from sonnet-review, gpt-review, and security-review addressed.
- Copy .gitea/ to .github/ for GitHub Actions compatibility
- Update .github/workflows to use GITHUB_SERVER_URL/GITHUB_REPOSITORY
- Update main.go to accept both GITEA_* and GITHUB_* env vars
Works on both Gitea and GitHub without code changes.
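The fork-protection check described under MAJOR fixes above, written out as an added example workflow (not the repository's own ci.yml; the job name, the `REVIEW_TOKEN` secret and the `./review-bot` command are assumptions). The job-level `if:` compares the PR head repository with the repository the workflow runs in, so a pull request whose head lives in a fork never reaches the step that exposes the token:

```yaml
# Added example, not the project's ci.yml. Assumed names: job "review",
# secret REVIEW_TOKEN, binary ./review-bot.
name: review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    # Fork protection: for a PR opened from a fork,
    # github.event.pull_request.head.repo.full_name is "<forker>/<repo>", which
    # differs from github.repository ("<owner>/<repo>"), so the whole job is
    # skipped and the secret below is never placed in the runner environment.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run review bot
        env:
          REVIEW_TOKEN: ${{ secrets.REVIEW_TOKEN }}  # assumed secret name
        run: ./review-bot                           # assumed command
```

The check is most valuable when the workflow runs with the base repository's secrets, for example under `pull_request_target`, or on a self-hosted Gitea Actions instance whose fork policy differs from GitHub's. A quick way to confirm it works is to open a pull request from a fork and verify in the run log that the `review` job is listed as skipped rather than executed.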