rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity
Files
29ab19c94d9349870560ef33996cc3aaf4ece10a
review-bot/.github/workflows/pr-ready-gate.yml
T
Rodin 29ab19c94d
PR Ready Gate / clear-labels (pull_request) Successful in 2s
Details
CI / test (pull_request) Successful in 18s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 39s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m32s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 3m18s
Details
fix: address PR #75 review findings 
MAJOR fixes:
- ci.yml: Add fork protection (github.event.pull_request.head.repo.full_name check)
  to prevent secret exfiltration from malicious fork PRs. Added security comment
  explaining the trust model for this private repo.
- ci.yml: Set GITHUB_SERVER_URL to explicit Gitea URL instead of github.server_url
  since reviews are posted to Gitea, not GitHub.
- release.yml: Set GITEA_URL explicitly to https://gitea.weiker.me since releases
  are created on Gitea.
- action.yml: Change gitea-url default from empty (fallback to github.server_url)
  to explicit https://gitea.weiker.me. Update all internal uses to rely on this
  default rather than falling back to server_url.

MINOR fixes:
- action.yml: Update header comment to reflect dual-platform (Gitea Actions +
  GitHub Actions) support.
- action.yml: Fix repo input description to say it defaults to rodin/review-bot
  for version lookup, matching the actual code behavior.
- pr-ready-gate.yml: Add comments explaining why Gitea URL is hardcoded (intentional:
  we update Gitea PR from GitHub mirror) and noting the PR number matching assumption.

All findings from sonnet-review, gpt-review, and security-review addressed.
2026-05-11 08:52:23 -07:00

44 lines
1.9 KiB
YAML
Raw Blame History

name: PR Ready Gate
on:
pull_request:
types: [synchronize]
jobs:
clear-labels:
runs-on: ubuntu-24.04
# Always run - curl commands are safe if labels don't exist
steps:
- name: Remove ready and self-reviewed labels, reassign to author
env:
GITEA_TOKEN: ${{ secrets.RODIN_TOKEN }}
run: |
# NOTE: This workflow runs on the GitHub mirror but updates the Gitea PR.
# PR numbers may differ between GitHub and Gitea mirrors in edge cases.
# For this repo, PRs are created on Gitea and mirrored, so numbers match.
PR_NUMBER=${{ github.event.pull_request.number }}
AUTHOR=${{ github.event.pull_request.user.login }}
READY_LABEL_ID=38
SELF_REVIEWED_LABEL_ID=37
# INTENTIONAL: Hardcoded Gitea URL because we always update the Gitea PR,
# not GitHub. The mirror relationship means we want changes on Gitea.
# Remove ready label if present
curl -sS -X DELETE \
-H "Authorization: token $GITEA_TOKEN" \
"https://gitea.weiker.me/api/v1/repos/${{ github.repository }}/issues/${PR_NUMBER}/labels/${READY_LABEL_ID}" || true
# Remove self-reviewed label if present
curl -sS -X DELETE \
-H "Authorization: token $GITEA_TOKEN" \
"https://gitea.weiker.me/api/v1/repos/${{ github.repository }}/issues/${PR_NUMBER}/labels/${SELF_REVIEWED_LABEL_ID}" || true
# Reassign to author
curl -sS -X PATCH \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"assignees\": [\"${AUTHOR}\"]}" \
"https://gitea.weiker.me/api/v1/repos/${{ github.repository }}/pulls/${PR_NUMBER}"
echo "Cleared ready/self-reviewed labels and reassigned PR #${PR_NUMBER} to ${AUTHOR}"
Reference in New Issue View Git Blame Copy Permalink