review-bot

rodin/review-bot

Fork 0

Files

T

History

claw e709956d0b

PR Ready Gate / clear-labels (pull_request) Successful in 1s

Details

CI / test (pull_request) Successful in 18s

Details

CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 34s

Details

CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m21s

Details

CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m42s

Details

fix(action): use REST API for GitHub asset downloads, enforce trusted GITEA_URL

Addresses gpt-review-bot findings on PR #121:

MAJOR #1: The 'Run review' step set GITEA_URL from inputs.gitea-url which
could exfiltrate the reviewer token to an attacker-controlled host on
GitHub/GHES. Now uses steps.version.outputs.server_url which enforces
VCS-type-aware trust (github.server_url on GitHub, validated input on Gitea).

MAJOR #2: Private release asset downloads on GitHub/GHES used web URLs
({server}/.../releases/download/{tag}/{asset}) which redirect to S3 and
don't support Authorization headers for private repos. Now uses the GitHub
REST API: fetches release metadata by tag, extracts asset IDs, and downloads
via /repos/{owner}/{repo}/releases/assets/{id} with Accept: octet-stream.
Gitea path retains direct URL downloads (which work correctly there).

2026-05-13 21:38:49 -07:00

actions/review

fix(action): use REST API for GitHub asset downloads, enforce trusted GITEA_URL

2026-05-13 21:38:49 -07:00

workflows

ci: use rodin/security-patterns with '.' path for security reviewer

2026-05-11 07:12:25 -07:00