Allow docker-agent to request reviews on its own PRs

[derekmisler]

Summary

This PR adds a trust bypass in action.yml for the docker-agent[bot] GitHub App, allowing it to trigger review workflows without passing the standard author_association authorization check. This enables automated flows (e.g., auto-triage posting /review) to work end-to-end without being blocked by the comment-auth guard.

Changes

• action.yml: Exposes github.event.comment.user.login as COMMENT_USER_LOGIN and adds an early-exit check that grants authorized=bot status when the commenter is docker-agent[bot], bypassing the author_association enforcement that applies to human commenters.

How to Test

• Have docker-agent[bot] post a /review comment on a PR and confirm the workflow proceeds past the auth step (output shows authorized=bot and no auth failure).
• Confirm a non-bot user without an allowed author_association is still blocked by the existing auth logic.
• Confirm a human user with a valid author_association (e.g., MEMBER) is still authorized through the normal path.

[derekmisler]

/describe

[docker-agent]

✅ PR description has been generated and updated!

[docker-agent]

🔴 Review Summary: CRITICAL

Assessment

This PR introduces critical security vulnerabilities in the authentication bypass logic. The code allows the docker-agent[bot] user to skip authorization checks, but relies solely on username string matching without verifying the user is actually a legitimate GitHub App bot.

Key Issues

• 🔴 CRITICAL: Authentication bypass can be exploited by any user who creates a GitHub account named docker-agent[bot]
• 🟡 MEDIUM: Authorization status authorized=bot may be trusted downstream without proper verification

Findings

2 CONFIRMED issues in changed code:

• 1 HIGH severity
• 1 MEDIUM severity

Recommendation

Before merging, implement proper GitHub App verification:

1. Check github.event.comment.user.type === 'Bot'
2. Verify the app_id matches the expected GitHub App ID
3. Consider adding cryptographic verification for additional security

---

This is an automated review. The bot provides feedback only and does not block merging.

[derekmisler]

/review

[docker-agent]

Review Summary

Assessment: 🔴 CRITICAL

This PR introduces a security bypass to allow docker-agent[bot] to trigger review workflows. While the intent is legitimate, two critical security vulnerabilities were identified in the implementation:

1. Environment variable override vulnerability (HIGH): Workflow authors can inject COMMENT_USER_LOGIN and COMMENT_USER_TYPE to bypass all authorization checks
2. Authorization hierarchy flaw (HIGH): The bot bypass skips role validation that protects against unauthorized workflow triggers

Findings Summary

• 🔴 2 CRITICAL issues (high severity, confirmed)
• ⚠️ 1 NOTABLE issue (low severity, likely)

---

Details

The bot bypass implementation has significant security implications that should be addressed before merging.

[derekmisler]

/review

[docker-agent]

Review Summary

Assessment: 🔴 CRITICAL

CRITICAL security vulnerability found in the bot authorization bypass logic. The code allows empty app IDs to match, which could incorrectly grant bot-level authorization to non-app commenters.

Additional security concerns identified:

• Bot bypass skips all authorization checks without fallback verification
• Same app ID is used for both reviewer identity and authorization bypass

Findings

3 issues found (1 CRITICAL, 2 MEDIUM)

---

This is an automated review — Always use your judgment. The bot provides feedback only and never blocks or approves merges.

[docker-agent]

🔴 CRITICAL: Empty app ID comparison could incorrectly bypass authorization

The check at line 217 compares COMMENT_APP_ID to TRUSTED_BOT_APP_ID. However, both values use jq -r '... // empty' which returns an empty string when the field is missing or null.

If COMMENT_APP_ID is empty (comment not made via a GitHub App) AND TRUSTED_BOT_APP_ID is also empty (the default value), the bash comparison [ "" = "" ] succeeds and the bot bypass is incorrectly granted.

Impact: Non-app bot users could bypass authorization checks.

Fix: Add explicit non-empty checks:

if [ "$COMMENT_USER_TYPE" = "Bot" ] && \
   [ -n "$COMMENT_APP_ID" ] && \
   [ -n "$TRUSTED_BOT_APP_ID" ] && \
   [ "$COMMENT_APP_ID" = "$TRUSTED_BOT_APP_ID" ]; then

[docker-agent]

⚠️ MEDIUM: Bot bypass skips all authorization checks without fallback verification

When the bot bypass succeeds, the script immediately exits with authorized=bot, skipping the hardcoded ALLOWED_ROLES check that follows.

While this is by design, the lack of fallback verification creates risk if the app ID check is weak (e.g., Finding #1 shows it can succeed with empty IDs). If the app is compromised or misconfigured, this removes all authorization safeguards.

Recommendation: Add defense-in-depth:

• Log the bypass event more prominently for audit purposes
• Consider adding a secondary check that the bot has appropriate repository permissions
• Or at minimum, add explicit non-empty validation to prevent the empty ID bypass bug

[docker-agent]

⚠️ MEDIUM: Same app ID used for both reviewer identity and authorization bypass

The workflow passes secrets.CAGENT_REVIEWER_APP_ID as the trusted-bot-app-id input. This creates a circular trust model where:

• The app that posts reviews (reviewer identity)
• Is also trusted to bypass authorization checks when it comments /review

While this may be intentional for legitimate automation (e.g., a trusted triage bot triggering reviews), if the app's credentials are compromised or if someone exploits the app's webhook, this bypass would allow unauthorized reviews.

Recommendation: Consider using separate apps for triggering (automation) and posting (identity), or add additional verification that the app is being used in the expected context.

[derekmisler]

/review

[docker-agent]

🤖 Review Summary

Assessment: 🟢 APPROVE

This PR adds a trust bypass mechanism for docker-agent[bot] to trigger review workflows without standard author association checks. The implementation is secure:

✅ Bot identity verification — Checks both user.type='Bot' AND performed_via_github_app.id from GitHub's server-side event payload, which cannot be spoofed by attackers

✅ Defense in depth — The workflow-level condition allows the job to run, but the action-level auth check still enforces security

✅ Proper input validation — Uses jq to parse trusted GitHub event payload fields

The drafter raised concerns about insufficient validation of bot identity, but these were dismissed during verification because GitHub's webhook payload is authoritative and cannot be manipulated by attackers. The combination of checking user type and app ID from the event payload provides adequate security.

No blocking issues found. The changed code works correctly and securely enables the intended automated workflow.

---

Review completed by cagent • Mode: GitHub Actions

[docker-agent]

Review Summary

Assessment: 🟡 NEEDS ATTENTION

This PR adds a trust bypass mechanism for the docker-agent[bot] GitHub App to trigger review workflows without standard authorization checks. The security model is sound (using event payload data and app ID verification), but there are two confirmed issues that should be addressed:

1. Inconsistent output format: The bot bypass sets authorized=bot while standard auth uses authorized=true, creating interface inconsistency
2. Incomplete feature coverage: The bot bypass only applies to manual reviews, not auto-reviews, creating asymmetric behavior

Findings

• 2 MEDIUM severity issues requiring attention
• 1 LOW severity suggestion for defense-in-depth