Allow docker-agent to request reviews on its own PRs
#72
+29
−2
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -78,6 +78,10 @@ inputs: | |
| description: "Additional arguments to pass to cagent run" | ||
| required: false | ||
| default: "" | ||
| trusted-bot-app-id: | ||
| description: "GitHub App ID of a trusted bot that can bypass comment-based auth checks (e.g., for self-review triggers)" | ||
| required: false | ||
| default: "" | ||
| add-prompt-files: | ||
| description: "Comma-separated list of files to append to the prompt (e.g., 'AGENTS.md,CLAUDE.md')" | ||
| required: false | ||
|
|
@@ -190,10 +194,12 @@ runs: | |
| shell: bash | ||
| env: | ||
| ACTION_PATH: ${{ github.action_path }} | ||
| TRUSTED_BOT_APP_ID: ${{ inputs.trusted-bot-app-id }} | ||
| DEBUG: ${{ inputs.debug }} | ||
| run: | | ||
| # Read comment fields directly from the event payload (cannot be overridden by workflow env vars) | ||
| COMMENT_ASSOCIATION=$(jq -r '.comment.author_association // empty' "$GITHUB_EVENT_PATH") | ||
|
|
||
| # Only enforce auth for comment-triggered events | ||
| # This prevents abuse via /commands while allowing PR-triggered workflows to run | ||
| if [ -z "$COMMENT_ASSOCIATION" ]; then | ||
|
|
@@ -202,6 +208,20 @@ runs: | |
| exit 0 | ||
| fi | ||
|
|
||
| # Allow a trusted GitHub App bot to bypass auth (e.g., auto-triage posts /review). | ||
| # Verified via user type + app ID from the event payload to prevent spoofing. | ||
| if [ -n "$TRUSTED_BOT_APP_ID" ]; then | ||
| COMMENT_USER_TYPE=$(jq -r '.comment.user.type // empty' "$GITHUB_EVENT_PATH") | ||
| COMMENT_APP_ID=$(jq -r '.comment.performed_via_github_app.id // empty' "$GITHUB_EVENT_PATH") | ||
|
|
||
| if [ "$COMMENT_USER_TYPE" = "Bot" ] && [ -n "$COMMENT_APP_ID" ] && [ "$COMMENT_APP_ID" = "$TRUSTED_BOT_APP_ID" ]; then | ||
derekmisler marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| COMMENT_USER_LOGIN=$(jq -r '.comment.user.login // empty' "$GITHUB_EVENT_PATH") | ||
| echo "ℹ️ Skipping auth check (trusted bot: $COMMENT_USER_LOGIN, app_id: $COMMENT_APP_ID)" | ||
| echo "authorized=bot" >> $GITHUB_OUTPUT | ||
|
There was a problem hiding this comment. When the bot bypass succeeds, the script immediately exits with While this is by design, the lack of fallback verification creates risk if the app ID check is weak (e.g., Finding #1 shows it can succeed with empty IDs). If the app is compromised or misconfigured, this removes all authorization safeguards. Recommendation: Add defense-in-depth:
derekmisler marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| exit 0 | ||
| fi | ||
| fi | ||
|
|
||
| echo "Using comment author_association: $COMMENT_ASSOCIATION" | ||
|
|
||
| # Allowed roles (hardcoded for security - cannot be overridden) | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The workflow passes
secrets.CAGENT_REVIEWER_APP_IDas thetrusted-bot-app-idinput. This creates a circular trust model where:/reviewWhile this may be intentional for legitimate automation (e.g., a trusted triage bot triggering reviews), if the app's credentials are compromised or if someone exploits the app's webhook, this bypass would allow unauthorized reviews.
Recommendation: Consider using separate apps for triggering (automation) and posting (identity), or add additional verification that the app is being used in the expected context.