github-actions[bot] commented on code in PR #62302:
URL: https://github.com/apache/doris/pull/62302#discussion_r3059229609


##########
.github/workflows/opencode-review-comment.yml:
##########
@@ -0,0 +1,45 @@
+name: Code Review Comment Dispatch
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  pull-requests: write
+  contents: read
+  issues: write
+
+jobs:
+  resolve-pr:
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.issue.pull_request &&
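Review bot: the workflow-level `permissions` block grants `issues: write` and `pull-requests: write` to every job in this file, including `resolve-pr`, whose only visible purpose is to look up the PR behind the comment. Keep the top level at `contents: read` and add a per-job `permissions:` block only where a job actually posts a comment or label, so a job that merely reads event data runs with the minimum token. Because the trigger is `issue_comment`, the comment body is untrusted input: any `run:` step in this file that needs `github.event.comment.body` should receive it through an `env:` variable rather than inline `${{ }}` expansion, and the job `if:` (cut off here at `github.event.issue.pull_request &&`) is where the exact trigger string and the commenter check belong.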

Review Comment:
This dispatcher is callable by any user who can comment on a public PR. Because `issue_comment` runs in the base-repo context and the called workflow uses `secrets: inherit`, an outside commenter can trigger secret-backed review runs and write-capable bot actions just by posting `/review`. Please gate this on `github.event.comment.author_association` (for example `OWNER`, `MEMBER`, or `COLLABORATOR`) before invoking the reusable workflow.



##########
.github/workflows/opencode-review.yml:
##########
@@ -13,31 +24,21 @@ jobs:
   code-review:
     runs-on: ubuntu-latest
     timeout-minutes: 60
-    if: >-
-      github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/review')
     steps:
-      - name: Get PR info
-        id: pr
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Keep required check visible on pull requests
+        if: ${{ github.event_name == 'pull_request' }}
         run: |
-          PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ 
github.event.issue.number }})
-          HEAD_SHA=$(echo "$PR_JSON" | jq -r '.head.sha')
-          BASE_SHA=$(echo "$PR_JSON" | jq -r '.base.sha')
-          HEAD_REF=$(echo "$PR_JSON" | jq -r '.head.ref')
-          BASE_REF=$(echo "$PR_JSON" | jq -r '.base.ref')
-          echo "head_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
-          echo "base_sha=$BASE_SHA" >> "$GITHUB_OUTPUT"
-          echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
-          echo "base_ref=$BASE_REF" >> "$GITHUB_OUTPUT"
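Review bot: deleting the `Get PR info` step removes the `head_sha`, `base_sha`, `head_ref` and `base_ref` outputs of `id: pr`, but this hunk does not show what supplies them on the `workflow_call` path. Please confirm that no remaining step references `steps.pr.outputs.*` and that the reusable workflow takes the head and base as explicit inputs, preferably commit SHAs rather than branch names, so the commit that gets reviewed cannot change between dispatch and checkout. With the job-level `if:` gone, `code-review` now starts for every event this workflow listens on, and the new `Keep required check visible on pull requests` step is the only part gated on `github.event_name == 'pull_request'`; that placeholder step runs on untrusted `pull_request` events and should neither need nor be given the write scopes the real review path uses.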

Review Comment:
This turns `Code Review` into a misleading green required check. On `pull_request` events the job now succeeds after two `echo` statements, while every real review step is guarded by `github.event_name == "workflow_call"`. That means a PR can show the required `Code Review` status as passing even if nobody ever comments `/review` and no automated review actually ran. Please keep the required check tied to a real review result, or make the non-review path fail/neutral instead of reporting success.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
