imbajin commented on code in PR #412: URL: https://github.com/apache/incubator-hugegraph-doc/pull/412#discussion_r2444637225
########## .github/workflows/auto-pr-review.yml: ##########
@@ -0,0 +1,35 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: "Auto PR Commenter"

Review Comment:
**Suggested change**: the workflow name does not match its actual behavior. The current name is `Auto PR Commenter`, but the workflow actually calls codecov-ai-reviewer to perform a code review, not simply add a comment. Suggest changing it to a more accurate name, for example:

```yaml
name: "Auto PR Code Review"
```

or

```yaml
name: "Auto PR AI Review"
```

########## .github/workflows/auto-pr-review.yml: ##########
@@ -0,0 +1,35 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: "Auto PR Commenter" + +on: + pull_request_target:

Review Comment:
**Potential security risk**: using the `pull_request_target` trigger carries a security hazard. `pull_request_target` runs in the context of the target repository and may grant external PRs excessive permissions. Although the current workflow only adds comments, extending its functionality in the future could create security problems.

**Suggestions**:
1. If access to secrets or write permissions is not needed, consider using the `pull_request` trigger
2. If `pull_request_target` is really required, add security checks or restrictions
3. Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
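Review bot: in the lines shown, the second hunk declares `on:` / `pull_request_target:` with no top-level `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` permissions while running with base-repository trust on fork PRs. Add an explicit least-privilege block such as `permissions: { contents: read, pull-requests: write }` before `jobs:`, and make sure no step later in the file checks out or executes the PR head's code with that token.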
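The least-privilege shape the second review comment asks for, as an added example and not the file in this PR; the review action reference, its inputs and the event `types` list are assumptions, since the diff does not show them.

```yaml
# Added example, not the PR's actual workflow. Keeps the pull_request_target
# trigger (needed to post comments on PRs from forks) but limits what a
# hostile PR could gain from it.
name: "Auto PR AI Review"

on:
  pull_request_target:
    types: [opened, synchronize, reopened]   # assumption: not in the diff

# Explicit top-level permissions: the token can only read the base repo
# and post PR comments. Without this block the workflow inherits the
# repository default, which may include contents: write.
permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      # Never check out github.event.pull_request.head.sha in a
      # pull_request_target job: that code is untrusted, but the token is the
      # base repository's. If a checkout is needed at all, use the base ref
      # and do not leave credentials in the working tree.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false

      # Placeholder for the reviewer step. The review comment says the
      # workflow calls codecov-ai-reviewer, but its action reference and
      # inputs are not visible in the diff, so this step is an assumption.
      - name: Run AI review
        uses: ORG/codecov-ai-reviewer-action@PLACEHOLDER_VERSION
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

If the reviewer action reads the diff through the GitHub API, drop the checkout step entirely; the `permissions` block alone then bounds what the job can do.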
