security: add job-level if-guard to example stubs (gate comment trigger by actor)
Build & push image / build-and-push (push) Successful in 5s
Build & push image / build-and-push (push) Successful in 5s
Per a Gadfly self-review finding (kimi-k2.7-code): an issue_comment can start a secret-bearing run before the in-container allowed-users check. Add a workflow if: that only lets trusted actors trigger via comment (PR/dispatch already trusted); keep GADFLY_ALLOWED_USERS as the belt-and-suspenders layer. README documents it + the default-branch caveat for comment triggers. (Docs/examples only — paths-ignored, no image rebuild.) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> EOF
This commit is contained in:
@@ -181,6 +181,17 @@ A model's provider is the spec's first segment (`m1pro/…` → `m1pro`), or `GA
|
||||
(Pushing new commits does *not* auto-re-review — comment `@gadfly review` after pushing
|
||||
fixes. This keeps usage down.)
|
||||
|
||||
> **Comment trigger needs the workflow on your default branch.** Gitea runs `issue_comment`
|
||||
> workflows from the **default branch**, so `@gadfly review` only works once this stub is
|
||||
> merged to `main` (the `pull_request` auto-trigger works from the PR branch immediately).
|
||||
>
|
||||
> **Security:** the example stubs gate the comment trigger with a job-level
|
||||
> `if: github.event_name != 'issue_comment' || github.actor == '<you>'` so an untrusted
|
||||
> commenter can't start a secret-bearing run — edit it to your maintainers and keep it in
|
||||
> sync with `GADFLY_ALLOWED_USERS` (the in-container check). `@gadfly review` is plain-text
|
||||
> matched (configurable via `GADFLY_TRIGGER_PHRASE`), so no bot account is required; comments
|
||||
> post as `gitea-actions`.
|
||||
|
||||
## How it's packaged
|
||||
|
||||
```
|
||||
|
||||
@@ -33,6 +33,13 @@ concurrency:
|
||||
|
||||
jobs:
|
||||
review:
|
||||
# Security: only trusted users may trigger a secret-bearing run via a PR
|
||||
# comment (pull_request + workflow_dispatch are already trusted). Replace the
|
||||
# username(s) below with your maintainers — keep them in sync with
|
||||
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
|
||||
if: >-
|
||||
github.event_name != 'issue_comment'
|
||||
|| github.actor == 'your-username'
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
steps:
|
||||
|
||||
@@ -32,6 +32,13 @@ concurrency:
|
||||
|
||||
jobs:
|
||||
review:
|
||||
# Security: only trusted users may trigger a secret-bearing run via a PR
|
||||
# comment (pull_request + workflow_dispatch are already trusted). Replace the
|
||||
# username(s) below with your maintainers — keep them in sync with
|
||||
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
|
||||
if: >-
|
||||
github.event_name != 'issue_comment'
|
||||
|| github.actor == 'your-username'
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
steps:
|
||||
|
||||
@@ -28,6 +28,13 @@ concurrency:
|
||||
|
||||
jobs:
|
||||
review:
|
||||
# Security: only trusted users may trigger a secret-bearing run via a PR
|
||||
# comment (pull_request + workflow_dispatch are already trusted). Replace the
|
||||
# username(s) below with your maintainers — keep them in sync with
|
||||
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
|
||||
if: >-
|
||||
github.event_name != 'issue_comment'
|
||||
|| github.actor == 'your-username'
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
steps:
|
||||
|
||||
@@ -30,6 +30,13 @@ concurrency:
|
||||
|
||||
jobs:
|
||||
review:
|
||||
# Security: only trusted users may trigger a secret-bearing run via a PR
|
||||
# comment (pull_request + workflow_dispatch are already trusted). Replace the
|
||||
# username(s) below with your maintainers — keep them in sync with
|
||||
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
|
||||
if: >-
|
||||
github.event_name != 'issue_comment'
|
||||
|| github.actor == 'your-username'
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 30
|
||||
steps:
|
||||
|
||||
Reference in New Issue
Block a user