From e592347b044bced26366b73ebdcbd867a2bf32b7 Mon Sep 17 00:00:00 2001
From: hnyls2002
Date: Wed, 1 Apr 2026 18:04:53 -0700
Subject: [PATCH 1/2] allow rerun-test to checkout fork PR branch for trusted users

---
 .github/workflows/slash-command-handler.yml | 23 ++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/slash-command-handler.yml b/.github/workflows/slash-command-handler.yml
index ea91c75f7920..1df6ab7c2701 100644
--- a/.github/workflows/slash-command-handler.yml
+++ b/.github/workflows/slash-command-handler.yml
@@ -49,14 +49,31 @@ jobs:
           fi
           echo "is_fork=$IS_FORK" >> $GITHUB_OUTPUT
           echo "ref=$(echo "$PR_DATA" | jq -r '.headRefName')" >> $GITHUB_OUTPUT
+          echo "pr_ref=refs/pull/${{ github.event.issue.number }}/head" >> $GITHUB_OUTPUT
           echo "PR owner: $HEAD_OWNER, Repo owner: $REPO_OWNER, Is fork: $IS_FORK"
 
+      - name: Check commenter permission for fork PRs
+        id: perm
+        if: steps.pr.outputs.is_fork == 'true'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PERM=$(gh api repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission --jq '.permission') || PERM="none"
+          if [[ "$PERM" == "admin" || "$PERM" == "maintain" || "$PERM" == "write" ]]; then
+            echo "safe_to_checkout_pr=true" >> $GITHUB_OUTPUT
+          else
+            echo "safe_to_checkout_pr=false" >> $GITHUB_OUTPUT
+          fi
+          echo "Commenter ${{ github.event.comment.user.login }} permission: $PERM"
+
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          # For non-fork PRs, checkout PR branch to allow testing handler changes
-          # For fork PRs, stay on main for security (don't run untrusted code with elevated permissions)
-          ref: ${{ steps.pr.outputs.is_fork == 'false' && steps.pr.outputs.ref || '' }}
+          # For non-fork PRs: checkout PR branch by name
+          # For fork PRs with trusted commenter: checkout via refs/pull/N/head
+          # For fork PRs with untrusted commenter: stay on main for security
+          ref: ${{ steps.pr.outputs.is_fork == 'false' && steps.pr.outputs.ref || (steps.perm.outputs.safe_to_checkout_pr == 'true' && steps.pr.outputs.pr_ref || '') }}
 
       - name: Set up Python
         uses: actions/setup-python@v5

From 3bf0a128450bfd7913a578ea0786820ac06d77b6 Mon Sep 17 00:00:00 2001
From: hnyls2002
Date: Wed, 1 Apr 2026 18:16:50 -0700
Subject: [PATCH 2/2] add warning log when permission check fails

---
 .github/workflows/slash-command-handler.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
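Review bot: The trusted-commenter branch of the new `ref:` expression checks out `refs/pull/N/head`, a mutable ref, so anything the fork author pushes between the collaborator's comment and the `actions/checkout` step runs with whatever token and secrets the later steps hold; the `perm` step validates the commenter, not the commit. Pin the checkout to the head commit the `pr` step observed instead: next to the new `pr_ref` line add `echo "pr_sha=$(echo "$PR_DATA" | jq -r '.headRefOid')" >> $GITHUB_OUTPUT`, and in the expression replace `steps.pr.outputs.pr_ref` with `steps.pr.outputs.pr_sha` (this assumes the `gh pr view --json` field list in the `pr` step, which starts above the hunk, includes `headRefOid`). A SHA also makes the run log state exactly which commit was executed. Separately, `github.event.comment.user.login` is interpolated straight into the `run:` script; passing it through `env:` the way `GH_TOKEN` already is keeps template expansion out of shell code and matches the rest of the step.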
diff --git a/.github/workflows/slash-command-handler.yml b/.github/workflows/slash-command-handler.yml
index 1df6ab7c2701..53a552a46081 100644
--- a/.github/workflows/slash-command-handler.yml
+++ b/.github/workflows/slash-command-handler.yml
@@ -59,7 +59,10 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PERM=$(gh api repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission --jq '.permission') || PERM="none"
+          PERM=$(gh api repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission --jq '.permission') || {
+            PERM="none"
+            echo "::warning::Failed to check commenter permission, defaulting to none"
+          }
           if [[ "$PERM" == "admin" || "$PERM" == "maintain" || "$PERM" == "write" ]]; then
             echo "safe_to_checkout_pr=true" >> $GITHUB_OUTPUT
           else
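Review bot: The `"$PERM" == "maintain"` alternative on the `if [[ ... ]]` context line just below the rewritten assignment is dead: the `.permission` field of the collaborators permission endpoint reports only `admin`, `write`, `read` or `none`, with the maintain role mapped to `write` and triage to `read` (the exact role is in `.role_name`). Behaviour is still correct because maintainers land on `write`, but the extra comparison reads as if finer roles were being distinguished, so either drop it or document it with `# .permission collapses maintain->write and triage->read; read .role_name for the exact role` above the line. The new fail-closed fallback itself is right; `gh api` already writes the HTTP error to stderr, so the `::warning::` line is enough to make the degraded path visible in the log.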