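--- a/.github/workflows/slash-command-handler.yml
+++ b/.github/workflows/slash-command-handler.yml
@@ -49,14 +49,34 @@ jobs:
 fi
 echo "is_fork=$IS_FORK" >> $GITHUB_OUTPUT
 echo "ref=$(echo "$PR_DATA" | jq -r '.headRefName')" >> $GITHUB_OUTPUT
+echo "pr_ref=refs/pull/${{ github.event.issue.number }}/head" >> $GITHUB_OUTPUT
 echo "PR owner: $HEAD_OWNER, Repo owner: $REPO_OWNER, Is fork: $IS_FORK"
 
+- name: Check commenter permission for fork PRs
+id: perm
+if: steps.pr.outputs.is_fork == 'true'
+shell: bash
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+PERM=$(gh api repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission --jq '.permission') || {
+PERM="none"
+echo "::warning::Failed to check commenter permission, defaulting to none"
+}
+if [[ "$PERM" == "admin" || "$PERM" == "maintain" || "$PERM" == "write" ]]; then
+echo "safe_to_checkout_pr=true" >> $GITHUB_OUTPUT
+else
+echo "safe_to_checkout_pr=false" >> $GITHUB_OUTPUT
+fi
+echo "Commenter ${{ github.event.comment.user.login }} permission: $PERM"
+
 - name: Checkout code
 uses: actions/checkout@v4
 with:
-# For non-fork PRs, checkout PR branch to allow testing handler changes
-# For fork PRs, stay on main for security (don't run untrusted code with elevated permissions)
-ref: ${{ steps.pr.outputs.is_fork == 'false' && steps.pr.outputs.ref || '' }}
+# For non-fork PRs: checkout PR branch by name
+# For fork PRs with trusted commenter: checkout via refs/pull/N/head
+# For fork PRs with untrusted commenter: stay on main for security
+ref: ${{ steps.pr.outputs.is_fork == 'false' && steps.pr.outputs.ref || (steps.perm.outputs.safe_to_checkout_pr == 'true' && steps.pr.outputs.pr_ref || '') }}
 
 - name: Set up Python
 uses: actions/setup-python@v5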
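Review bot: The new fork path in the `Checkout code` step checks out `refs/pull/N/head`, a ref the fork author can move at any time, so the permission check on the commenter establishes who asked but not which commit they looked at. If the steps after checkout run with the repository's token or secrets (the removed comment suggests they do; those steps are outside this hunk), a push that lands between review and the slash command, or between the comment and the checkout, runs unreviewed code with those privileges. Consider resolving the PR head SHA once in the `pr` step, refusing the run when the head changed after `github.event.comment.created_at`, and passing that SHA to `ref:` instead of the moving ref. Separately, `${{ github.event.comment.user.login }}` is expanded directly into the `run:` script text in the `perm` step; setting `COMMENTER: ${{ github.event.comment.user.login }}` under `env:` and using `"$COMMENTER"` in the script keeps event data out of the shell source.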