Fix bug in mention workflow where it was cloning main instead of the PR. #56
MicahZoltu merged 1 commit into main from
🛡️ Defender Against the Dark Arts: No issues found. Great job!

🏛️ Architect: 1 issue found
Global implicit trigger bypasses agent-specific configurations
Location: .github/scripts/handle_mentions.py:281
The added condition in main() overrides the agent-specific trigger mechanism by setting triggered_agents to all agent_configs when a review request is detected without any mention triggers. This causes all agents to be executed regardless of their individual trigger configurations, increasing coupling and potentially invoking agents in contexts where they are not intended to run. This violates the principle of encapsulation and explicit dependencies, introducing an implicit trigger that is inconsistent with the explicit @mention-based triggering design.

🧠 Wise Man: No issues found. Great job!

🔒 Security Reviewer: 1 issue found
Conditional Trusted File Restoration in Workflow
Location: .github/workflows/gito-mentions.yml:33
The workflow conditionally restores trusted .github files only when the PR is from a fork. For internal PRs (non-fork), the workflow executes the PR's own .github/scripts/handle_mentions.py, which runs with GITHUB_TOKEN write permissions and access to the LLM_API_KEY secret. A malicious collaborator could create a branch with a malicious script to steal secrets or make unauthorized changes, as the condition does not enforce trusted execution for internal PRs.

🔧 Expensive Linter: No issues found. Great job!

🐛 Bug Hunter: 4 issues found
Agent trigger pattern matches email addresses, causing false triggers
Location: .github/scripts/handle_mentions.py:126
The pattern used to detect agent triggers (line 126) is constructed as r'@' + re.escape(trigger) + r'\b'. This matches any '@' followed by the trigger, which also matches email addresses (e.g., 'user@example.com' matches trigger 'example'). The pattern should ensure that '@' is not preceded by a word character to avoid email false positives.

Fix request check prevents review requests from being processed when 'fix' is mentioned
Location: .github/scripts/handle_mentions.py:252
In process_agent, the check for FIX_REQUEST_PATTERN is performed before the check for is_review_request. If the comment contains the word 'fix', the function returns early, skipping both review and question processing. This means a comment that is a review request but also contains 'fix' (e.g., 'review this and fix the typo') will not trigger a review, which is incorrect. The conditions should be reordered so that review requests are processed even if the comment contains 'fix'.

GitHub CLI not installed before use
Location: .github/workflows/gito-mentions.yml:25
The step 'Determine if PR is from fork' uses the 'gh' command to call the GitHub API, but GitHub CLI is not installed in the Ubuntu runner environment. This will cause the step to fail with 'gh: command not found', preventing the workflow from proceeding.

Checkout fails for forked pull requests due to token permissions
Location: .github/workflows/gito-mentions.yml:20
The checkout step uses 'ref: refs/pull/${{ github.event.issue.number }}/head' to fetch the PR head. For pull requests from forked repositories, the default GITHUB_TOKEN lacks permission to access the forked repository, as per GitHub's security model. This causes the checkout to fail with a permission error for any fork PRs, breaking the workflow for such cases.
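The e-mail false positive that Bug Hunter describes can be checked directly. The following is an added example, not code from the handle_mentions.py script in this PR: it builds the naive pattern quoted in the review next to a hardened one that forbids a word character before the '@', and runs both over constructed comments. The agent trigger names and the '/review' shortcut that selects every persona are assumptions for the demonstration, modelled on the PR description rather than taken from the project's configuration.

```python
import re

# Constructed trigger names; the project's real agent list is not shown on the page.
AGENT_TRIGGERS = ["bug-hunter", "architect", "security", "example"]


def naive_pattern(trigger: str) -> re.Pattern:
    """The pattern the review quotes: '@' + trigger + word boundary.
    It also matches the domain part of an e-mail address."""
    return re.compile(r"@" + re.escape(trigger) + r"\b", re.IGNORECASE)


def hardened_pattern(trigger: str) -> re.Pattern:
    """Same pattern, but the '@' must not be preceded by a word character,
    so 'user@example.com' no longer counts as a mention of 'example'."""
    return re.compile(r"(?<!\w)@" + re.escape(trigger) + r"\b", re.IGNORECASE)


def triggered_agents(comment: str, triggers=AGENT_TRIGGERS, pattern=hardened_pattern):
    """Return the triggers mentioned in the comment, in configuration order.
    A '/review' command on its own line (hypothetical, mirroring the PR
    description) selects every configured agent."""
    if re.search(r"(?m)^\s*/review\b", comment):
        return list(triggers)
    return [t for t in triggers if pattern(t).search(comment)]


if __name__ == "__main__":
    sample = "Please contact user@example.com before @security looks at this."
    print("naive:   ", triggered_agents(sample, pattern=naive_pattern))
    print("hardened:", triggered_agents(sample))
    print("/review: ", triggered_agents("/review"))
```

Running the block shows the naive pattern reporting both 'example' and 'security' for the sample comment, while the hardened pattern reports only 'security'. The negative lookbehind is the smallest change that implements the review's recommendation; a stricter variant could also exclude '.' before the '@' if trigger names ever appear in sub-domain positions.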
Also adds support for /review which will trigger all personas.