
Commit f9a3c7f

committed
updates
1 parent 0b5be1a commit f9a3c7f

6 files changed

Lines changed: 48 additions & 9 deletions


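--- a/.github/scripts/pr-triage/authorize.py
+++ b/.github/scripts/pr-triage/authorize.py
@@ -7,6 +7,9 @@
 command name as a job output so the downstream worker job can gate on it.
 """
 
+# Tokens visible to this script: GITHUB_TOKEN (read + pull-requests:write).
+# NOT visible: COPILOT_GITHUB_TOKEN, OTELBOT_*.
+
 from __future__ import annotations
 
 import json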

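--- a/.github/scripts/pr-triage/poster.py
+++ b/.github/scripts/pr-triage/poster.py
@@ -9,6 +9,11 @@
 otelbot token.
 """
 
+# Tokens visible to this script: otelbot installation token (write
+# access to this repo via the GitHub App).
+# NOT visible: COPILOT_GITHUB_TOKEN. Do not execute anything from the
+# PR working tree here; this script must remain trusted-code-only.
+
 from __future__ import annotations
 
 import argparse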

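--- a/.github/scripts/pr-triage/triage_helpers.py
+++ b/.github/scripts/pr-triage/triage_helpers.py
@@ -51,7 +51,14 @@ def parsed_command() -> tuple[str, str]:
     comment = payload.get("comment") or {}
     body = str(comment.get("body") or "").strip()
     first_line = body.splitlines()[0].strip() if body else ""
-    requested = first_line.split(maxsplit=1)[0].lower() if first_line else ""
+    # Hard cap on length to avoid echoing pathological input back into a
+    # PR comment if a later step formats `requested` into Markdown.
+    raw = first_line.split(maxsplit=1)[0] if first_line else ""
+    if len(raw) > 32 or not raw.startswith("/"):
+        return "", ""
+    requested = raw.lower()
+    if requested != "/help" and requested not in COMMANDS:
+        return requested, ""
     command = COMMANDS.get(requested, "")
     return requested, command
 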
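Review bot: The length cap on `raw` at new lines 56–58 bounds how much of the comment is echoed but not what characters it contains, so an unknown token that starts with `/` and carries Markdown or control characters is still returned as `requested` and may reach a later formatting step unescaped. If command names are plain ASCII tokens, a character-class check next to the length check closes that gap, e.g. `if len(raw) > 32 or not raw.startswith("/") or not raw.isascii() or not raw[1:].replace("-", "").isalnum():`, with the accepted alphabet confirmed against the actual command set. The early return at new lines 60–61 is redundant: `COMMANDS.get(requested, "")` already yields `(requested, "")` for any name not in `COMMANDS`, so either the branch or the `.get` fallback can go. The body of parsed_command begins before this hunk.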

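--- a/.github/scripts/pr-triage/worker_copilot.py
+++ b/.github/scripts/pr-triage/worker_copilot.py
@@ -13,6 +13,12 @@
 runs Copilot only.
 """
 
+# Tokens visible to this script: GITHUB_TOKEN (read-only, used by
+# Copilot CLI's gh subprocesses) and COPILOT_GITHUB_TOKEN (used by
+# Copilot CLI itself; scrubbed from its child processes by Copilot).
+# NOT visible: OTELBOT_*. Do not invoke ./gradlew or any other
+# PR-controlled build tooling here.
+
 from __future__ import annotations
 
 import argparse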
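Review bot: The header comment at new lines 17–18 states that Copilot CLI scrubs COPILOT_GITHUB_TOKEN from its child processes, which is a property of an external tool rather than of this script, so the isolation argument silently depends on a particular CLI version behaving that way. Recording where that was checked keeps the claim verifiable, e.g. `# (scrubbing verified against Copilot CLI <version — TODO confirm>; re-check on upgrades).` The same wording is repeated in the env comment of pr-triage-comments.yml and would benefit from the same pointer.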

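--- a/.github/scripts/pr-triage/worker_gradle.py
+++ b/.github/scripts/pr-triage/worker_gradle.py
@@ -14,6 +14,11 @@
 `copilot-worker` job and signals `needs-copilot=true`.
 """
 
+# Tokens visible to this script: GITHUB_TOKEN (read-only, also visible to
+# any PR-controlled Gradle plugins that this job runs).
+# NOT visible: COPILOT_GITHUB_TOKEN, OTELBOT_*. Do not add them to this
+# job: any malicious build script could exfiltrate them.
+
 from __future__ import annotations
 
 import argparse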

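--- a/.github/workflows/pr-triage-comments.yml
+++ b/.github/workflows/pr-triage-comments.yml
@@ -142,20 +142,33 @@ jobs:
           name: pr-triage-work-gradle
           path: ${{ runner.temp }}/gradle-in
 
-      - name: Run copilot-phase worker
+      - name: Run copilot-phase worker (review)
+        if: needs.authorize-command.outputs.command == 'review'
         env:
+          # GITHUB_TOKEN is also set so Copilot CLI's `gh` subprocesses use the
+          # read-only job token rather than falling back to the privileged
+          # COPILOT_GITHUB_TOKEN. Copilot CLI scrubs both names from the
+          # environment of the children it spawns.
           GH_TOKEN: ${{ github.token }}
           COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
           PR_TRIAGE_REPO_ROOT: ${{ github.workspace }}
         run: |
           mkdir -p "$RUNNER_TEMP/work"
           touch "$RUNNER_TEMP/work/.placeholder"
-          IN_DIR_ARG=""
-          if [[ "${{ needs.authorize-command.outputs.command }}" == "fix" ]]; then
-            IN_DIR_ARG="--in-dir $RUNNER_TEMP/gradle-in"
-          fi
-          # shellcheck disable=SC2086
-          python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" --out-dir "$RUNNER_TEMP/work" $IN_DIR_ARG
+          python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" --out-dir "$RUNNER_TEMP/work"
+
+      - name: Run copilot-phase worker (fix)
+        if: needs.authorize-command.outputs.command == 'fix'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
+          PR_TRIAGE_REPO_ROOT: ${{ github.workspace }}
+        run: |
+          mkdir -p "$RUNNER_TEMP/work"
+          touch "$RUNNER_TEMP/work/.placeholder"
+          python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" \
+            --out-dir "$RUNNER_TEMP/work" \
+            --in-dir "$RUNNER_TEMP/gradle-in"
 
       - name: Upload copilot work bundle
         if: always()
@@ -180,6 +193,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      actions: write
     env:
       PR_NUMBER: ${{ github.event.issue.number }}
     steps:
@@ -220,4 +234,3 @@ jobs:
           GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
           PR_TRIAGE_REPO_ROOT: ${{ github.workspace }}
         run: python3 "$RUNNER_TEMP/pr-triage-trusted/poster.py" --in-dir "$RUNNER_TEMP/work"
-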
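Review bot: `actions: write` at new line 196 widens the post job's permissions beyond the `contents: read` / `pull-requests: write` it already had, and none of the visible hunks shows which step needs it; a comment beside it such as `# actions: write — required by <step name — TODO confirm> to <purpose>` would let a reader check that the scope is still justified. The new `Run copilot-phase worker (fix)` step (new lines 160–171) repeats the env block of the review step but not the comment explaining why GH_TOKEN is set alongside COPILOT_GITHUB_TOKEN; a pointer like `# See the (review) step above for why both tokens are set.` keeps the two in sync. Both worker steps gate on the same `needs.authorize-command.outputs.command` value, so any command other than 'review' or 'fix' runs neither worker, which looks intended but is not stated in the workflow.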
