ci: add repo guard workflow #17
Merged
Enable AI-powered review for PRs targeting master, new issues, and @repo-guard / /review comment triggers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contributor
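Code review report: ci: add repo guard workflow
Risk level: High
Recommendation: Request changes
Decision summary: The workflow configuration is basically correct, but there is a serious supply-chain security risk and it cannot be merged right away. The action reference must be pinned to a specific commit SHA to prevent supply-chain attacks.

Cascade analysis
- Changed symbols: `.github/workflows/repo-guard.yml` (new file)
- Affected flows: CI/CD pipeline, PR review flow, Issue review flow
- Callers outside the change set: none
- Confidence: medium

Findings
- [Critical] The action reference is unsafe and carries a supply-chain attack risk
  - Evidence: `[.github/workflows/repo-guard.yml:23]` uses `ceilf6/repo-guard@main`. `@main` points to the latest commit on the branch; if that branch is maliciously tampered with, every trigger event in this repository is directly affected.
  - Affected callers/flows: all PR, Issue and comment events that trigger this workflow.
  - Minimal viable fix: replace `@main` with a specific commit SHA or a protected tag (such as `ceilf6/repo-guard@v1.0.0`). You can first obtain the commit SHA currently in use via `@main`, then replace it and test.
- [Medium] The PR trigger event types may be incomplete
  - Evidence: the `types` list in `[.github/workflows/repo-guard.yml:6]` is `[opened, synchronize, reopened, ready_for_review]`. If users want to trigger a review manually by adding a specific label (such as `needs-review`), this configuration cannot support it.
  - Affected callers/flows: scenarios that need to trigger the AI review manually through a label.
  - Minimal viable fix: evaluate whether the `labeled` event type needs to be supported. If so, add `labeled` to the `types` list.

Line-level findings
- `[.github/workflows/repo-guard.yml:23]` `uses: ceilf6/repo-guard@main`: must be replaced with `ceilf6/repo-guard@<commit-sha>` to pin the version and eliminate the supply-chain risk.

Karpathy review
- Assumptions: the workflow assumes that secrets and variables such as `LLM_PROVIDER`, `LLM_MODEL`, `LLM_API_KEY` and `LLM_BASE_URL` are correctly configured in the repository settings. This is an external dependency and is expected behavior.
- Simplicity: the workflow definition is concise and clear, with no unnecessary complexity.
- Change scope: as a new file, the scope is clear and limited to adding the CI integration.
- Verification: the main problem is the security of the action reference. Apart from that, the configuration covers PR, Issue and comment triggers and skips Dependabot, matching the description.

Missing coverage
- Fix `ceilf6/repo-guard@main` to a safe version reference.
- (Optional) Evaluate whether triggering PR review through a label needs to be supported.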
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: ceilf6/repo-guard@main | ||
| with: |
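Review bot: The `uses: ceilf6/repo-guard@main` step resolves the action by branch name, so every run executes whatever `main` points to at that moment, with the inputs given under `with:`. Pin it to a full commit SHA and keep the human-readable ref in a trailing comment, for example `uses: ceilf6/repo-guard@<commit-sha>  # main`, so that updates to the action arrive as a reviewed change to this file.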
Contributor
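uses `ceilf6/repo-guard@main`. `@main` points to the latest commit on the branch; if that branch is maliciously tampered with, every trigger event in this repository is directly affected.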
| on: | ||
| pull_request: | ||
| branches: [master] | ||
| types: [opened, synchronize, reopened, ready_for_review] |
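Review bot: The `pull_request` trigger in the `on:` block does not expose repository secrets to runs started from fork PRs, so an action that needs an API key will not have it on those runs. Add a comment to the workflow stating that fork PRs are not reviewed, or skip the job for them explicitly, rather than moving to `pull_request_target`, which would give secrets to a run that processes untrusted PR content.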
Contributor
the `types` list is `[opened, synchronize, reopened, ready_for_review]`. If users want to trigger a review manually by adding a specific label (such as `needs-review`), this configuration cannot support it.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: ceilf6/repo-guard@main | ||
| with: |
Contributor
`uses: ceilf6/repo-guard@main`: must be replaced with `ceilf6/repo-guard@<commit-sha>` to pin the version and eliminate the supply-chain risk.
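A check for the issue this review raises, as an added example that is not part of the PR or of Repo Guard: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. It is stricter than the review's suggestion in that tags such as `@v1.0.0` are reported too; the sample workflow's job name, local action path and SHA are constructed.

```python
import re

# A `uses:` value at step or job level, with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; only the @main and @v1.0.0 references and the
# trigger block come from the page. The SHA is a placeholder, not a real commit.
SAMPLE = """\
on:
  pull_request:
    branches: [master]
    types: [opened, synchronize, reopened, ready_for_review]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: ceilf6/repo-guard@main
      - uses: ceilf6/repo-guard@v1.0.0
      - uses: ceilf6/repo-guard@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""


def classify(target: str) -> str:
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if target.startswith("./"):
        return "local"  # lives in this repository, versioned with the workflow
    if target.startswith("docker://"):
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "mutable"  # no ref given at all
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """List (line number, uses value) for references that are not immutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, target in find_unpinned(SAMPLE):
        print(f"line {lineno}: {target} is not pinned to a full commit SHA")
```

Run over every file under `.github/workflows/` in CI, a non-empty result can fail the build before an unpinned reference is merged.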
Summary
Enable Repo Guard AI review on ceilf6/Auto_courseGrabber.
- master
- @repo-guard / /review comment triggers

GitHub Settings
- LLM_API_KEY configured
- LLM_PROVIDER, LLM_BASE_URL, LLM_MODEL configured