Skip to content

ci: add repo guard workflow#17

Merged
ceilf6 merged 1 commit into
masterfrom
add-repo-guard-workflow
May 21, 2026
Merged

ci: add repo guard workflow#17
ceilf6 merged 1 commit into
masterfrom
add-repo-guard-workflow

Conversation

@ceilf6

@ceilf6 ceilf6 commented May 21, 2026

Copy link
Copy Markdown
Owner

Summary

Enable Repo Guard AI review on ceilf6/Auto_courseGrabber.

  • PR review for pull requests targeting master
  • Issue review for newly opened issues
  • Manual @repo-guard / /review comment triggers
  • Skip Dependabot PRs

GitHub Settings

  • Secret LLM_API_KEY configured
  • Variables LLM_PROVIDER, LLM_BASE_URL, LLM_MODEL configured

Enable AI-powered review for PRs targeting master, new issues,
and @repo-guard / /review comment triggers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 21, 2026 03:44
@ceilf6 ceilf6 merged commit 794fd52 into master May 21, 2026
2 checks passed
@ceilf6 ceilf6 deleted the add-repo-guard-workflow branch May 21, 2026 03:44

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛡️ ceilf6/repo-guard

代码评审报告: ci: add repo guard workflow

风险等级:
处理建议: 请求修改
决策摘要: 工作流配置基本正确,但存在严重的供应链安全风险,不能立即合并。必须将 action 引用固定到具体的 commit SHA 以防止供应链攻击。

级联分析

  • 变更符号: .github/workflows/repo-guard.yml (新增文件)
  • 受影响流程: CI/CD 管道、PR 评审流程、Issue 评审流程
  • 变更集外调用方: 无
  • 置信度: medium

问题发现

  1. [致命] Action 引用不安全,存在供应链攻击风险

    • 证据: [.github/workflows/repo-guard.yml:23] 中使用 ceilf6/repo-guard@main@main 指向分支的最新提交,如果该分支被恶意篡改,将直接影响本仓库的所有触发事件。
    • 受影响调用方/流程: 所有触发此工作流的 PR、Issue 和评论事件。
    • 最小可行修复: 将 @main 替换为具体的 commit SHA 或受保护的 tag(如 ceilf6/repo-guard@v1.0.0)。可以先通过 @main 获取当前使用的 commit SHA,然后替换并测试。
  2. [中] PR 触发事件类型可能不完整

    • 证据: [.github/workflows/repo-guard.yml:6] 中的 types 列表为 [opened, synchronize, reopened, ready_for_review]。若用户希望通过添加特定标签(如 needs-review)来手动触发评审,此配置将无法支持。
    • 受影响调用方/流程: 需要通过标签手动触发 AI 评审的场景。
    • 最小可行修复: 评估是否需要支持 labeled 事件类型。如果需要,在 types 列表中添加 labeled

行级发现

  • [.github/workflows/repo-guard.yml:23] uses: ceilf6/repo-guard@main:必须替换为 ceilf6/repo-guard@<commit-sha> 以固定版本,消除供应链风险。

Karpathy 评审

  • 假设: 工作流假设 LLM_PROVIDERLLM_MODELLLM_API_KEYLLM_BASE_URL 等 secrets 和 variables 已在仓库设置中正确配置。这是外部依赖,属于预期行为。
  • 简洁性: 工作流定义简洁明了,没有不必要的复杂性。
  • 变更范围: 作为新增文件,范围清晰,仅限于添加 CI 集成。
  • 验证: 主要问题是 action 引用的安全性。除此之外,配置覆盖了 PR、Issue 和评论触发,并跳过了 Dependabot,符合描述。

缺失覆盖

  • ceilf6/repo-guard@main 修复为安全的版本引用。
  • (可选)评估是否需要支持通过标签触发 PR 评审。

runs-on: ubuntu-latest
steps:
- uses: ceilf6/repo-guard@main
with:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

中使用ceilf6/repo-guard@main@main` 指向分支的最新提交,如果该分支被恶意篡改,将直接影响本仓库的所有触发事件。

on:
pull_request:
branches: [master]
types: [opened, synchronize, reopened, ready_for_review]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

中的types列表为[opened, synchronize, reopened, ready_for_review]。若用户希望通过添加特定标签(如 needs-review`)来手动触发评审,此配置将无法支持。

runs-on: ubuntu-latest
steps:
- uses: ceilf6/repo-guard@main
with:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uses: ceilf6/repo-guard@main:必须替换为 ceilf6/repo-guard@<commit-sha> 以固定版本,消除供应链风险。

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants