From 729ea4aae4f84ceb4b5256b59e5535fe89740f5d Mon Sep 17 00:00:00 2001
From: Space-Banane
Date: Fri, 22 May 2026 23:13:28 +0200
Subject: [PATCH] [fix]. Log rejected non-allowlisted repos
---
 TODO.md | 1 +
 src/gitea_codex_bot/main.py | 7 +++++++
 tests/test_webhook.py | 28 ++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+)
diff --git a/TODO.md b/TODO.md
index 298b641..71b0d97 100644
--- a/TODO.md
+++ b/TODO.md
@@ -12,6 +12,7 @@
 - [ ] `TEST`: Add integration test proving the runner executes the exact PR head SHA in isolated mode and does not rely on host checkout.
 ### P1 (Important)
+- [x] `BUG`: Log webhook events rejected because repo is not listed in `ALLOWED_REPOS`.
 - [ ] `FEATURE`: Full control UI to update the bots settings. Password in env variable protected login page. No more env variables.
 - [ ] `FEATURE`: Automatic Trigger on new PRs and or commits on PRs with context that its a change that needs review not the whole PR again. GITEA_ALLOW_PR_AUTO_REVIEW=true would be needed
 - [ ] `BUG`: Container runner hardcodes `codex exec --json -m gpt-5`; use `OPENAI_REVIEW_MODEL` and `OPENAI_REASONING_EFFORT` consistently across runner paths.
diff --git a/src/gitea_codex_bot/main.py b/src/gitea_codex_bot/main.py
index 751d1e1..486e0a3 100644
--- a/src/gitea_codex_bot/main.py
+++ b/src/gitea_codex_bot/main.py
@@ -313,6 +313,13 @@ async def gitea_webhook(
 )
 if repo not in settings.allowed_repo_set:
+ logger.info(
+ "Webhook ignored: repo not in ALLOWED_REPOS repo=%s pr=%s comment_id=%s sender=%s",
+ repo,
+ pr_number,
+ comment_id,
+ sender_username,
+ )
 return {"accepted": False, "reason": "repo not allowed"}
 inserted = persist_webhook_event(
diff --git a/tests/test_webhook.py b/tests/test_webhook.py
index d6c9940..fd79739 100644
--- a/tests/test_webhook.py
+++ b/tests/test_webhook.py
@@ -147,6 +147,34 @@ def test_webhook_logs_when_codex_command_is_not_review(monkeypatch) -> None:
 assert any("Webhook without @codex review command" in item for item in messages)
+def test_webhook_logs_when_repo_not_allowed(monkeypatch) -> None:
+ messages: list[str] = []
+
+ def _log_info(message: str, *args, **_kwargs) -> None:
+ messages.append(message % args if args else message)
+
+ monkeypatch.setattr("gitea_codex_bot.main.logger.info", _log_info)
+ client = TestClient(app)
+ payload_obj = _payload("@codex review", username="alice", comment_id=225)
+ payload_obj["repository"]["full_name"] = "acme/not-allowed"
+ raw = json.dumps(payload_obj).encode()
+
+ response = client.post(
+ "/webhook/gitea",
+ content=raw,
+ headers={
+ "X-Gitea-Event": "issue_comment",
+ "X-Gitea-Delivery": "d-6",
+ "X-Gitea-Signature": _sign(raw),
+ "Content-Type": "application/json",
+ },
+ )
+
+ assert response.status_code == 200
+ assert response.json()["reason"] == "repo not allowed"
+ assert any("Webhook ignored: repo not in ALLOWED_REPOS" in item for item in messages)
+
+
 def test_webhook_rejects_review_when_repo_config_disabled(monkeypatch) -> None:
 posted_comments: list[str] = []
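Review bot: The final assertion in `test_webhook_logs_when_repo_not_allowed` matches only the fixed message prefix, so the test would still pass if the log line stopped carrying the rejected repository name, which is the field an operator needs to trace the rejection. Checking the value as well pins it: `assert any("Webhook ignored: repo not in ALLOWED_REPOS" in item and "acme/not-allowed" in item for item in messages)`. Asserting `response.json()["accepted"] is False` next to the reason check would also cover the refusal itself rather than only its wording.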