space/gitea-codex
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[fix]. Log rejected non-allowlisted repos
All checks were successful
ci / test (push) Successful in 26s
Details
ci / publish (push) Successful in 1m22s
Details

Browse Source
This commit is contained in:
Space-Banane
2026-05-22 23:13:28 +02:00
parent b036a16d3c
commit 729ea4aae4
3 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
TODO.md
View File

@@ -12,6 +12,7 @@
- [ ] `TEST`: Add integration test proving the runner executes the exact PR head SHA in isolated mode and does not rely on host checkout.
### P1 (Important)
- [x] `BUG`: Log webhook events rejected because repo is not listed in `ALLOWED_REPOS`.
- [ ] `FEATURE`: Full control UI to update the bots settings. Password in env variable protected login page. No more env variables.
- [ ] `FEATURE`: Automatic Trigger on new PRs and or commits on PRs with context that its a change that needs review not the whole PR again. GITEA_ALLOW_PR_AUTO_REVIEW=true would be needed
- [ ] `BUG`: Container runner hardcodes `codex exec --json -m gpt-5`; use `OPENAI_REVIEW_MODEL` and `OPENAI_REASONING_EFFORT` consistently across runner paths.

7
src/gitea_codex_bot/main.py
View File

@@ -313,6 +313,13 @@ async def gitea_webhook(
)
if repo not in settings.allowed_repo_set:
logger.info(
"Webhook ignored: repo not in ALLOWED_REPOS repo=%s pr=%s comment_id=%s sender=%s",
repo,
pr_number,
comment_id,
sender_username,
)
return {"accepted": False, "reason": "repo not allowed"}
inserted = persist_webhook_event(

28
tests/test_webhook.py
View File

@@ -147,6 +147,34 @@ def test_webhook_logs_when_codex_command_is_not_review(monkeypatch) -> None:
assert any("Webhook without @codex review command" in item for item in messages)
def test_webhook_logs_when_repo_not_allowed(monkeypatch) -> None:
messages: list[str] = []
def _log_info(message: str, *args, **_kwargs) -> None:
messages.append(message % args if args else message)
monkeypatch.setattr("gitea_codex_bot.main.logger.info", _log_info)
client = TestClient(app)
payload_obj = _payload("@codex review", username="alice", comment_id=225)
payload_obj["repository"]["full_name"] = "acme/not-allowed"
raw = json.dumps(payload_obj).encode()
response = client.post(
"/webhook/gitea",
content=raw,
headers={
"X-Gitea-Event": "issue_comment",
"X-Gitea-Delivery": "d-6",
"X-Gitea-Signature": _sign(raw),
"Content-Type": "application/json",
},
)
assert response.status_code == 200
assert response.json()["reason"] == "repo not allowed"
assert any("Webhook ignored: repo not in ALLOWED_REPOS" in item for item in messages)
def test_webhook_rejects_review_when_repo_config_disabled(monkeypatch) -> None:
posted_comments: list[str] = []