
feat: add trusted-committers allowlist for security-committer-identity check #1116

Description

@rnetser

Problem

The security-committer-identity check fails on legitimate committer mismatches with no way to allowlist known-safe patterns. Common scenarios:

| Scenario | PR Author | Last Committer | Result |
| --- | --- | --- | --- |
| Bot cherry-pick | my-app[bot] | org identity | ❌ Mismatch |
| Pre-commit CI auto-fix | human user | pre-commit-ci[bot] | ❌ Mismatch |

Both are expected behavior in automated workflows, but the check flags them as security concerns.

Proposed Solution

Add a trusted-committers list under security-checks. Any committer in this list passes the identity check regardless of PR author:

security-checks:
  trusted-committers:
    - "pre-commit-ci[bot]"
    - "MyOrg"
    - "my-app[bot]"

When last_committer is in trusted-committers, the check passes with a message like:

✅ Committer pre-commit-ci[bot] is in the trusted-committers allowlist.

When last_committer is NOT in the list, the existing mismatch logic applies unchanged.

Affected Code

  • webhook_server/libs/handlers/runner_handler.py: run_security_committer_identity()
  • webhook_server/config/schema.yaml: new trusted-committers property under security-checks

Done

  • Add trusted-committers to schema under security-checks (array of strings)
  • Update run_security_committer_identity() to check allowlist before failing on mismatch
  • Support at both global and per-repo level
  • Add tests
  • Update docs
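The allowlist-before-mismatch logic from the Proposed Solution, including the global plus per-repo lists mentioned in the checklist, as an added example that is not the project's own code. The config layout (a top-level `repositories` map holding per-repo `security-checks`), the function names, and the union merge rule are assumptions made for illustration; matching is exact, so a login that differs only in case is not trusted.

```python
# Added example (not the project's own code): a minimal model of the proposed
# allowlist check. The config layout, the function names and the "repositories"
# per-repo key are assumptions for illustration.
from typing import Any

# Constructed sample config: a global list plus a per-repo addition.
SAMPLE_CONFIG: dict[str, Any] = {
    "security-checks": {"trusted-committers": ["pre-commit-ci[bot]", "MyOrg"]},
    "repositories": {
        "my-repo": {"security-checks": {"trusted-committers": ["my-app[bot]"]}},
    },
}


def trusted_committers(config: dict[str, Any], repo: str) -> set[str]:
    """Union of the global and per-repo trusted-committers lists (assumed merge rule)."""
    global_list = config.get("security-checks", {}).get("trusted-committers", [])
    repo_cfg = config.get("repositories", {}).get(repo, {})
    repo_list = repo_cfg.get("security-checks", {}).get("trusted-committers", [])
    return set(global_list) | set(repo_list)


def check_committer_identity(
    config: dict[str, Any], repo: str, pr_author: str, last_committer: str
) -> tuple[bool, str]:
    """Return (passed, message). The allowlist is consulted before the mismatch rule."""
    if last_committer in trusted_committers(config, repo):
        return True, f"Committer {last_committer} is in the trusted-committers allowlist."
    if last_committer == pr_author:
        return True, f"Committer {last_committer} matches the PR author."
    # Existing mismatch behaviour, unchanged: the check fails.
    return False, f"Last committer {last_committer} does not match PR author {pr_author}."


if __name__ == "__main__":
    for repo, author, committer in [
        ("my-repo", "alice", "pre-commit-ci[bot]"),   # global allowlist hit
        ("my-repo", "alice", "my-app[bot]"),          # per-repo allowlist hit
        ("other-repo", "alice", "my-app[bot]"),       # not trusted for this repo
    ]:
        print(check_committer_identity(SAMPLE_CONFIG, repo, author, committer))
```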

Metadata

Labels: enhancement (New feature or request)