
fix: security committer identity check false positive on GitHub UI rebase (web-flow) #1119

Description

@myakove

Problem

The security committer identity check (run_security_committer_identity in webhook_server/libs/handlers/runner_handler.py) produces a false positive when a PR is rebased via the GitHub web UI.

When rebasing through the GitHub UI, GitHub re-creates commits with the committer set to web-flow (GitHub's internal bot account), while preserving the original author. The check compares last_commit.committer.login against pull_request.user.login, so it flags web-flow != krcmarik as a security mismatch.

Root Cause

webhook_server/libs/github_api.py:657:

self.last_committer = getattr(self.last_commit.committer, "login", "unknown")

webhook_server/libs/handlers/runner_handler.py:407:

elif last_committer != parent_committer:

The check uses commit.committer.login but web-flow is a legitimate GitHub system account that signs all web UI operations (rebase, merge, squash, file edits, "Update branch" button).

The same false positive triggers for:

  • GitHub UI "Update branch" button (merge or rebase)
  • GitHub UI commit squash
  • GitHub UI file edits
  • Any GitHub web-based commit operation

Proposed Fix

Whitelist web-flow as a known GitHub system account. When last_committer is web-flow, the check should pass (or use commit.author.login as fallback).

Done

  • Whitelist web-flow in the committer identity check
  • Add debug logging when web-flow is detected
  • Add tests for web-flow scenario
  • Update existing tests if needed
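The following is an added example, not code from the project or from the issue author: it reproduces the check as the issue describes it (committer login compared against the PR user) next to a variant that recognises GitHub's web-flow system account and falls back to the preserved commit author, which is the second option the proposed fix mentions. The Commit dataclass, the function names, the log callback and the sample logins are all assumptions made for the example.

```python
# Added example (not the project's own code): the committer identity check
# from the issue, and a version that treats GitHub's web-flow account as a
# known system committer and compares the commit author instead.
from dataclasses import dataclass
from typing import Callable, Optional

# GitHub's internal account that appears as committer on web UI operations
# (rebase, merge, squash, file edits, "Update branch"). Assumption: only
# "web-flow" needs recognising; the set is kept extensible.
GITHUB_SYSTEM_COMMITTERS = frozenset({"web-flow"})


@dataclass(frozen=True)
class Commit:
    """Minimal stand-in for the two commit fields the check reads (hypothetical)."""
    committer_login: Optional[str]  # None when GitHub cannot map the committer to a user
    author_login: Optional[str]


def check_original(commit: Commit, pr_user_login: str) -> bool:
    """Mirror of the check described in the issue.

    Returns True when a mismatch is detected, i.e. the PR would be flagged.
    A web UI rebase yields committer "web-flow", so this is a false positive.
    """
    last_committer = commit.committer_login or "unknown"
    return last_committer != pr_user_login


def check_fixed(
    commit: Commit,
    pr_user_login: str,
    log: Optional[Callable[[str], None]] = None,
) -> bool:
    """Same check, with GitHub system committers attributed to the commit author.

    Returns True when a mismatch is detected. Rather than passing outright when
    the committer is web-flow, the check compares the preserved author login,
    so a web UI commit authored by someone other than the PR user is still caught.
    """
    last_committer = commit.committer_login or "unknown"
    if last_committer in GITHUB_SYSTEM_COMMITTERS:
        if log is not None:
            log(f"committer {last_committer!r} is a GitHub system account; "
                f"comparing commit author instead")
        effective_identity = commit.author_login or "unknown"
    else:
        effective_identity = last_committer
    return effective_identity != pr_user_login


def demo() -> dict:
    """Run both checks over constructed sample commits; logins are made up."""
    pr_user = "pr-author"  # constructed sample login of the PR author
    ui_rebase = Commit(committer_login="web-flow", author_login="pr-author")
    foreign_author = Commit(committer_login="web-flow", author_login="someone-else")
    normal_push = Commit(committer_login="pr-author", author_login="pr-author")
    messages: list[str] = []
    results = {
        "ui_rebase_original": check_original(ui_rebase, pr_user),        # True: false positive
        "ui_rebase_fixed": check_fixed(ui_rebase, pr_user, messages.append),  # False
        "foreign_author_fixed": check_fixed(foreign_author, pr_user),     # True: still flagged
        "normal_push_fixed": check_fixed(normal_push, pr_user),           # False
        "debug_logged": len(messages) == 1,
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The author fallback is the more useful of the two options in the proposed fix: a bare whitelist that passes whenever the committer is web-flow would accept any web UI commit regardless of who authored it, whereas comparing the preserved author keeps the identity check meaningful for exactly the operations that caused the false positive.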

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests