Problem
The security committer identity check (run_security_committer_identity in webhook_server/libs/handlers/runner_handler.py) produces a false positive when a PR is rebased via the GitHub web UI.
When rebasing through the GitHub UI, GitHub re-creates commits with the committer set to web-flow (GitHub's internal bot account), while preserving the original author. The check compares last_commit.committer.login against pull_request.user.login, so it flags web-flow != krcmarik as a security mismatch.
Root Cause
webhook_server/libs/github_api.py:657:
self.last_committer = getattr(self.last_commit.committer, "login", "unknown")
webhook_server/libs/handlers/runner_handler.py:407:
elif last_committer != parent_committer:
The check uses commit.committer.login but web-flow is a legitimate GitHub system account that signs all web UI operations (rebase, merge, squash, file edits, "Update branch" button).
The same false positive triggers for:
- GitHub UI "Update branch" button (merge or rebase)
- GitHub UI commit squash
- GitHub UI file edits
- Any GitHub web-based commit operation
Proposed Fix
Whitelist web-flow as a known GitHub system account. When last_committer is web-flow, the check should pass (or use commit.author.login as fallback).
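The two variants of the check side by side, as an added example that is not the project's code: the current comparison from runner_handler.py, and the proposed fix in the author-fallback form, which keeps verifying the identity behind a web-flow commit instead of skipping it. The User and Commit classes are constructed stand-ins for the PyGithub objects.

```python
from dataclasses import dataclass
from typing import Optional

# GitHub system account that commits all web UI operations (rebase, merge,
# squash, file edits, "Update branch"); the original author is preserved.
GITHUB_SYSTEM_COMMITTERS = frozenset({"web-flow"})


@dataclass
class User:
    login: str


@dataclass
class Commit:
    # Constructed stand-in for the PyGithub commit object. committer may be
    # None when the commit email is not linked to a GitHub account.
    author: Optional[User]
    committer: Optional[User]


def current_check(last_commit: Commit, parent_committer: str) -> bool:
    """Current behaviour: raw committer login vs. PR opener.
    Returns True when the check flags a mismatch."""
    last_committer = getattr(last_commit.committer, "login", "unknown")
    return last_committer != parent_committer


def effective_committer(commit: Commit) -> str:
    """Proposed fix: for a GitHub system committer such as web-flow, fall
    back to the preserved author login rather than passing unconditionally."""
    committer = getattr(commit.committer, "login", "unknown")
    if committer in GITHUB_SYSTEM_COMMITTERS:
        return getattr(commit.author, "login", "unknown")
    return committer


def fixed_check(last_commit: Commit, parent_committer: str) -> bool:
    """Same contract as current_check: True means a mismatch is flagged."""
    return effective_committer(last_commit) != parent_committer


if __name__ == "__main__":
    # Constructed scenario from the report: web UI rebase of krcmarik's PR.
    rebased = Commit(author=User("krcmarik"), committer=User("web-flow"))
    print("current flags:", current_check(rebased, "krcmarik"))  # True (false positive)
    print("fixed flags:  ", fixed_check(rebased, "krcmarik"))    # False
```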
Done