fix: whitelist GitHub web-flow in committer identity check #1120
Conversation
When a PR is rebased via GitHub web UI, the commit committer is set to web-flow (GitHub's internal bot account). The security committer identity check was incorrectly flagging this as a mismatch.

- Add GITHUB_WEB_FLOW_LOGIN constant for web-flow account
- Pass committer identity check when last committer is web-flow
- Add test for web-flow committer scenario

Closes #1119
Code Review by Qodo
PR Summary by Qodo: Fix committer identity check false positives for GitHub web-flow commits

Files changed (3)
Address Qodo review findings:

- Change logger.info to logger.debug for web-flow detection path
- When committer is web-flow, verify commit author matches PR author
- Author match: pass, author unknown: fail, author mismatch: fail
- Add last_author attribute from commit.author.login
- Add tests for web-flow author mismatch and unknown author scenarios

Code review by qodo was updated up to the latest commit 4b5258d
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
… __init__

Address Qodo review findings:

- Wrap last_committer and last_author PyGithub property access with github_api_call() for retry/backoff and non-blocking IO
- Initialize last_committer and last_author in __init__ to prevent AttributeError if accessed before process() runs

Code review by qodo was updated up to the latest commit 4e15090
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
Change __init__ defaults from empty string to "unknown" to match the sentinel value used in the committer identity security check. Prevents false "verified" results if handler runs before process() populates the fields.

Code review by qodo was updated up to the latest commit 8f2e5da
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
New container for ghcr.io/myk-org/github-webhook-server:latest published
## Problem

PR #1120 introduced web-flow whitelisting with author verification, but this broke when a maintainer rebases a bot's PR via GitHub UI — the commit author is the maintainer, not the PR author (bot), causing a false positive security failure.

Example: https://github.com/RedHatQE/mtv-api-tests/pull/549/checks?check_run_id=81627239510

- PR author: `pre-commit-ci[bot]`
- Committer: `web-flow` (GitHub UI rebase)
- Author: `myakove` (maintainer who clicked rebase)
- Result: ❌ false positive mismatch

## Fix

Instead of verifying commit author matches PR author, verify `web-flow` by its **immutable GitHub user ID** (`19864447`). This is unforgeable — GitHub resolves user IDs server-side, and system account IDs are permanent.

### Logic

- `committer.login == "web-flow"` AND `committer.id == 19864447` → ✅ pass
- `committer.login == "web-flow"` AND `committer.id != 19864447` → ❌ fail (possible impersonation)

### Changes

- Add `GITHUB_WEB_FLOW_USER_ID` constant (19864447)
- Verify `committer.id` when login is `web-flow`
- Detect impersonation when login matches but ID doesn't
- Add `last_committer_id` attribute with `github_api_call()` wrapping
- Add debug logging for commit identity details
- Update tests for ID-based verification

Closes #1119
Problem

The security committer identity check (`run_security_committer_identity`) produces false positives when a PR is rebased via the GitHub web UI. GitHub sets the commit committer to `web-flow` (its internal bot account, user ID 19864447), while preserving the original author. The check compares `last_commit.committer.login` against `pull_request.user.login`, so it flags `web-flow != <pr-author>` as a security mismatch.

Same false positive triggers for:

Fix

- Add `GITHUB_WEB_FLOW_LOGIN` constant for the `web-flow` system account
- When the last committer is `web-flow`, pass the identity check with an informational message

Closes #1119