fix: verify web-flow by immutable user ID instead of author match #1121
The previous web-flow check compared commit author to PR author, which broke when a maintainer rebased a bot's PR via GitHub UI. Now we verify web-flow by its permanent GitHub user ID (19864447) — unforgeable and works regardless of who triggered the web operation.

- Add GITHUB_WEB_FLOW_USER_ID constant (ID 19864447)
- Verify committer.id matches when login is web-flow
- Detect impersonation when login is web-flow but ID differs
- Add last_committer_id attribute with github_api_call wrapping
- Add debug logging for commit identity details
- Update tests for ID-based verification

Closes #1119
Code Review by Qodo
Context used: 1. last_committer_id uses 0 default
PR Summary by Qodo
Files changed (4)
@qodo-code-review[bot] The following review comments were reviewed and a decision was made:
The committer identity check no longer uses last_author (switched to ID-based verification). Remove the unnecessary github_api_call() fetch to avoid extra API work on every PR processing.
Code review by qodo was updated up to the latest commit 80415f2
New container for ghcr.io/myk-org/github-webhook-server:latest published
Problem
PR #1120 introduced web-flow whitelisting with author verification, but this broke when a maintainer rebases a bot's PR via GitHub UI — the commit author is the maintainer, not the PR author (bot), causing a false positive security failure.
Example: https://github.com/RedHatQE/mtv-api-tests/pull/549/checks?check_run_id=81627239510
[Diagram: pre-commit-ci[bot]; web-flow (GitHub UI rebase); myakove (maintainer who clicked rebase)]

Fix
Instead of verifying commit author matches PR author, verify web-flow by its immutable GitHub user ID (19864447). This is unforgeable — GitHub resolves user IDs server-side, and system account IDs are permanent.

Logic
- committer.login == "web-flow" AND committer.id == 19864447 → ✅ pass
- committer.login == "web-flow" AND committer.id != 19864447 → ❌ fail (possible impersonation)

Changes
- Add GITHUB_WEB_FLOW_USER_ID constant (19864447)
- Verify committer.id when login is web-flow
- Add last_committer_id attribute with github_api_call() wrapping

Closes #1119
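The following is an added example, not code from the github-webhook-server project, showing the old author-match check beside the ID-based web-flow check described above, run over constructed commit identities. The `CommitIdentity` shape, the scenario logins and IDs other than web-flow's (19864447, from the PR text), and the fallback to an author-match rule for commits that are not web-flow are all assumptions made for the example; a missing committer ID is represented as 0, mirroring the `last_committer_id` default mentioned in the review context.

```python
from dataclasses import dataclass

# Login and immutable user ID of GitHub's web-flow system account.
# The ID is the value given in the PR description; the login alone is only
# a display string and must not be trusted by itself.
GITHUB_WEB_FLOW_LOGIN = "web-flow"
GITHUB_WEB_FLOW_USER_ID = 19864447

WEB_FLOW_OK = "web-flow-ok"                      # genuine GitHub web UI operation
WEB_FLOW_IMPERSONATION = "web-flow-impersonation"  # login says web-flow, ID does not
NOT_WEB_FLOW = "not-web-flow"                    # leave to the regular checks


@dataclass(frozen=True)
class CommitIdentity:
    """Subset of the identity fields of a GitHub commit (constructed shape for
    this example). committer_id is 0 when no user object was returned,
    matching the 0 default of last_committer_id."""
    author_login: str
    committer_login: str
    committer_id: int = 0


def author_matches_pr_author(commit: CommitIdentity, pr_author: str) -> bool:
    """The previous check: the commit author must equal the PR author.
    A maintainer rebasing a bot's PR through the web UI becomes the commit
    author, so this check fails even though nothing is wrong."""
    return commit.author_login == pr_author


def classify_web_flow(commit: CommitIdentity) -> str:
    """ID-based check: a committer whose login is web-flow is accepted only
    when its user ID is GitHub's immutable web-flow ID. Any other ID,
    including a missing one (0), is treated as possible impersonation."""
    if commit.committer_login != GITHUB_WEB_FLOW_LOGIN:
        return NOT_WEB_FLOW
    if commit.committer_id == GITHUB_WEB_FLOW_USER_ID:
        return WEB_FLOW_OK
    return WEB_FLOW_IMPERSONATION


def commit_is_trusted(commit: CommitIdentity, pr_author: str) -> bool:
    """Combined rule (the fallback branch is an assumption for this example):
    a genuine web-flow commit is trusted regardless of who clicked the button,
    a web-flow impersonation is never trusted, and any other commit falls back
    to the author-match rule."""
    verdict = classify_web_flow(commit)
    if verdict == WEB_FLOW_OK:
        return True
    if verdict == WEB_FLOW_IMPERSONATION:
        return False
    return author_matches_pr_author(commit, pr_author)


# Constructed scenarios; every login and ID except web-flow's is made up.
PR_AUTHOR = "pre-commit-ci[bot]"
REBASED_VIA_UI = CommitIdentity("myakove", "web-flow", GITHUB_WEB_FLOW_USER_ID)
SPOOFED_LOGIN = CommitIdentity("someone", "web-flow", 424242)
MISSING_ID = CommitIdentity("someone", "web-flow")  # committer_id defaults to 0
BOT_OWN_COMMIT = CommitIdentity(PR_AUTHOR, PR_AUTHOR, 1001)


if __name__ == "__main__":
    scenarios = [
        ("maintainer rebased bot PR via UI", REBASED_VIA_UI),
        ("web-flow login with wrong ID", SPOOFED_LOGIN),
        ("web-flow login with missing ID", MISSING_ID),
        ("bot's own commit", BOT_OWN_COMMIT),
    ]
    for name, commit in scenarios:
        print(
            f"{name}: old check={author_matches_pr_author(commit, PR_AUTHOR)} "
            f"new check={commit_is_trusted(commit, PR_AUTHOR)} "
            f"({classify_web_flow(commit)})"
        )
```

Running the block prints one line per scenario; the rebase case is the one where the old author-match check fails while the ID-based check passes, and the two spoofed cases show why the login string alone is not enough.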