Workflow trust checks are improved, but error handling may still cause avoidable failures.

Status: Changes Suggested | Risk: Medium

Issues Identified & Suggestions

- Handle all GitHub API permission errors as untrusted, not workflow-failing: `.github/workflows/auto-approve-docs.yml`
Review Details: 1 file reviewed | 1 comment

Instruction Files

```
.claude/
├── agents/
│   └── nango-docs-migrator.md
└── skills
```
```js
      username: login,
    });
    if (['write', 'admin'].includes(data.permission)) return true;
  } catch (err) { if (err.status !== 404) throw err; }
```
`.github/workflows/auto-approve-docs.yml`, line 34:

[Reliability] Non-404 errors from `getCollaboratorPermissionLevel` are re-thrown, but a 403 (insufficient token permissions — the workflow only has `contents: read` and `pull-requests: write`, not `members: read` or repo admin scope) will propagate and fail the entire workflow. The same applies to the team membership call on line 44. When the GitHub App token lacks the `members` permission, every PR from a collaborator or engineer will cause a workflow error instead of a graceful `false` result.

Change the catch clauses to treat any API error as "not trusted" rather than re-throwing:

```diff
- } catch (err) { if (err.status !== 404) throw err; }
+ } catch (_err) {}
```
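Review bot: The suggested `} catch (_err) {}` swallows every error silently, so a 403 caused by a token that lacks permission to read collaborator levels becomes indistinguishable from an ordinary non-collaborator 404. Returning `false` on any error is the right fail-closed direction, but keep a `core.warning(...)` for non-404 statuses inside the catch, so that a misconfigured token shows up in the run log rather than quietly rejecting every PR; the same applies to the team membership catch mentioned for line 44.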
Harden docs auto-approval workflow with explicit trusted-author checks
This PR updates `.github/workflows/auto-approve-docs.yml` to replace the prior job-level `author_association` gate with an explicit trust evaluation step using `actions/github-script@v7`. The workflow now considers a PR trusted only if the author is `mintlify[bot]`, has collaborator permission `write` or `admin`, or is an active member of the `engineers` team. The job now always starts, but all downstream steps (Checkout, path filtering, app token generation, and auto-approval) are guarded by `steps.trust_check.outputs.result == 'true'`. Docs-only enforcement via `dorny/paths-filter@v4` remains, and `Approve PR` now requires both trust and `steps.filter.outputs.non_docs == 'false'`.

This summary was automatically generated by @propel-code-bot
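A fail-closed version of the trust step described in this summary and in the review comment above, as an added example that is not the PR's own code. `github`, `context` and `core` are the objects `actions/github-script` injects into a step; here they are taken as parameters so the function can run offline against a stub client, and the org (taken from the repo owner), the team slug and the warning text are assumptions:

```javascript
// Added example (not the workflow's own code): trust check for a docs
// auto-approval step. Any API error counts as "not trusted" (fail closed),
// but non-404 errors are surfaced as warnings so a token-permission
// misconfiguration is visible in the run log instead of silently rejecting
// every PR. Bot login and team slug follow the PR description; treating the
// repo owner as the org is an assumption.
const TRUSTED_BOTS = new Set(['mintlify[bot]']);
const TRUSTED_TEAM = 'engineers';

async function isTrustedAuthor({ github, context, core }) {
  const { owner, repo } = context.repo;
  const login = context.payload.pull_request.user.login;

  if (TRUSTED_BOTS.has(login)) return true;

  // Collaborator permission: 404 just means "not a collaborator".
  try {
    const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
      owner, repo, username: login,
    });
    if (['write', 'admin'].includes(data.permission)) return true;
  } catch (err) {
    if (err.status !== 404) {
      core.warning(`collaborator check failed for ${login}: ${err.status ?? err.message}`);
    }
  }

  // Team membership: only an active (not pending) membership counts.
  try {
    const { data } = await github.rest.teams.getMembershipForUserInOrg({
      org: owner, team_slug: TRUSTED_TEAM, username: login,
    });
    if (data.state === 'active') return true;
  } catch (err) {
    if (err.status !== 404) {
      core.warning(`team check failed for ${login}: ${err.status ?? err.message}`);
    }
  }

  // No positive signal obtained: fail closed.
  return false;
}
```

In the workflow the function body would be the `script:` of the `trust_check` step, with `return` feeding `steps.trust_check.outputs.result`.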