mcp: add readonly guard to config add/remove handlers #3708
|
Hi @Elvand-Lie. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Codecov Report ❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3708 +/- ##
==========================================
+ Coverage 54.00% 54.05% +0.04%
==========================================
Files 200 200
Lines 23687 23711 +24
==========================================
+ Hits 12792 12816 +24
Misses 9660 9660
Partials 1235 1235
|
|
/ok-to-test |
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Elvand-Lie, gauron99. The full list of commands accepted by this bot can be found here. The pull request process is described here. Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold for @lkingland input |
|
/retest |
|
/unhold Patch matches the existing deploy/delete inline-check convention, addresses a real readonly bypass, and shouldn't wait on hypothetical refactors. If #3771 reshapes this code later, the readonly logic will move with it. Let's land. Please rebase and we can land it. |
762cc09 to c67cc97
|
New changes are detected. LGTM label has been removed. |
c67cc97 to 50ae1d6
|
@gauron99 Just noticed this PR recently and I think I've rebased it. If you have the time, please take a look. Thanks. |
The deploy and delete handlers check s.readonly and refuse to act in readonly mode. However, the six config mutation handlers (envs add/remove, labels add/remove, volumes add/remove) execute unconditionally, allowing an AI agent to modify func.yaml even in readonly mode.

Add the same readonly guard to all six config mutation handlers.

Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com>
Signed-off-by: elvandlie@gmail.com <elvandlie@gmail.com>
50ae1d6 to 8bee273
The deploy and delete handlers check s.readonly and refuse to act in readonly mode. However, the six config mutation handlers (configEnvsAdd, configEnvsRemove, configLabelsAdd, configLabelsRemove, configVolumesAdd, configVolumesRemove) execute unconditionally, allowing an AI agent to modify func.yaml even when readonly mode is active.

Add the same readonly guard to all six config mutation handlers, consistent with deploy and delete.

Changes
s.readonly guard to configEnvsAddHandler and configEnvsRemoveHandler
s.readonly guard to configLabelsAddHandler and configLabelsRemoveHandler
s.readonly guard to configVolumesAddHandler and configVolumesRemoveHandler

Fixes #3704
Release Note
Docs
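
A regression check for the bypass described in the PR description above, as an added example that is not the project's code: it calls each mutating handler on a readonly server and reports any that succeed or change state. The server struct, errReadonly, the handler signature and the in-memory envs map standing in for func.yaml are assumptions; only the s.readonly field and the handler names come from the page.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// errReadonly is a hypothetical sentinel; the project's real error is not shown on the page.
var errReadonly = errors.New("server is in readonly mode")

// server is a stand-in for the MCP server; envs models the envs section of func.yaml.
type server struct {
	readonly bool
	envs     map[string]string
}

type handler func(s *server, name, value string) error

// Guarded: the inline s.readonly check the page describes for deploy and delete.
func configEnvsAdd(s *server, name, value string) error {
	if s.readonly {
		return errReadonly
	}
	s.envs[name] = value
	return nil
}

// Unguarded (pre-fix shape): mutates state whatever the mode.
func configEnvsRemoveUnguarded(s *server, name, _ string) error {
	delete(s.envs, name)
	return nil
}

// auditReadonly returns, sorted, the handlers that ignore readonly mode.
func auditReadonly(handlers map[string]handler) []string {
	var bypass []string
	for name, h := range handlers {
		s := &server{readonly: true, envs: map[string]string{"A": "1"}} // constructed state
		err := h(s, "A", "2")
		if !errors.Is(err, errReadonly) || len(s.envs) != 1 || s.envs["A"] != "1" {
			bypass = append(bypass, name)
		}
	}
	sort.Strings(bypass)
	return bypass
}

func main() {
	fmt.Println(auditReadonly(map[string]handler{"configEnvsAdd": configEnvsAdd, "configEnvsRemove": configEnvsRemoveUnguarded}))
}
```

Registering all six config handlers alongside deploy and delete in the map turns a missing guard on any future mutating handler into a failing check.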