ci: enable advisory AI review #2
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "ci/ai-review-auto"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Auto-rollout: adds the org-standard advisory AI review step (broker-based, OpenCode OAuth gpt-5.5 medium, grob fallback). failure: ignore — never merge-blocking. See forgejo-infra grob/README.md.
AI Review —
openai/gpt-5.5 (medium, OAuth)advisory; generated by review-broker; never merge-blocking
needs changes: The PR-review job posts a bearer secret during
pull_requestbuilds, which is only safe if Woodpecker guarantees secrets are unavailable to untrusted PR config.Issues Found
Blocker: PR pipeline may expose
review_broker_keyto untrusted pull requests.woodpecker.yml:67This job runs on
event: pull_requestwhile injectingREVIEW_BROKER_KEY. If external contributors can open PRs and Woodpecker evaluates PR-provided pipeline config with secrets, a malicious PR could exfiltrate the secret by changing the pipeline.Concrete fix: restrict this job to trusted branches/repos only, or move broker invocation to a trusted server-side hook that does not execute PR-supplied YAML. If Woodpecker already withholds secrets for fork PRs, document that assumption in the config or broker README and verify the job fails closed when the secret is absent.
Medium: Host bridge endpoint has no transport protection or origin boundary
.woodpecker.yml:71The job sends the bearer token over plain HTTP to
172.17.0.1:23459. This is probably intended for a host-local broker, but any container/network compromise on the runner could observe or target that service.Concrete fix: bind the broker only to the runner-local interface/firewall scope, require the bearer token as currently done, and preferably use a Unix socket or runner-internal network with explicit access controls. At minimum, document why
172.17.0.1is acceptable and ensure the broker never logs the token.Security / Data-Handling / HIPAA-Adjacent Concerns
review_broker_keyis a secret reference, not the secret value.failure: ignoremakes this advisory only, security failures in the broker will not block merges. That is fine operationally, but it should not be relied on for secret scanning or compliance enforcement.