ci: enable advisory AI review #2

Merged
shree-mulay merged 1 commit from ci/ai-review-auto into main 2026-07-03 12:27:54 -05:00
Owner

Auto-rollout: adds the org-standard advisory AI review step (broker-based, OpenCode OAuth gpt-5.5 medium, grob fallback). failure: ignore — never merge-blocking. See forgejo-infra grob/README.md.

Auto-rollout: adds the org-standard advisory AI review step (broker-based, OpenCode OAuth gpt-5.5 medium, grob fallback). failure: ignore — never merge-blocking. See forgejo-infra grob/README.md.
ci: enable advisory AI review (auto-rollout)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
face3b4985
Member

AI Review — openai/gpt-5.5 (medium, OAuth)

advisory; generated by review-broker; never merge-blocking

needs changes: The PR-review job posts a bearer secret during pull_request builds, which is only safe if Woodpecker guarantees secrets are unavailable to untrusted PR config.

Issues Found

  1. Blocker: PR pipeline may expose review_broker_key to untrusted pull requests
    .woodpecker.yml:67
    This job runs on event: pull_request while injecting REVIEW_BROKER_KEY. If external contributors can open PRs and Woodpecker evaluates PR-provided pipeline config with secrets, a malicious PR could exfiltrate the secret by changing the pipeline.
    Concrete fix: restrict this job to trusted branches/repos only, or move broker invocation to a trusted server-side hook that does not execute PR-supplied YAML. If Woodpecker already withholds secrets for fork PRs, document that assumption in the config or broker README and verify the job fails closed when the secret is absent.

  2. Medium: Host bridge endpoint has no transport protection or origin boundary
    .woodpecker.yml:71
    The job sends the bearer token over plain HTTP to 172.17.0.1:23459. This is probably intended for a host-local broker, but any container/network compromise on the runner could observe or target that service.
    Concrete fix: bind the broker only to the runner-local interface/firewall scope, require the bearer token as currently done, and preferably use a Unix socket or runner-internal network with explicit access controls. At minimum, document why 172.17.0.1 is acceptable and ensure the broker never logs the token.

Security / Data-Handling / HIPAA-Adjacent Concerns

  • No literal credential is present in the diff; review_broker_key is a secret reference, not the secret value.
  • The broker will receive repo and PR metadata and may fetch/review code. If this repo or future repos can contain PHI, credentials, logs, or patient-adjacent data, the broker must treat submitted diffs as sensitive: avoid retaining prompts unnecessarily, redact secrets, and ensure downstream AI providers are approved for the data class.
  • Because failure: ignore makes this advisory only, security failures in the broker will not block merges. That is fine operationally, but it should not be relied on for secret scanning or compliance enforcement.
<!-- tke-ai-review --> ### AI Review — `openai/gpt-5.5 (medium, OAuth)` _advisory; generated by review-broker; never merge-blocking_ needs changes: The PR-review job posts a bearer secret during `pull_request` builds, which is only safe if Woodpecker guarantees secrets are unavailable to untrusted PR config. **Issues Found** 1. **Blocker: PR pipeline may expose `review_broker_key` to untrusted pull requests** `.woodpecker.yml:67` This job runs on `event: pull_request` while injecting `REVIEW_BROKER_KEY`. If external contributors can open PRs and Woodpecker evaluates PR-provided pipeline config with secrets, a malicious PR could exfiltrate the secret by changing the pipeline. Concrete fix: restrict this job to trusted branches/repos only, or move broker invocation to a trusted server-side hook that does not execute PR-supplied YAML. If Woodpecker already withholds secrets for fork PRs, document that assumption in the config or broker README and verify the job fails closed when the secret is absent. 2. **Medium: Host bridge endpoint has no transport protection or origin boundary** `.woodpecker.yml:71` The job sends the bearer token over plain HTTP to `172.17.0.1:23459`. This is probably intended for a host-local broker, but any container/network compromise on the runner could observe or target that service. Concrete fix: bind the broker only to the runner-local interface/firewall scope, require the bearer token as currently done, and preferably use a Unix socket or runner-internal network with explicit access controls. At minimum, document why `172.17.0.1` is acceptable and ensure the broker never logs the token. **Security / Data-Handling / HIPAA-Adjacent Concerns** - No literal credential is present in the diff; `review_broker_key` is a secret reference, not the secret value. - The broker will receive repo and PR metadata and may fetch/review code. If this repo or future repos can contain PHI, credentials, logs, or patient-adjacent data, the broker must treat submitted diffs as sensitive: avoid retaining prompts unnecessarily, redact secrets, and ensure downstream AI providers are approved for the data class. - Because `failure: ignore` makes this advisory only, security failures in the broker will not block merges. That is fine operationally, but it should not be relied on for secret scanning or compliance enforcement.
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
thekidneyexperts/autoresearch-mcp!2
No description provided.