fix(gate): remove unreliable review.state guard from qa/security auto-trigger (#2159) #2161

Closed
core-be wants to merge 1 commits from fix/2159-qa-security-auto-trigger-review-state-guard into main
3 changed files with 36 additions and 18 deletions
@@ -50,14 +50,17 @@ class TestQaReviewDirectTrigger:
"pull_request_review must include 'submitted' type"
)
def test_job_guard_requires_approved_state(self):
def test_job_guard_fires_on_pull_request_review(self):
wf = load_workflow("qa-review.yml")
guard = _job_guard_string(wf)
assert "github.event.review.state == 'APPROVED'" in guard, (
"job guard must check review.state for 'APPROVED'"
assert "github.event_name == 'pull_request_review'" in guard, (
"job guard must fire on pull_request_review events"
)
assert "github.event.review.state == 'approved'" in guard, (
"job guard must check review.state for 'approved' (case fallback per #2135)"
# #2159: state guard removed because Gitea 1.22.6 does not reliably
# expose review.state in the pull_request_review payload. The
# evaluator (review-check.sh) validates APPROVED via API anyway.
assert "github.event.review.state" not in guard, (
"job guard must NOT check review.state (unreliable in Gitea payload)"
)
def test_post_step_uses_status_post_token(self):
@@ -91,14 +94,17 @@ class TestSecurityReviewDirectTrigger:
"pull_request_review must include 'submitted' type"
)
def test_job_guard_requires_approved_state(self):
def test_job_guard_fires_on_pull_request_review(self):
wf = load_workflow("security-review.yml")
guard = _job_guard_string(wf)
assert "github.event.review.state == 'APPROVED'" in guard, (
"job guard must check review.state for 'APPROVED'"
assert "github.event_name == 'pull_request_review'" in guard, (
"job guard must fire on pull_request_review events"
)
assert "github.event.review.state == 'approved'" in guard, (
"job guard must check review.state for 'approved' (case fallback per #2135)"
# #2159: state guard removed because Gitea 1.22.6 does not reliably
# expose review.state in the pull_request_review payload. The
# evaluator (review-check.sh) validates APPROVED via API anyway.
assert "github.event.review.state" not in guard, (
"job guard must NOT check review.state (unreliable in Gitea payload)"
)
def test_post_step_uses_status_post_token(self):
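Review bot: The rewritten test_job_guard_fires_on_pull_request_review in TestQaReviewDirectTrigger and the one in TestSecurityReviewDirectTrigger (second hunk) are identical apart from the workflow filename, including the three-line #2159 rationale comment, so the next guard change has to be mirrored twice. If the file already runs under pytest, a single parametrized test over `("qa-review.yml", "security-review.yml")` would keep both workflows under one assertion set; otherwise a shared `_assert_review_guard(wf_name)` helper called from both classes does the same. The negative assertion `"github.event.review.state" not in guard` is the one that actually pins this change, so I would also put the issue reference in its message rather than only in the comment, e.g. `"job guard must NOT check review.state (unreliable in Gitea payload, #2159)"`.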
+10 -4
@@ -110,13 +110,19 @@ jobs:
approved:
# Gate the job:
# - On pull_request_target events: always run.
# - On pull_request_review_approved events: run so the gate flips
# immediately when a team member submits an APPROVE review.
# - On pull_request_review events: always run. We do NOT guard on
# review.state here because Gitea 1.22.6's payload shape for this
# event does not reliably expose the state field that the GitHub-
# style guard expects (issue #2159). The evaluator
# (review-check.sh) reads the actual reviews from the API and
# checks for a real APPROVE, so running on COMMENT or
# REQUEST_CHANGES reviews is harmless (read-only, idempotent).
# sop-tier-check.yml uses the same pattern (no state guard) and
# provably fires on every review event.
# Comment-triggered refires live in sop-checklist.yml review-refire job.
if: |
github.event_name == 'pull_request_target' ||
(github.event_name == 'pull_request_review' &&
(github.event.review.state == 'APPROVED' || github.event.review.state == 'approved'))
github.event_name == 'pull_request_review'
runs-on: ubuntu-latest
steps:
- name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
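Review bot: The new comment block says extra runs on COMMENT or REQUEST_CHANGES reviews are "harmless (read-only, idempotent)", but the same PR's test file references a status-post step for this job, so the job does write a commit status; "read-only" overstates it. I would reword that line to `# checks for a real APPROVE, so extra runs on COMMENT or REQUEST_CHANGES` / `# reviews only re-post the same status (idempotent, not read-only).` and soften "provably fires on every review event" to "has been observed to fire", since nothing in the workflow proves it. With the in-workflow state guard gone, review-check.sh is now the only thing deciding whether a review event flips the gate; the comment says it looks for "a real APPROVE" but not whose approvals it accepts, and that is worth stating (or linking) here so a future reader does not reintroduce a payload-based guard as the supposed fix. The same comment text appears in security-review.yml (next section). The `approved:` job continues past the end of this hunk.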
+10 -4
@@ -37,13 +37,19 @@ jobs:
approved:
# Gate the job:
# - On pull_request_target events: always run.
# - On pull_request_review_approved events: run so the gate flips
# immediately when a team member submits an APPROVE review.
# - On pull_request_review events: always run. We do NOT guard on
# review.state here because Gitea 1.22.6's payload shape for this
# event does not reliably expose the state field that the GitHub-
# style guard expects (issue #2159). The evaluator
# (review-check.sh) reads the actual reviews from the API and
# checks for a real APPROVE, so running on COMMENT or
# REQUEST_CHANGES reviews is harmless (read-only, idempotent).
# sop-tier-check.yml uses the same pattern (no state guard) and
# provably fires on every review event.
# Comment-triggered refires live in sop-checklist.yml review-refire job.
if: |
github.event_name == 'pull_request_target' ||
(github.event_name == 'pull_request_review' &&
(github.event.review.state == 'APPROVED' || github.event.review.state == 'approved'))
github.event_name == 'pull_request_review'
runs-on: ubuntu-latest
steps:
- name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)