plan §4.1: commenter auth via /permission endpoint (write+), not the collaborators list

The repo's explicit collaborator list is empty — bot and maintainers (trav/notplants)
all access via org ownership, so the collaborators check 404s for everyone. Authorize via
GET /collaborators/{user}/permission requiring owner/admin/write (matches the builder's fix).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 02:20:59 +01:00
parent ef42e3d922
commit e157a943bb


@ -338,10 +338,13 @@ Bridge posts/updates a Gitea PR comment with the run URL and (on completion) pas
git.autonomic.zone, outbound — the reliably-working path) at ≤60s to satisfy D1. Because the modes
are exclusive, no cross-path dedupe is needed; just don't re-fire already-seen comments when poll
mode is switched on. Either mode alone satisfies D1.
- **Collaborator check must count org access.** The commenter-authorization step rejects
non-collaborators (correct, per §6) — but it must treat `recipe-maintainers` **org members/admins**
as authorized (the bot is org admin; a naive repo-collaborator check rejects it). Verify real
maintainers pass; don't gate legitimate `!testme` on a too-narrow collaborator lookup.
- **Commenter auth uses effective permission, not the collaborators list.** The repo's explicit
collaborator list is empty — the bot *and* the real maintainers (`trav`/`notplants`) all reach
`recipe-maintainers/cc-ci` as **org owners**, so `GET /collaborators/{user}` 404s for everyone and
a naive is-collaborator check rejects all legitimate `!testme`. Authorize instead via
`GET /repos/{repo}/collaborators/{user}/permission` and require `owner`/`admin`/`write` (rejects
`read`/`none`/404 → still satisfies §6's non-collaborator-rejection check; fail-closed on any API
error). The bot token needs repo-admin to read another user's permission — fine, it's org owner.
- Enrollment = registering the Gitea webhook on a recipe repo (script in `runner/` or documented
in `enroll-recipe.md`) + ensuring a `tests/<recipe>/` dir exists. The `autonomic-bot` account is
**admin on the `recipe-maintainers` org**, so it can create repos there and add webhooks to any
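Review bot: the replacement bullet drops the "Verify real maintainers pass" instruction from the removed bullet without carrying the verification over, and its fail-closed rule ("fail-closed on any API error") now ties every `!testme` to the bot token keeping repo-admin. Two suggestions for this hunk. First, keep an explicit check that `trav`/`notplants` actually resolve to `owner` via `GET /repos/{repo}/collaborators/{user}/permission` before the old collaborator lookup is deleted, since the whole argument rests on "all reach `recipe-maintainers/cc-ci` as org owners" and that was only inferred from the 404s. Second, state that a lookup failure (403 because the bot lost repo-admin, 5xx, network error) is logged and surfaced differently from a `read`/`none`/404 result: both must reject, but the bullet as written makes a token downgrade indistinguishable from a non-collaborator, and the earlier D1 latency commitment on this same spec would then fail silently. Wording the allow-list as "exactly `owner`/`admin`/`write`; any other value, including unknown strings, rejects" would also make the fail-closed intent unambiguous.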