From e157a943bb5146968550361e28bc14bed90c89ac Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 27 May 2026 02:20:59 +0100 Subject: [PATCH] =?UTF-8?q?plan=20=C2=A74.1:=20commenter=20auth=20via=20/p?= =?UTF-8?q?ermission=20endpoint=20(write+),=20not=20the=20collaborators=20?= =?UTF-8?q?list?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The repo's explicit collaborator list is empty — bot and maintainers (trav/notplants) all access via org ownership, so the collaborators check 404s for everyone. Authorize via GET /collaborators/{user}/permission requiring owner/admin/write (matches the builder's fix). Co-Authored-By: Claude Opus 4.7 (1M context) --- cc-ci-plan/plan.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/cc-ci-plan/plan.md b/cc-ci-plan/plan.md index 760e558..1cf2a05 100644 --- a/cc-ci-plan/plan.md +++ b/cc-ci-plan/plan.md 
@@ -338,10 +338,13 @@ Bridge posts/updates a Gitea PR comment with the run URL and (on completion) pas git.autonomic.zone, outbound — the reliably-working path) at ≤60s to satisfy D1. Because the modes are exclusive, no cross-path dedupe is needed; just don't re-fire already-seen comments when poll mode is switched on. Either mode alone satisfies D1. -- **Collaborator check must count org access.** The commenter-authorization step rejects - non-collaborators (correct, per §6) — but it must treat `recipe-maintainers` **org members/admins** - as authorized (the bot is org admin; a naive repo-collaborator check rejects it). Verify real - maintainers pass; don't gate legitimate `!testme` on a too-narrow collaborator lookup. +- **Commenter auth uses effective permission, not the collaborators list.** The repo's explicit + collaborator list is empty — the bot *and* the real maintainers (`trav`/`notplants`) all reach + `recipe-maintainers/cc-ci` as **org owners**, so `GET /collaborators/{user}` 404s for everyone and + a naive is-collaborator check rejects all legitimate `!testme`. Authorize instead via + `GET /repos/{repo}/collaborators/{user}/permission` and require `owner`/`admin`/`write` (rejects + `read`/`none`/404 → still satisfies §6's non-collaborator-rejection check; fail-closed on any API + error). The bot token needs repo-admin to read another user's permission — fine, it's org owner. - Enrollment = registering the Gitea webhook on a recipe repo (script in `runner/` or documented in `enroll-recipe.md`) + ensuring a `tests//` dir exists. The `autonomic-bot` account is **admin on the `recipe-maintainers` org**, so it can create repos there and add webhooks to any
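Review bot: the replacement bullet drops the explicit verification step the old bullet carried ("Verify real maintainers pass"), which matters here because the whole reason for the change is that the previous check rejected everyone; suggest keeping a verification line such as "Verify: `trav`, `notplants` and `autonomic-bot` return `owner` from `GET /repos/{repo}/collaborators/{user}/permission`; a non-member and a `read`-only user are rejected" so both the accept and the fail-closed paths are exercised before this gates `!testme`. Two smaller points on the same bullet: it lists 404 alongside `read`/`none` as a reject outcome and separately says "fail-closed on any API error", so state plainly that an unknown user (404) and a transport or 5xx failure are both treated as reject with no retry into an allow, so an API outage can never be read as a permission; and the sentence "The bot token needs repo-admin to read another user's permission — fine, it's org owner" is a deployment precondition rather than a design note, so record it in `enroll-recipe.md` (referenced in the following context line) where the bot account's required org role is already described.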