fix(github-app): avoid PR write overprivilege #427

Merged

JSONbored merged 1 commit into main from codex/propose-fix-for-pr-permission-vulnerability on Jun 5, 2026
Conversation

@JSONbored (Owner)

Motivation

  • The app mistakenly required pull_requests: write for public comment/label and command-preview flows even though those surfaces use GitHub Issues API endpoints, broadening installation token privileges unnecessarily.
  • The intent is to restore the least-privilege model while keeping existing public comment/label functionality intact.

Description

  • Reverted the required app permission pull_requests from write back to read in REQUIRED_INSTALLATION_PERMISSIONS by updating src/github/backfill.ts to reflect the actual usage.
  • Adjusted installation repair diagnostics so comment/label mode impact entries reference issues: write (the Issues API) instead of pull_requests: write.
  • Updated command-preview logic in src/api/routes.ts to block public previews only when issues: write is missing and to stop treating pull_requests as a blocking permission for posting comments/labels.
  • Updated settings preview messaging in src/signals/settings-preview.ts to instruct operators to restore Issues: write (not Pull requests: write) for public comments/labels and command responses.
  • Updated tests that asserted the broader permission model to expect the narrower pull_requests: read + issues: write behavior.

Testing

  • Ran npm run typecheck and fixed a typing issue; the TypeScript build completed successfully.
  • Ran unit and integration tests with npm test -- --run test/unit/backfill.test.ts test/integration/api.test.ts test/unit/settings-preview.test.ts, and all tests passed.
  • Ran git diff --check as a local lint/sanity check; no diff/check errors remained.

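The permission model this PR describes, as an added TypeScript example (not code from the gittensory project): comments and labels on pull requests go through the Issues API, so issues: write is the permission that should gate public comment/label flows, and pull_requests only needs read. The REQUIRED_INSTALLATION_PERMISSIONS contents, the function names and the sample installation are assumptions constructed for the example; the over-privileged variant is shown beside the least-privilege one.

```typescript
// Added example, not the project's code. Models the narrower permission
// check: pull_requests: read plus issues: write for public comments/labels.

type PermissionLevel = "read" | "write";
type InstallationPermissions = Partial<Record<string, PermissionLevel>>;

// Assumed required-permission map (contents are an assumption, not the
// project's actual map).
const REQUIRED_INSTALLATION_PERMISSIONS: Record<string, PermissionLevel> = {
  contents: "read",
  pull_requests: "read",
  issues: "write",
};

const LEVEL_RANK: Record<PermissionLevel, number> = { read: 1, write: 2 };

// A granted level satisfies a requirement when it is at least as high.
function satisfies(granted: PermissionLevel | undefined, required: PermissionLevel): boolean {
  return granted !== undefined && LEVEL_RANK[granted] >= LEVEL_RANK[required];
}

// Lists the "scope: level" entries an installation is missing, in the
// form a repair diagnostic would show to an operator.
function missingPermissions(granted: InstallationPermissions): string[] {
  return Object.entries(REQUIRED_INSTALLATION_PERMISSIONS)
    .filter(([scope, level]) => !satisfies(granted[scope], level))
    .map(([scope, level]) => `${scope}: ${level}`);
}

// Over-privileged variant (the behaviour the PR removed): public
// comment/label previews are blocked unless pull_requests: write is held,
// even though the Issues API never needs it.
function canPostPublicCommentOverprivileged(granted: InstallationPermissions): boolean {
  return satisfies(granted["issues"], "write") && satisfies(granted["pull_requests"], "write");
}

// Least-privilege variant: only issues: write gates public comments/labels.
function canPostPublicComment(granted: InstallationPermissions): boolean {
  return satisfies(granted["issues"], "write");
}

// Constructed sample: an installation granted exactly the narrower model.
const SAMPLE_INSTALLATION: InstallationPermissions = {
  contents: "read",
  pull_requests: "read",
  issues: "write",
};
```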

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 5, 2026

cloudflare-workers-and-pages Bot commented Jun 5, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

Status: Deployment successful
Name: gittensory-ui
Latest Commit: 493b443
Updated (UTC): Jun 05 2026, 06:32 PM


gittensory Bot commented Jun 5, 2026

Note

Gittensory Gate skipped

PR closed before full evaluation. No late first comment was created.

Signal: Gate result
Result: Skipped
Evidence: #427 is no longer open.
Action: No action.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory gittensory Bot added the gittensory:reviewed Gittensor contributor context label Jun 5, 2026
@github-actions github-actions Bot added the bug Something isn't working label Jun 5, 2026
@JSONbored JSONbored self-assigned this Jun 5, 2026
@JSONbored JSONbored merged commit f3d38f0 into main Jun 5, 2026
9 of 10 checks passed
@JSONbored JSONbored deleted the codex/propose-fix-for-pr-permission-vulnerability branch June 5, 2026 23:07
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jun 5, 2026