Allow PR review workflow OIDC for AiGateway #69
@@ -8,8 +8,8 @@ DEPLOY_DIR="${CODEX_AUDIT_SERVICE_DEPLOY_DIR:-/opt/codex-audit-bridge}" | |
| AUDIT_PORT="${CODEX_AUDIT_SERVICE_PORT:-8797}" | ||
| AUDIENCE="${CODEX_AUDIT_SERVICE_AUDIENCE:-quant-codex-audit}" | ||
| ALLOWED_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORIES:-QuantStrategyLab/CodexAuditBridge,QuantStrategyLab/AIAuditBridge}" | ||
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" | ||
| ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main}" | ||
| ALLOWED_WORKFLOW_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS:-QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main,QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge,QuantStrategyLab/AIAuditBridge/.github/workflows/codex_audit.yml@refs/heads/main}" | ||
When this new PR-review OIDC allowlist lets the same-repo
| ALLOWED_REFS="${CODEX_AUDIT_SERVICE_ALLOWED_REFS:-refs/heads/main,refs/pull/*/merge}" | ||
Comment on lines +11 to +12:
When operators use the documented direct VPS deploy path,
| ALLOWED_REPOSITORY_VISIBILITIES="${CODEX_AUDIT_SERVICE_ALLOWED_REPOSITORY_VISIBILITIES:-public}" | ||
| ALLOWED_SOURCE_REPOSITORIES="${CODEX_AUDIT_SERVICE_ALLOWED_SOURCE_REPOSITORIES:-QuantStrategyLab/CryptoLivePoolPipelines,QuantStrategyLab/HkEquitySnapshotPipelines,QuantStrategyLab/UsEquitySnapshotPipelines,QuantStrategyLab/ResearchSignalContextPipelines}" | ||
| JOB_DIR="${CODEX_AUDIT_SERVICE_JOB_DIR:-/var/lib/codex-audit-bridge/jobs}" | ||
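Review bot: the refs/pull/*/merge entries added to ALLOWED_WORKFLOW_REFS and ALLOWED_REFS are the first wildcard values in these lists (every existing entry is an exact ref), and nothing in this hunk shows whether the service compares these values by string equality or as glob patterns; please confirm the matching logic handles the asterisk, otherwise both additions are dead entries and the PR-review path keeps failing authorization. It is also worth documenting in the script that refs/pull/*/merge admits tokens minted from any open pull request's merge commit, i.e. code that has not yet been reviewed or merged, so the service should treat such a token as a lower-trust caller than one from refs/heads/main rather than granting both the same access.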
For workflow_call PR reviews (the workflow advertises uses: QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@main from other repos), adding the called workflow to CODEX_AUDIT_SERVICE_ALLOWED_WORKFLOW_REFS does not authorize the token the service validates: GitHub's OIDC repository/workflow_ref describe the caller repo/workflow, while the called reusable workflow is exposed separately as job_workflow_ref. Since service/auth/__init__.py still checks only repository, workflow_ref, and ref, consumer repos will continue to receive the same 401 instead of reaching AiGateway unless the allowlist/auth logic admits the caller repos and validates the reusable workflow claim.
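The claim split the comment above describes, as an added Python example that is not the project's service/auth code: the caller-only check the comment attributes to the service beside one that also validates job_workflow_ref. The ALLOWED_JOB_WORKFLOW_REFS list, the sample claim values and the consumer's workflow file name are assumptions; the other allowlist values are taken from the diff.

```python
from fnmatch import fnmatchcase

# Allowlists mirroring the deploy-script variables in the diff. refs/pull/*/merge is a glob, so
# values are matched with fnmatchcase instead of string equality (note: fnmatch's * also spans "/").
ALLOWED_REPOSITORIES = {"QuantStrategyLab/CodexAuditBridge", "QuantStrategyLab/AIAuditBridge"}
ALLOWED_WORKFLOW_REFS = {
    "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main",
    "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/*/merge",
}
ALLOWED_REFS = {"refs/heads/main", "refs/pull/*/merge"}
ALLOWED_SOURCE_REPOSITORIES = {"QuantStrategyLab/CryptoLivePoolPipelines"}
# Hypothetical extra allowlist for the reusable-workflow claim; the diff has no such variable.
ALLOWED_JOB_WORKFLOW_REFS = {
    "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main",
}


def _matches(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)


def authorize_caller_only(claims):
    """The check the review describes: repository, workflow_ref and ref only.
    All three describe the *calling* workflow, so a consumer repo that reached the
    reusable workflow through workflow_call can never pass, whatever the allowlists hold."""
    return (_matches(claims["repository"], ALLOWED_REPOSITORIES)
            and _matches(claims["workflow_ref"], ALLOWED_WORKFLOW_REFS)
            and _matches(claims["ref"], ALLOWED_REFS))


def authorize_reusable_workflow(claims):
    """workflow_call path: the caller must be an allowed source repo on an allowed ref,
    and job_workflow_ref must name an allowlisted reusable workflow."""
    return (_matches(claims["repository"], ALLOWED_SOURCE_REPOSITORIES)
            and _matches(claims["ref"], ALLOWED_REFS)
            and _matches(claims.get("job_workflow_ref", ""), ALLOWED_JOB_WORKFLOW_REFS))


# Constructed sample claim sets; PR numbers and the consumer's workflow file name are made up.
SAME_REPO_PR = {
    "repository": "QuantStrategyLab/CodexAuditBridge",
    "workflow_ref": "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/pull/42/merge",
    "ref": "refs/pull/42/merge",
}
CONSUMER_PR = {
    "repository": "QuantStrategyLab/CryptoLivePoolPipelines",
    "workflow_ref": "QuantStrategyLab/CryptoLivePoolPipelines/.github/workflows/review.yml@refs/pull/7/merge",
    "ref": "refs/pull/7/merge",
    "job_workflow_ref": "QuantStrategyLab/CodexAuditBridge/.github/workflows/codex_pr_review.yml@refs/heads/main",
}
```

Running both checks over CONSUMER_PR shows the 401 the comment predicts from the caller-only check and the pass once job_workflow_ref is validated.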