20 changes: 20 additions & 0 deletions .github/workflows/workflow.yml
@@ -0,0 +1,20 @@
name: Register Bot

on:
workflow_dispatch: # Manually trigger this
Comment on lines +3 to +4

⚠️ Potential issue | 🟠 Major

Add access controls to prevent unintended workflow triggers.

The workflow uses workflow_dispatch without branch protection rules, allowing any user with repository access to manually trigger bot registration. Consider adding documentation or README guidelines about when/how this should be used, and whether you need to restrict triggering permissions via branch protection or organization policies.

🤖 Prompt for AI Agents
.github/workflows/workflow.yml lines 3-4: the workflow uses workflow_dispatch
without any access controls, allowing any repo collaborator to manually trigger
bot registration; update the workflow to restrict manual triggers by either
removing workflow_dispatch if unnecessary, adding runtime checks to immediately
abort when github.event_name == 'workflow_dispatch' and github.actor is not in
an allowlist (or checking team membership), or configuring the workflow to
require a protected environment with required reviewers for manual runs; also
add README/docs describing who may trigger this workflow and why.


jobs:
register:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Create and push to temp branch
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git checkout -b temp-bot-registration
echo "This is a test file to register the bot" > bot-test.txt
git add bot-test.txt
git commit -m "Register github-actions bot"
git push origin temp-bot-registration
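Review bot: the workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository's default scope, which may be read-only (the final `git push origin temp-bot-registration` then fails) or broader than the job needs; add an explicit `permissions: contents: write` at the top level or on the `register` job so the push works under least privilege. The step is also not rerunnable: `git checkout -b temp-bot-registration` fails once the local branch exists and the push is rejected once the remote branch exists, so use `git checkout -B` and either delete the remote branch first or push with `--force-with-lease`.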
Comment on lines +1 to +20

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, understand the repository structure and look for related documentation
echo "=== Repository structure ==="
git ls-files | head -20

echo -e "\n=== Looking for documentation files ==="
fd -t f '(README|CONTRIBUTING|\.md)' | head -20

echo -e "\n=== Checking for other workflow files ==="
fd -t f 'workflow' .github/

echo -e "\n=== Looking for 'register' or 'bot' mentions in common files ==="
rg -i '(register|bot)' --type markdown --type yaml -A 2 -B 2 | head -50

Repository: flixOpt/flixopt

Length of output: 5759


🏁 Script executed:

#!/bin/bash

echo "=== Content of python-app.yaml (existing workflow) ==="
cat .github/workflows/python-app.yaml

echo -e "\n\n=== Checking git history for workflow.yml ==="
git log --oneline --all -- .github/workflows/workflow.yml | head -20

echo -e "\n\n=== Recent commits that modified .github ==="
git log --oneline --all -- .github/ | head -20

echo -e "\n\n=== Checking if temp-bot-registration branch exists ==="
git branch -a | grep -i temp

echo -e "\n\n=== Looking at PR or branch info ==="
git branch -v

Repository: flixOpt/flixopt

Length of output: 11027


🏁 Script executed:

#!/bin/bash

echo "=== Full commit details for workflow.yml ==="
git log --all --pretty=format:"%H %ai %s %b" -- .github/workflows/workflow.yml | head -50

echo -e "\n\n=== What changed in commit 9f40be8 ==="
git show 9f40be8 -- .github/workflows/workflow.yml | head -80

echo -e "\n\n=== Current branch status ==="
git status

echo -e "\n\n=== Comparing workflow.yml between branches ==="
git diff 13ba071..9f40be8 -- .github/workflows/workflow.yml

Repository: flixOpt/flixopt

Length of output: 1484


Based on my verification, I can now provide a rewritten review comment with confidence. The original review raised valid concerns that I've confirmed through investigation:

Fix critical issues: missing error handling, documentation, and idempotence.

This workflow will fail on repeated execution—git checkout -b temp-bot-registration fails if the branch already exists, and git push origin temp-bot-registration will fail if the branch has been pushed before. The purpose of "registering" the bot is undocumented. To address these concerns:

  1. Document the workflow's purpose in a comment explaining what "registering the bot" achieves and whether this is meant to run once or repeatedly.
  2. Add error handling for branch creation and deletion; use git checkout -B (capital B) to force overwrite or delete the branch first with git push origin --delete temp-bot-registration 2>/dev/null || true.
  3. Make it idempotent by either cleaning up on each run or handling the "branch already exists" case explicitly.
  4. Add cleanup logic after the push to remove the temporary branch, or document why it should persist.
  5. Add set -e to the run block to halt on errors (or handle them explicitly).

Reference the create-release job in python-app.yaml for comparison on error handling patterns and proper git configuration in GitHub Actions workflows.

🤖 Prompt for AI Agents
.github/workflows/workflow.yml lines 1-20: The workflow lacks documentation,
error handling and is not idempotent (branch creation and push will fail on
repeated runs); add a top-of-file comment explaining the purpose and expected
frequency of runs, update the git steps to be idempotent by deleting the remote
branch if present (or using git checkout -B to reset local branch), or use git
push --force-with-lease to safely update the remote; add cleanup logic to remove
the temporary branch locally and remotely after successful push (or explicitly
document persistence), and ensure the run script uses set -e (or explicit error
checks) so failures halt the job and errors are logged.
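The idempotent version of the "Create and push to temp branch" step that the review above asks for, written here as an added example that is not part of the PR or of the flixopt project: it runs the step twice against a constructed local bare repository standing in for GitHub, so it works offline. The branch name and marker file match the diff; the helper names `register_bot`, `remote_has_branch` and `make_fixture` are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow): an idempotent version of the
# "Create and push to temp branch" step. Constructed local repos stand in
# for GitHub; BRANCH and the file name are assumptions matching the review.
set -eu

BRANCH="temp-bot-registration"

# register_bot <clone-dir>: recreate BRANCH from the current HEAD, commit
# the marker file and push. Safe to rerun: a stale remote branch is
# deleted, the local branch is reset with -B, and the push uses
# --force-with-lease so a concurrent update is not silently overwritten.
register_bot() {
  local repo="$1"
  git -C "$repo" config user.name "github-actions[bot]"
  git -C "$repo" config user.email "github-actions[bot]@users.noreply.github.com"
  # Remove a branch left by a previous run; "not found" is not an error here.
  git -C "$repo" push -q --delete origin "$BRANCH" 2>/dev/null || true
  git -C "$repo" checkout -q -B "$BRANCH"   # -B: create or reset
  echo "This is a test file to register the bot" > "$repo/bot-test.txt"
  git -C "$repo" add bot-test.txt
  git -C "$repo" commit -q --allow-empty -m "Register github-actions bot"
  git -C "$repo" push -q --force-with-lease origin "$BRANCH"
  # Cleanup: return to the previous branch and drop the local temp branch.
  git -C "$repo" checkout -q -
  git -C "$repo" branch -q -D "$BRANCH"
}

# remote_has_branch <bare-repo>: exit 0 if BRANCH exists on the "remote".
remote_has_branch() {
  git -C "$1" show-ref --verify --quiet "refs/heads/$BRANCH"
}

# make_fixture: constructed bare "origin" plus a clone holding one commit;
# prints the clone path so callers can pass it to register_bot.
make_fixture() {
  local base
  base="$(mktemp -d)"
  git init -q --bare "$base/origin.git"
  git clone -q "$base/origin.git" "$base/clone" 2>/dev/null
  git -C "$base/clone" config user.name "test"
  git -C "$base/clone" config user.email "test@example.com"
  git -C "$base/clone" commit -q --allow-empty -m "initial"
  git -C "$base/clone" push -q origin HEAD
  echo "$base/clone"
}
```

In the real workflow the same `register_bot` body goes into the `run:` block, with `permissions: contents: write` declared so the push is allowed.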