Commit 33edc25
[gateway] Correct commit integrity elevation for personal repos on non-default refs (#4283)
`list_commits`/`get_commit` on non-default refs could label
owner-authored commits in public personal repos as `none:*` because
commit payloads often lack `author_association`, and
collaborator-permission elevation was org-gated. This caused valid
commits to be filtered when `min-integrity` was `approved`.
- **Integrity elevation path**
  - Removed org-only short-circuit in
    `elevate_via_collaborator_permission`, so public personal repos can use
    collaborator-permission fallback the same as org repos.
  - Updated inline docs/comments to reflect the generalized behavior
    (missing/`NONE` association handling, not org-specific).
- **Commit owner fast-path**
  - In `commit_integrity`, added a public-repo owner match shortcut:
    - when `author.login` matches the repo owner segment of `owner/repo`,
      integrity is raised to at least `writer`.
  - This covers the common `list_commits` shape where `author_association`
    is absent.
- **Targeted tests**
  - Added coverage for owner-authored commits on public personal repos
    without `author_association`, asserting writer-level integrity.
  - Updated collaborator-permission fallback test semantics to match the
    new non-org behavior.
```rust
if !repo_private {
    if let Some((owner, _)) = repo_full_name.split_once('/') {
        if author_login.eq_ignore_ascii_case(owner) {
            integrity = max_integrity(
                repo_full_name,
                integrity,
                writer_integrity(repo_full_name, ctx),
                ctx,
            );
        }
    }
    integrity = elevate_via_collaborator_permission(
        author_login,
        repo_full_name,
        "commit",
        &format!("{}@{}", repo_full_name, short_sha),
        integrity,
        ctx,
    );
}
```
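Review bot: the owner fast-path at `author_login.eq_ignore_ascii_case(owner)` raises integrity to `writer` on the strength of `author.login` alone, and that field describes who the commit is attributed to, not who pushed it. Consider also requiring the commit's verification status before taking the shortcut, or add a comment stating why author attribution is sufficient for public repos. Separately, `elevate_via_collaborator_permission` is still called after the fast-path has already raised the value; if that function performs a lookup, skipping it once `integrity` is at `writer` would avoid the extra call.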
2 files changed
Lines changed: 36 additions & 14 deletions