fix(github): require repo stats allowlist#4978
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
gittensory-ui | ad39b5d | Commit Preview URL Branch Preview URL |
Jul 11 2026, 01:10 PM |
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
…ult-deny allowlist Two tests in test/integration/api.test.ts called the public repo-stats route without configuring PUBLIC_REPO_STATS_ALLOWLIST, relying on the old "unset allowlist = allow any repo" behavior this PR intentionally removes (unset now denies all, closing the unauthenticated-proxy gap). Added an explicit allowlist entry to each so they keep testing their own actual concern (GITHUB_PUBLIC_TOKEN absence; transient-error stale-cache fallback) independently of the new allowlist requirement, rather than being confounded by it. Also resolves the rebase onto current main (a real content conflict in the allowlist test naming, and a mechanical worker-configuration.d.ts regeneration).
b691d04 to
ad39b5d
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4978 +/- ##
=======================================
Coverage 94.18% 94.18%
=======================================
Files 468 468
Lines 39608 39608
Branches 14448 14448
=======================================
Hits 37306 37306
Misses 1646 1646
Partials 656 656
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
|
Caution 🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥 🛑 Gittensory review result - fixes requiredReview updated: 2026-07-12 01:09:56 UTC
🛑 Suggested Action - Manual Review
Review summary Nits — 5 non-blocking
Why this is blocked
CI checks failing
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands Visual preview
Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
…tion.d.ts The prior regeneration (via npm run cf-typegen, resolving the rebase conflict) pulled in ~176 lines of unrelated drift from this local machine's wrangler/ workerd cache being out of sync with whatever last regenerated main's copy. Reset to origin/main's exact file, then hand-inserted just the one new binding this PR's wrangler.jsonc change actually needs (PUBLIC_REPO_STATS_ALLOWLIST, in both the literal-value interface and the sorted ProcessEnv union), mirroring the exact declaration position/format of the adjacent existing entries.


Motivation
GITHUB_PUBLIC_TOKEN, which could expose metadata or exhaust shared token quota.PUBLIC_REPO_STATS_ALLOWLISTmay be requested by the public endpoint.Description
publicRepoFullName(...)so an empty/unsetPUBLIC_REPO_STATS_ALLOWLISTno longer permits all repos (change insrc/github/public.ts).PUBLIC_REPO_STATS_ALLOWLISTdenies all unauthenticated repo-stats requests (change insrc/env.d.ts).JSONbored/gittensoryand regenerate Cloudflare/OpenAPI artifacts to keep deployment defaults consistent (changes inwrangler.jsonc,worker-configuration.d.ts,src/openapi/spec.ts, andapps/gittensory-ui/public/openapi.json).test/integration/api.test.ts).Testing
npm --workspace @jsonbored/gittensory-engine run buildand it completed successfully.npx vitest run test/integration/api.test.ts -t "public GitHub repo stats" --reporter=verboseand the updated tests for the public GitHub repo stats passed (5 passed, other unrelated tests skipped as expected).npm run ui:openapi:check,npm run cf-typegen:check, andnpm run typecheckto verify regenerated artifacts and types, and all checks succeeded.Codex Task