Allow docker agent to request reviews

Signed-off-by: Derek Misler <derek.misler@docker.com>

Author: derekmisler

.github/workflows/review-pr.yml

@@ -232,6 +232,7 @@ jobs:
           add-prompt-files: ${{ inputs.add-prompt-files }}
           model: ${{ inputs.model }}
           github-token: ${{ steps.app-token.outputs.token || github.token }}
+          trusted-bot-app-id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
           openai-api-key: ${{ secrets.OPENAI_API_KEY }}
           google-api-key: ${{ secrets.GOOGLE_API_KEY }}

action.yml

@@ -78,6 +78,10 @@ inputs:
     description: "Additional arguments to pass to cagent run"
     required: false
     default: ""
+  trusted-bot-app-id:
+    description: "GitHub App ID of a trusted bot that can bypass comment-based auth checks (e.g., for self-review triggers)"
+    required: false
+    default: ""
   add-prompt-files:
     description: "Comma-separated list of files to append to the prompt (e.g., 'AGENTS.md,CLAUDE.md')"
     required: false
@@ -190,10 +194,12 @@ runs:
       shell: bash
       env:
         ACTION_PATH: ${{ github.action_path }}
-        # Get author_association from comment events (the main risk)
-        COMMENT_ASSOCIATION: ${{ github.event.comment.author_association }}
+        TRUSTED_BOT_APP_ID: ${{ inputs.trusted-bot-app-id }}
         DEBUG: ${{ inputs.debug }}
       run: |
+        # Read comment fields directly from the event payload (cannot be overridden by workflow env vars)
+        COMMENT_ASSOCIATION=$(jq -r '.comment.author_association // empty' "$GITHUB_EVENT_PATH")
+
         # Only enforce auth for comment-triggered events
         # This prevents abuse via /commands while allowing PR-triggered workflows to run
         if [ -z "$COMMENT_ASSOCIATION" ]; then
@@ -202,6 +208,20 @@ runs:
           exit 0
         fi
 
+        # Allow a trusted GitHub App bot to bypass auth (e.g., auto-triage posts /review).
+        # Verified via user type + app ID from the event payload to prevent spoofing.
+        if [ -n "$TRUSTED_BOT_APP_ID" ]; then
+          COMMENT_USER_TYPE=$(jq -r '.comment.user.type // empty' "$GITHUB_EVENT_PATH")
+          COMMENT_APP_ID=$(jq -r '.comment.performed_via_github_app.id // empty' "$GITHUB_EVENT_PATH")
+
+          if [ "$COMMENT_USER_TYPE" = "Bot" ] && [ -n "$COMMENT_APP_ID" ] && [ "$COMMENT_APP_ID" = "$TRUSTED_BOT_APP_ID" ]; then
+            COMMENT_USER_LOGIN=$(jq -r '.comment.user.login // empty' "$GITHUB_EVENT_PATH")
+            echo "ℹ️ Skipping auth check (trusted bot: $COMMENT_USER_LOGIN, app_id: $COMMENT_APP_ID)"
+            echo "authorized=bot" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        fi
+
         echo "Using comment author_association: $COMMENT_ASSOCIATION"
 
         # Allowed roles (hardcoded for security - cannot be overridden)

review-pr/action.yml

@@ -53,6 +53,10 @@ inputs:
     description: "Comma-separated list of files to append to the prompt (e.g., 'AGENTS.md,CLAUDE.md')"
     required: false
     default: ""
+  trusted-bot-app-id:
+    description: "GitHub App ID of a trusted bot that can bypass comment-based auth checks"
+    required: false
+    default: ""
 
 outputs:
   exit-code:
@@ -464,6 +468,7 @@ runs:
         nebius-api-key: ${{ inputs.nebius-api-key }}
         mistral-api-key: ${{ inputs.mistral-api-key }}
         github-token: ${{ steps.resolve-token.outputs.token }}
+        trusted-bot-app-id: ${{ inputs.trusted-bot-app-id }}
         extra-args: ${{ inputs.model && format('--model={0}', inputs.model) || '' }}
 
     # ========================================
@@ -551,6 +556,7 @@ runs:
         nebius-api-key: ${{ inputs.nebius-api-key }}
         mistral-api-key: ${{ inputs.mistral-api-key }}
         github-token: ${{ steps.resolve-token.outputs.token }}
+        trusted-bot-app-id: ${{ inputs.trusted-bot-app-id }}
         extra-args: ${{ inputs.model && format('--model={0}', inputs.model) || '' }}
         add-prompt-files: ${{ inputs.add-prompt-files }}