feat : 디스코드 webhook + 클로드.md 추가 #336
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Caution Review failedThe pull request is closed. Walkthrough
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Suggested reviewers
Pre-merge checks❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
📜 Recent review detailsConfiguration used: Repository UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (3)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
Fix all issues with AI Agents 🤖
In @.github/workflows/pr-label-notify.yml:
- Line 19: The workflow exposes a hardcoded Discord webhook URL in the
DISCORD_WEBHOOK_URL environment variable; remove the hardcoded fallback,
rotate/invalidate the exposed webhook immediately, create a new webhook and
store it only in the repository GitHub Secret named DISCORD_WEBHOOK_URL, and
update the workflow to reference only ${{ secrets.DISCORD_WEBHOOK_URL }} (no
fallback/default value) so the value comes exclusively from Secrets; also
confirm no other files contain the leaked URL and replace any occurrences with
the secret reference.
- Line 58: Remove the hardcoded Discord webhook fallback in the
DISCORD_WEBHOOK_URL environment assignment and rely solely on the GitHub Actions
secret; update the line that sets DISCORD_WEBHOOK_URL so it references only
secrets.DISCORD_WEBHOOK_URL (no "||" fallback or literal URL) and ensure any
other occurrences of the same pattern are similarly changed to prevent embedding
a public webhook.
- Around line 20-25: Avoid directly injecting GitHub context into a shell
command; instead assign and escape those values before use to prevent command
substitution. Replace the inline run assignments for PR_NUMBER, PR_TITLE,
PR_AUTHOR, PR_URL, and REPO_NAME with safe assignments such as exporting them
from the workflow env: block or using escaped assignment inside the run step
like PR_TITLE="$(printf '%s' "${{ github.event.pull_request.title }}")" (and
similarly for PR_AUTHOR, PR_URL, PR_NUMBER, REPO_NAME) so the values are treated
as literal strings and cannot be interpreted as shell code.
🧹 Nitpick comments (3)
.github/workflows/pr-label-notify.yml (3)
13-14: 불필요한 체크아웃 단계입니다.이 워크플로우는 저장소 파일을 사용하지 않고 Discord 알림만 전송하므로, 체크아웃 단계가 필요하지 않습니다. 제거하면 실행 시간을 단축할 수 있습니다.
🔎 제안하는 수정사항
- - name: Checkout code - uses: actions/checkout@v4 - - name: Send Discord notification for PR label
27-53: Discord 임베드 구조가 올바르게 구성되어 있습니다.Discord API의 임베드 형식에 맞게 잘 작성되어 있으며, PR 정보를 명확하게 표시합니다. 다만 Line 30의
@프론트멘션을 환경 변수나 설정으로 관리하면 더 유연해질 수 있습니다.
60-64: 메시지에 특수 문자가 포함되면 JSON 구문 오류가 발생할 수 있습니다.
MESSAGE변수에 큰따옴표나 개행 문자가 포함되면 JSON이 깨질 수 있습니다.jq를 사용하여 안전하게 JSON을 생성하는 것을 권장합니다.🔎 제안하는 수정사항
- name: Send Discord notification for webhook if: github.event_name == 'repository_dispatch' env: DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} + MESSAGE: ${{ github.event.client_payload.message || '리뷰가 필요합니다! @프론트' }} run: | - MESSAGE="${{ github.event.client_payload.message || '리뷰가 필요합니다! @프론트' }}" - - curl -X POST "$DISCORD_WEBHOOK_URL" \ + jq -n \ + --arg content "$MESSAGE" \ + '{content: $content}' \ + | curl -X POST "$DISCORD_WEBHOOK_URL" \ -H "Content-Type: application/json" \ - -d "{\"content\": \"$MESSAGE\"}" + -d @-
📜 Review details
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (5)
.github/workflows/pr-label-notify.ymllint-fix.prd.mdsolid-connect-web@2.2445tsc클로드.md
💤 Files with no reviewable changes (1)
- lint-fix.prd.md
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 242
File: src/components/ui/TabSelector.tsx:10-11
Timestamp: 2025-08-12T09:41:44.182Z
Learning: manNomi prefers to keep reusable UI components simple and focused on core functionality rather than adding many features. They don't want to over-engineer flexible/reusable UI components at the initial stage.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 245
File: src/components/mentor/MentorChatCard/index.tsx:17-21
Timestamp: 2025-08-24T11:14:34.297Z
Learning: manNomi prefers not to receive accessibility suggestions or recommendations during code reviews.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 245
File: src/api/auth/client/usePostLogout.ts:17-33
Timestamp: 2025-08-24T11:13:08.477Z
Learning: manNomi prefers to prioritize user experience over perfect state consistency in auth flows. Specifically, in logout scenarios, they prefer to keep tokens intact on API failure to avoid forcing users to re-login, even if it means temporary UI state inconsistency.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 245
File: src/api/auth/client/useDeleteUserAccount.ts:17-27
Timestamp: 2025-08-24T11:11:40.758Z
Learning: manNomi prefers optimistic navigation in auth-related flows (like account deletion) to prevent race conditions where token clearing before navigation could cause intermediate redirects to login page due to pending async requests failing.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 242
File: src/types/mentor.ts:70-73
Timestamp: 2025-08-12T04:07:04.134Z
Learning: manNomi prefers using Korean labels directly in enum values (e.g., MentorTab.MY_MENTEE = "나의 멘티") over separating enum keys from UI labels for efficiency and intuitiveness, considering scalability concerns as excessive for their current project needs.
🪛 actionlint (1.7.9)
.github/workflows/pr-label-notify.yml
20-20: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details
(expression)
🔇 Additional comments (4)
클로드.md (4)
1-8: 커밋 규칙이 명확하고 잘 정리되어 있습니다.이모지 사용, 원자적 커밋, 간결한 메시지 작성이라는 세 가지 핵심 원칙이 간결하게 잘 표현되어 있습니다.
9-30: 이모지 가이드가 포괄적이고 실용적입니다.17개의 이모지가 일반적인 커밋 시나리오를 모두 커버하고 있어 팀원들이 적절한 이모지를 쉽게 선택할 수 있습니다.
31-46: 예시가 명확하고 교육적입니다.좋은 예와 나쁜 예를 통해 커밋 메시지 작성 규칙이 직관적으로 이해되도록 구성되어 있습니다.
48-56: 원자적 커밋 가이드가 명확합니다.커밋을 논리적 단위로 분리하는 기준이 구체적으로 제시되어 있어 팀원들이 실천하기 쉽습니다.
There was a problem hiding this comment.
Actionable comments posted: 1
Fix all issues with AI Agents 🤖
In @.github/workflows/pr-label-notify.yml:
- Around line 64-76: The MESSAGE variable is assigned directly from
github.event.client_payload.message and injected into a JSON string, allowing
script injection; stop building the JSON with manual shell string interpolation
and instead construct the payload safely with jq (e.g., pass the incoming
message into jq via --arg and let jq produce the JSON), then feed jq's output to
curl (curl -d @-), ensuring you no longer interpolate "$MESSAGE" into the
single-quoted JSON body and you keep the allowed_mentions structure created by
jq.
♻️ Duplicate comments (3)
.github/workflows/pr-label-notify.yml (3)
19-19: 하드코딩된 Discord 웹훅 URL을 즉시 제거해야 합니다.이전 리뷰에서 지적된 보안 취약점이 여전히 수정되지 않았습니다. 노출된 웹훅 URL은 누구나 해당 Discord 채널에 메시지를 전송할 수 있게 하므로, 폴백 값을 완전히 제거하고 GitHub Secrets만 사용해야 합니다.
🔎 제안하는 수정사항
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL || 'https://discord.com/api/webhooks/1457757557438550177/8WvnhSLYFfxGRpsDD_ExCONT41dNKhpxw78D6m66nxEkwVMsuTdXifHQXm0JT4Z7dNp2' }} + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
20-58: 스크립트 인젝션 취약점을 수정해야 합니다.이전 리뷰에서 지적된 보안 취약점이 여전히 수정되지 않았습니다. PR 제목, 작성자명 등의 신뢰할 수 없는 입력값을 쉘 스크립트와 JSON 페이로드에서 직접 사용하면 악의적인 코드 실행이 가능합니다.
더 나아가, 단순히 환경 변수로 이동하는 것만으로는 불충분합니다. JSON 문자열 내에서 변수를 직접 삽입할 때(예: line 34, 41, 46) 적절한 이스케이핑 없이는 여전히 인젝션 공격에 취약합니다.
🔎 제안하는 안전한 수정사항
jq를 사용하여 JSON을 안전하게 생성하세요:- name: Send Discord notification for PR label if: github.event_name == 'pull_request' && github.event.label.name == 'need_review' env: DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} + PR_NUMBER: ${{ github.event.pull_request.number }} + PR_TITLE: ${{ github.event.pull_request.title }} + PR_AUTHOR: ${{ github.event.pull_request.user.login }} + PR_URL: ${{ github.event.pull_request.html_url }} + REPO_NAME: ${{ github.repository }} + DISCORD_ROLE_ID: ${{ secrets.DISCORD_ROLE_ID || '1368737911301865503' }} run: | - PR_NUMBER="${{ github.event.pull_request.number }}" - PR_TITLE="${{ github.event.pull_request.title }}" - PR_AUTHOR="${{ github.event.pull_request.user.login }}" - PR_URL="${{ github.event.pull_request.html_url }}" - REPO_NAME="${{ github.repository }}" - - curl -X POST "$DISCORD_WEBHOOK_URL" \ + TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ) + + PAYLOAD=$(jq -n \ + --arg username "프론트 PR 리뷰봇" \ + --arg avatar_url "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png" \ + --arg content "리뷰가 필요합니다! <@&$DISCORD_ROLE_ID>" \ + --arg pr_number "$PR_NUMBER" \ + --arg pr_title "$PR_TITLE" \ + --arg pr_url "$PR_URL" \ + --arg pr_author "$PR_AUTHOR" \ + --arg repo_name "$REPO_NAME" \ + --arg timestamp "$TIMESTAMP" \ + --arg role_id "$DISCORD_ROLE_ID" \ + '{ + username: $username, + avatar_url: $avatar_url, + content: $content, + embeds: [{ + title: ("PR #" + $pr_number + ": " + $pr_title), + description: "리뷰 요청이 있습니다", + url: $pr_url, + color: 3447003, + fields: [ + { + name: "작성자", + value: $pr_author, + inline: true + }, + { + name: "저장소", + value: $repo_name, + inline: true + } + ], + footer: { + text: "GitHub Actions" + }, + timestamp: $timestamp + }], + allowed_mentions: { + roles: [$role_id] + } + }') + + curl -X POST "$DISCORD_WEBHOOK_URL" \ -H "Content-Type: application/json" \ - -d '{ - "username": "프론트 PR 리뷰봇", - "avatar_url": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", - "content": "리뷰가 필요합니다! <@&1368737911301865503>", - "embeds": [{ - "title": "PR #'"$PR_NUMBER"': '"$PR_TITLE"'", - "description": "리뷰 요청이 있습니다", - "url": "'"$PR_URL"'", - "color": 3447003, - "fields": [ - { - "name": "작성자", - "value": "'"$PR_AUTHOR"'", - "inline": true - }, - { - "name": "저장소", - "value": "'"$REPO_NAME"'", - "inline": true - } - ], - "footer": { - "text": "GitHub Actions" - }, - "timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'" - }], - "allowed_mentions": { - "roles": ["1368737911301865503"] - } - }' + -d "$PAYLOAD"
63-63: 하드코딩된 Discord 웹훅 URL을 제거해야 합니다.Line 19와 동일한 보안 취약점이 여기에도 존재합니다. 하드코딩된 폴백 URL을 제거하고 GitHub Secrets만 사용해야 합니다.
🔎 제안하는 수정사항
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL || 'https://discord.com/api/webhooks/1457757557438550177/8WvnhSLYFfxGRpsDD_ExCONT41dNKhpxw78D6m66nxEkwVMsuTdXifHQXm0JT4Z7dNp2' }} + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
📜 Review details
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/pr-label-notify.yml
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 242
File: src/components/ui/TabSelector.tsx:10-11
Timestamp: 2025-08-12T09:41:44.182Z
Learning: manNomi prefers to keep reusable UI components simple and focused on core functionality rather than adding many features. They don't want to over-engineer flexible/reusable UI components at the initial stage.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 245
File: src/components/mentor/MentorChatCard/index.tsx:17-21
Timestamp: 2025-08-24T11:14:34.297Z
Learning: manNomi prefers not to receive accessibility suggestions or recommendations during code reviews.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 245
File: src/api/auth/client/usePostLogout.ts:17-33
Timestamp: 2025-08-24T11:13:08.477Z
Learning: manNomi prefers to prioritize user experience over perfect state consistency in auth flows. Specifically, in logout scenarios, they prefer to keep tokens intact on API failure to avoid forcing users to re-login, even if it means temporary UI state inconsistency.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 245
File: src/api/auth/client/useDeleteUserAccount.ts:17-27
Timestamp: 2025-08-24T11:11:40.758Z
Learning: manNomi prefers optimistic navigation in auth-related flows (like account deletion) to prevent race conditions where token clearing before navigation could cause intermediate redirects to login page due to pending async requests failing.
Learnt from: manNomi
Repo: solid-connection/solid-connect-web PR: 242
File: src/types/mentor.ts:70-73
Timestamp: 2025-08-12T04:07:04.134Z
Learning: manNomi prefers using Korean labels directly in enum values (e.g., MentorTab.MY_MENTEE = "나의 멘티") over separating enum keys from UI labels for efficiency and intuitiveness, considering scalability concerns as excessive for their current project needs.
🪛 actionlint (1.7.9)
.github/workflows/pr-label-notify.yml
20-20: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details
(expression)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Build
🔇 Additional comments (1)
.github/workflows/pr-label-notify.yml (1)
1-14: 워크플로우 구조가 적절합니다.PR 라벨 이벤트와 repository_dispatch를 감지하는 트리거 설정이 올바르게 구성되어 있습니다.
- fork PR에서 secrets 접근 가능하도록 pull_request_target 사용 - CODEOWNERS만 Discord 알림을 트리거할 수 있도록 보안 체크 추가 - CODEOWNERS에 enunsnv, khwww 추가 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
관련 이슈
작업 내용
특이 사항
리뷰 요구사항 (선택)