fix: handle PR comment fork branches safely #434

Merged: captainsafia merged 4 commits into main from safia/fix-fork-handling on May 6, 2026

@captainsafia
Collaborator

Summary

  • Gate fork PR comment response runs on trusted trigger actors using author association or optional org membership checks.
  • Route PR comment responses to the correct branch target for same-repo branches, modifiable fork heads, and fallback follow-up PRs into contributor forks.
  • Clarify agent prompts and completion comments for fallback fork PR flows.
  • Add coverage for trust gating, branch strategy payloads, prompts, and apply behavior.

Tests

  • python3 -m pytest tests

Co-Authored-By: Oz <oz-agent@warp.dev>

captainsafia and others added 3 commits May 5, 2026 17:07
Co-Authored-By: Oz <oz-agent@warp.dev>
Co-Authored-By: Oz <oz-agent@warp.dev>
Co-Authored-By: Oz <oz-agent@warp.dev>
@oz-for-oss
Contributor

oz-for-oss Bot commented May 6, 2026

@captainsafia

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

Comment thread core/workflows/respond_to_pr_comment.py Dismissed
Comment thread core/workflows/respond_to_pr_comment.py Dismissed
Contributor

@oz-for-oss oz-for-oss Bot left a comment

Overview

This PR adds trust gating and branch-target handling for respond-to-PR-comment runs on forked pull requests, including fallback follow-up PR creation when the fork head cannot be modified directly.

Concerns

  • The fallback apply path always creates a new follow-up PR. Because the fallback branch name is deterministic per original PR, any later response run for the same PR will fail when GitHub reports an existing PR for that head/base pair, even though the branch was updated successfully.

Verdict

Found: 0 critical, 1 important, 0 suggestions

Request changes

Comment thread core/workflows/respond_to_pr_comment.py Outdated
Co-Authored-By: Oz <oz-agent@warp.dev>
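
The trust gate and branch routing from the PR summary, together with the existing follow-up PR case raised in the first review, as an added example that is not the project's code. The function names, strategy labels and branch name format are hypothetical; only `author_association`, `maintainer_can_modify` and the `head`/`base` fields are GitHub payload fields, and same-repo runs are assumed to be gated elsewhere.

```python
# Added example; function names, strategy labels and the branch name format are
# hypothetical, not taken from core/workflows/respond_to_pr_comment.py.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}

# Constructed sample: a fork PR whose author has not allowed maintainer edits.
FORK_PR = {"number": 7, "maintainer_can_modify": False,
           "head": {"ref": "fix-typo", "repo": {"full_name": "contrib/project"}},
           "base": {"ref": "main", "repo": {"full_name": "org/project"}}}


def is_trusted_actor(comment, org_members=None):
    """Trust is decided on the commenter who triggered the run, not the PR author."""
    if comment.get("author_association") in TRUSTED_ASSOCIATIONS:
        return True
    login = (comment.get("user") or {}).get("login")
    return org_members is not None and login in org_members


def choose_branch_strategy(pr):
    """Pick the push target from GitHub pull request payload fields."""
    head_repo = pr["head"].get("repo")  # None once the fork has been deleted
    if head_repo is None:
        return "unsupported"
    if head_repo["full_name"] == pr["base"]["repo"]["full_name"]:
        return "same_repo_branch"
    if pr.get("maintainer_can_modify"):
        return "push_to_fork_head"
    return "followup_pr"


def plan_response(comment, pr, open_prs=(), org_members=None):
    """Gate fork runs on trust, then plan the target; open_prs are PRs open on the fork."""
    strategy = choose_branch_strategy(pr)
    if strategy == "unsupported":
        return {"action": "skip", "reason": "fork head repository unavailable"}
    if strategy != "same_repo_branch" and not is_trusted_actor(comment, org_members):
        return {"action": "skip", "reason": "untrusted actor on fork PR"}
    plan = {"action": "run", "strategy": strategy}
    if strategy == "followup_pr":
        branch = f"oz-followup/pr-{pr['number']}"  # deterministic per original PR
        existing = next((p["number"] for p in open_prs
                         if p["head"]["ref"] == branch
                         and p["base"]["ref"] == pr["head"]["ref"]), None)
        # Reuse an open follow-up PR instead of creating a second one for the same pair.
        plan.update(branch=branch, existing_pr=existing,
                    followup="reuse" if existing is not None else "create")
    return plan
```
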
@captainsafia
Collaborator Author

/oz-review

@oz-for-oss
Contributor

oz-for-oss Bot commented May 6, 2026

@captainsafia

I'm re-reviewing this pull request in response to a review request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Contributor

@oz-for-oss oz-for-oss Bot left a comment

Overview

This PR adds trusted-actor gating for fork PR comment-response runs and expands branch handling for same-repo heads, directly modifiable fork heads, and follow-up PR fallback flows. It also updates prompts, apply behavior, documentation, and tests around those branch strategies.

Concerns

No blocking correctness, security, or error-handling concerns found in the reviewed diff.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

@captainsafia
Collaborator Author

@peicodes @vkodithala This sets us up so that at least Warpers can mention Oz to fix issues on PRs that come from forks. It includes some logic that lets us detect if the PR opener has allowed pushing changes to their fork (ref) or if we need to open a PR against it.

@peicodes

peicodes commented May 6, 2026

Thanks for this!!

@captainsafia captainsafia merged commit 0e421ed into main May 6, 2026
4 checks passed