Dont filter content from trusted bots

JoannaaKL · JoannaaKL · commit 869c0247e3a4 · 2025-11-21T12:04:23.000+01:00
diff --git a/pkg/lockdown/lockdown.go b/pkg/lockdown/lockdown.go
@@ -15,24 +15,27 @@ import (
 // RepoAccessCache caches repository metadata related to lockdown checks so that
 // multiple tools can reuse the same access information safely across goroutines.
 type RepoAccessCache struct {
-	client *githubv4.Client
-	mu     sync.Mutex
-	cache  *cache2go.CacheTable
-	ttl    time.Duration
-	logger *slog.Logger
+	client           *githubv4.Client
+	mu               sync.Mutex
+	cache            *cache2go.CacheTable
+	ttl              time.Duration
+	logger           *slog.Logger
+	trustedBotLogins map[string]struct{}
 }
 
 type repoAccessCacheEntry struct {
 	isPrivate   bool
 	knownUsers  map[string]bool // normalized login -> has push access
 	viewerLogin string
+	viewerType  string
 }
 
 // RepoAccessInfo captures repository metadata needed for lockdown decisions.
 type RepoAccessInfo struct {
 	IsPrivate     bool
 	HasPushAccess bool
 	ViewerLogin   string
+	ViewerType    string
 }
 
 const (
@@ -85,6 +88,12 @@ func GetInstance(client *githubv4.Client, opts ...RepoAccessOption) *RepoAccessC
 			client: client,
 			cache:  cache2go.Cache(defaultRepoAccessCacheKey),
 			ttl:    defaultRepoAccessTTL,
+			trustedBotLogins: map[string]struct{}{
+				"dependabot[bot]":         {},
+				"dependabot-preview[bot]": {},
+				"github-actions[bot]":     {},
+				"github-copilot[bot]":     {},
+			},
 		}
 		for _, opt := range opts {
 			if opt != nil {
@@ -115,7 +124,8 @@ func (c *RepoAccessCache) IsSafeContent(ctx context.Context, username, owner, re
 		c.logDebug("error checking repo access info for content filtering", "owner", owner, "repo", repo, "user", username, "error", err)
 		return false, err
 	}
-	if repoInfo.IsPrivate || repoInfo.ViewerLogin == username {
+
+	if c.isTrustedBot(username, repoInfo.ViewerType) || repoInfo.IsPrivate || repoInfo.ViewerLogin == username {
 		return true, nil
 	}
 	return repoInfo.HasPushAccess, nil
@@ -150,12 +160,14 @@ func (c *RepoAccessCache) getRepoAccessInfo(ctx context.Context, username, owner
 		}
 		entry.knownUsers[userKey] = info.HasPushAccess
 		entry.viewerLogin = info.ViewerLogin
+		entry.viewerType = info.ViewerType
 		entry.isPrivate = info.IsPrivate
 		c.cache.Add(key, c.ttl, entry)
 		return RepoAccessInfo{
 			IsPrivate:     entry.isPrivate,
 			HasPushAccess: entry.knownUsers[userKey],
 			ViewerLogin:   entry.viewerLogin,
+			ViewerType:    entry.viewerType,
 		}, nil
 	}
 
@@ -171,13 +183,15 @@ func (c *RepoAccessCache) getRepoAccessInfo(ctx context.Context, username, owner
 		knownUsers:  map[string]bool{userKey: info.HasPushAccess},
 		isPrivate:   info.IsPrivate,
 		viewerLogin: info.ViewerLogin,
+		viewerType:  info.ViewerType,
 	}
 	c.cache.Add(key, c.ttl, entry)
 
 	return RepoAccessInfo{
 		IsPrivate:     entry.isPrivate,
 		HasPushAccess: entry.knownUsers[userKey],
 		ViewerLogin:   entry.viewerLogin,
+		ViewerType:    entry.viewerType,
 	}, nil
 }
 
@@ -188,7 +202,8 @@ func (c *RepoAccessCache) queryRepoAccessInfo(ctx context.Context, username, own
 
 	var query struct {
 		Viewer struct {
-			Login githubv4.String
+			Typename string `graphql:"__typename"`
+			Login    githubv4.String
 		}
 		Repository struct {
 			IsPrivate     githubv4.Boolean
@@ -227,15 +242,24 @@ func (c *RepoAccessCache) queryRepoAccessInfo(ctx context.Context, username, own
 		IsPrivate:     bool(query.Repository.IsPrivate),
 		HasPushAccess: hasPush,
 		ViewerLogin:   string(query.Viewer.Login),
+		ViewerType:    query.Viewer.Typename,
 	}, nil
 }
 
-func cacheKey(owner, repo string) string {
-	return fmt.Sprintf("%s/%s", strings.ToLower(owner), strings.ToLower(repo))
-}
-
 func (c *RepoAccessCache) logDebug(msg string, args ...any) {
 	if c != nil && c.logger != nil {
 		c.logger.Debug(msg, args...)
 	}
 }
+
+func (c *RepoAccessCache) isTrustedBot(username string, viewerType string) bool {
+	if viewerType != "Bot" {
+		return false
+	}
+	_, ok := c.trustedBotLogins[strings.ToLower(username)]
+	return ok
+}
+
+func cacheKey(owner, repo string) string {
+	return fmt.Sprintf("%s/%s", strings.ToLower(owner), strings.ToLower(repo))
+}
diff --git a/pkg/lockdown/lockdown_test.go b/pkg/lockdown/lockdown_test.go
@@ -19,7 +19,8 @@ const (
 
 type repoAccessQuery struct {
 	Viewer struct {
-		Login githubv4.String
+		Typename string `graphql:"__typename"`
+		Login    githubv4.String
 	}
 	Repository struct {
 		IsPrivate     githubv4.Boolean
@@ -66,7 +67,8 @@ func newMockRepoAccessCache(t *testing.T, ttl time.Duration) (*RepoAccessCache,
 
 	response := githubv4mock.DataResponse(map[string]any{
 		"viewer": map[string]any{
-			"login": testUser,
+			"__typename": "User",
+			"login":      testUser,
 		},
 		"repository": map[string]any{
 			"isPrivate": false,
@@ -99,6 +101,7 @@ func TestRepoAccessCacheEvictsAfterTTL(t *testing.T) {
 	info, err := cache.getRepoAccessInfo(ctx, testUser, testOwner, testRepo)
 	require.NoError(t, err)
 	require.Equal(t, testUser, info.ViewerLogin)
+	require.Equal(t, "User", info.ViewerType)
 	require.True(t, info.HasPushAccess)
 	require.EqualValues(t, 1, transport.CallCount())
 
@@ -107,6 +110,7 @@ func TestRepoAccessCacheEvictsAfterTTL(t *testing.T) {
 	info, err = cache.getRepoAccessInfo(ctx, testUser, testOwner, testRepo)
 	require.NoError(t, err)
 	require.Equal(t, testUser, info.ViewerLogin)
+	require.Equal(t, "User", info.ViewerType)
 	require.True(t, info.HasPushAccess)
 	require.EqualValues(t, 2, transport.CallCount())
 }
