feat: exclude hidden transactions from Top Category %, show Top Category % based on share of absolute money flow #89
GitHub flags this file as containing hidden or bidirectional Unicode text. For a workflow that runs with repository secrets that flag is worth acting on, not dismissing: open the file in an editor that reveals invisible characters and confirm what triggered it, because a stray bidi control in a `run:` script can make a line execute differently from how it reads in review. (Learn more about bidirectional Unicode characters.)
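name: Security Review Bot

# SECURITY MODEL:
# This workflow handles untrusted code from external contributors and has access to secrets.
# To prevent secret exfiltration:
# 1. We checkout the BASE branch (trusted code), never the PR branch
# 2. We only FETCH the PR branch to get the diff (never execute it)
# 3. The security_review.py script runs from the trusted base branch
# 4. We verify we're on the base branch before running with secrets
# 5. Minimal permissions: only read contents + write PR comments
# 6. Event data (PR author, PR number, base ref) reaches `run:` scripts only
#    through `env:`, never via ${{ }} expansion inside the script text, so a
#    crafted value cannot be spliced into the shell as code
#
# NOTE(review): the actions below are pinned to mutable major tags (@v4/@v5).
# For a job that holds ANTHROPIC_API_KEY prefer pinning to a full-length commit SHA.
# Likewise `pip install` below is unpinned; pin versions (ideally with hashes) so the
# code that runs next to the secret cannot change under you between runs.

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  security-review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # Post review comments
      contents: read # Read repository code
    steps:
      - name: Checkout base branch
        uses: actions/checkout@v4
        with:
          # SECURITY: Always checkout base branch (trusted code), never PR branch
          # This is critical when using pull_request_target which has access to secrets
          ref: ${{ github.event.pull_request.base.ref }}
          fetch-depth: 0

      - name: Check if contributor is trusted
        id: check-trusted
        env:
          # Passed as an env var so the login is data to the shell, not script text
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          # The allow-list is read from the base-branch checkout, so a PR cannot add
          # its own author to it. If the file is missing or malformed, jq fails and
          # the step fails closed under the runner's `bash -e`.
          TRUSTED_USERS=$(jq -r '.trusted_github_usernames[]' .github/trusted-contributors.json)
          # -F: fixed-string match, -x: whole line only ("bob" must not match "bob-evil").
          # An empty author is never trusted.
          # NOTE(review): trust keys on the PR *author*; later `synchronize` pushes to the
          # same PR are not re-checked against who pushed them — confirm that is acceptable.
          if [ -n "$PR_AUTHOR" ] && echo "$TRUSTED_USERS" | grep -qxF -- "$PR_AUTHOR"; then
            echo "is_trusted=true" >> "$GITHUB_OUTPUT"
            echo "✅ $PR_AUTHOR is a trusted contributor - skipping security review"
          else
            echo "is_trusted=false" >> "$GITHUB_OUTPUT"
            echo "🔍 $PR_AUTHOR is an external contributor - running security review"
          fi

      - name: Fetch PR for diff (without checking out)
        if: steps.check-trusted.outputs.is_trusted != 'true'
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Fetch PR branch but DON'T check it out (security: don't run untrusted code).
          # A fetch only writes objects and a ref; nothing from the PR tree is executed here.
          git fetch origin "pull/${PR_NUMBER}/head:pr-branch"

      - name: Set up Python
        if: steps.check-trusted.outputs.is_trusted != 'true'
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        if: steps.check-trusted.outputs.is_trusted != 'true'
        run: |
          # NOTE(review): unpinned — pulls the latest release at run time; see SECURITY MODEL header
          pip install anthropic PyGithub

      - name: Verify running from base branch
        if: steps.check-trusted.outputs.is_trusted != 'true'
        env:
          BASE_BRANCH: ${{ github.base_ref }}
        run: |
          # Security check: Ensure we're on base branch (not PR branch)
          # This prevents malicious PRs from modifying the review script
          CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
          echo "Current branch: $CURRENT_BRANCH"
          if [ "$CURRENT_BRANCH" != "$BASE_BRANCH" ]; then
            echo "❌ ERROR: Not on base branch! Security risk detected."
            exit 1
          fi
          echo "✅ Verified: Running security review script from trusted base branch"

      - name: Run security review
        if: steps.check-trusted.outputs.is_trusted != 'true'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO_NAME: ${{ github.repository }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Run from base branch (trusted code) - PR branch is only fetched for diff.
          # NOTE(review): the diff between BASE_SHA and HEAD_SHA is attacker-controlled text.
          # The script (not shown here) must treat it as data only — never exec/eval any of it —
          # and should assume it may carry prompt-injection aimed at the model writing the review,
          # since the resulting comment is posted with a write-capable GITHUB_TOKEN.
          python .github/scripts/security_review.py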