feat: add opt-in write access for all token-visible repos
@@ -128,6 +128,13 @@ class Settings(BaseSettings):
|
||||
description="Comma-separated repository whitelist for write mode (owner/repo)",
|
||||
alias="WRITE_REPOSITORY_WHITELIST",
|
||||
)
|
||||
write_allow_all_token_repos: bool = Field(
|
||||
default=False,
|
||||
description=(
|
||||
"Allow write-mode operations on any repository the token can access. "
|
||||
"Disabled by default."
|
||||
),
|
||||
)
|
||||
automation_enabled: bool = Field(
|
||||
default=False,
|
||||
description="Enable automation endpoints and workflows",
|
||||
@@ -221,8 +228,11 @@ class Settings(BaseSettings):
|
||||
if len(key) < 32:
|
||||
raise ValueError("API keys must be at least 32 characters long")
|
||||
|
||||
if self.write_mode and not write_repositories:
|
||||
raise ValueError("WRITE_MODE=true requires WRITE_REPOSITORY_WHITELIST to be configured")
|
||||
if self.write_mode and not self.write_allow_all_token_repos and not write_repositories:
|
||||
raise ValueError(
|
||||
"WRITE_MODE=true requires WRITE_REPOSITORY_WHITELIST to be configured "
|
||||
"unless WRITE_ALLOW_ALL_TOKEN_REPOS=true"
|
||||
)
|
||||
|
||||
return self
|
||||
|
||||
|
||||
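Review bot: With `WRITE_ALLOW_ALL_TOKEN_REPOS=true` and a non-empty `WRITE_REPOSITORY_WHITELIST`, the validator in the second hunk accepts the configuration, yet the policy check changed in this commit then ignores the whitelist, so an operator who sets both may believe writes are still restricted. Consider rejecting the combination, e.g. `if self.write_allow_all_token_repos and write_repositories: raise ValueError("WRITE_ALLOW_ALL_TOKEN_REPOS=true conflicts with WRITE_REPOSITORY_WHITELIST")`, or at least emitting a startup warning that the whitelist is not in effect. The new field in the first hunk also has no explicit `alias=`, while its neighbour uses `alias="WRITE_REPOSITORY_WHITELIST"`; if `Settings` applies an env prefix (not visible here), the variable name quoted in the error message may not be the one actually read, so `alias="WRITE_ALLOW_ALL_TOKEN_REPOS"` would keep them in step. The validator body starts outside the hunk.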
@@ -218,7 +218,10 @@ class PolicyEngine:
|
||||
if not repository:
|
||||
return PolicyDecision(False, "write operation requires a repository target")
|
||||
|
||||
if repository not in self.settings.write_repository_whitelist:
|
||||
if (
|
||||
not self.settings.write_allow_all_token_repos
|
||||
and repository not in self.settings.write_repository_whitelist
|
||||
):
|
||||
return PolicyDecision(False, "repository is not in write-mode whitelist")
|
||||
|
||||
repo_policy = self.config.repositories.get(repository) if repository else None
|
||||
|
||||