
Do not allow new users to run /retest or /build-and-push-container #769

Merged
myakove merged 13 commits into main from new-users-cannot-run-commands on May 10, 2025

Conversation

myakove (Collaborator) commented May 9, 2025

New (unknown) users are not allowed to run the /retest and /build-and-push-container commands without permission from one of the approvers.

Summary by CodeRabbit

  • New Features

    • Added user permission checks for commands triggered by issue comments on pull requests. Only authorized users (contributors, collaborators, or those explicitly allowed) can run retest, cherry-pick, and build-and-push-container commands.
    • Users who are not authorized will receive a comment explaining the restriction and listing maintainers who can grant permission.
    • Enhanced distinction between repository-level and pull-request-level approvers and reviewers for clearer access control and notifications.
  • Style

    • Improved formatting and consistency in configuration files. Updated the required Python version to 3.12.
    • Removed debug logging from configuration loading to streamline logs.

New (unknown) users are not allowed to run the /retest and
/build-and-push-container commands without permission from one of the
approvers.
coderabbitai bot commented May 9, 2025

Warning

Rate limit exceeded

@myakove has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 0 minutes and 20 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 396f27e and 0bac0e6.

📒 Files selected for processing (1)
  • webhook_server/libs/config.py (2 hunks)

"""

Walkthrough

The changes introduce user permission checks for executing specific commands via issue comments on pull requests. Only contributors, collaborators, maintainers, or explicitly allowed users can trigger retest, cherry-pick, or build-and-push-container commands. The Python version requirement in pyproject.toml is updated, and formatting is standardized.

Changes

Files/Paths and change summary:
  • pyproject.toml: Updated Python version requirement to ">=3.12"; standardized formatting and array brackets; added trailing comma.
  • webhook_server/libs/github_api.py: Renamed approver/reviewer attributes with all_repository_ and all_pull_request_ prefixes; added cached properties and methods for collaborators, contributors, maintainers, and user validation; updated method signatures and control flow to enforce user permission checks before running retest, cherry-pick, and build commands.
  • webhook_server/tests/test_pull_request_owners.py: Renamed test variables and method calls to use repository and pull_request prefixes in approver/reviewer related identifiers for consistency; no logic changes.
  • webhook_server/libs/config.py: Removed debug logging statements related to config loading; improved error logging message for config file loading failure.

Suggested labels

size/M, verified, can-be-merged, approved-myakove, lgtm-rnetser

Suggested reviewers

  • rnetser
    """
✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

myakove-bot (Collaborator) commented

Report bugs in Issues

The following are automatically added:

  • Add reviewers from OWNER file (in the root of the repository) under reviewers section.
  • Set PR size label.
  • New issue is created for the PR. (Closed when PR is merged/closed)
  • Run pre-commit if .pre-commit-config.yaml exists in the repo.

Available user actions:

  • To mark the PR as WIP, comment /wip on the PR; to remove it, comment /wip cancel.
  • To block merging of the PR, comment /hold; to un-block merging, comment /hold cancel.
  • To mark the PR as verified, comment /verified on the PR; to un-verify, comment /verified cancel.
    The verified label is removed on each new commit push.
  • To cherry-pick a merged PR, comment /cherry-pick <target branch to cherry-pick to> on the PR.
    • Multiple target branches can be cherry-picked, separated by spaces. (/cherry-pick branch1 branch2)
    • Cherry-pick will be started when the PR is merged
  • To build and push a container image, comment /build-and-push-container on the PR (the tag will be the PR number).
    • You can add extra args to the Podman build command
      • Example: /build-and-push-container --build-arg OPENSHIFT_PYTHON_WRAPPER_COMMIT=<commit_hash>
  • To add a label by comment use /<label name>; to remove it, use /<label name> cancel
  • To assign reviewers based on the OWNERS file use /assign-reviewers
  • To check if the PR can be merged use /check-can-merge
  • To assign a reviewer to the PR use /assign-reviewer @<reviewer>

PR will be approved when the following conditions are met:

  • /approve from one of the approvers.
  • Minimum number of required /lgtm (1) is met.
Approvers and Reviewers
  • Approvers:

    • myakove
    • rnetser
  • Reviewers:

    • myakove
    • rnetser
Supported /retest check runs
  • /retest tox: Retest tox
  • /retest build-container: Retest build-container
  • /retest python-module-install: Retest python-module-install
  • /retest pre-commit: Retest pre-commit
  • /retest all: Retest all
Supported labels
  • hold
  • verified
  • wip
  • lgtm
  • approve
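The authorization policy stated in the PR description and in the bot command list above, written out as an added worked example (this is not the project's code and uses none of its classes): a deny-by-default check that allows repository approvers, the contributor/collaborator set, and users an approver has explicitly unlocked with an `/add-allowed-user @<login>` comment, and that otherwise returns the rejection text naming the maintainers. The `Comment` type, the logins and the comment bodies are constructed for the example; the grant is matched as a whole line rather than as a substring.

```python
"""Command authorization for a PR webhook bot (added example, not project code).

Policy modelled, from the PR description and the bot help text:
  * repository approvers/maintainers ("granters") may always run privileged commands;
  * contributors and collaborators ("valid users") may run them;
  * anyone else needs a granter to comment "/add-allowed-user @<login>" on the PR;
  * a rejected user gets a comment naming the maintainers who can grant access.
The Comment type, the logins and the comment bodies below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

GRANT_COMMAND = "/add-allowed-user"


@dataclass(frozen=True)
class Comment:
    login: str  # GitHub login of the comment author (constructed)
    body: str   # issue-comment body (constructed)


def grant_pattern(login: str) -> re.Pattern[str]:
    # The grant must be a whole line of the comment. A plain substring test would
    # let "@bob" be unlocked by "/add-allowed-user @bobby", and would also fire on
    # an approver quoting the bot's rejection text, which embeds the same string.
    return re.compile(
        rf"^\s*{re.escape(GRANT_COMMAND)}\s+@{re.escape(login)}\s*$", re.MULTILINE
    )


def granted_by_approver(login: str, comments: list[Comment], granters: set[str]) -> bool:
    """True only if someone in `granters` posted a grant line for exactly this login."""
    pattern = grant_pattern(login)
    return any(c.login in granters and pattern.search(c.body) for c in comments)


def rejection_message(login: str, granters: set[str]) -> str:
    """Text the bot would post for a denied user; every maintainer gets its own '- @' line."""
    maintainers = "".join(f"\n - @{u}" for u in sorted(granters))
    return (
        f"{login} is not allowed to run this command.\n"
        f"Maintainers can allow it by commenting `{GRANT_COMMAND} @{login}`\n"
        f"Maintainers:{maintainers}\n"
    )


def is_user_allowed(
    login: str, valid_users: set[str], granters: set[str], comments: list[Comment]
) -> tuple[bool, str | None]:
    """Return (allowed, rejection text to post or None). Deny is the default."""
    if login in granters or login in valid_users:
        return True, None
    if granted_by_approver(login, comments, granters):
        return True, None
    return False, rejection_message(login, granters)


# Constructed sample PR state; none of these are real accounts or comments.
GRANTERS = {"maint-a", "maint-b"}
VALID_USERS = {"contrib-1", "collab-1"}
SAMPLE_COMMENTS = [
    Comment("newbie", "/retest all"),
    Comment("newbie", "/add-allowed-user @newbie"),      # self-grant: author is not a granter
    Comment("maint-a", "> `/add-allowed-user @newbie`\nnot yet, checking the diff first"),  # quoted: ignored
    Comment("maint-a", "/add-allowed-user @bobby"),      # grants bobby only, never bob
    Comment("maint-b", "/add-allowed-user @drive-by"),   # a real grant
]


def decide_all(logins: list[str]) -> dict[str, bool]:
    """Decision per login against the constructed PR state."""
    return {u: is_user_allowed(u, VALID_USERS, GRANTERS, SAMPLE_COMMENTS)[0] for u in logins}


if __name__ == "__main__":
    for user, ok in decide_all(["maint-a", "contrib-1", "newbie", "bob", "bobby", "drive-by"]).items():
        print(f"{user:10} {'allowed' if ok else 'denied'}")
```

Running the module prints one decision per constructed login. The whole-line match is what keeps `@bob` from inheriting a grant meant for `@bobby`, and keeps a maintainer's quoted copy of the rejection message from counting as a grant; the granter's login, not the comment text alone, is what authorizes the unlock.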

coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
pyproject.toml (1)

75-75: Remove stray leading space in author e-mail
There is a leading space before myakove@gmail.com; packaging metadata parsers will keep it verbatim.

-email = " myakove@gmail.com"
+email = "myakove@gmail.com"
webhook_server/libs/github_api.py (1)

2297-2318: Improve maintainers-notice formatting & make lookup constant-time

  1. Message renders the first maintainer without the leading dash.
  2. Each call walks every comment – consider caching the “allowed” decision per PR.
-    {"\n - @".join(self.all_approvers)}
+    {"".join([f"\n - @{u}" for u in self.all_approvers])}

Low-priority, but it will read better for users of the bot.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc97763 and 6dee482.

📒 Files selected for processing (2)
  • pyproject.toml (4 hunks)
  • webhook_server/libs/github_api.py (7 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
webhook_server/libs/github_api.py (1)
webhook_server/tests/test_add_reviewer_action.py (2)
  • get_contributors (13-14)
  • create_issue_comment (21-22)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: python-module-install
  • GitHub Check: tox
  • GitHub Check: build-container
  • GitHub Check: pre-commit
🔇 Additional comments (3)
pyproject.toml (1)

42-42: Verify CI/runtime availability for Python 3.12
The required Python version jumped from >=3.10 to >=3.12.
• Make sure your CI runners (e.g. GitHub Actions) and prod images already provide 3.12.
• Double-check that all pinned/tested dependencies are 3.12-compatible (some tools – especially binary wheels – often lag a minor version).
If either of the above is not true, pipeline breaks are likely.

webhook_server/libs/github_api.py (2)

1358-1360: Double validation path consideration
_run_build_container now performs its own permission check only when reviewed_user is passed. During /retest build-container, the function is invoked without that argument (it was already validated earlier). This is fine, but keep in mind that future internal calls must either supply the user or rely on the outer validation to avoid bypasses.


1091-1099: Good addition – propagates user identity for permission checks
Passing reviewed_user down to the concrete command handlers enables granular gating. Looks correct after the refactor.

coderabbitai bot left a comment

Actionable comments posted: 1

🔭 Outside diff range comments (2)
webhook_server/libs/github_api.py (2)

1753-1789: ⚠️ Potential issue

Missing user validation in process_cherry_pick_command.

Unlike process_retest_command and _run_build_container, this method doesn't validate if the user is allowed to run cherry-pick commands, creating an inconsistency in the permission model.

Apply this fix to add the validation check:

def process_cherry_pick_command(self, command_args: str, reviewed_user: str) -> None:
+    if not self._is_user_valid_to_run_commands(reviewed_user=reviewed_user):
+        return
+
    _target_branches: list[str] = command_args.split()
    _exits_target_branches: set[str] = set()
    _non_exits_target_branches_msg: str = ""
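Review bot: the early return matches the pattern used in process_retest_command, but the rejection comment it triggers comes from _is_user_valid_to_run_commands, whose comment_msg (shown below in this review) says the user "is not allowed to run retest commands"; that reads wrong when the rejected command was /cherry-pick, so pass the command name into the message or word it generically. Checking the commenter at comment time is still the right moment, since the bot help says the cherry-pick itself only starts when the PR is merged and the decision has to be taken before the target branches are recorded.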

2297-2319: ⚠️ Potential issue

Potential exceptions in _is_user_valid_to_run_commands and missing error handling.

The method assumes self.pull_request is always available and lacks error handling for GitHub API operations.

Add error handling and safer access to pull_request:

def _is_user_valid_to_run_commands(self, reviewed_user: str) -> bool:
    allow_user_comment = f"/add-allowed-user @{reviewed_user}"
    comment_msg = f"""
{reviewed_user} is not allowed to run retest commands.
maintainers can allow it by comment `{allow_user_comment}`
Maintainers:
    {"\n - @".join(self.all_approvers)}
"""

    if reviewed_user not in self.valid_users_to_run_commands:
+        if not hasattr(self, "pull_request") or not self.pull_request:
+            self.logger.error(f"{self.log_prefix} Cannot check user permissions: pull_request not available")
+            return False
+
+        try:
            comments_from_approvers = [
                comment.body for comment in self.pull_request.get_comments() if comment.user.login in self.all_approvers
            ]
            for comment in comments_from_approvers:
                if allow_user_comment in comment:
                    return True

            self.logger.debug(f"{self.log_prefix} {reviewed_user} is not in {self.valid_users_to_run_commands}")
            self.pull_request.create_issue_comment(comment_msg)
+        except Exception as e:
+            self.logger.error(f"{self.log_prefix} Error checking user permissions: {e}")
        return False

    return True
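Review bot: the `if allow_user_comment in comment:` test that this hunk wraps is a substring match, so `/add-allowed-user @bob` is also satisfied by an approver's `/add-allowed-user @bobby`, and by an approver reply that merely quotes the bot's rejection text, since comment_msg embeds the exact `{allow_user_comment}` string in backticks; anchor the match to a whole line of the comment body instead. The added `try/except Exception` returns False on any API error, which is the correct fail-closed default, but note it also swallows a failure of create_issue_comment itself, so the user may be denied without ever seeing why. The hasattr(self, "pull_request") guard becomes redundant once the initialisation is moved into process() as the duplicate comment below proposes.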
♻️ Duplicate comments (1)
webhook_server/libs/github_api.py (1)

154-154: ⚠️ Potential issue

The valid_users_to_run_commands initialization is too early.

The initialization happens in __init__ before self.pull_request is available (it's set later in the process method at line 163). This will cause _get_valid_users_to_run_commands to always return an empty set, meaning every user will be treated as new/unknown and unable to run commands.

Apply this fix:

-        self.valid_users_to_run_commands = self._get_valid_users_to_run_commands()
+        # Will be populated after pull_request is available
+        self.valid_users_to_run_commands: set[str] = set()

Then update the process method to populate this after the pull request is obtained:

         try:
             self.pull_request = self._get_pull_request()
             self.log_prefix = self.prepare_log_prefix(pull_request=self.pull_request)
             self.logger.debug(f"{self.log_prefix} {event_log}")
             self.last_commit = self._get_last_commit()
             self.parent_committer = self.pull_request.user.login
             self.last_committer = getattr(self.last_commit.committer, "login", self.parent_committer)
             self.changed_files = self.list_changed_files()
             self.pull_request_branch = self.pull_request.base.ref
             self.all_approvers_and_reviewers = self.get_all_approvers_and_reviewers()
             self.all_approvers = self.get_all_approvers()
             self.all_reviewers = self.get_all_reviewers()
+            self.valid_users_to_run_commands = self._get_valid_users_to_run_commands()
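Review bot: moving the call after self.all_reviewers is correct, and the interim `set()` default at line 154 keeps the gate fail-closed if anything reaches _is_user_valid_to_run_commands before process() runs, because an empty set means nobody is valid. Add a one-line comment saying the empty default is deliberate, otherwise a later refactor may "fix" it by computing the set eagerly again and reintroduce the bug. Computing the set once per event here, rather than inside each command handler, is also the cheaper choice given it depends on self.pull_request.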
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6dee482 and 1f40e5f.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • webhook_server/libs/github_api.py (7 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
webhook_server/libs/github_api.py (1)
webhook_server/tests/test_add_reviewer_action.py (2)
  • get_contributors (13-14)
  • create_issue_comment (21-22)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: tox
  • GitHub Check: pre-commit
  • GitHub Check: build-container
  • GitHub Check: python-module-install

coderabbitai bot left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (1)
webhook_server/libs/github_api.py (1)

2294-2316: 🛠️ Refactor suggestion

User validation logic needs to handle approvers consistently

The user validation logic checks if a user is in valid_users_to_run_commands or has been explicitly allowed by an approver. However, it doesn't automatically allow approvers themselves, which seems inconsistent.

Improve the method to automatically allow approvers:

    def _is_user_valid_to_run_commands(self, reviewed_user: str) -> bool:
+        # Approvers are always allowed to run commands
+        if reviewed_user in self.all_approvers:
+            return True
+            
        allow_user_comment = f"/add-allowed-user @{reviewed_user}"
        comment_msg = f"""
{reviewed_user} is not allowed to run retest commands.
maintainers can allow it by comment `{allow_user_comment}`
Maintainers:
    {"\n - @".join(self.all_approvers)}
"""

        if reviewed_user not in self.valid_users_to_run_commands:
            comments_from_approvers = [
                comment.body for comment in self.pull_request.get_comments() if comment.user.login in self.all_approvers
            ]
            for comment in comments_from_approvers:
                if allow_user_comment in comment:
                    return True

            self.logger.debug(f"{self.log_prefix} {reviewed_user} is not in {self.valid_users_to_run_commands}")
            self.pull_request.create_issue_comment(comment_msg)
            return False

        return True
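Review bot: the unconditional `return True` for approvers and the grant check at `comment.user.login in self.all_approvers` both key off self.all_approvers, which after this PR's rename is the pull-request-level list (approvers for the files the PR touches). Whether a per-PR approver should be able to unlock privileged commands for a third party is a policy call; the later revision in this thread takes the stricter reading with allowed_user_to_approve = repository maintainers + repository approvers, and the self-allow shortcut should use that same list so the two sets cannot drift apart.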
♻️ Duplicate comments (1)
webhook_server/libs/github_api.py (1)

173-173: ⚠️ Potential issue

Critical timing issue: valid_users_to_run_commands initialized before pull_request is available

The initialization of valid_users_to_run_commands occurs in __init__ at line 173, but self.pull_request is only set later during the process() method at line 162. This means that _get_valid_users_to_run_commands() will be called before self.pull_request is available, making the permission checks ineffective.

Move this initialization after self.pull_request is set in the process() method:

-            self.valid_users_to_run_commands = self._get_valid_users_to_run_commands()

Then add this line after line 172 in the process() method:

            self.all_reviewers = self.get_all_reviewers()
+            self.valid_users_to_run_commands = self._get_valid_users_to_run_commands()
🧹 Nitpick comments (1)
webhook_server/libs/github_api.py (1)

1080-1104: user_commands method needs updating to maintain consistency

The user_commands method needs to be updated to maintain consistency with the changes made for user validation.

Consider adding a check at the beginning of the user_commands method to validate the user early and avoid duplicate checks in individual command handlers:

    def user_commands(self, command: str, reviewed_user: str, issue_comment_id: int) -> None:
+        # Check if user is allowed to run any commands
+        if command in [COMMAND_RETEST_STR, BUILD_AND_PUSH_CONTAINER_STR, COMMAND_CHERRY_PICK_STR]:
+            if not self._is_user_valid_to_run_commands(reviewed_user=reviewed_user):
+                return
+
        available_commands: list[str] = [
            COMMAND_RETEST_STR,
            COMMAND_CHERRY_PICK_STR,
            COMMAND_ASSIGN_REVIEWERS_STR,
            COMMAND_CHECK_CAN_MERGE_STR,
            BUILD_AND_PUSH_CONTAINER_STR,
            COMMAND_ASSIGN_REVIEWER_STR,
        ]
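Review bot: gating in user_commands is the right single choke point, but as written the gate is an allowlist of three privileged commands, so any command added to available_commands later is ungated until someone remembers to extend the `if command in [...]` list. Invert it: name the commands that are safe for anyone (label toggles, /check-can-merge, /assign-reviewers) and require _is_user_valid_to_run_commands for everything else. Keep the per-handler checks as well; the earlier comment about _run_build_container being reached from /retest build-container without reviewed_user shows why an outer check alone is easy to miss on internal call paths.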
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f40e5f and 1a62b5e.

📒 Files selected for processing (1)
  • webhook_server/libs/github_api.py (7 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
webhook_server/libs/github_api.py (1)
webhook_server/tests/test_add_reviewer_action.py (2)
  • get_contributors (13-14)
  • create_issue_comment (21-22)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: build-container
  • GitHub Check: python-module-install
  • GitHub Check: tox
  • GitHub Check: pre-commit
🔇 Additional comments (2)
webhook_server/libs/github_api.py (2)

1091-1092: Improved signature changes for command methods

The signature changes to use reviewed_user instead of issue_comment_id in process_cherry_pick_command, process_retest_command, and the call to _run_build_container are appropriate for the new permission model.

Also applies to: 1094-1095, 1098-1098


1790-1793: Well implemented permission check in process_retest_command

The early return when user validation fails is implemented correctly here.
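The gate-in-`user_commands` suggestion in the review above, as an added example that is not the project's code: it inverts the bot's allowlist so that a command is privileged unless it has been registered as safe, which means a command nobody has classified yet is still gated. The registry, the `Outcome` type and the injected `is_allowed` authorizer are constructed for the example; `/lgtm` and `/approve` are identity-gated by the bot separately and are not modelled.

```python
"""Deny-by-default dispatch for PR comment commands (added example, not project code).

The review above gates an explicit list of privileged commands inside user_commands().
This variant registers the commands that are safe for anyone and treats everything
else, including commands nobody has classified yet, as privileged. Command names follow
the bot help text; the registry, Outcome and the authorizer are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Label toggles and read-only queries: anyone may run them in this example policy.
# (/lgtm and /approve are identity-gated by the bot separately and not modelled here.)
SAFE_FOR_ANYONE = {"wip", "hold", "verified", "assign-reviewers", "assign-reviewer", "check-can-merge"}


@dataclass(frozen=True)
class Outcome:
    command: str
    args: tuple[str, ...]
    privileged: bool
    executed: bool
    reason: str = ""


def parse_command(body: str) -> tuple[str, tuple[str, ...]] | None:
    """'/retest tox' -> ('retest', ('tox',)); text that is not a command -> None."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("/"):
        return None
    parts = lines[0][1:].split()
    return (parts[0].lower(), tuple(parts[1:])) if parts else None


def dispatch(body: str, user: str, is_allowed: Callable[[str], bool]) -> Outcome | None:
    """Single choke point: decide privilege from the registry, then authorize once."""
    parsed = parse_command(body)
    if parsed is None:
        return None
    command, args = parsed
    # Unknown commands fall into the privileged bucket: a command added later is
    # gated until someone explicitly decides it is safe for everyone.
    privileged = command not in SAFE_FOR_ANYONE
    if privileged and not is_allowed(user):
        return Outcome(command, args, True, False, f"{user} is not allowed to run /{command}")
    return Outcome(command, args, privileged, True)


if __name__ == "__main__":
    # Constructed authorizer: only "alice" may run privileged commands.
    allowed = {"alice"}.__contains__
    for body, user in [("/retest all", "newbie"), ("/retest all", "alice"), ("/hold", "newbie"),
                       ("/brand-new-command", "newbie"), ("looks good", "newbie")]:
        print(f"{user:7} {body!r:22} -> {dispatch(body, user, allowed)}")
```

The point of the inversion is the fourth line of the demo: `/brand-new-command` from an unknown user is refused even though no one wrote a rule for it, whereas with the allowlist in the review it would run. Generic `/<label name>` commands also land in the privileged bucket under this policy, so a project that wants those open to everyone adds them to the safe set explicitly.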

coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a62b5e and 9da8d35.

📒 Files selected for processing (2)
  • webhook_server/libs/github_api.py (21 hunks)
  • webhook_server/tests/test_pull_request_owners.py (19 hunks)
✅ Files skipped from review due to trivial changes (1)
  • webhook_server/tests/test_pull_request_owners.py
🧰 Additional context used
🧬 Code Graph Analysis (1)
webhook_server/libs/github_api.py (1)
webhook_server/tests/test_add_reviewer_action.py (2)
  • get_contributors (13-14)
  • create_issue_comment (21-22)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: tox
  • GitHub Check: build-container
  • GitHub Check: python-module-install
  • GitHub Check: pre-commit
🔇 Additional comments (1)
webhook_server/libs/github_api.py (1)

171-175: ✔️ Property is now evaluated after PR context is ready

Calling _get_valid_users_to_run_commands after self.pull_request is available fixes the “initialisation-too-early” problem raised in the previous review – good catch.

rnetser (Collaborator) commented May 10, 2025

/lgtm

coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
webhook_server/libs/github_api.py (1)

2347-2348: Consider improving variable name for clarity

The variable allowed_user_to_approve appears to represent a list of users who can approve other users to run commands. Consider renaming to users_allowed_to_grant_permission or permission_granting_users for clarity.

-    allowed_user_to_approve = self.get_all_repository_maintainers() + self.all_repository_approvers
+    users_allowed_to_grant_permission = self.get_all_repository_maintainers() + self.all_repository_approvers
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f13a7b and fe2ca7f.

📒 Files selected for processing (1)
  • webhook_server/libs/github_api.py (22 hunks)
🧰 Additional context used
🧠 Learnings (1)
webhook_server/libs/github_api.py (1)
Learnt from: myakove
PR: myk-org/github-webhook-server#612
File: webhook_server_container/libs/github_api.py:2089-2100
Timestamp: 2024-10-29T08:09:57.157Z
Learning: In `webhook_server_container/libs/github_api.py`, when the function `_keep_approved_by_approvers_after_rebase` is called, existing approval labels have already been cleared after pushing new changes, so there's no need to check for existing approvals within this function.
🧬 Code Graph Analysis (1)
webhook_server/libs/github_api.py (2)
webhook_server/tests/test_pull_request_owners.py (1)
  • all_repository_approvers_and_reviewers (56-73)
webhook_server/tests/test_add_reviewer_action.py (2)
  • get_contributors (13-14)
  • create_issue_comment (21-22)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: pre-commit
  • GitHub Check: python-module-install
  • GitHub Check: build-container
  • GitHub Check: tox
🔇 Additional comments (9)
webhook_server/libs/github_api.py (9)

1949-1956: Good use of cached_property for expensive GitHub API calls

Using @functools.cached_property for GitHub API calls is an excellent performance improvement that prevents repeated API calls which could hit rate limits.


173-178: Improved clarity by separating repository-wide vs PR-specific users

The renaming of variables to clearly distinguish between repository-wide approvers/reviewers and PR-specific ones improves code readability and makes the security model clearer.


1357-1364: Security improvement: User validation for build container command

Adding permission validation for the build container command is an important security enhancement that prevents unauthorized users from triggering container builds.


1794-1797: Security improvement: User validation for retest command

Similar to the build container command, adding permission validation for the retest command is another important security enhancement that prevents unauthorized users from triggering tests.


2346-2371: Well-implemented permission check with approver override

The implementation of _is_user_valid_to_run_commands is robust - it checks if a user is authorized and allows approvers to explicitly grant permission to specific users via comments.


1957-1973: Good helper methods to determine user permissions

These helper methods provide a clean abstraction for retrieving repository contributors, collaborators and maintainers, making the permission logic more readable.


537-538: Updated reviewer assignment to use PR-specific reviewers

The code now correctly uses PR-specific reviewers instead of repository-wide reviewers, making reviewer assignment more contextual to the changes in the PR.


2350-2355: Good maintainer list formatting in comment message

The maintainer list in the rejection message is now correctly formatted with each entry properly prefixed with a dash.


2360-2361: Correctly using issue comments instead of review comments

Using get_issue_comments() is the right approach for checking for permission commands, as these will appear in the PR conversation and not as review comments.

myakove (Collaborator, Author) commented May 10, 2025

/retest all

coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
webhook_server/libs/github_api.py (3)

1362-1363: Check for None explicitly for safer validation

The validation condition could handle the None case more explicitly for consistency and safety.

-    if reviewed_user and not self._is_user_valid_to_run_commands(reviewed_user=reviewed_user):
+    if reviewed_user is not None and not self._is_user_valid_to_run_commands(reviewed_user=reviewed_user):
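Review bot: `is not None` is the stricter of the two, and the reason belongs in a code comment: with the truthiness test an empty-string login skips validation entirely and the build runs, whereas with `is not None` it is validated and rejected. Better still, drop the None default from _run_build_container and make every caller, including the /retest build-container path, pass the user explicitly, so the "already validated by the caller" case cannot be reached by accident from a new internal call site.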

2352-2356: Fix formatting issue in maintainers list message

The template string for maintainers list has a formatting inconsistency where the first maintainer doesn't have the "@" prefix.

-Maintainers:
- - {"\n - @".join(allowed_user_to_approve)}
+Maintainers:
+ - @{"\n - @".join(allowed_user_to_approve)}
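Review bot: with the leading `- @` moved in front of the join the list renders correctly for one or more maintainers, but an empty allowed_user_to_approve leaves a dangling `- @` line; guard that case with an explicit "no maintainers configured" line, which is also the condition under which nobody can ever grant access and is therefore worth surfacing in the comment rather than hiding.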

2358-2371: Add error handling for GitHub API calls

The method doesn't handle potential exceptions when fetching comments from GitHub API, which could lead to unexpected failures.

if reviewed_user not in self.valid_users_to_run_commands:
-    comments_from_approvers = [
-        comment.body
-        for comment in self.pull_request.get_issue_comments()
-        if comment.user.login in allowed_user_to_approve
-    ]
+    try:
+        comments_from_approvers = [
+            comment.body
+            for comment in self.pull_request.get_issue_comments()
+            if comment.user.login in allowed_user_to_approve
+        ]
+    except Exception as e:
+        self.logger.error(f"{self.log_prefix} Error fetching issue comments: {e}")
+        comments_from_approvers = []
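Review bot: after the except branch sets comments_from_approvers = [] control falls through to self.pull_request.create_issue_comment(comment_msg) on the same client that just failed, and that call is outside the try, so the same error propagates anyway; either return False directly from the except branch or include the rejection comment in the guarded region. Catching bare Exception is acceptable here only because every outcome is fail-closed (False); keep it that way and make sure no path in this block can return True on error.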
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe2ca7f and fc8f845.

📒 Files selected for processing (1)
  • webhook_server/libs/github_api.py (22 hunks)
🧰 Additional context used
🧠 Learnings (1)
webhook_server/libs/github_api.py (1)
Learnt from: myakove
PR: myk-org/github-webhook-server#612
File: webhook_server_container/libs/github_api.py:2089-2100
Timestamp: 2024-10-29T08:09:57.157Z
Learning: In `webhook_server_container/libs/github_api.py`, when the function `_keep_approved_by_approvers_after_rebase` is called, existing approval labels have already been cleared after pushing new changes, so there's no need to check for existing approvals within this function.
🧬 Code Graph Analysis (1)
webhook_server/libs/github_api.py (2)
webhook_server/tests/test_pull_request_owners.py (1)
  • all_repository_approvers_and_reviewers (56-73)
webhook_server/tests/test_add_reviewer_action.py (2)
  • get_contributors (13-14)
  • create_issue_comment (21-22)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: build-container
  • GitHub Check: pre-commit
  • GitHub Check: tox
  • GitHub Check: python-module-install
🔇 Additional comments (3)
webhook_server/libs/github_api.py (3)

1757-1757: LGTM: Cherry pick command with user validation

The method correctly accepts a reviewed_user parameter that can be used for permission validation.


1949-1956: Good use of cached properties for API calls

Using @functools.cached_property for GitHub API calls is an excellent optimization to prevent redundant network requests.


2338-2346: LGTM: Comprehensive authorized users calculation

The cached property efficiently aggregates users from various sources who should have command execution permissions.

myakove (Collaborator, Author) commented May 10, 2025

/retest tox

myakove (Collaborator, Author) commented May 10, 2025

/retest tox

myakove (Collaborator, Author) commented May 10, 2025

/retest tox

myakove (Collaborator, Author) commented May 10, 2025

/retest all

myakove (Collaborator, Author) commented May 10, 2025

/approve

myakove (Collaborator, Author) commented May 10, 2025

/lgtm

@myakove myakove merged commit 313ca0b into main May 10, 2025
7 of 9 checks passed
@myakove myakove deleted the new-users-cannot-run-commands branch May 10, 2025 17:34
myakove-bot (Collaborator) commented

Failed to delete tag: ghcr.io/myk-org/github-webhook-server:pr-769. Please delete it manually.

myakove-bot (Collaborator) commented

New container for ghcr.io/myk-org/github-webhook-server:latest published


3 participants