Consider abuse - Githubissues

timja / github-comment-ops

A tool for managing GitHub issues and pull requests via comment-ops. It uses GitHub webhooks to scale across repositories without needing to add a GitHub action to each of them.

https://github.com/timja/github-comment-ops

MIT License

0 stars 2 forks source link

Consider abuse #59

Open daniel-beck opened 2 years ago

daniel-beck commented 2 years ago

What feature do you want to see added?

The design of this bot needs to consider what happens in the case of abuse. It doesn't look like that's been done.

Some rando shows up and runs all the bot commands just to see what happens.
A jenkinsci org member (asked nicely for org membership but otherwise some rando) shows up and runs all the bot commands just to see what happens.

It's not like we've never been subject to this before, see e.g. nonsensical votes in changelog weather feedback, spam on the wiki and in Jira.

Some suggestions:

Rate limiting
Safer defaults than "the entire internet can do everything except close PRs"
Audit logging, notifications sent to a channel (e.g. #jenkins-infra on IRC)
Easy way to batch-undo actions by certain users

Upstream changes

No response

timja commented 2 years ago

Audit logging

Audit logging is done currently by logging all actions and includes the GitHub username. It should be enhanced by adding the timestamp.