fix: address review comments on resolve-pull-request-review-thread target config

Copilot · pelikhan · Copilot · commit 9c930266989b · 2026-02-28T20:18:16.000Z
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/actions/setup/js/resolve_pr_review_thread.cjs b/actions/setup/js/resolve_pr_review_thread.cjs
@@ -9,7 +9,7 @@ const { getErrorMessage } = require("./error_helpers.cjs");
 const { getPRNumber } = require("./update_context_helpers.cjs");
 const { logStagedPreviewInfo } = require("./staged_preview.cjs");
 const { createAuthenticatedGitHubClient } = require("./handler_auth.cjs");
-const { resolveTargetRepoConfig } = require("./repo_helpers.cjs");
+const { resolveTargetRepoConfig, validateTargetRepo } = require("./repo_helpers.cjs");
 
 /**
  * Type constant for handler identification
@@ -21,7 +21,7 @@ const HANDLER_TYPE = "resolve_pull_request_review_thread";
  * Used to validate the thread before resolving.
  * @param {any} github - GitHub GraphQL instance
  * @param {string} threadId - Review thread node ID (e.g., 'PRRT_kwDOABCD...')
- * @returns {Promise<{prNumber: number, repoNameWithOwner: string}|null>} The PR number and repo, or null if not found
+ * @returns {Promise<{prNumber: number, repoNameWithOwner: string|null}|null>} The PR number and repo, or null if not found
  */
 async function getThreadPullRequestInfo(github, threadId) {
   const query = /* GraphQL */ `
@@ -92,9 +92,10 @@ async function main(config = {}) {
   const resolveTarget = config.target || "triggering";
   const { defaultTargetRepo, allowedRepos } = resolveTargetRepoConfig(config);
 
-  // Normalize repo names to lowercase once for case-insensitive comparison during validation
-  const normalizedDefaultTargetRepo = defaultTargetRepo ? defaultTargetRepo.toLowerCase() : null;
-  const normalizedAllowedRepos = new Set(Array.from(allowedRepos).map(r => r.toLowerCase()));
+  // Whether the user explicitly configured cross-repo targeting.
+  // defaultTargetRepo always has a value (falls back to context.repo), so we check
+  // the raw config keys to distinguish user-configured from default.
+  const hasExplicitTargetConfig = !!(config["target-repo"] || config.allowed_repos?.length > 0);
 
   const authClient = await createAuthenticatedGitHubClient(config);
 
@@ -156,23 +157,25 @@ async function main(config = {}) {
 
       const { prNumber: threadPRNumber, repoNameWithOwner: threadRepo } = threadInfo;
 
-      // When a target-repo or allowed-repos is configured, validate the thread's repository.
+      // When the user explicitly configured target-repo or allowed-repos, validate the thread's
+      // repository using validateTargetRepo (supports wildcards like "*", "org/*").
       // Otherwise, fall back to the legacy behavior of scoping to the triggering PR only.
-      const hasTargetRepoConfig = defaultTargetRepo || allowedRepos.size > 0;
-
-      if (hasTargetRepoConfig) {
-        // Cross-repo mode: validate thread repo against configured repos
-        if (threadRepo) {
-          const normalizedThreadRepo = threadRepo.toLowerCase();
-          const isDefaultRepo = normalizedDefaultTargetRepo && normalizedThreadRepo === normalizedDefaultTargetRepo;
-          const isAllowedRepo = isDefaultRepo || normalizedAllowedRepos.has(normalizedThreadRepo);
-          if (!isAllowedRepo) {
-            core.warning(`Thread ${threadId} belongs to repo ${threadRepo}, which is not in the allowed repos`);
-            return {
-              success: false,
-              error: `Thread belongs to repo '${threadRepo}', but only threads in allowed repositories can be resolved. Allowed: ${defaultTargetRepo}${allowedRepos.size > 0 ? ", " + Array.from(allowedRepos).join(", ") : ""}`,
-            };
-          }
+      if (hasExplicitTargetConfig) {
+        // Cross-repo mode: validate thread repo against configured repos (fail closed if missing)
+        if (!threadRepo) {
+          core.warning(`Could not determine repository for thread ${threadId}`);
+          return {
+            success: false,
+            error: `Could not determine the repository for thread ${threadId}`,
+          };
+        }
+        const repoValidation = validateTargetRepo(threadRepo, defaultTargetRepo, allowedRepos);
+        if (!repoValidation.valid) {
+          core.warning(`Thread ${threadId} belongs to repo ${threadRepo}, which is not in the allowed repos`);
+          return {
+            success: false,
+            error: repoValidation.error,
+          };
         }
 
         // Determine target PR number based on target config
diff --git a/actions/setup/js/resolve_pr_review_thread.test.cjs b/actions/setup/js/resolve_pr_review_thread.test.cjs
@@ -464,6 +464,99 @@ describe("resolve_pr_review_thread - cross-repo support", () => {
     expect(result.success).toBe(false);
     expect(result.error).toContain("pull request context");
   });
+
+  it("should allow resolving when allowed_repos uses '*' wildcard", async () => {
+    mockGraphqlForThread(10, "any-owner/any-repo");
+
+    const { main } = require("./resolve_pr_review_thread.cjs");
+    const freshHandler = await main({
+      max: 10,
+      "target-repo": "default-owner/default-repo",
+      allowed_repos: ["*"],
+      target: "*",
+    });
+
+    const message = {
+      type: "resolve_pull_request_review_thread",
+      thread_id: "PRRT_kwDOWildcard",
+    };
+
+    const result = await freshHandler(message, {});
+
+    expect(result.success).toBe(true);
+  });
+
+  it("should allow resolving when allowed_repos uses org/* pattern", async () => {
+    mockGraphqlForThread(10, "other-owner/specific-repo");
+
+    const { main } = require("./resolve_pr_review_thread.cjs");
+    const freshHandler = await main({
+      max: 10,
+      "target-repo": "default-owner/default-repo",
+      allowed_repos: ["other-owner/*"],
+      target: "*",
+    });
+
+    const message = {
+      type: "resolve_pull_request_review_thread",
+      thread_id: "PRRT_kwDOOrgWildcard",
+    };
+
+    const result = await freshHandler(message, {});
+
+    expect(result.success).toBe(true);
+  });
+
+  it("should reject resolving when org/* pattern does not match", async () => {
+    mockGraphqlForThread(10, "wrong-owner/specific-repo");
+
+    const { main } = require("./resolve_pr_review_thread.cjs");
+    const freshHandler = await main({
+      max: 10,
+      "target-repo": "default-owner/default-repo",
+      allowed_repos: ["other-owner/*"],
+      target: "*",
+    });
+
+    const message = {
+      type: "resolve_pull_request_review_thread",
+      thread_id: "PRRT_kwDOOrgWildcard",
+    };
+
+    const result = await freshHandler(message, {});
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("not in the allowed-repos list");
+  });
+
+  it("should fail closed when threadRepo is null in cross-repo mode", async () => {
+    // Simulate GraphQL returning a thread with no repository info
+    mockGraphql.mockImplementation(query => {
+      if (query.includes("resolveReviewThread")) {
+        return Promise.resolve({ resolveReviewThread: { thread: { id: "PRRT_x", isResolved: true } } });
+      }
+      return Promise.resolve({
+        node: { pullRequest: { number: 10, repository: null } },
+      });
+    });
+
+    const { main } = require("./resolve_pr_review_thread.cjs");
+    const freshHandler = await main({
+      max: 10,
+      "target-repo": "other-owner/other-repo",
+      target: "*",
+    });
+
+    const message = {
+      type: "resolve_pull_request_review_thread",
+      thread_id: "PRRT_kwDONoRepo",
+    };
+
+    const result = await freshHandler(message, {});
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("Could not determine");
+  });
 });
 
 describe("getPRNumber (shared helper in update_context_helpers)", () => {
diff --git a/pkg/workflow/resolve_pr_review_thread.go b/pkg/workflow/resolve_pr_review_thread.go
@@ -26,14 +26,11 @@ func (c *Compiler) parseResolvePullRequestReviewThreadConfig(outputMap map[strin
 			// Parse common base fields with default max of 10
 			c.parseBaseSafeOutputConfig(configMap, &config.BaseSafeOutputConfig, 10)
 
-			// Parse target config (target, target-repo, allowed-repos) with validation
-			targetConfig, isInvalid := ParseTargetConfig(configMap)
-			if isInvalid {
-				return nil // Invalid configuration (e.g., wildcard target-repo), return nil to cause validation error
-			}
+			// Parse target config (target, target-repo, allowed-repos)
+			targetConfig, _ := ParseTargetConfig(configMap)
 			config.SafeOutputTargetConfig = targetConfig
 
-			resolvePRReviewThreadLog.Printf("Parsed resolve-pull-request-review-thread config: max=%d, target_repo=%s", config.Max, config.TargetRepoSlug)
+			resolvePRReviewThreadLog.Printf("Parsed resolve-pull-request-review-thread config: max=%d, target_repo=%s", templatableIntValue(config.Max), config.TargetRepoSlug)
 		} else {
 			// If configData is nil or not a map, still set the default max
 			config.Max = defaultIntStr(10)
