fix: harden mattermost auth bypass + labeler

2026-03-29 16:54:30 +00:00 · 2026-02-15 12:01:10 -05:00
parent b0d703158f
commit 4f99f0e663
3 changed files with 29 additions and 10 deletions
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -284,7 +284,12 @@ jobs:
                });
                isMaintainer = membership?.data?.state === "active";
              } catch (error) {
-                if (error?.status !== 404) {
+                // GITHUB_TOKEN may not have org/team read perms; treat permission errors as non-fatal.
+                if (error?.status === 404) {
+                  // ignore
+                } else if (error?.status === 403) {
+                  core.warning(`Skipping team membership check for ${login}; missing permissions.`);
+                } else {
                  throw error;
                }
              }
--- a/extensions/mattermost/src/mattermost/monitor.ts
+++ b/extensions/mattermost/src/mattermost/monitor.ts
@@ -300,15 +300,26 @@ export async function monitorMattermostProvider(opts: MonitorMattermostOpts = {}

      const allRegistered: import("./slash-commands.js").MattermostRegisteredCommand[] = [];

-      for (const team of teams) {
-        const registered = await registerSlashCommands({
+      try {
+        for (const team of teams) {
+          const registered = await registerSlashCommands({
+            client,
+            teamId: team.id,
+            callbackUrl,
+            commands: dedupedCommands,
+            log: (msg) => runtime.log?.(msg),
+          });
+          allRegistered.push(...registered);
+        }
+      } catch (err) {
+        // If we partially succeeded (some teams had commands created) but later failed,
+        // clean up the created commands so we don't strand registrations that will 503.
+        await cleanupSlashCommands({
          client,
-          teamId: team.id,
-          callbackUrl,
-          commands: dedupedCommands,
+          commands: allRegistered,
          log: (msg) => runtime.log?.(msg),
        });
-        allRegistered.push(...registered);
+        throw err;
      }

      // Build trigger→originalName map for accurate command name resolution
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -119,9 +119,12 @@ function resolveMattermostSlashCallbackPaths(

  const mmRaw = configSnapshot.channels?.mattermost as Record<string, unknown> | undefined;
  const addMmCommands = (raw: unknown) => {
-    const commands = raw as Record<string, unknown> | undefined;
-    callbackPaths.add(normalizeCallbackPath(commands?.callbackPath));
-    tryAddCallbackUrlPath(commands?.callbackUrl);
+    if (raw == null || typeof raw !== "object") {
+      return;
+    }
+    const commands = raw as Record<string, unknown>;
+    callbackPaths.add(normalizeCallbackPath(commands.callbackPath));
+    tryAddCallbackUrlPath(commands.callbackUrl);
  };

  addMmCommands(mmRaw?.commands);