fix(github): guard nil response and cap comment pagination in ACL checks

chmouel · claude · chmouel · commit b8d1c5e91812 · 2026-04-09T09:11:03.000+02:00
Guard against nil HTTP response dereference in CheckPolicyAllowing when the API call fails at the transport level (fixes #2661). Cap GetStringPullRequestComment pagination to 10 pages (1000 comments) to prevent rate-limit exhaustion from comment flooding on PRs when RememberOKToTest is enabled (fixes #2662). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/pkg/provider/github/acl.go b/pkg/provider/github/acl.go
@@ -25,7 +25,7 @@ func (v *Provider) CheckPolicyAllowing(ctx context.Context, event *info.Event, a
 			members, resp, err := wrapAPI(v, "list_team_members_by_slug", func() ([]*github.User, *github.Response, error) {
 				return v.Client().Teams.ListTeamMembersBySlug(ctx, event.Organization, team, &github.TeamListTeamMembersOptions{ListOptions: opt})
 			})
-			if resp.StatusCode == http.StatusNotFound {
+			if resp != nil && resp.StatusCode == http.StatusNotFound {
 				// we explicitly disallow the policy when the team is not found
 				// maybe we should ignore it instead? i'd rather keep this explicit
 				// and conservative since being security related.
@@ -321,7 +321,7 @@ func (v *Provider) GetStringPullRequestComment(ctx context.Context, runevent *in
 
 	gitOpsCommentPrefix := provider.GetGitOpsCommentPrefix(v.repo)
 
-	for {
+	for page := 0; page < maxCommentPages; page++ {
 		comments, resp, err := wrapAPI(v, "list_issue_comments", func() ([]*github.IssueComment, *github.Response, error) {
 			return v.Client().Issues.ListComments(ctx, runevent.Organization, runevent.Repository,
 				prNumber, opt)
diff --git a/pkg/provider/github/github.go b/pkg/provider/github/github.go
@@ -41,6 +41,11 @@ const (
 	publicRawURLHost = "raw.githubusercontent.com"
 
 	defaultPaginedNumber = 100
+	// maxCommentPages caps the number of pages fetched when scanning PR
+	// comments (e.g. for /ok-to-test). With defaultPaginedNumber=100 this
+	// allows up to 1000 comments, which is generous for legitimate use while
+	// preventing rate-limit exhaustion from comment flooding.
+	maxCommentPages = 10
 )
 
 var _ provider.Interface = (*Provider)(nil)
