Allow trusted bot comments via trusted_appIDs (#2554)

Allow a list of AppIDs whoe comments will not be ignored
Allow comments from all bot accounts with the digger:allowbot PR label

Refs #2553

Author: dannysauer

backend/controllers/github.go

@@ -113,11 +113,6 @@ func (d DiggerController) GithubAppWebHook(c *gin.Context) {
 			"issueNumber", *event.Issue.Number,
 		)
 
-		if event.Sender.Type != nil && *event.Sender.Type == "Bot" {
-			slog.Debug("Ignoring bot comment", "senderType", *event.Sender.Type)
-			c.String(http.StatusOK, "OK")
-			return
-		}
 		go func(ctx context.Context) {
 			defer logging.InheritRequestLogger(ctx)()
 			handleIssueCommentEvent(gh, event, d.CiBackendProvider, appId64, d.GithubWebhookPostIssueCommentHooks)

backend/controllers/github_comment.go

@@ -173,6 +173,27 @@ func handleIssueCommentEvent(gh utils.GithubClientProvider, payload *github.Issu
 		return fmt.Errorf("error getting digger config")
 	}
 
+	if payload.Sender.GetType() == "Bot" {
+		if lo.Contains(prLabelsStr, "digger:allowbot") {
+			slog.Info("Allowing bot comment due to label override",
+				"issueNumber", issueNumber,
+				"label", "digger:allowbot",
+			)
+		} else {
+			commentUserID := payload.GetComment().GetUser().GetID()
+			if commentUserID == 0 {
+				commentUserID = payload.GetSender().GetID()
+			}
+			if !lo.Contains(config.TrustedAppIDs, commentUserID) {
+				slog.Info("Ignoring bot comment from untrusted app",
+					"issueNumber", issueNumber,
+					"commentUserId", commentUserID,
+				)
+				return nil
+			}
+		}
+	}
+
 	if config.DisableDiggerApplyComment && strings.HasPrefix(cleanedComment, "digger apply") {
 		slog.Info("Digger configured to disable apply comment in PRs, ignoring comment", "DisableDiggerApplyComment", config.DisableDiggerApplyComment)
 		if os.Getenv("DIGGER_REPORT_BEFORE_LOADING_CONFIG") == "1" {

docs/ce/reference/digger.yml.mdx

@@ -35,6 +35,8 @@ report_terraform_outputs: true
 mention_drifted_projects_in_pr: false
 disable_digger_apply_comment: false
 disable_digger_apply_status_check: false
+trusted_appIDs:
+  - 41898282
 respect_layers: false
 reporting:
   ai_summary: false
@@ -201,6 +203,10 @@ workflows:
   Disable the status check that verifies apply was executed.
 </ParamField>
 
+<ParamField path="trusted_appIDs" type="array" default="[]">
+  Allow bot comments from these GitHub user IDs. Example: `trusted_appIDs: [41898282]` for GitHub Actions.
+</ParamField>
+
 <ParamField path="comment_render_mode" type="string" default="basic">
   How to render plan output in comments. Options: `basic`, `detailed`.
 </ParamField>

libs/digger_config/config.go

@@ -25,6 +25,7 @@ type DiggerConfig struct {
 	AutoMerge                     bool
 	AutoMergeStrategy             AutomergeStrategy
 	Telemetry                     bool
+	TrustedAppIDs                 []int64
 	Workflows                     map[string]Workflow
 	MentionDriftedProjectsInPR    bool
 	TraverseToNestedProjects      bool

libs/digger_config/converters.go

@@ -280,6 +280,12 @@ func ConvertDiggerYamlToConfig(diggerYaml *DiggerConfigYaml) (*DiggerConfig, gra
 		diggerConfig.CommentRenderMode = CommentRenderModeBasic
 	}
 
+	if diggerYaml.TrustedAppIDs != nil {
+		diggerConfig.TrustedAppIDs = append([]int64(nil), diggerYaml.TrustedAppIDs...)
+	} else {
+		diggerConfig.TrustedAppIDs = []int64{}
+	}
+
 	if diggerYaml.MentionDriftedProjectsInPR != nil {
 		diggerConfig.MentionDriftedProjectsInPR = *diggerYaml.MentionDriftedProjectsInPR
 	} else {

libs/digger_config/yaml.go

@@ -19,6 +19,7 @@ type DiggerConfigYaml struct {
 	Projects                      []*ProjectYaml               `yaml:"projects"`
 	AutoMerge                     *bool                        `yaml:"auto_merge"`
 	AutoMergeStrategy             *string                      `yaml:"auto_merge_strategy"`
+	TrustedAppIDs                 []int64                      `yaml:"trusted_appIDs,omitempty"`
 	CommentRenderMode             *string                      `yaml:"comment_render_mode"`
 	Workflows                     map[string]*WorkflowYaml     `yaml:"workflows"`
 	Telemetry                     *bool                        `yaml:"telemetry,omitempty"`