
Conversation

@issuetopr-dev

@issuetopr-dev issuetopr-dev bot commented Jan 6, 2026

Summary

  • Enforces a conservative authorization model for PR comment–triggered workflows using GitHub’s author_association signal.
  • Only allows privileged actions when author_association === "OWNER".
  • For non-OWNER commenters attempting to trigger a workflow, the app posts a helpful reply explaining the restriction.
  • Keeps execution and billing tied cleanly to the repository’s linked GitHub App installation.

Key changes

  1. Webhook schema
  • Extended IssueCommentPayloadSchema to include:
    • comment.author_association (string)
    • comment.body (string)
    • issue.pull_request (presence indicates PR comment)
  2. New handler
  • lib/webhook/github/handlers/pullRequest/comment.authorizeWorkflow.handler.ts
    • handlePullRequestCommentAuthorize enforces the authorization gate.
    • Detects explicit command-style comments ("/i2pr" or "i2pr:") to avoid noisy replies.
    • If commenter is not an OWNER, posts a reply via the GitHub App installation context.
    • If commenter is an OWNER, logs authorization (actual workflow dispatch to be wired in follow-ups).
  3. Webhook routing
  • app/api/webhook/github/route.ts now routes issue_comment events through the new handler.
  • Uses runWithInstallationId to ensure replies are authenticated with the repository installation token.

Why this approach

  • Uses GitHub’s signed webhook + author_association as a trusted signal, avoiding per-user auth.
  • Aligns with common ecosystem patterns for protecting resource-intensive workflows in public repos.
  • Ties execution and billing to the repo-linked account.

Non-goals in this PR

  • This PR does not add new comment commands nor kick off specific workflows. It puts the authorization scaffolding in place and provides UX feedback for unauthorized attempts.

Notes

  • Linting/Type checks: next lint and tsc pass locally. Prettier check prints warnings (as in current project setup), but does not block CI here.

Follow-ups

  • Wire specific comment commands to concrete workflows (e.g., analyze PR, resolve conflicts) under this authorization model.
  • Expand the allowed associations if needed (e.g., MEMBER/COLLABORATOR) behind settings.

Closes #1462

…iation

- Extend IssueComment payload schema to include author_association, body, and PR detection
- Add handler to authorize PR comment commands only for OWNERs and reply with guidance otherwise
- Wire handler into webhook route and run under installation context for proper GitHub App auth

This enables a repo-linked authorization model that safely rejects non-owner attempts and aligns with GitHub’s recommended patterns.
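The gate the description lays out (PR-only, command-only, deny unless the commenter's `author_association` is on an allowlist, reply otherwise) can be captured as a pure decision function that a webhook route calls after it has verified the webhook signature. The following is an added example, not code from the issue-to-pr project: the names `decideCommentAction`, `extractCommand` and `Decision`, the `comment.user.login` field and the reply wording are assumptions; the command prefixes and the `author_association`/`body`/`issue.pull_request` fields come from the PR description. It assumes signature verification has already happened, because `author_association` is only a trustworthy signal on a payload GitHub actually signed.

```typescript
// Added example (not the project's own code): a pure authorization decision for
// PR comment-triggered workflows. Assumes the caller has already verified the
// webhook signature with the app's secret before trusting author_association.

interface IssueCommentPayload {
  action: string;
  comment: {
    body: string;
    author_association: string; // e.g. "OWNER", "MEMBER", "CONTRIBUTOR", "NONE"
    user: { login: string }; // assumed field, used only to address the reply
  };
  issue: {
    number: number;
    pull_request?: { url: string }; // present only when the issue is a pull request
  };
}

type Decision =
  | { kind: "ignore"; reason: string }
  | { kind: "reply"; body: string }
  | { kind: "authorized"; command: string };

// Command-style prefixes named in the PR description; anything else is ordinary chatter
// and gets no reply, so the bot does not spam every PR comment.
const COMMAND_PREFIXES: ReadonlyArray<string> = ["/i2pr", "i2pr:"];

// Returns the command text after a recognised prefix, or null for non-command comments.
function extractCommand(body: string): string | null {
  const trimmed = body.trim();
  for (const prefix of COMMAND_PREFIXES) {
    if (trimmed.startsWith(prefix)) {
      return trimmed.slice(prefix.length).trim();
    }
  }
  return null;
}

function decideCommentAction(
  payload: IssueCommentPayload,
  allowedAssociations: ReadonlySet<string> = new Set(["OWNER"]),
): Decision {
  // Edited or deleted comments must not re-trigger a workflow.
  if (payload.action !== "created") {
    return { kind: "ignore", reason: "comment action is not 'created'" };
  }
  // Only PR comments are in scope; plain issue comments carry no pull_request field.
  if (!payload.issue.pull_request) {
    return { kind: "ignore", reason: "not a pull request comment" };
  }
  const command = extractCommand(payload.comment.body);
  if (command === null) {
    return { kind: "ignore", reason: "not a command-style comment" };
  }
  // Deny by default: an unknown, missing or unlisted association gets a reply, never a run.
  if (!allowedAssociations.has(payload.comment.author_association)) {
    return {
      kind: "reply",
      body:
        `@${payload.comment.user.login} only repository owners can trigger ` +
        `workflows from PR comments; this command was not run.`,
    };
  }
  return { kind: "authorized", command };
}

// Constructed sample payload (not a captured webhook) for local experimentation.
const samplePayload: IssueCommentPayload = {
  action: "created",
  comment: {
    body: "/i2pr analyze",
    author_association: "CONTRIBUTOR",
    user: { login: "example-user" },
  },
  issue: {
    number: 1,
    pull_request: { url: "https://api.github.com/repos/example/repo/pulls/1" },
  },
};

console.log(decideCommentAction(samplePayload));
```

Passing the allowlist as a parameter keeps the default at `OWNER` while leaving room for the follow-up the description mentions (MEMBER/COLLABORATOR behind settings); widening it is a one-line configuration change rather than a rewrite of the gate.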
@issuetopr-dev issuetopr-dev bot added the AI generated AI-generated Pull Requests label Jan 6, 2026
@coderabbitai
Contributor

coderabbitai bot commented Jan 6, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@vercel vercel bot temporarily deployed to Preview – issue-to-pr-realtime January 9, 2026 02:27 Inactive
@vercel vercel bot temporarily deployed to Preview – issue-to-pr-storybook January 9, 2026 02:27 Inactive
@vercel vercel bot temporarily deployed to Preview – issue-to-pr-realtime January 9, 2026 02:37 Inactive
@vercel vercel bot temporarily deployed to Preview – issue-to-pr-storybook January 9, 2026 02:37 Inactive

Labels

AI generated AI-generated Pull Requests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Leverage author_association for PR workflow authorization

2 participants