Files
2026-07-13 13:09:14 +08:00

42 lines
2.0 KiB
YAML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
name: Spam Comment Guard
on:
issue_comment:
types: [created]
# 用 PROJECT_AUTOMATION_TOKENowner PAT)调 DELETEGITHUB_TOKEN 本身无需写权限
permissions:
contents: read
jobs:
delete-malicious-link:
runs-on: ubuntu-latest
# 跳过机器人与仓库 owner,避免误删维护者的正当评论
if: ${{ github.event.comment.user.type != 'Bot' && github.event.comment.user.login != github.repository_owner }}
env:
# owner PATGITHUB_TOKEN 非 admin 删不掉别人的评论,必须用 owner 令牌
GH_TOKEN: ${{ secrets.PROJECT_AUTOMATION_TOKEN }}
COMMENT_ID: ${{ github.event.comment.id }}
COMMENT_BODY: ${{ github.event.comment.body }}
COMMENT_USER: ${{ github.event.comment.user.login }}
ISSUE_URL: ${{ github.event.issue.html_url }}
REPO: ${{ github.repository }}
steps:
- name: Delete comment containing malicious attachment link
run: |
set -euo pipefail
# 命中外部恶意附件链接即删除评论。两条分支:
# 1) 外部 http(s) 直链 .zip(排除 GitHub 自有域名的 release/archive/raw/attachments
# 2) markdown 链接文本以 .zip/.exe/.scr/.7z 结尾且指向外部域名——
# 规避手法常把 .zip 放链接文本、URL 用 // 协议相对或 %2E 编码域名
# 如需扩展扩展名,修改下方两处列表即可。
if ! printf '%s' "$COMMENT_BODY" | grep -qiP 'https?://(?!(?:github\.com|[^/]*\.githubusercontent\.com)/)[^[:space:]<>"]+\.zip([?#][^[:space:]<>"]*)?|\[[^\]]*\.(zip|7z|exe|scr)\]\((?!(?:https?:)?//(?:github\.com|[^/]*\.githubusercontent\.com)/)[^)]*\)'; then
echo "No malicious attachment link detected, skipping"
exit 0
fi
echo "Detected malicious attachment link in comment by @$COMMENT_USER on $ISSUE_URL — deleting"
# 物理删除评论,内容对所有人不可见。DELETE 返回 204 无响应体。
gh api -X DELETE "repos/${REPO}/issues/comments/${COMMENT_ID}"