summaryrefslogtreecommitdiff
path: root/docs/_include
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-11 01:13:44 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-11 01:13:44 +0300
commit8b5c867897bad4278b29b318b493f2ceee8015e0 (patch)
treecb5b0b34764694e6c4ba2ddc482e6917c86dfa56 /docs/_include
parent41967202c380114f5c042f410393f6a07e174109 (diff)
downloadvyos-documentation-8b5c867897bad4278b29b318b493f2ceee8015e0.tar.gz
vyos-documentation-8b5c867897bad4278b29b318b493f2ceee8015e0.zip
ci(ai-validation): address 4 CR findings — SHA pins, NUL guard, DB pin, drop id-token
Follow-up on the now-merged #1957 (ubuntu-latest switch). CodeRabbit raised these findings on the paired add-to-circinus PR #1959 (where the same file was being added to the circinus branch); since the file contents are byte-identical across rolling/circinus/sagitta, applying the same fixes here. 1. SHA-pin actions/checkout@v6 (x4), actions/upload-artifact@v4, actions/download-artifact@v4, anthropics/claude-code-action@v1. pull_request_target has secrets + repo write — GitHub security guidance recommends full commit SHAs as the only immutable release form. 2. Reject paths containing control characters (NUL/CR/LF) in changed-md.z and changed-rst.z before `tr '\0' '\n'` converts them to newline-delimited manifests. A fork PR committing `docs/foo<LF>bar.md` would otherwise split into two logical lines, masking the real file from line-based consumers. 3. Pin reference-DB download to `tag: ${{ env.REVIEWER_REF }}` (was `latest: true`). Aligns DB version with the pinned reviewer code; a future reviewer-v1.x.x release with a DB schema change can't be silently picked up. 4. Drop `id-token: write` from validate job permissions. No OIDC usage; copy-paste leftover. Paired PRs on release branches (byte-identical file contents): * circinus: #1959 (commit 025319ea) * sagitta: #1960 (commit e5506317)
Diffstat (limited to 'docs/_include')
0 files changed, 0 insertions, 0 deletions