diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 01:13:44 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-11 01:13:44 +0300 |
| commit | 8b5c867897bad4278b29b318b493f2ceee8015e0 (patch) | |
| tree | cb5b0b34764694e6c4ba2ddc482e6917c86dfa56 /docs/_include | |
| parent | 41967202c380114f5c042f410393f6a07e174109 (diff) | |
| download | vyos-documentation-8b5c867897bad4278b29b318b493f2ceee8015e0.tar.gz vyos-documentation-8b5c867897bad4278b29b318b493f2ceee8015e0.zip | |
ci(ai-validation): address 4 CR findings — SHA pins, NUL guard, DB pin, drop id-token
Follow-up on the now-merged #1957 (ubuntu-latest switch). CodeRabbit
raised these findings on the paired add-to-circinus PR #1959 (where
the same file was being added to the circinus branch); since the file
contents are byte-identical across rolling/circinus/sagitta, applying
the same fixes here.
1. SHA-pin actions/checkout@v6 (x4), actions/upload-artifact@v4,
actions/download-artifact@v4, anthropics/claude-code-action@v1.
pull_request_target has secrets + repo write — GitHub security
guidance recommends full commit SHAs as the only immutable
release form.
2. Reject paths containing control characters (NUL/CR/LF) in
changed-md.z and changed-rst.z before `tr '\0' '\n'` converts
them to newline-delimited manifests. A fork PR committing
`docs/foo<LF>bar.md` would otherwise split into two logical
lines, masking the real file from line-based consumers.
3. Pin reference-DB download to `tag: ${{ env.REVIEWER_REF }}`
(was `latest: true`). Aligns DB version with the pinned
reviewer code; a future reviewer-v1.x.x release with a DB schema
change can't be silently picked up.
4. Drop `id-token: write` from validate job permissions. No OIDC
usage; copy-paste leftover.
Paired PRs on release branches (byte-identical file contents):
* circinus: #1959 (commit 025319ea)
* sagitta: #1960 (commit e5506317)
Diffstat (limited to 'docs/_include')
0 files changed, 0 insertions, 0 deletions
