summaryrefslogtreecommitdiff
path: root/docs/_static/css/datatables.css
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-10 22:08:48 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-10 22:08:48 +0300
commitedd903dcb59ab2669f7a96d74c118c897849dd92 (patch)
treee5f403e2436e0a83210a9375a63c26288802736f /docs/_static/css/datatables.css
parent678ba25dfdcdf31221bb333fb1b77deb24a4b71d (diff)
downloadvyos-documentation-edd903dcb59ab2669f7a96d74c118c897849dd92.tar.gz
vyos-documentation-edd903dcb59ab2669f7a96d74c118c897849dd92.zip
fix(ci): address Copilot review on PR #1947
Three Copilot findings on the AI Validation workflow: 1. line 46 (cp loop on deleted files): `git diff --name-only` with no filter includes Deleted entries, so the subsequent `xargs -0 ... cp --parents` would fail when a PR deletes (or renames) a `.md`/`.rst` file. Added `--diff-filter=ACMRT` to both name-only diffs so deletions are excluded from the cp source list. Deletions still appear in diff-md.patch (which uses the unfiltered full diff) so Pass 1's --pr-diff input still sees them via the patch hunk. 2. line 103 (reviewer sparse-checkout): The App token was being persisted into reviewer/.git/config as an http extraheader by default. The Pass 2 claude-code-action step has Read/Glob/Grep allowed, so a prompt-injection attempt could exfiltrate the token from the workspace. Added `persist-credentials: false`. The sparse-checkout fetched only branches.json which is a one-shot read, no further git ops needed in this job. 3. line 127 (vyos-1x checkout): Same persist-credentials concern. The vyos-1x clone is read by claude-code-action for Pass 2 source inspection — exactly the step where filesystem read tools are exposed to LLM-driven shell behavior. Added `persist-credentials: false`. The vyos-1x tree is only read after this checkout (`Read,Glob,Grep` over `.vyos-1x/`); we don't run any git commands against it that would need the token. Suppressed-by-Copilot finding (line 64, id-token: write): Pushback. claude-code-action@v1 uses OIDC internally (verified by commit b18a399c on the previously-deployed workflow). Removing this permission breaks the action. Keeping as-is. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/_static/css/datatables.css')
0 files changed, 0 insertions, 0 deletions