summaryrefslogtreecommitdiff
path: root/docs/vpp
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-05-10 22:47:03 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-05-10 22:47:03 +0300
commit112f9594594b7081860be0cc86471ae7c7e2a5a4 (patch)
tree9e0642bab8608328a8340408ab95f54ef9524063 /docs/vpp
parentb6f7e82b882caa1ffa9558492cc99b04f1ace3a3 (diff)
downloadvyos-documentation-112f9594594b7081860be0cc86471ae7c7e2a5a4.tar.gz
vyos-documentation-112f9594594b7081860be0cc86471ae7c7e2a5a4.zip
fix(ci): idempotent _changed_md + remove App token from process argv
Two new findings on PR #1947: 1. Copilot — line 59, mkdir collision after cancellation: `mkdir _changed_md` fails with EEXIST if the directory was left behind by a previous run that concurrency.cancel-in-progress killed before the post-job cleanup step could execute. On a busy PR with rapid synchronize events this is a real non-determinism. Replaced with `rm -rf _changed_md && mkdir -p` so the bundling step is idempotent. 2. CodeRabbit — Major, scripts/ai-validation.yml:244 (mirrored here on the deployed copy): `uv pip install "git+https://x-access-token:${TOKEN}@..."` puts the App token in process argv. On a self-hosted runner anyone able to read /proc/<pid>/cmdline (any user with the same UID, any root tool, any LSM audit log) sees the secret while uv/git is running. This undercuts the persist-credentials:false hardening on the surrounding checkouts. Replaced the install with a two-step checkout + local-path install: - actions/checkout@v6 with persist-credentials:false fetches the reviewer source into ./reviewer-src using the App token as a transient http extraheader (not argv). - `uv pip install ./reviewer-src` then installs from the local path — no token anywhere on the command line. Net trust boundary: same security posture as the existing sparse-checkout of branches.json (line 100-110); no new attack surface. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/vpp')
0 files changed, 0 insertions, 0 deletions