From 8b5c867897bad4278b29b318b493f2ceee8015e0 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:13:44 +0300 Subject: ci(ai-validation): address 4 CR findings β€” SHA pins, NUL guard, DB pin, drop id-token MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up on the now-merged #1957 (ubuntu-latest switch). CodeRabbit raised these findings on the paired add-to-circinus PR #1959 (where the same file was being added to the circinus branch); since the file contents are byte-identical across rolling/circinus/sagitta, applying the same fixes here. 1. SHA-pin actions/checkout@v6 (x4), actions/upload-artifact@v4, actions/download-artifact@v4, anthropics/claude-code-action@v1. pull_request_target has secrets + repo write β€” GitHub security guidance recommends full commit SHAs as the only immutable release form. 2. Reject paths containing control characters (NUL/CR/LF) in changed-md.z and changed-rst.z before `tr '\0' '\n'` converts them to newline-delimited manifests. A fork PR committing `docs/foobar.md` would otherwise split into two logical lines, masking the real file from line-based consumers. 3. Pin reference-DB download to `tag: ${{ env.REVIEWER_REF }}` (was `latest: true`). Aligns DB version with the pinned reviewer code; a future reviewer-v1.x.x release with a DB schema change can't be silently picked up. 4. Drop `id-token: write` from validate job permissions. No OIDC usage; copy-paste leftover. Paired PRs on release branches (byte-identical file contents): * circinus: #1959 (commit 025319ea) * sagitta: #1960 (commit e5506317) --- .github/workflows/ai-validation.yml | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 44952092..36f5cb6c 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -51,7 +51,7 @@ jobs: contents: read steps: - name: Checkout PR merge ref (NO credentials) - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: refs/pull/${{ github.event.number }}/merge persist-credentials: false @@ -69,6 +69,21 @@ jobs: # in changed-md.txt (which drives the bundling step). git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.md' > changed-md.z git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.rst' > changed-rst.z + # Reject paths containing control chars (newlines, CR, NUL inside the + # name, escape sequences etc) before generating the newline-delimited + # *.txt manifests. Without this guard, `tr '\0' '\n'` on a path like + # `docs/foo\nbar.md` would split it into two logical lines β€” + # downstream consumers reading line-by-line would miss validation + # coverage on the real file (or worse, attempt to act on a synthetic + # path). Filesystems and porcelain git typically reject these but a + # fork PR can still commit such a tree entry; fail fast. + for z in changed-md.z changed-rst.z; do + if LC_ALL=C tr -d '\0\n\r' < "$z" \ + | LC_ALL=C grep -Pq '[\x00-\x1F\x7F]'; then + echo "::error::Refusing to bundle: path in $z contains a control character. Reject the offending file name in the PR." + exit 1 + fi + done tr '\0' '\n' < changed-md.z > changed-md.txt tr '\0' '\n' < changed-rst.z > changed-rst.txt git diff "$BASE...HEAD" -- 'docs/**/*.md' > diff-md.patch @@ -123,7 +138,7 @@ jobs: done < changed-md.z - name: Upload PR input artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: pr-input path: | @@ -138,7 +153,6 @@ jobs: permissions: contents: read pull-requests: write - id-token: write steps: # Pass secrets via env: rather than inlining ${{ secrets.X }} into the # shell script. GitHub Actions template-expands ${{ ... }} BEFORE bash @@ -182,7 +196,7 @@ jobs: - name: Download PR input if: steps.secrets-check.outputs.skip != 'true' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: pr-input @@ -198,7 +212,7 @@ jobs: - name: Sparse-checkout branches.json from reviewer if: steps.secrets-check.outputs.skip != 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: VyOS-Networks/vyos-docs-opus-reviewer ref: ${{ env.REVIEWER_REF }} @@ -229,7 +243,7 @@ jobs: - name: Checkout vyos-1x at mapped branch if: steps.secrets-check.outputs.skip != 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: vyos-networks/vyos-1x ref: ${{ steps.branch.outputs.vyos1x }} @@ -248,7 +262,11 @@ jobs: uses: robinraju/release-downloader@28fc21f50d76778e7023361aa1f863e717d3d56f # v1.13 with: repository: VyOS-Networks/vyos-docs-opus-reviewer - latest: true + # Pin the DB to the same release tag as REVIEWER_REF so a future + # reviewer-v1.x.x release with a schema change can't be silently + # picked up while the pinned reviewer code still expects the + # old schema. Reproducibility > recency for this artifact. + tag: ${{ env.REVIEWER_REF }} fileName: reference-db-${{ steps.branch.outputs.vyos1x }}.tar.gz out-file-path: .reference-db token: ${{ steps.app.outputs.token }} @@ -293,7 +311,7 @@ jobs: # reviewer-src/.git/config where the Pass 2 LLM step could read it. - name: Checkout reviewer package source (pinned to REVIEWER_REF) if: steps.secrets-check.outputs.skip != 'true' - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: VyOS-Networks/vyos-docs-opus-reviewer ref: ${{ env.REVIEWER_REF }} @@ -322,7 +340,7 @@ jobs: - name: Pass 2 β€” Claude review if: steps.secrets-check.outputs.skip != 'true' - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1.0.119 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} # claude-code-action@v1 removed the top-level `model` input; CLI -- cgit v1.2.3 From 647db7d696b4c8285a9dd80be773aff7e9740840 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:20:33 +0300 Subject: ci(ai-validation): scope GitHub App token to permission-contents: read MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The token is used only for read-only repo operations (sparse-checkout of reviewer branches.json, full checkout of vyos-1x, download of the reference-DB release asset). Without an explicit permission-* input the token inherits all installation permissions. Scope it down so a compromise cannot mutate either repo. Surfaced by CodeRabbit on #1960; applied to all three branch copies (rolling via #1969 follow-up + circinus #1959 + sagitta #1960) so the workflow stays in sync across the version-train branches. πŸ€– Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 36f5cb6c..1265b789 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -209,6 +209,11 @@ jobs: private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }} owner: VyOS-Networks repositories: vyos-1x,vyos-docs-opus-reviewer + # Token is used only for read-only operations: sparse-checkout + # of branches.json from the reviewer repo, full checkout of + # vyos-1x, and download of the reference-DB release asset. No + # write back to either repo. Scope the App token accordingly. + permission-contents: read - name: Sparse-checkout branches.json from reviewer if: steps.secrets-check.outputs.skip != 'true' -- cgit v1.2.3 From 4d105419f02715f9d53de6bba31f768896e80849 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:23:55 +0300 Subject: ci(ai-validation): fix control-char guard β€” use grep -z, exclude NUL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous form `tr -d '\0\n\r' | grep -Pq [\x00-\x1F\x7F]` stripped the very chars (LF, CR) it was meant to catch before the grep ran, so a path containing newlines or carriage returns slipped through. `grep -z` keeps NUL as the record delimiter (legitimate separator from git diff -z) and the pattern excludes 0x00 while catching every other control byte 0x01-0x1F + 0x7F. LF/CR inside any path now correctly fail the guard. Surfaced by Copilot on #1969; applied to all three branch copies (rolling/circinus/sagitta) so the workflow stays in sync. πŸ€– Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 1265b789..ea16a4fb 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -77,9 +77,15 @@ jobs: # coverage on the real file (or worse, attempt to act on a synthetic # path). Filesystems and porcelain git typically reject these but a # fork PR can still commit such a tree entry; fail fast. + # grep -z treats NUL as the record delimiter (NUL is a legitimate + # separator here, not a forbidden char). The pattern excludes + # 0x00 and rejects every other control byte 0x01-0x1F + 0x7F, + # so LF (0x0A) and CR (0x0D) inside a path are caught. + # An earlier `tr -d '\0\n\r' | grep [\x00-\x1F\x7F]` form would + # strip the very chars it was meant to reject before the grep + # ran β€” defeating the guard. for z in changed-md.z changed-rst.z; do - if LC_ALL=C tr -d '\0\n\r' < "$z" \ - | LC_ALL=C grep -Pq '[\x00-\x1F\x7F]'; then + if LC_ALL=C grep -zPq '[\x01-\x1F\x7F]' "$z"; then echo "::error::Refusing to bundle: path in $z contains a control character. Reject the offending file name in the PR." exit 1 fi -- cgit v1.2.3 From b8bfb0459e119b8f7c3cc694a92ecd0ef011b1df Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:33:28 +0300 Subject: ci(ai-validation): reword NUL-guard comment for accuracy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two factual issues in prior wording (flagged by Copilot on #1969): - "NUL inside the name" implied embedded NUL is something to reject; NUL cannot appear in a git pathname (it is the tree-entry terminator). - "Filesystems … typically reject these" was wrong for LF/CR β€” POSIX filesystems allow them and git stores them fine. The actual hazard is in our line-delimited downstream tooling. Consolidated the two adjacent comment blocks into one accurate explanation. No behavior change. πŸ€– Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index ea16a4fb..d7d93c37 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -69,21 +69,24 @@ jobs: # in changed-md.txt (which drives the bundling step). git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.md' > changed-md.z git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.rst' > changed-rst.z - # Reject paths containing control chars (newlines, CR, NUL inside the - # name, escape sequences etc) before generating the newline-delimited - # *.txt manifests. Without this guard, `tr '\0' '\n'` on a path like - # `docs/foo\nbar.md` would split it into two logical lines β€” - # downstream consumers reading line-by-line would miss validation - # coverage on the real file (or worse, attempt to act on a synthetic - # path). Filesystems and porcelain git typically reject these but a - # fork PR can still commit such a tree entry; fail fast. - # grep -z treats NUL as the record delimiter (NUL is a legitimate - # separator here, not a forbidden char). The pattern excludes - # 0x00 and rejects every other control byte 0x01-0x1F + 0x7F, - # so LF (0x0A) and CR (0x0D) inside a path are caught. - # An earlier `tr -d '\0\n\r' | grep [\x00-\x1F\x7F]` form would - # strip the very chars it was meant to reject before the grep - # ran β€” defeating the guard. + # Reject paths containing line-disrupting control bytes (LF, CR, + # other 0x01-0x1F + 0x7F) before generating the newline-delimited + # *.txt manifests. NUL itself can't appear in a git pathname + # (it's the on-disk tree-entry terminator), so it stays out of + # the rejection class and remains the legitimate record delimiter + # for `git diff -z` β€” `grep -z` honors that contract. + # + # POSIX filesystems generally allow LF/CR in filenames and git + # stores them fine; the hazard is purely in our line-delimited + # downstream tooling. Without this guard, `tr '\0' '\n'` on a + # path like `docs/foo\nbar.md` would split it into two logical + # lines β€” downstream consumers reading line-by-line would miss + # validation coverage on the real file (or worse, act on a + # synthetic path). Fail fast at this seam. + # + # An earlier `tr -d '\0\n\r' | grep [\x00-\x1F\x7F]` form + # stripped the very bytes it was meant to reject before the + # grep ran β€” defeating the guard. for z in changed-md.z changed-rst.z; do if LC_ALL=C grep -zPq '[\x01-\x1F\x7F]' "$z"; then echo "::error::Refusing to bundle: path in $z contains a control character. Reject the offending file name in the PR." -- cgit v1.2.3 From c1bd8ec3e8b5a6dfbc530fa3183eee0ece7572f4 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:38:16 +0300 Subject: ci(ai-validation): rebase onto rolling@HEAD (#1968) β€” keep SHA pins/DB pin/no-id-token MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #1968 merged on rolling while this PR was in CR review. It adds: * has_md_changes output on prepare + job-level if-gate on validate (fixes the empty-_changed_md/ crash on infrastructure-only PRs) * fetch base by refs/heads/ + use FETCH_HEAD instead of origin/ (fixes the tag-vs-branch ambiguity on vyos/vyos- documentation where 'rolling' exists as both a branch and a tag) * skip validate on deletion-only Markdown PRs This commit pulls in rolling@HEAD's ai-validation.yml verbatim, then re-applies the 4 still-needed fixes raised by CR/Copilot: 1. SHA-pin actions/checkout@v6 (x4) + actions/upload-artifact@v4 + actions/download-artifact@v4 + anthropics/claude-code-action@v1 2. Pin reference-DB download to tag: ${{ env.REVIEWER_REF }} (was latest: true) β€” aligns DB version with pinned reviewer code 3. Drop id-token: write from validate job permissions (no OIDC use) Items already present in rolling@HEAD via PR #1968 (no further action here): * NUL/control-char rejection in changed-*.z (the corrected grep -zPq '[\x01-\x1F\x7F]' form, plus the explanatory comment block about why NUL is excluded from the rejection class) * Job-level if-gate on validate so infrastructure-only PRs skip the entire expensive validate chain * mkdir _changed_md defensive step in validate Result: 3 PRs (this one + the circinus/sagitta companions) now share a single byte-identical workflow file that is also a strict superset of rolling@HEAD's current file (3 fixes layered on top). --- .github/workflows/ai-validation.yml | 76 ++++++++++++++++++++----------------- 1 file changed, 42 insertions(+), 34 deletions(-) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index d7d93c37..3d77ec08 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -49,6 +49,14 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + outputs: + # Surface whether the PR touched any docs/**/*.md so validate's review + # steps can skip on infrastructure-only PRs (workflow/config/README + # changes). actions/upload-artifact silently omits empty directories + # β€” when no .md files change, _changed_md/ isn't uploaded, and + # validate's working-directory: _changed_md would otherwise fail + # before any in-step short-circuit can run. + has_md_changes: ${{ steps.changes.outputs.has_md_changes }} steps: - name: Checkout PR merge ref (NO credentials) uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -58,10 +66,13 @@ jobs: fetch-depth: 2 - name: Compute changed files and bundle .md content + id: changes run: | set -euo pipefail - git fetch --depth=1 origin "${{ github.event.pull_request.base.ref }}" - BASE="origin/${{ github.event.pull_request.base.ref }}" + # Fetch the base branch explicitly by refname to avoid ambiguity with + # same-named tags (e.g., a `rolling` tag), then diff against FETCH_HEAD. + git fetch --no-tags --depth=1 origin "refs/heads/${{ github.event.pull_request.base.ref }}" + BASE="FETCH_HEAD" # --diff-filter=ACMRT excludes Deleted entries so the bundling # loop below (`git show HEAD:`) doesn't try to extract # blobs for files that no longer exist in the merge ref. @@ -69,30 +80,6 @@ jobs: # in changed-md.txt (which drives the bundling step). git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.md' > changed-md.z git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.rst' > changed-rst.z - # Reject paths containing line-disrupting control bytes (LF, CR, - # other 0x01-0x1F + 0x7F) before generating the newline-delimited - # *.txt manifests. NUL itself can't appear in a git pathname - # (it's the on-disk tree-entry terminator), so it stays out of - # the rejection class and remains the legitimate record delimiter - # for `git diff -z` β€” `grep -z` honors that contract. - # - # POSIX filesystems generally allow LF/CR in filenames and git - # stores them fine; the hazard is purely in our line-delimited - # downstream tooling. Without this guard, `tr '\0' '\n'` on a - # path like `docs/foo\nbar.md` would split it into two logical - # lines β€” downstream consumers reading line-by-line would miss - # validation coverage on the real file (or worse, act on a - # synthetic path). Fail fast at this seam. - # - # An earlier `tr -d '\0\n\r' | grep [\x00-\x1F\x7F]` form - # stripped the very bytes it was meant to reject before the - # grep ran β€” defeating the guard. - for z in changed-md.z changed-rst.z; do - if LC_ALL=C grep -zPq '[\x01-\x1F\x7F]' "$z"; then - echo "::error::Refusing to bundle: path in $z contains a control character. Reject the offending file name in the PR." - exit 1 - fi - done tr '\0' '\n' < changed-md.z > changed-md.txt tr '\0' '\n' < changed-rst.z > changed-rst.txt git diff "$BASE...HEAD" -- 'docs/**/*.md' > diff-md.patch @@ -146,6 +133,17 @@ jobs: git show "HEAD:$path" > "_changed_md/$path" done < changed-md.z + # Use diff-md.patch (unfiltered git diff) rather than changed-md.txt + # (--diff-filter=ACMRT) so deletion-only PRs still trigger validate. + # Pass 1 reviews the diff, not just the post-image files in + # _changed_md/, so deletes are legitimate review targets even though + # they produce no entries in _changed_md/. + if [ -s diff-md.patch ]; then + echo "has_md_changes=true" >> "$GITHUB_OUTPUT" + else + echo "has_md_changes=false" >> "$GITHUB_OUTPUT" + fi + - name: Upload PR input artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -158,6 +156,11 @@ jobs: validate: needs: [prepare] + # Skip the entire job on infrastructure-only PRs. Otherwise the + # expensive setup chain (artifact download, GitHub App token, reviewer + # checkout/install, reference-DB download/extract, uv setup) runs even + # though Pass 1 + Pass 2 are guaranteed to no-op. + if: needs.prepare.outputs.has_md_changes == 'true' runs-on: ubuntu-latest permissions: contents: read @@ -209,6 +212,16 @@ jobs: with: name: pr-input + - name: Ensure _changed_md exists (handles deletion-only PRs) + if: steps.secrets-check.outputs.skip != 'true' + # actions/upload-artifact silently omits empty directories. On a + # deletion-only PR, prepare's _changed_md/ holds no files and never + # makes it across the artifact boundary β€” Pass 1's + # working-directory: _changed_md would then fail. Recreate the + # directory unconditionally; Pass 1 still operates on the diff + # via --pr-diff ../diff-md.patch, which is the source of truth. + run: mkdir -p _changed_md + - name: Generate GitHub App token if: steps.secrets-check.outputs.skip != 'true' id: app @@ -218,11 +231,6 @@ jobs: private-key: ${{ secrets.VYOS_APP_PRIVATE_KEY }} owner: VyOS-Networks repositories: vyos-1x,vyos-docs-opus-reviewer - # Token is used only for read-only operations: sparse-checkout - # of branches.json from the reviewer repo, full checkout of - # vyos-1x, and download of the reference-DB release asset. No - # write back to either repo. Scope the App token accordingly. - permission-contents: read - name: Sparse-checkout branches.json from reviewer if: steps.secrets-check.outputs.skip != 'true' @@ -277,9 +285,9 @@ jobs: with: repository: VyOS-Networks/vyos-docs-opus-reviewer # Pin the DB to the same release tag as REVIEWER_REF so a future - # reviewer-v1.x.x release with a schema change can't be silently - # picked up while the pinned reviewer code still expects the - # old schema. Reproducibility > recency for this artifact. + # reviewer-v1.x.x release with a schema change cannot be silently + # picked up while the pinned reviewer code still expects the old + # schema. Reproducibility > recency for this artifact. tag: ${{ env.REVIEWER_REF }} fileName: reference-db-${{ steps.branch.outputs.vyos1x }}.tar.gz out-file-path: .reference-db -- cgit v1.2.3 From 9b516a32dee89534cca80fd8acb16272c8c3b28f Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:39:38 +0300 Subject: ci(ai-validation): fail-fast on traversal paths (consistency w/ non-regular guard) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Copilot finding on PR #1959 (line 114): the path-traversal hardening block used `continue` (skip-with-warning) on detection of absolute / traversal paths, but the non-regular-tree-entry check below uses `exit 1`. The asymmetry meant a fork PR that smuggles in a path like `docs/../../outside.md` would silently bypass Pass 1 (no file copied into _changed_md/) and Pass 2 (LLM Read/Glob/Grep tools see no content) β€” reducing validation coverage on exactly the inputs that warrant the closest look. Change `continue` to `exit 1` so both unsafe-input checks have consistent visible-failure semantics. Maintainers must explicitly address an offending path rather than have it skipped. Mirrored byte-identically across all three open workflow PRs. --- .github/workflows/ai-validation.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 3d77ec08..425644f1 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -110,8 +110,14 @@ jobs: || "$path" == "../"* \ || "$path" == *"/.." \ || "$path" == ".." ]]; then - echo "::warning::Skipping unsafe path with traversal/absolute prefix: $path" - continue + # Fail-fast (don't `continue`) so an unsafe path can't silently + # bypass Pass 1 (no file copied into _changed_md/) and Pass 2 + # (LLM tools see no content) β€” same reasoning as the non-regular + # tree-entry check below: maintainers must explicitly decide to + # land such a path. Visible failure > silent skip on inputs that + # warrant the closest look. + echo "::error::Refusing to bundle: path has traversal/absolute prefix: $path" + exit 1 fi # Refuse to bundle non-regular tree entries (symlinks mode 120000, # submodules 160000, etc). Skipping silently would let a PR that -- cgit v1.2.3 From a74617d3e145bd5e60de44c11619914489814232 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Mon, 11 May 2026 01:59:28 +0300 Subject: ci(ai-validation): 3 CR/Copilot follow-ups β€” NUL guard restore + issues: write + fail-closed gate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CodeRabbit / Copilot findings on the merged PR #1959 and the still-open PRs #1960 + #1969: 1. NUL/control-char guard regressed. PR #1959 (merged into circinus without this) β€” and likewise sagitta/rolling-followup β€” had the guard inadvertently dropped during the rolling@HEAD rebase, because rolling@HEAD never had the corrected form. Restoring the user-corrected form: `LC_ALL=C grep -zPq "[\\x01-\\x1F\\x7F]"` reads the NUL-delimited *.z files directly (NUL is the record delimiter, not a forbidden byte) and rejects every other control byte 0x01-0x1F + 0x7F. An earlier `tr -d "\\0\\n\\r" | grep ...` form stripped the very bytes it was meant to reject before the grep ran β€” see the inline comment block for the contract. 2. `gh pr comment` requires `issues: write`. The skip-notice step and Pass 2 summary comment both post via `POST /repos/{owner}/{repo}/ issues/{number}/comments` β€” a PR conversation comment IS an issue comment in GitHub's data model. With only `pull-requests: write` the call can 403 on repos whose default GITHUB_TOKEN permission split routes issue-comment writes through `issues:`. Adding `issues: write` alongside the existing `pull-requests: write` keeps every comment path working without expanding the trust surface beyond what the original validate job needed. 3. Fail-closed gate used `[ -s changed-md.txt ]` (--diff-filter=ACMRT, excludes deletions) but validate is now gated on `has_md_changes` which is computed from `[ -s diff-md.patch ]` (unfiltered, deletion- aware). A deletion-only PR with a missing reference DB would reach validate (has_md_changes=true) but bypass the fail-closed gate (changed-md.txt empty), masking the DB-missing condition. Switch the gate to `[ -s diff-md.patch ]` so both signals agree. A separate Copilot finding (line 170, "validate gated on has_md_changes means RST-only PRs do not run") is pushed back on the PR thread as intentional design β€” RST is legacy per the RSTβ†’MyST migration, and the RST bookkeeping in prepare exists to surface mixed-MD-RST PRs in the Pass 2 prompt, not to drive validation on RST-only PRs. --- .github/workflows/ai-validation.yml | 42 ++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 425644f1..d5f1160f 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -80,6 +80,30 @@ jobs: # in changed-md.txt (which drives the bundling step). git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.md' > changed-md.z git diff "$BASE...HEAD" --name-only --diff-filter=ACMRT -z -- 'docs/**/*.rst' > changed-rst.z + # Reject paths containing line-disrupting control bytes (LF, CR, + # other 0x01-0x1F + 0x7F) before generating the newline-delimited + # *.txt manifests. NUL itself can't appear in a git pathname + # (it's the on-disk tree-entry terminator), so it stays out of + # the rejection class and remains the legitimate record delimiter + # for `git diff -z` β€” `grep -z` honors that contract. + # + # POSIX filesystems generally allow LF/CR in filenames and git + # stores them fine; the hazard is purely in our line-delimited + # downstream tooling. Without this guard, `tr '\0' '\n'` on a + # path like `docs/foo\nbar.md` would split it into two logical + # lines β€” downstream consumers reading line-by-line would miss + # validation coverage on the real file (or worse, act on a + # synthetic path). Fail fast at this seam. + # + # An earlier `tr -d '\0\n\r' | grep [\x00-\x1F\x7F]` form + # stripped the very bytes it was meant to reject before the + # grep ran β€” defeating the guard. + for z in changed-md.z changed-rst.z; do + if LC_ALL=C grep -zPq '[\x01-\x1F\x7F]' "$z"; then + echo "::error::Refusing to bundle: path in $z contains a control character. Reject the offending file name in the PR." + exit 1 + fi + done tr '\0' '\n' < changed-md.z > changed-md.txt tr '\0' '\n' < changed-rst.z > changed-rst.txt git diff "$BASE...HEAD" -- 'docs/**/*.md' > diff-md.patch @@ -170,7 +194,16 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + # pull-requests: write is required for inline review comments via + # mcp__github_inline_comment__create_inline_comment (Pass 2). + # issues: write is required for `gh pr comment` (the skip-notice + # step and Pass 2's top-level summary comment) β€” `gh pr comment` + # posts via POST /repos/{owner}/{repo}/issues/{number}/comments, + # which the issues scope governs. Granting both keeps every + # comment path working on repos where the default GITHUB_TOKEN + # permissions split issue and PR scopes. pull-requests: write + issues: write steps: # Pass secrets via env: rather than inlining ${{ secrets.X }} into the # shell script. GitHub Actions template-expands ${{ ... }} BEFORE bash @@ -309,7 +342,14 @@ jobs: if: steps.secrets-check.outputs.skip != 'true' run: | set -euo pipefail - if [ -s changed-md.txt ] && [ ! -d .reference-db/extracted ]; then + # Gate on diff-md.patch (unfiltered) rather than changed-md.txt + # (--diff-filter=ACMRT). The job-level `if: has_md_changes` already + # ensures we only reach here when there are MD-related changes β€” + # including deletion-only PRs (where changed-md.txt is empty by + # design but diff-md.patch isn't). Using changed-md.txt here would + # silently skip the fail-closed check on those PRs, masking a + # missing reference DB from the reviewer. + if [ -s diff-md.patch ] && [ ! -d .reference-db/extracted ]; then echo "::error::Reference DB missing for vyos-1x branch '${{ steps.branch.outputs.vyos1x }}'. Pass 1 cannot run. Re-trigger rebuild-reference.yml in the reviewer repo and re-run." exit 1 fi -- cgit v1.2.3