2 changes: 1 addition & 1 deletion .github/workflows/strix.yml
Expand Up @@ -545,7 +545,7 @@ jobs:
STRIX_LLM_MAX_RETRIES: 1
STRIX_TRANSIENT_RETRY_PER_MODEL: 2
STRIX_TRANSIENT_RETRY_BACKOFF_SECONDS: 60
STRIX_FALLBACK_MODELS: ${{ steps.gate.outputs.provider_mode == 'github_models' && 'github_models/openai/gpt-5-chat github_models/openai/o3 github_models/deepseek/deepseek-v3-0324 github_models/deepseek/deepseek-r1-0528 github_models/deepseek/deepseek-r1' || '' }}
STRIX_FALLBACK_MODELS: ${{ steps.gate.outputs.provider_mode == 'github_models' && 'github_models/openai/o3 github_models/openai/gpt-5-chat' || '' }}
STRIX_FAIL_ON_PROVIDER_SIGNAL: "1"
STRIX_VERTEX_FALLBACK_MODELS: ""
NPM_CONFIG_IGNORE_SCRIPTS: "true"
4 changes: 2 additions & 2 deletions scripts/ci/emit_opencode_failed_check_fallback_findings.sh
Expand Up @@ -639,8 +639,8 @@ emit_strix_provider_failure_finding() {
if grep -Eq "api\\.deepseek\\.com|401 Unauthorized|Authentication Fails|DeepseekException" "$strix_evidence_file"; then
printf -- '- Problem: Strix failed before producing vulnerability reports. The failed log reported `RateLimitError` / `Too many requests` for the primary `openai/gpt-5` attempt, then fallback attempts reached direct DeepSeek (`api.deepseek.com`) and failed with `401 Unauthorized` or `Authentication Fails`, ending with `Configured model and fallback models were unavailable`.\n'
printf -- '- Root cause: The fallback model names were not routed through the GitHub Models endpoint for this failed PR check, so a GitHub Models token was used against direct DeepSeek instead of `https://models.github.ai/inference`; no Strix Vulnerability Report window was produced.\n'
printf -- '- Fix: Do not approve from this failed scan. Keep %s:%s using the GitHub Models-qualified fallback list (`github_models/deepseek/deepseek-v3-0324 github_models/deepseek/deepseek-r1-0528`) and keep the Strix gate mapping those values to `openai/deepseek/...` for the GitHub Models API base, then rerun the failed PR Strix check.\n' "$path" "$line"
printf -- '- Suggested edit: `%s:%s` must use `STRIX_FALLBACK_MODELS: ${{ steps.gate.outputs.provider_mode == '\''github_models'\'' && '\''github_models/deepseek/deepseek-v3-0324 github_models/deepseek/deepseek-r1-0528'\'' || '\'''\'' }}` instead of unqualified `deepseek/...` values that route to `api.deepseek.com`.\n' "$path" "$line"
printf -- '- Fix: Do not approve from this failed scan. Keep %s:%s on the approved GitHub Models fallback list (`github_models/openai/o3 github_models/openai/gpt-5-chat`) and remove direct DeepSeek fallback routing from the workflow before rerunning the failed PR Strix check.\n' "$path" "$line"
printf -- '- Suggested edit: `%s:%s` must use `STRIX_FALLBACK_MODELS: ${{ steps.gate.outputs.provider_mode == '\''github_models'\'' && '\''github_models/openai/o3 github_models/openai/gpt-5-chat'\'' || '\'''\'' }}` instead of unqualified `deepseek/...` values that route to `api.deepseek.com`.\n' "$path" "$line"
else
printf -- '- Problem: Strix failed before producing vulnerability reports. The failed log reported LLM CONNECTION FAILED, RateLimitError or Too many requests for the primary model, provider/budget output for fallback models, and Configured model and fallback models were unavailable.\n'
printf -- '- Root cause: The configured GitHub Models primary/fallback provider capacity or provider route failed for this run; no Strix Vulnerability Report window was produced, so there is no application source line to patch from this evidence.\n'
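Review bot: The approved fallback list `github_models/openai/o3 github_models/openai/gpt-5-chat` is now hard-coded twice in the printf format strings of the DeepSeek branch of emit_strix_provider_failure_finding, duplicating `STRIX_FALLBACK_MODELS` in .github/workflows/strix.yml, so the remediation text goes stale whenever the workflow list changes (this commit had to edit both by hand). Define the list once in the script, e.g. `readonly APPROVED_GITHUB_MODELS_FALLBACKS='github_models/openai/o3 github_models/openai/gpt-5-chat'`, and pass it to both printf calls as an extra `%s` argument. A stale "Suggested edit" in a security finding tends to be pasted verbatim, so the single source of truth matters here. The function starts before and continues after this hunk, so where the constant belongs has to be checked against the rest of the file.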
83 changes: 66 additions & 17 deletions scripts/ci/strix_quick_gate.sh
Expand Up @@ -594,7 +594,7 @@ is_preexisting_report_dir() {
is_github_models_model() {
case "$1" in
openai/openai/* | github_models/* | \
openai/gpt-5* | openai/gpt-[6-9]* | openai/gpt-[1-9][0-9]* | \
openai/o3 | openai/gpt-5* | openai/gpt-[6-9]* | openai/gpt-[1-9][0-9]* | \
openai/deepseek/* | openai/meta/* | openai/mistral-ai/* | \
deepseek/* | meta/* | mistral-ai/*)
return 0
Expand All @@ -608,7 +608,7 @@ is_github_models_model() {
is_github_models_api_compatible_model() {
case "$1" in
openai/openai/* | github_models/* | \
openai/gpt-5* | openai/gpt-[6-9]* | openai/gpt-[1-9][0-9]* | \
openai/o3 | openai/gpt-5* | openai/gpt-[6-9]* | openai/gpt-[1-9][0-9]* | \
openai/deepseek/* | openai/meta/* | openai/mistral-ai/* | \
deepseek/* | meta/* | mistral-ai/*)
return 0
Expand Down Expand Up @@ -1872,27 +1872,45 @@ vulnerability_record_intersects_changed_file() {
if [ "${diff_rc:-0}" -ne 0 ]; then
diff_output="$(git diff --unified=0 "$base_sha..$head_sha" -- "$changed_file" 2>/dev/null)" || return 0
fi
DIFF_OUTPUT="$diff_output" python3 - "$start_line" "$end_line" <<'PY'
import os
local diff_output_file
diff_output_file="$(mktemp "${TMPDIR:-/tmp}/strix-diff.XXXXXX")" || {
echo "ERROR: unable to create temporary diff file for changed-line evaluation." >&2
return 1
}
trap 'rm -f -- "$diff_output_file"' RETURN
printf '%s' "$diff_output" >"$diff_output_file"
local intersects_rc
if python3 - "$diff_output_file" "$start_line" "$end_line" <<'PY'
import re
import sys

target_start = int(sys.argv[1])
target_end = int(sys.argv[2])
diff_output_path = sys.argv[1]
target_start = int(sys.argv[2])
target_end = int(sys.argv[3])
hunk_re = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")
for line in os.environ.get("DIFF_OUTPUT", "").splitlines():
match = hunk_re.match(line)
if not match:
continue
start = int(match.group(1))
count = int(match.group(2) or "1")
if count == 0:
continue
end = start + count - 1
if start <= target_end and target_start <= end:
raise SystemExit(0)
with open(diff_output_path, "r", encoding="utf-8") as handle:
for raw_line in handle:
line = raw_line.rstrip("\n")
match = hunk_re.match(line)
if not match:
continue
start = int(match.group(1))
count = int(match.group(2) or "1")
if count == 0:
continue
end = start + count - 1
if start <= target_end and target_start <= end:
raise SystemExit(0)
raise SystemExit(1)
PY
then
intersects_rc=0
else
intersects_rc=$?
fi
rm -f -- "$diff_output_file"
trap - RETURN
return "$intersects_rc"
}

extract_first_severity_rank() {
Expand Down Expand Up @@ -2576,6 +2594,32 @@ is_vertex_not_found_error() {
return 1
}

github_models_api_base_is_active() {
if [ -z "$LLM_API_BASE_FILE" ]; then
return 1
fi

local resolved_llm_api_base_file
if ! resolved_llm_api_base_file="$(resolve_trusted_input_file "LLM_API_BASE_FILE" "$LLM_API_BASE_FILE" 2>/dev/null)"; then
return 1
fi

local llm_api_base_value
llm_api_base_value="$(cat -- "$resolved_llm_api_base_file" 2>/dev/null)" || return 1
llm_api_base_value="${llm_api_base_value%%/generateContent*}"
llm_api_base_value="${llm_api_base_value%%:generateContent*}"
llm_api_base_value="$(trim_whitespace "$llm_api_base_value")"
is_github_models_api_base "$llm_api_base_value"
}

strix_log_has_github_models_context() {
if grep -Eiq '(models\.github\.ai|GitHub Models|github_models)' "$STRIX_LOG"; then
return 0
fi

github_models_api_base_is_active
}

is_github_models_unavailable_model_error() {
if grep -Eiq 'Unavailable model:[[:space:]]*[^[:space:]]+' "$STRIX_LOG" &&
grep -Eiq '(litellm\.BadRequestError|OpenAIException|LLM CONNECTION FAILED|Could not establish connection to the language model|models\.github\.ai|GitHub Models|openai)' "$STRIX_LOG"; then
Expand All @@ -2588,6 +2632,11 @@ is_github_models_unavailable_model_error() {
return 0
fi

if grep -Eiq '(UnsupportedToolUse|tool use\. Using tool is not supported by this model|Using tool is not supported by this model)' "$STRIX_LOG" &&
strix_log_has_github_models_context; then
return 0
fi

return 1
}
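Review bot: In vulnerability_record_intersects_changed_file the new temp-file path reports an evaluation error with the same status 1 that means "no intersection". The Python reader opens the diff with strict `encoding="utf-8"`, so a changed file with non-UTF-8 bytes raises UnicodeDecodeError and exits 1, which the removed `os.environ` read would not have done; the mktemp failure branch likewise returns 1 while the git-diff failure just above it returns 0. If callers treat non-zero as "finding is outside the changed lines" (not visible in this hunk), a finding could be dropped on error rather than kept. Use `with open(diff_output_path, "r", encoding="utf-8", errors="replace") as handle:` and `return 0` in the mktemp failure branch so both error paths match the existing conservative fallback. The function begins outside this hunk, so the caller's handling of the status should be confirmed there.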
