55 changes: 0 additions & 55 deletions .github/workflows/close-empty-pr.yml

This file was deleted.

124 changes: 0 additions & 124 deletions .github/workflows/codeql-pr.yml

This file was deleted.
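Review bot: deleting codeql-pr.yml removes CodeQL scanning of pull requests and nothing in this diff adds a replacement; if the intent is to rely on a default-setup CodeQL configuration in repository settings, state that in the PR description, otherwise PR-time code scanning coverage is lost by this change.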

16 changes: 8 additions & 8 deletions .github/workflows/opencode-review.yml
Expand Up @@ -2007,10 +2007,10 @@ jobs:
},
"agent": {
"ci-review": {
"description": "Thorough read-only CI pull request reviewer",
"description": "Compact read-only CI pull request reviewer",
"mode": "primary",
"prompt": "{file:./ci-review-prompt.md}",
"steps": 100,
"steps": 4,
"reasoningEffort": "high",
"permission": {
"edit": "deny",
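Review bot: cutting ci-review from 100 steps to 4 is a 25x reduction while the description still promises a full read-only review; with 4 tool steps the agent can run out of budget before it has read the diff, so confirm the workflow treats step exhaustion as an inconclusive result rather than an approval, and record the chosen value in ci-review-prompt.md so the prompt does not ask for more than the agent can do.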
Expand All @@ -2030,7 +2030,7 @@ jobs:
"description": "Expanded read-only CI pull request reviewer fallback",
"mode": "primary",
"prompt": "{file:./ci-review-prompt.md}",
"steps": 150,
"steps": 12,
"reasoningEffort": "high",
"permission": {
"edit": "deny",
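Review bot: the fallback agent keeps the description "Expanded" but now has only 12 steps, three times the primary's 4; if the primary fails by running out of steps, 12 is unlikely to change the outcome on a large diff, so either size the fallback by the expected diff or state the reason for the value in a comment next to it.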
Expand All @@ -2050,7 +2050,7 @@ jobs:
"description": "Use this subagent immediately after code changes, before opening or merging a PR, or when asked to review a diff. Reviews only; never edits code. Focuses on correctness, security, maintainability, tests, and production risk.",
"mode": "subagent",
"prompt": "{file:./code-reviewer-prompt.md}",
"steps": 100,
"steps": 16,
"color": "#7c3aed",
"reasoningEffort": "high",
"permission": {
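Review bot: the code-reviewer subagent drops from 100 to 16 steps while its description still commits to covering correctness, security, maintainability, tests and production risk in one pass; since edit is denied the only cost of a larger budget is time, so either keep a larger value or state in code-reviewer-prompt.md which of those areas the subagent should cover first when the budget runs out.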
Expand Down Expand Up @@ -2272,17 +2272,17 @@ jobs:
- name: Run OpenCode PR Review model pool
id: opencode_review_model_pool
if: needs.coverage-evidence.result == 'success'
timeout-minutes: 350
timeout-minutes: 285
env:
STRIX_GITHUB_MODELS_TOKEN: ${{ secrets.STRIX_GITHUB_MODELS_TOKEN || github.token }}
GITHUB_TOKEN: ${{ secrets.STRIX_GITHUB_MODELS_TOKEN || github.token }}
USE_GITHUB_TOKEN: "true"
SHARE: "false"
NPM_CONFIG_IGNORE_SCRIPTS: "true"
NO_COLOR: "1"
OPENCODE_MODEL_CANDIDATES: "github-models/openai/gpt-5 github-models/openai/gpt-5-chat github-models/deepseek/deepseek-v3-0324 github-models/openai/o3 github-models/deepseek/deepseek-r1 github-models/openai/o4-mini github-models/openai/o3-mini github-models/openai/gpt-5-mini github-models/mistral-ai/mistral-medium-2505 github-models/openai/gpt-5-nano github-models/deepseek/deepseek-r1-0528 github-models/meta/llama-4-maverick-17b-128e-instruct-fp8 github-models/meta/llama-4-scout-17b-16e-instruct"
OPENCODE_MODEL_ATTEMPTS: "5"
OPENCODE_RUN_TIMEOUT_SECONDS: "20400"
OPENCODE_MODEL_CANDIDATES: "github-models/openai/o4-mini github-models/openai/o3-mini github-models/openai/gpt-5-mini github-models/openai/gpt-5-chat github-models/openai/o3 github-models/mistral-ai/mistral-medium-2505 github-models/openai/gpt-5-nano github-models/deepseek/deepseek-r1-0528 github-models/deepseek/deepseek-r1 github-models/deepseek/deepseek-v3-0324 github-models/meta/llama-4-maverick-17b-128e-instruct-fp8 github-models/meta/llama-4-scout-17b-16e-instruct"
OPENCODE_MODEL_ATTEMPTS: "1"
OPENCODE_RUN_TIMEOUT_SECONDS: "600"
OPENCODE_EXPORT_TIMEOUT_SECONDS: "120"
OPENCODE_TOTAL_RETRY_BUDGET_SECONDS: "0"
OPENCODE_BACKOFF_INITIAL_SECONDS: "30"
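Review bot: OPENCODE_MODEL_ATTEMPTS is now "1" and OPENCODE_TOTAL_RETRY_BUDGET_SECONDS stays "0", so a single transient failure of the first candidate model ends the review with no retry, which also makes OPENCODE_BACKOFF_INITIAL_SECONDS "30" dead configuration. The step's timeout-minutes: 285 (17100 s) is far above the 600 s run timeout plus 120 s export timeout, so either lower it to match or explain what else the step spends that time on. Note too that github-models/openai/gpt-5 was dropped from OPENCODE_MODEL_CANDIDATES rather than just reordered (13 entries before, 12 after); the PR description should call that out.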
2 changes: 1 addition & 1 deletion .github/workflows/osv-scanner-pr.yml
Expand Up @@ -6,7 +6,7 @@ name: OSV-Scanner PR

on:
pull_request:
branches: [main, master, develop]
branches: [main]

permissions:
# Upload SARIF to Security > Code Scanning. See github/codeql-action#2117.
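Review bot: narrowing the pull_request trigger to branches: [main] means PRs targeting master or develop no longer get OSV-Scanner results; if those branches are gone this is fine, but if develop is still an integration branch, vulnerable dependencies can land there unscanned and only surface when the develop-to-main PR runs. Confirm the branch list matches the repository's actual branches before merging.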
2 changes: 1 addition & 1 deletion .github/workflows/scorecard-pr.yml
Expand Up @@ -13,7 +13,7 @@ name: Scorecard PR

on:
pull_request:
branches: [main, master, develop]
branches: [main]

permissions:
contents: read
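Review bot: same concern as in osv-scanner-pr.yml: with branches: [main] only, Scorecard no longer runs on PRs into master or develop. The two workflows' branch filters are kept in sync here, which is good; confirm develop is no longer in use so this is not a coverage gap.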
111 changes: 0 additions & 111 deletions .github/workflows/security-scan.yml

This file was deleted.
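Review bot: security-scan.yml is deleted outright with no replacement in this diff; together with the removal of codeql-pr.yml this leaves osv-scanner-pr.yml and scorecard-pr.yml as the only PR security workflows touched here, and both are narrowed to main in the same change, so document what still covers the checks this workflow ran.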

3 changes: 0 additions & 3 deletions .jules/bolt.md
Expand Up @@ -25,6 +25,3 @@
## 2024-05-19 - Pre-compile Regex Patterns in Loop-called Functions
**Learning:** In `scripts/ci/pr_review_merge_scheduler.py`, the `scrub_sensitive_data` function was repeatedly compiling multiple regex patterns via `re.sub` for every log line or text scrubbed. This incurs measurable overhead due to cache lookups and object recreation in tightly looped string processing.
**Action:** When using multiple regex replacements inside functions that are called frequently or process large amounts of text, define and pre-compile the regex objects at the module level (e.g., `SENSITIVE_DATA_SCRUB_PATTERNS`) and iterate over them using `pattern.sub()`.
## 2026-07-02 - Credential Masking Security Hole in Subprocess Environments
**Learning:** Found a critical missing credential masking pattern in `scripts/ci/noema_review_gate.py`'s `scrub_sensitive_data` which didn't mask `Authorization: Basic` or `Proxy-Authorization: Basic` tokens unlike its analogous helper in `scripts/ci/pr_review_merge_scheduler.py`. This leaves exception messages and logs vulnerable to exposing sensitive credentials when HTTP operations fail.
**Action:** When implementing credential masking functions that sanitize tracebacks and log messages, ensure the masking scope includes all relevant headers, particularly `Authorization` and `Proxy-Authorization`. Ensure parity across masking helpers across CI scripts to prevent blind spots.
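Review bot: this deletes the 2026-07-02 entry recording that scrub_sensitive_data in scripts/ci/noema_review_gate.py did not mask Authorization: Basic or Proxy-Authorization: Basic values, while the entry above it about the sibling helper in scripts/ci/pr_review_merge_scheduler.py is kept; unless the masking parity it describes has been reverted, the learning still applies and removing it loses the only record of why both helpers must mask the same headers. State the reason for the removal in the PR, or keep the entry.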
4 changes: 0 additions & 4 deletions .jules/sentinel.md
Expand Up @@ -22,7 +22,3 @@
**Vulnerability:** Server-Side Request Forgery (SSRF) / Local File Inclusion
**Learning:** Functions that fetch URLs provided via user inputs (e.g., `wait_for_url` fetching `--backend-ready-url` in CI scripts) can inadvertently read local files if they do not validate the scheme. Python's `urllib.request.urlopen` supports `file://` schemes, allowing attackers to access arbitrary file contents from the host machine or sandbox if they can control the URL parameter.
**Prevention:** Always validate URL inputs to restrict allowed schemes. Check that URLs explicitly start with `http://` or `https://` before fetching them with standard libraries like `urllib`.
## 2026-07-03 - Prevent SSRF via URL Scheme Validation
**Vulnerability:** Server-Side Request Forgery (SSRF) / Local File Inclusion
**Learning:** External URL fetching with `urllib.request.urlopen` (like API endpoints passed via environment variables) can accept schemes like `file://` implicitly, which could allow arbitrary file reading or internal network scanning if the environment is misconfigured or manipulated.
**Prevention:** Always validate that URLs explicitly start with `http://` or `https://` before using them in standard library requests. Append to suppress linter warnings only after verifying the input is validated.
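Review bot: the removed 2026-07-03 entry duplicates the SSRF / file:// learning kept directly above it (same vulnerability, same urllib.request.urlopen scheme check), so dropping it is fine; the one detail that does not survive is the point about adding linter suppressions only after the scheme check is in place, which could be folded into the retained entry's Prevention line.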