Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2,577 changes: 2,577 additions & 0 deletions .github/workflows/opencode-review.yml

Large diffs are not rendered by default.

103 changes: 103 additions & 0 deletions .github/workflows/pr-review-merge-scheduler.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
name: PR Review Merge Scheduler

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 9: no topLevel permission defined
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help

on:
schedule:
- cron: "17 */2 * * *"
workflow_dispatch:
inputs:
dry_run:
description: Print planned actions without mutating PRs
required: false
default: false
type: boolean
max_prs:
description: Maximum open PRs to inspect
required: false
default: "100"
trigger_reviews:
description: Dispatch OpenCode Review for PR heads without current approval
required: false
default: false
type: boolean
enable_auto_merge:
description: Enable auto-merge for current-head approved PRs
required: false
default: true
type: boolean
update_branches:
description: Update outdated PR branches after OpenCode approval
required: false
default: true
type: boolean
stale_opencode_minutes:
description: Redispatch OpenCode Review when an in-progress OpenCode check is older than this many minutes
required: false
default: "45"

concurrency:
group: pr-review-merge-scheduler
cancel-in-progress: false

env:
GIT_CONFIG_COUNT: "1"
GIT_CONFIG_KEY_0: init.defaultBranch
GIT_CONFIG_VALUE_0: develop

jobs:
scan-pr-queue:
runs-on: ubuntu-latest
permissions:
checks: read
contents: write

Check failure

Code scanning / Scorecard

Token-Permissions High

score is 9: jobLevel 'contents' permission set to 'write'
Remediation tip: Visit https://app.stepsecurity.io/secureworkflow.
Tick the 'Restrict permissions for GITHUB_TOKEN'
Untick other options
NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead.
Click Remediation section below for further remediation help
issues: write
pull-requests: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run == true }}
MAX_PRS: ${{ inputs.max_prs || '100' }}
PROJECT_FLOW: ${{ vars.PROJECT_FLOW || 'git-flow' }}
TRIGGER_REVIEWS: ${{ github.event_name == 'workflow_dispatch' && inputs.trigger_reviews == true }}
ENABLE_AUTO_MERGE: ${{ github.event_name != 'workflow_dispatch' || inputs.enable_auto_merge == true }}
UPDATE_BRANCHES: ${{ github.event_name != 'workflow_dispatch' || inputs.update_branches == true }}
STALE_OPENCODE_MINUTES: ${{ inputs.stale_opencode_minutes || vars.STALE_OPENCODE_MINUTES || '45' }}
steps:
- name: Checkout trusted scheduler
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 1

- name: Self-test scheduler
run: python3 scripts/ci/pr_review_merge_scheduler.py --self-test

- name: Inspect PR review and merge queue
run: |
set -euo pipefail
args=(
--repo "$GITHUB_REPOSITORY"
--base-branch "$DEFAULT_BRANCH"
--max-prs "$MAX_PRS"
--project-flow "$PROJECT_FLOW"
--review-workflow "OpenCode Review"
--stale-opencode-minutes "$STALE_OPENCODE_MINUTES"
)
if [ "$DRY_RUN" = "true" ]; then
args+=(--dry-run)
fi
if [ "$TRIGGER_REVIEWS" = "true" ]; then
args+=(--trigger-reviews)
else
args+=(--no-trigger-reviews)
fi
if [ "$ENABLE_AUTO_MERGE" = "true" ]; then
args+=(--enable-auto-merge)
else
args+=(--no-enable-auto-merge)
fi
if [ "$UPDATE_BRANCHES" = "true" ]; then
args+=(--update-branches)
else
args+=(--no-update-branches)
fi
python3 scripts/ci/pr_review_merge_scheduler.py "${args[@]}"
4 changes: 4 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,7 @@
**Vulnerability:** CSV formula injection mitigation was naive, missing leading whitespace, tabs, and newlines.
**Learning:** Checking `/^[=+\-@]/` is not sufficient, as OWASP states that spaces and tabs before the formula triggers will also execute the formula in applications like Excel.
**Prevention:** Use a regex that allows leading whitespace (e.g. `/^[\s\uFEFF\xA0]*[=+\-@\t\r\n]/`) and include standalone tabs or new lines which are also injection vectors.
## 2026-06-27 - [Path Traversal in AudioStemSeparator File Loads]
**Vulnerability:** The local `AudioStemSeparator` accepted untrusted audio source paths and model profile path overrides without robust verification against path traversal. It used `Path.expanduser()` which implicitly resolves `~` but failed to sanitize relative directory traversal (`../`).
**Learning:** `Path.expanduser()` is risky for handling dynamic, untrusted paths, as it doesn't protect against walking back up a directory tree using `../`. Although `.resolve(strict=True)` helps ensure existence, it doesn't block directory traversal attacks leading to sensitive files (e.g. `../../../../etc/passwd`).
**Prevention:** Remove `Path.expanduser()` on input paths in backend services receiving untrusted local file paths, and explicitly raise an error when path traversal sequences (`..`) are detected in the given paths. Ensure 100% test coverage encompasses explicitly asserting this failure behavior.
Loading
Loading