ci(risk-paths): exclude .env.example/template/sample from blocked glob#74
topcoder1 wants to merge 1 commit into
Conversation
Fleet rollout of the fix shipped in whois-api-llc/wxa-graph#155 on 2026-05-23. The blocked-glob **/.env* matched .env.example (a docs template), causing claude-author-automerge.yml to refuse PRs that added env-var documentation. Replaced with explicit secrets-bearing variants so .env.example, .env.sample, .env.template, .env.dist fall through to standard classification. Includes the .env.<env>.local framework variants (Vite, CRA, Next.js, Nuxt) per Claude review feedback on wxa-graph#155. Co-Authored-By: Claude Sonnet 4.7 <noreply@anthropic.com>
| - '**/.env.local' | ||
| - '**/.env.development' | ||
| - '**/.env.development.local' | ||
| - '**/.env.production' | ||
| - '**/.env.production.local' | ||
| - '**/.env.staging' | ||
| - '**/.env.staging.local' | ||
| - '**/.env.test' | ||
| - '**/.env.test.local' | ||
| - '**/secrets*' |
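Review bot: A comment above this list in risk-paths.yml recording why the broad `**/.env*` glob was replaced and which template suffixes (`.example`, `.sample`, `.template`, `.dist`) are meant to fall through would keep the next maintainer from either restoring the glob or trimming entries without seeing the trade-off; something like `# Explicit variants instead of '**/.env*': that glob also matched .env.example docs templates (wxa-graph#155)` placed just before `- '**/.env.local'` would do.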
The explicit enumeration misses several common secrets-bearing variants that the old **/.env* glob caught. Real projects frequently use names like .env.prod, .env.dev, .env.ci, .env.qa, .env.uat, .env.preview, and .env.stg — files that are semantically secrets-bearing but spell out shorthand environment names rather than the full production/development/staging strings.
After this change, a PR that adds .env.prod with real credentials would classify as standard and could auto-merge, whereas before it would have been blocked.
Two options:
- Add the common shorthands to the list (`**/.env.prod`, `**/.env.dev`, `**/.env.ci`, `**/.env.qa`, `**/.env.uat`, `**/.env.stg`, `**/.env.preview`).
- Invert the logic in `classify.mjs`: block `**/.env*` by default, then in the classifier explicitly unclassify known-safe suffixes (`.example`, `.sample`, `.template`, `.dist`) back to `standard`. This is more robust but requires a code change to the script rather than just YAML.
Option 1 is the simpler fix for now, though it will always be an incomplete enumeration as new shorthand names appear. Option 2 closes the class of bypass permanently.
Flagged 1 issue inline: the explicit env variant enumeration misses common shorthands (prod, dev, ci, qa suffixes) that are secrets-bearing but do not match the listed full-name variants, creating a bypass path vs. the original broad glob.
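One way to implement the second option raised in the review above, as an added example that is not the project's own classify.mjs: every `.env*` basename is blocked by default (the behaviour of the original `**/.env*` glob) and only the four documented template suffixes are released to `standard`. The suffix list, the basename-prefix handling of `**/secrets*`, and the PR-level roll-up are assumptions.

```javascript
// Added example, not the project's classify.mjs: the "invert the logic"
// classifier from the review. Every `.env*` basename is blocked by default
// (mirroring the original '**/.env*' glob) and only the documented template
// suffixes are released back to "standard".

// Suffixes that mark a documentation template rather than real secrets
// (assumed list: the four named in the review).
const SAFE_TEMPLATE_SUFFIXES = [".example", ".sample", ".template", ".dist"];

// Other blocked basename patterns from the hunk ('**/secrets*'), expressed as
// prefix checks (assumption: the YAML globs are matched against the basename).
const BLOCKED_BASENAME_PREFIXES = ["secrets"];

// Last path component, treating both '/' and '\' as separators.
function basename(filePath) {
  return filePath.split(/[\\/]/).pop() || "";
}

// Classify one changed path as "blocked" or "standard".
function classifyPath(filePath) {
  const base = basename(filePath);
  if (base.startsWith(".env")) {
    // The template suffix must be the final component: `.env.example.local`
    // is a real local override, not a template, and stays blocked. Shorthand
    // names such as `.env.prod` or `.env.qa` are blocked without being listed.
    const isTemplate = SAFE_TEMPLATE_SUFFIXES.some((s) => base.endsWith(s));
    return isTemplate ? "standard" : "blocked";
  }
  if (BLOCKED_BASENAME_PREFIXES.some((p) => base.startsWith(p))) {
    return "blocked";
  }
  return "standard";
}

// A PR takes the most restrictive classification of any file it touches.
function classifyPullRequest(changedPaths) {
  return changedPaths.some((p) => classifyPath(p) === "blocked")
    ? "blocked"
    : "standard";
}

// Constructed sample: a PR that adds a shorthand env file alongside docs.
const SAMPLE_PR = ["README.md", "docs/.env.example", "apps/api/.env.prod"];
console.log(classifyPullRequest(SAMPLE_PR)); // blocked
```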
Summary
Fleet rollout of the fix shipped in whois-api-llc/wxa-graph#155. The blocked-glob `**/.env*` matched `.env.example` (a docs template), causing `claude-author-automerge.yml` to refuse PRs that added env-var documentation.
Replaces with explicit secrets-bearing variants: `**/.env`, `**/.env.local`, `**/.env.development[.local]`, `**/.env.production[.local]`, `**/.env.staging[.local]`, `**/.env.test[.local]`
Documentation templates (`.env.example`, `.env.sample`, `.env.template`, `.env.dist`) now fall through to `standard` classification.
Auto-merge rationale
This PR ITSELF touches `.github/risk-paths.yml` which is in the blocked list (intentional — classifier-config changes deserve maintainer review). Manual click-merge expected. The fix lands for FUTURE PRs once merged.
Test plan
- `.env`-style files still classified blocked (bare `**/.env` and named variants)
- `.env.example` no longer matches blocked
🤖 Generated with Claude Code