chore(BytePort): workflow hardening -- ubuntu-24.04, SHA pins#138
chore(BytePort): workflow hardening -- ubuntu-24.04, SHA pins#138KooshaPari wants to merge 7 commits into
Conversation
- Add explicit permissions blocks (contents: read, actions: read minimum) - Add timeout-minutes to all jobs (test/build: 30, lint: 10, security: 20, deploy: 15) - Pin all actions to commit SHAs instead of @vx tags Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add explicit `permissions:` blocks with minimum scope to all workflows - Add `timeout-minutes:` to every job (test/build: 30, lint: 10, security: 20, deploy: 15) - Pin floating @vx action tags to full commit SHAs - Fix scorecard.yml YAML structure with misplaced timeout-minutes Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Remove unused OTel imports that blocked BytePort backend validation. Validation: git diff --check; rg -n "AI Slop Inside|sladge" README.md docs/sessions/20260507-byteport-sladge-main-current; git lfs status; env GOTOOLCHAIN=local GOCACHE=/tmp/byteport-go-build-cache-main-current /opt/homebrew/bin/go test -v ./...; env GOTOOLCHAIN=local GOCACHE=/tmp/byteport-go-build-cache-main-current /opt/homebrew/bin/go vet ./...; env GOTOOLCHAIN=local GOCACHE=/tmp/byteport-go-build-cache-main-current /opt/homebrew/bin/go build -buildvcs=false ./... from backend/byteport. Blocked: backend/nvms go test still fails on pre-existing import cycles, provider redeclarations, and spin-go-sdk export comment drift. Co-authored-by: Codex <noreply@openai.com>
- Pin all actions to specific SHA commits (no @v4/@main floating refs) - Replace ubuntu-latest with ubuntu-24.04 for reproducibility - Ensure minimal permissions blocks present on all workflows - SHA-pinned: checkout, setup-go, golangci-lint, codeql-action, scorecard, cargo-deny, cargo-machete, cargo-semver-checks, rustsec/audit-check, trufflehog, codecov, release, scorecard Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
codeant-ai
Bot
added
the
size:L
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| permissions: | ||
| contents: read | ||
| actions: read |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The Release Drafter workflow now sets the GITHUB_TOKEN to read-only (permissions: contents: read, actions: read) and does not override this at the job level, so the release-drafter step cannot create or update release drafts as intended.
Suggestion: Grant the update_release_draft job the minimal required write scope (e.g., permissions: { contents: write }), mirroring .github/workflows/release.yml:15-16, so the Release Drafter action can perform its release-draft mutations while keeping other workflows read-only.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/release-drafter.yml
**Line:** 10:12
**Comment:**
*CRITICAL: The Release Drafter workflow now sets the GITHUB_TOKEN to read-only (`permissions: contents: read, actions: read`) and does not override this at the job level, so the `release-drafter` step cannot create or update release drafts as intended.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 5 potential issues.
Bugbot Autofix prepared fixes for all 5 issues found in the latest run.
- ✅ Fixed: Release drafter permissions block breaks draft creation
- Added contents:write and pull-requests:read permissions to the workflow-level permissions block.
- ✅ Fixed: Vet job still uses
ubuntu-latestrunner- Changed runs-on from ubuntu-latest to ubuntu-24.04 for consistency with other jobs.
- ✅ Fixed: Release drafter still uses
ubuntu-latestrunner- Changed runs-on from ubuntu-latest to ubuntu-24.04 to complete the ubuntu-latest removal.
- ✅ Fixed: Cargo resolver changed from "2" to "3" unexpectedly
- Reverted resolver from '3' back to '2' as this behavioral change was unrelated to the PR scope.
- ✅ Fixed: Cargo audit missing
checks: writepermission breaks annotations- Added checks:write permission to enable the audit-check action to create check run annotations.
Or push these changes by commenting:
@cursor push f4786ef6b0
Preview (f4786ef6b0)
diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -17,6 +17,7 @@
permissions:
contents: read
actions: read
+ checks: write
jobs:
audit:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,7 @@
jobs:
vet:
name: Go Vet
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
timeout-minutes: 10
permissions:
contents: read
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -8,12 +8,13 @@
workflow_dispatch:
permissions:
- contents: read
+ contents: write
+ pull-requests: read
actions: read
jobs:
update_release_draft:
timeout-minutes: 15
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
steps:
- uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7
env:
diff --git a/Cargo.toml b/Cargo.toml
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,5 +1,5 @@
[workspace]
-resolver = "3"
+resolver = "2"
members = [
"frontend/web/src-tauri",
]You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 770ea7b. Configure here.
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read |
There was a problem hiding this comment.
Release drafter permissions block breaks draft creation
High Severity
The newly added top-level permissions block grants only contents: read and actions: read, but the release-drafter action requires contents: write to create/update draft releases and pull-requests: read to categorize PRs. Since no job-level permissions override exists (unlike release.yml which correctly has a job-level contents: write), the token will lack write access and the action will silently fail to create draft releases.
Reviewed by Cursor Bugbot for commit 770ea7b. Configure here.
| vet: | ||
| name: Go Vet | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 |
There was a problem hiding this comment.
Vet job still uses ubuntu-latest runner
Low Severity
The vet job in ci.yml still uses runs-on: ubuntu-latest while the build and fmt jobs in the same file were converted to ubuntu-24.04. The PR description states "Replace ubuntu-latest with ubuntu-24.04 for reproducibility" and the test plan requires confirming no ubuntu-latest refs remain in workflows.
Reviewed by Cursor Bugbot for commit 770ea7b. Configure here.
| actions: read | ||
| jobs: | ||
| update_release_draft: | ||
| timeout-minutes: 15 |
There was a problem hiding this comment.
Release drafter still uses ubuntu-latest runner
Low Severity
The release-drafter.yml workflow still uses runs-on: ubuntu-latest despite other changes being made to this file (adding permissions and timeout-minutes). The PR's test plan explicitly requires confirming no ubuntu-latest refs remain in .github/workflows/.
Reviewed by Cursor Bugbot for commit 770ea7b. Configure here.
| @@ -1,5 +1,5 @@ | |||
| [workspace] | |||
| resolver = "2" | |||
| resolver = "3" | |||
There was a problem hiding this comment.
Cargo resolver changed from "2" to "3" unexpectedly
Medium Severity
The workspace resolver was changed from "2" to "3", which enables MSRV-aware dependency resolution. This is a behavioral change unrelated to the PR's stated scope of workflow hardening. The sole workspace member (frontend/web/src-tauri) declares rust-version = "1.77.2", so resolver 3 may select different (potentially older) dependency versions to satisfy that constraint, potentially causing build failures or behavioral changes.
Reviewed by Cursor Bugbot for commit 770ea7b. Configure here.
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read |
There was a problem hiding this comment.
Cargo audit missing checks: write permission breaks annotations
High Severity
The newly added top-level permissions block grants only contents: read and actions: read, but the rustsec/audit-check action requires checks: write to post check-run results and annotations via the GitHub API. Previously, no explicit permissions block existed, so the default token permissions (which include checks: write) applied. Now the action will fail with a "Resource not accessible by integration" error when it tries to create the check run.
Reviewed by Cursor Bugbot for commit 770ea7b. Configure here.
User description
Summary
Test plan
🤖 Generated with Claude Code
Note
Low Risk
Changes are mostly CI supply-chain and runner pinning plus a no-op Go import cleanup; remaining
ubuntu-latestjobs are a minor consistency gap, not runtime risk.Overview
CI and security workflows are tightened across
.github/workflows/: most jobs move fromubuntu-latesttoubuntu-24.04,timeout-minutesare added per job, workflow-levelpermissionsnow includeactions: readwhere missing, and common steps (notablyactions/checkout,setup-go, Scorecard/CodeQL upload actions) are pinned to full commit SHAs with version comments instead of floating@v4/@mainrefs. OpenSSF Scorecard gains properconcurrency, job-level timeout, updated action SHAs, and removes a misplaced top-level timeout underon:.Non-CI changes: README adds the Sladge badge;
backend/byteport/main.godrops unused OpenTelemetry imports sogo vet/build pass without behavior change; rootCargo.tomlworkspaceresolvergoes from2to3; newdocs/sessions/20260507-byteport-sladge-main-current/records the Sladge refresh and validation notes.Incomplete hardening:
ci.ymlvetandrelease-drafter.ymlstill useubuntu-latest; some workflows (e.g.go-ci,trufflehog) still use tag-less or partially unpinned checkout/setup refs.Reviewed by Cursor Bugbot for commit 770ea7b. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Harden CI checks and add the Sladge badge to BytePort
What Changed
ubuntu-24.04, use job timeouts, and request only the minimum access they needImpact
✅ Fewer flaky CI runs✅ Safer workflow updates✅ Clearer project branding💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.