diff --git a/.github/scripts/check-pr-security.mjs b/.github/scripts/check-pr-security.mjs index dd2ea53f..2361b2bf 100644 --- a/.github/scripts/check-pr-security.mjs +++ b/.github/scripts/check-pr-security.mjs @@ -243,10 +243,14 @@ export async function syncDraftAdvisory(fetchImpl, token, repo, prNumber, prTitl }); } +// Cap pagination so a large backlog of unrelated draft advisories cannot stall +// the security gate (it runs inside a 5-minute workflow timeout). +const MAX_DRAFT_ADVISORY_PAGES = 20; + export async function findExistingDraftAdvisory(fetchImpl, token, repo, prNumber) { const prMarker = `PR #${prNumber}`; - for (let page = 1; ; page += 1) { + for (let page = 1; page <= MAX_DRAFT_ADVISORY_PAGES; page += 1) { const advisories = await fetchImpl( `/repos/${repo}/security-advisories?state=draft&per_page=100&page=${page}`, token, @@ -261,6 +265,12 @@ export async function findExistingDraftAdvisory(fetchImpl, token, repo, prNumber if (advisories.length < 100) return null; } + + console.warn( + `[security] findExistingDraftAdvisory: hit ${MAX_DRAFT_ADVISORY_PAGES}-page cap without finding PR #${prNumber}; ` + + 'treating as new advisory. A duplicate draft may be created.', + ); + return null; } export async function postSecurityCheckRun(fetchImpl, token, repo, headSha, hasFlags) { @@ -296,7 +306,29 @@ export async function postSecurityCheckRun(fetchImpl, token, repo, headSha, hasF // ── Main ────────────────────────────────────────────────────────────────────── +// Wall-clock budget for the whole script. The workflow job has a 5-minute +// timeout-minutes, and `continue-on-error: true` on a step does NOT override +// a job-level timeout — it only suppresses step failures. So if any API call +// (e.g. security-advisories POST/PATCH) hangs, the whole job is cancelled, +// failing the `review` check. This watchdog enforces the script's documented +// "always exit 0" contract regardless of API behaviour. +export const SCRIPT_WATCHDOG_MS = 90_000; + +export function startScriptWatchdog(timeoutMs = SCRIPT_WATCHDOG_MS, exit = process.exit) { + const timer = setTimeout(() => { + console.warn( + `[security] script exceeded ${timeoutMs}ms wall-clock budget; exiting 0 per always-exit-0 contract` + ); + exit(0); + }, timeoutMs); + // Don't keep the event loop alive solely for the watchdog. + timer.unref?.(); + return timer; +} + async function main() { + const watchdog = startScriptWatchdog(); + const { GH_TOKEN, GH_REPO, PR_NUMBER } = process.env; if (!GH_TOKEN || !GH_REPO || !PR_NUMBER) { @@ -352,6 +384,7 @@ async function main() { } // Always exit 0 — security flags are silent, never block the PR publicly + clearTimeout(watchdog); process.exit(0); } diff --git a/.github/scripts/get-bot-token.mjs b/.github/scripts/get-bot-token.mjs index 7c6ac05c..52bf9f9b 100644 --- a/.github/scripts/get-bot-token.mjs +++ b/.github/scripts/get-bot-token.mjs @@ -25,19 +25,38 @@ export function generateJWT(privateKey) { return `${data}.${sig}`; } +// Per-call timeout so a single slow/hung GitHub endpoint cannot eat the entire +// workflow budget. Overridable via options.timeoutMs for callers that need +// different bounds. +export const GH_FETCH_DEFAULT_TIMEOUT_MS = 15_000; + export async function ghFetch(path, token, options = {}) { - const res = await fetch(`https://api.github.com${path}`, { - ...options, - headers: { - Authorization: `Bearer ${token}`, - Accept: 'application/vnd.github+json', - 'X-GitHub-Api-Version': '2022-11-28', - ...options.headers, - }, - }); - const text = await res.text(); - if (!res.ok) throw new Error(`GitHub API ${options.method ?? 'GET'} ${path} → ${res.status}: ${text}`); - return JSON.parse(text); + const { timeoutMs = GH_FETCH_DEFAULT_TIMEOUT_MS, signal: externalSignal, ...fetchOptions } = options; + const controller = new AbortController(); + const timer = setTimeout(() => controller.abort(new Error(`ghFetch timeout after ${timeoutMs}ms: ${path}`)), timeoutMs); + const abortOnExternal = () => controller.abort(externalSignal?.reason); + if (externalSignal) { + if (externalSignal.aborted) abortOnExternal(); + else externalSignal.addEventListener('abort', abortOnExternal, { once: true }); + } + try { + const res = await fetch(`https://api.github.com${path}`, { + ...fetchOptions, + signal: controller.signal, + headers: { + Authorization: `Bearer ${token}`, + Accept: 'application/vnd.github+json', + 'X-GitHub-Api-Version': '2022-11-28', + ...fetchOptions.headers, + }, + }); + const text = await res.text(); + if (!res.ok) throw new Error(`GitHub API ${fetchOptions.method ?? 'GET'} ${path} → ${res.status}: ${text}`); + return JSON.parse(text); + } finally { + clearTimeout(timer); + if (externalSignal) externalSignal.removeEventListener('abort', abortOnExternal); + } } export async function resolveInstallationId(fetchInstallation, token, repo, owner) { diff --git a/.github/scripts/tests/check-pr-security.test.mjs b/.github/scripts/tests/check-pr-security.test.mjs index 26667750..637e2c50 100644 --- a/.github/scripts/tests/check-pr-security.test.mjs +++ b/.github/scripts/tests/check-pr-security.test.mjs @@ -10,9 +10,11 @@ import { scanSupplyChain, scanTestPatterns, scanSensitivePaths, + startScriptWatchdog, syncDraftAdvisory, validateSensitivePaths, } from '../check-pr-security.mjs'; +import { ghFetch } from '../get-bot-token.mjs'; // ── scanSecrets ────────────────────────────────────────────────────────────── @@ -143,6 +145,19 @@ test('findExistingDraftAdvisory: returns null when no matching draft advisory ex assert.equal(advisory, null); }); +test('findExistingDraftAdvisory: bails out at the page cap so a large backlog cannot hang the workflow', async () => { + let pageCount = 0; + const fakeFetch = async () => { + pageCount += 1; + return Array.from({ length: 100 }, (_, i) => ({ summary: `Unrelated advisory ${pageCount}-${i}` })); + }; + + const advisory = await findExistingDraftAdvisory(fakeFetch, 'token', 'paperclipai/paperclip', 6469); + + assert.equal(advisory, null); + assert.equal(pageCount, 20, `expected pagination to run exactly 20 pages (the cap), got ${pageCount}`); +}); + test('syncDraftAdvisory: patches an existing advisory with the latest flags', async () => { const calls = []; const flags = [ @@ -318,3 +333,48 @@ test('scanSensitivePaths: ignores removed files even on sensitive paths', () => const files = [{ filename: 'server/src/routes/agents.ts', status: 'removed' }]; assert.equal(scanSensitivePaths(files).length, 0); }); + +// ── startScriptWatchdog ────────────────────────────────────────────────────── + +test('startScriptWatchdog: fires exit(0) when the wall-clock budget is exceeded', async () => { + let exitCode = null; + const fakeExit = (code) => { exitCode = code; }; + startScriptWatchdog(20, fakeExit); + await new Promise((resolve) => setTimeout(resolve, 60)); + assert.equal(exitCode, 0, 'watchdog should have exited with code 0 by now'); +}); + +test('startScriptWatchdog: cleared timer never fires', async () => { + let exitCode = null; + const fakeExit = (code) => { exitCode = code; }; + const timer = startScriptWatchdog(20, fakeExit); + clearTimeout(timer); + await new Promise((resolve) => setTimeout(resolve, 60)); + assert.equal(exitCode, null, 'cleared watchdog must not call exit'); +}); + +// ── ghFetch timeout ────────────────────────────────────────────────────────── + +test('ghFetch: aborts the request when the per-call timeout elapses', async () => { + const originalFetch = globalThis.fetch; + // Replace global fetch with one that respects the AbortSignal but never resolves on its own. + globalThis.fetch = (_url, init) => new Promise((_resolve, reject) => { + init?.signal?.addEventListener('abort', () => { + const err = new Error('aborted'); + err.name = 'AbortError'; + reject(err); + }, { once: true }); + }); + + try { + const start = Date.now(); + await assert.rejects( + ghFetch('/repos/example/example/security-advisories', 'token', { timeoutMs: 30 }), + /aborted|abort/i, + ); + const elapsed = Date.now() - start; + assert.ok(elapsed < 500, `ghFetch should abort within the timeout, took ${elapsed}ms`); + } finally { + globalThis.fetch = originalFetch; + } +}); diff --git a/.github/workflows/commitperclip-review.yml b/.github/workflows/commitperclip-review.yml index 222f75ea..c24205ff 100644 --- a/.github/workflows/commitperclip-review.yml +++ b/.github/workflows/commitperclip-review.yml @@ -57,6 +57,8 @@ jobs: - name: Run security gates run: node .github/scripts/check-pr-security.mjs + continue-on-error: true + timeout-minutes: 3 env: GH_TOKEN: ${{ steps.token.outputs.value }} GH_REPO: ${{ github.repository }}