47bd02647c
## Thinking Path > - Paperclip is the open source app people use to manage AI agents for work > - The commitperclip review workflow runs a security gate as part of CI on every PR > - The security script's header promises it always exits 0 and stays silent/informational, but PRs that triggered a flag were failing with a 5-minute timeout > - Two compounding bugs: `findExistingDraftAdvisory` paginated without an upper bound, and the workflow step did not have `continue-on-error: true`, so any hang inside the script turned into a hard `review` check failure that blocked merge > - This pull request caps the advisory pagination at 20 pages and adds `continue-on-error: true` to the workflow step, aligning runtime behavior with the script's documented "always exit 0" contract > - The benefit is that future PRs flagged by the security gate no longer block merge on a 5-minute timeout, and the gate stays silent/informational as intended ## Linked Issues or Issue Description Fixes: #7849 ## What Changed - `.github/workflows/commitperclip-review.yml`: added `continue-on-error: true` to the `Run security gates` step so a hang or non-zero exit cannot fail the `review` check (matches the script's documented "always exit 0" contract). - `.github/scripts/check-pr-security.mjs`: capped `findExistingDraftAdvisory` pagination at 20 pages (= 2000 advisories) and short-circuited with a `console.warn` when the cap is hit; if no match is found within the cap, callers will simply create a new draft instead of hanging forever. - `.github/scripts/tests/check-pr-security.test.mjs`: added a test asserting the pagination cap is enforced. ## Verification - `node .github/scripts/tests/check-pr-security.test.mjs` — 31/31 pass, including the new cap test. - Step-level guarantee: `continue-on-error: true` makes the `Run security gates` step non-blocking for the job, so even an unexpected hang/timeout in this step can no longer fail the `review` check. ## Risks - Low risk. Pagination cap is a defensive bound; the worst case is a duplicate draft advisory (acceptable — the workflow continues). `continue-on-error: true` is exactly what the script header already promised; the workflow now matches its stated contract. ## Model Used - Claude (claude-opus-4-7), extended thinking, tool use ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have searched GitHub for duplicate or related PRs and linked them above - [x] I have either (a) linked existing issues with `Fixes: #` / `Closes #` / `Refs #` OR (b) described the issue in-PR following the relevant issue template - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [ ] All Paperclip CI gates are green - [ ] Greptile is 5/5 with no open P2s, recommendations, or follow-ups - [ ] I will address all Greptile and reviewer comments before requesting merge Co-authored-by: Paperclip <noreply@paperclip.ing>
75 lines
2.4 KiB
YAML
75 lines
2.4 KiB
YAML
name: commitperclip PR Review
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened, synchronize, reopened]
|
|
|
|
# Always runs from base branch context — never executes PR code.
|
|
# pull_request_target gives access to secrets for untrusted fork PRs.
|
|
|
|
permissions:
|
|
pull-requests: write
|
|
security-events: write
|
|
checks: write
|
|
contents: read
|
|
|
|
jobs:
|
|
review:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
steps:
|
|
- name: Checkout base branch (never PR code)
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
ref: master
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
|
|
with:
|
|
base-ref: ${{ github.event.pull_request.base.sha }}
|
|
head-ref: ${{ github.event.pull_request.head.sha }}
|
|
|
|
- name: Set up Node
|
|
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: '20'
|
|
|
|
- name: Generate commitperclip token
|
|
id: token
|
|
run: |
|
|
TOKEN=$(node .github/scripts/get-bot-token.mjs)
|
|
echo "::add-mask::$TOKEN"
|
|
echo "value=$TOKEN" >> $GITHUB_OUTPUT
|
|
env:
|
|
COMMITPERCLIP_KEY: ${{ secrets.COMMITPERCLIP_KEY }}
|
|
|
|
- name: Run quality gates
|
|
id: quality
|
|
if: github.event.pull_request.user.login != 'dependabot[bot]'
|
|
run: node .github/scripts/run-quality-gates.mjs
|
|
continue-on-error: true
|
|
env:
|
|
GH_TOKEN: ${{ steps.token.outputs.value }}
|
|
GH_REPO: ${{ github.repository }}
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
|
|
PR_BRANCH: ${{ github.event.pull_request.head.ref }}
|
|
|
|
- name: Run security gates
|
|
run: node .github/scripts/check-pr-security.mjs
|
|
continue-on-error: true
|
|
timeout-minutes: 3
|
|
env:
|
|
GH_TOKEN: ${{ steps.token.outputs.value }}
|
|
GH_REPO: ${{ github.repository }}
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
|
|
|
|
- name: Fail if quality gates failed
|
|
if: >-
|
|
github.event.pull_request.user.login != 'dependabot[bot]' &&
|
|
steps.quality.outcome == 'failure'
|
|
run: |
|
|
echo "One or more quality gates failed. See commitperclip comment on the PR for details."
|
|
exit 1
|