chore(ci): Fix detection of changes to include models #10

Merged

stack72 merged 1 commit from fx-detection into main 2026-05-28 00:41:08 +00:00

Conversation 2 Commits 1 Files changed 1 +2 -2

stack72 commented 2026-05-28 00:11:54 +00:00

Owner

Copy link

No description provided.

stack72 added 1 commit 2026-05-28 00:11:54 +00:00

chore(ci): Fix detection of changes to include models 5c4c2f2c23

stack72 commented 2026-05-28 00:39:44 +00:00

Author

Owner

Copy link

Code Review

Blocking Issues

None.

Suggestions

1. ssh-check and ssh-lockfile missing from claude-review needs (lines 649–676): The ssh-check and ssh-lockfile jobs are included in the merge-gate but are absent from claude-review's needs list. This means claude-review can run and post its comment before SSH job results are known. Since the merge gate captures all jobs, this doesn't allow a bypass — it's just a minor ordering inconsistency. Adding ssh-check and ssh-lockfile to claude-review's needs would keep the pattern consistent with how other check/lockfile pairs are handled.

2. CHANGED_FILES injected into shell prompt string (lines 718–726): The CHANGED_FILES variable (from git diff --name-only) is interpolated directly into a multi-line shell string passed as the -p argument to claude. If a branch contains a file with a name containing shell metacharacters or newlines, this could produce unexpected prompt content. The risk is low (filenames come from the repo's own git index), but wrapping the changed files section in a printf '%s' "$CHANGED_FILES" or using a temp file to compose the prompt would be more robust.

3. deps-audit runs unconditionally (lines 611–634): Unlike every other job, deps-audit has no needs: [changes] condition and no path filter — it runs on every PR regardless of what changed. This is intentional for security auditing, but it's worth confirming that the deno outdated scan across all lockfile directories (line 624) is fast enough not to slow down small PRs meaningfully.

## Code Review ### Blocking Issues None. ### Suggestions 1. **`ssh-check` and `ssh-lockfile` missing from `claude-review` needs** (lines 649–676): The `ssh-check` and `ssh-lockfile` jobs are included in the `merge-gate` but are absent from `claude-review`'s `needs` list. This means `claude-review` can run and post its comment before SSH job results are known. Since the merge gate captures all jobs, this doesn't allow a bypass — it's just a minor ordering inconsistency. Adding `ssh-check` and `ssh-lockfile` to `claude-review`'s needs would keep the pattern consistent with how other check/lockfile pairs are handled. 2. **`CHANGED_FILES` injected into shell prompt string** (lines 718–726): The `CHANGED_FILES` variable (from `git diff --name-only`) is interpolated directly into a multi-line shell string passed as the `-p` argument to claude. If a branch contains a file with a name containing shell metacharacters or newlines, this could produce unexpected prompt content. The risk is low (filenames come from the repo's own git index), but wrapping the changed files section in a `printf '%s' "$CHANGED_FILES"` or using a temp file to compose the prompt would be more robust. 3. **`deps-audit` runs unconditionally** (lines 611–634): Unlike every other job, `deps-audit` has no `needs: [changes]` condition and no path filter — it runs on every PR regardless of what changed. This is intentional for security auditing, but it's worth confirming that the `deno outdated` scan across all lockfile directories (line 624) is fast enough not to slow down small PRs meaningfully.

stack72 commented 2026-05-28 00:39:52 +00:00

Author

Owner

Copy link

CI Security Review

Summary of Changes

This PR modifies .forgejo/workflows/ci.yml with a two-line change: it removes | grep -v '^model/' from the changed-files computation in the claude-review (line 697) and claude-adversarial-review (line 814) jobs. This causes model/ files to be included in the list of changed files passed to the Claude Code review agents.

Analysis

1. Prompt Injection — No new risk introduced.

The changed lines affect which filenames are passed into the CHANGED_FILES variable that becomes part of the prompt. The filenames come from git diff --name-only origin/main..HEAD, which lists file paths from the repo's own git history — not from attacker-controlled event fields. The file contents are not interpolated into the prompt; only the file paths are listed, and the LLM reads file contents via tool calls. No new prompt injection surface.

Note: The existing workflow already interpolates CHANGED_FILES (a list of repo file paths) into the prompt string via shell variable expansion. This is acceptable because these are git-derived file paths from the checked-out repo, not attacker-controlled event metadata.

2. Expression Injection & Script Injection — No change.

The PR does not introduce or modify any Actions expression interpolations in run: blocks. The existing ${{ matrix.task }} interpolations throughout the file use values from a hardcoded matrix (e.g., [check, lint, fmt, test]), not from user input, so they are safe.

3. Dangerous Triggers — No change.

The workflow triggers on pull_request (not pull_request_target), which runs in the fork context without access to base repo secrets for external PRs. This is the safe pattern. No change in this PR.

4. Supply Chain — No change.

All actions used are from trusted publishers (actions/checkout@v6, denoland/setup-deno@v2). The Claude CLI binary is downloaded with a pinned version and verified via SHA-256 checksum — this is a good pattern. No changes to action references or supply chain in this PR.

5. Permissions — No change.

Workflow-level permissions are contents: read (line 9). The claude-review, claude-adversarial-review, and claude-ci-security-review jobs override with job-level permissions: { contents: read, pull-requests: write }, which is appropriately scoped. No changes to permissions in this PR.

6. Secret Exposure — No change.

ANTHROPIC_API_KEY and BOT_TOKEN are passed via env: to specific steps that need them, not globally. The Claude CLI receives the API key through the environment variable, not via command-line argument. No changes to secret handling in this PR.

7. Auto-merge & Trust Boundaries — No change.

The workflow does not auto-merge. The merge-gate job aggregates results but only fails/passes — it does not trigger merges. No changes to trust boundaries in this PR.

Verdict

PASS — The change is security-neutral. It broadens the set of files reviewed by the Claude agents to include model/ directory files, which is a review-scope expansion, not a security regression. No new injection vectors, permission escalations, or secret exposure risks are introduced.

## CI Security Review ### Summary of Changes This PR modifies `.forgejo/workflows/ci.yml` with a two-line change: it removes `| grep -v '^model/'` from the changed-files computation in the `claude-review` (line 697) and `claude-adversarial-review` (line 814) jobs. This causes `model/` files to be included in the list of changed files passed to the Claude Code review agents. ### Analysis **1. Prompt Injection** — No new risk introduced. The changed lines affect which filenames are passed into the `CHANGED_FILES` variable that becomes part of the prompt. The filenames come from `git diff --name-only origin/main..HEAD`, which lists file paths from the repo's own git history — not from attacker-controlled event fields. The file *contents* are not interpolated into the prompt; only the file paths are listed, and the LLM reads file contents via tool calls. No new prompt injection surface. Note: The existing workflow already interpolates `CHANGED_FILES` (a list of repo file paths) into the prompt string via shell variable expansion. This is acceptable because these are git-derived file paths from the checked-out repo, not attacker-controlled event metadata. **2. Expression Injection & Script Injection** — No change. The PR does not introduce or modify any Actions expression interpolations in `run:` blocks. The existing `${{ matrix.task }}` interpolations throughout the file use values from a hardcoded matrix (e.g., `[check, lint, fmt, test]`), not from user input, so they are safe. **3. Dangerous Triggers** — No change. The workflow triggers on `pull_request` (not `pull_request_target`), which runs in the fork context without access to base repo secrets for external PRs. This is the safe pattern. No change in this PR. **4. Supply Chain** — No change. All actions used are from trusted publishers (`actions/checkout@v6`, `denoland/setup-deno@v2`). The Claude CLI binary is downloaded with a pinned version and verified via SHA-256 checksum — this is a good pattern. No changes to action references or supply chain in this PR. **5. Permissions** — No change. Workflow-level permissions are `contents: read` (line 9). The `claude-review`, `claude-adversarial-review`, and `claude-ci-security-review` jobs override with job-level `permissions: { contents: read, pull-requests: write }`, which is appropriately scoped. No changes to permissions in this PR. **6. Secret Exposure** — No change. `ANTHROPIC_API_KEY` and `BOT_TOKEN` are passed via `env:` to specific steps that need them, not globally. The Claude CLI receives the API key through the environment variable, not via command-line argument. No changes to secret handling in this PR. **7. Auto-merge & Trust Boundaries** — No change. The workflow does not auto-merge. The `merge-gate` job aggregates results but only fails/passes — it does not trigger merges. No changes to trust boundaries in this PR. ### Verdict **PASS** — The change is security-neutral. It broadens the set of files reviewed by the Claude agents to include `model/` directory files, which is a review-scope expansion, not a security regression. No new injection vectors, permission escalations, or secret exposure risks are introduced.

stack72 merged commit 3eb551a247 into main 2026-05-28 00:41:08 +00:00

stack72 deleted branch fx-detection 2026-05-28 00:41:08 +00:00

stack72 referenced this pull request from a commit 2026-05-28 00:41:10 +00:00

chore(ci): Fix detection of changes to include models (#10)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

swamp-club/swamp-extensions!10

No description provided.