chore(scripts): extend pre-PR linter scope to reviews/comments #222
Merged
mingcha-dev merged 1 commit into MLT-OSS:main on May 9, 2026
Follow-up to MLT-OSS#221. Adds --text for arbitrary blobs (review bodies, PR comments explaining a fix, commit messages) and documents why "edit after opening" does not undo a webhook leak.
mingcha-dev (Collaborator) approved these changes on May 9, 2026 and left a comment:
明察 QA Review — PR #222 APPROVED ✅
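Dogfood verification
Self-linting this review body with the --text flag newly added in PR #222:
$ bash scripts/pre-pr-check.sh --text "$REVIEW_BODY"
✅ Pre-PR secrecy check passed.
exit=0
Checklist
- ✅ CI secrecy passed
- ✅ body / title / branch / the script itself are all clean
- ✅ Word list is byte-identical and in sync with CI (zero drift)
- ✅ Minimal diff: +16/-3, adding only the --text flag plus the scope extension in the comments
Self-test: 7/7 passed
| # | Scenario | Expected | Actual |
|---|---|---|---|
| 1 | --text clean | exit 0 | 0 ✅ |
| 2 | --text contains banned term | exit 1 | 1 ✅ |
| 3 | --text banned + --body clean (combined) | exit 1 | 1 ✅ |
| 4 | --text + --body both clean | exit 0 | 0 ✅ |
| 5 | --help prints scope section | contains Scope block | ✓ ✅ |
| 6 | --text case normalization | exit 1 | 1 ✅ |
| 7 | --text multiple banned terms all checked | multi-line BLOCK + exit 1 | ✓ ✅ |
Highlights
- Scope section written into the script's header comment: for the first time it explicitly lists the five surfaces, PR review body / comment / commit message / release note / wiki entry
- Webhook-cache reality comment: "edit afterwards is not a real fix" is written into the script, so the next person reading it will not be confused
- Exit code 2 semantics stated explicitly: aligned with the usage error exit under set -euo pipefail
- usage() sed range 2,18 → 2,25: makes --help print the new scope
Today's two-sided secrecy incident loop, closed
- PR #220 author leak → PR #221 root-cause fix (body/title/branch/sources)
- PR #221 reviewer leak (明察 itself) → PR #222 extends scope to review/comment/commit/release/wiki
- Both loops closed: the script now covers author-side and reviewer-side
Follow-ups (non-blocking)
- --bootstrap-pre-commit can be left for the next iteration
- Add a "verify linter in sync with CI" step to CI (to prevent word-list drift)
- I will also dogfood this script when reviewing (as with this review)
Merge 🚀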
Summary
Follow-up to #221. Extends scripts/pre-pr-check.sh to cover all text surfaces that webhooks echo back, not just the three original fields.
What changes
- --text <blob> flag: lint an arbitrary string (review body, PR/issue comment explaining a fix, commit message, release note, wiki entry)
- 2 for usage errors documented explicitly
- --help output range updated so it prints the new scope section
Why
A reviewer quoting the banned word in an APPROVED review body is the same leak as the original author putting it in the PR body. The lint needs to run on both sides. Without --text, review bodies were reaching for --body, which was semantically awkward.
Self-test
Keep in sync
No change to BANNED_TERMS. Header still points at .github/workflows/secrecy-check.yml as the source of truth.
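An added sketch, not the project's scripts/pre-pr-check.sh, of the behaviour the self-test table in the review exercises: case-insensitive matching, every banned term reported, --text and --body checked together, and exit codes 0/1/2. The function names and the two banned terms are constructed placeholders; the project's real BANNED_TERMS list is not shown on this page.

```shell
#!/bin/sh
# Added example. BANNED_TERMS here is a constructed placeholder list, one term
# per line; the project keeps its real list in its CI workflow.
BANNED_TERMS='codename-alpha
internal-vendor-x'

# lint_blob LABEL TEXT (hypothetical helper): print one BLOCK line per banned
# term found in TEXT (case-insensitive, fixed-string match, so terms are never
# treated as regexes). Returns 1 if any term matched, 0 otherwise.
lint_blob() {
    label=$1
    text=$2
    hits=0
    # A here-document keeps the loop in the current shell, so $hits survives.
    while IFS= read -r term; do
        [ -n "$term" ] || continue
        if printf '%s\n' "$text" | grep -qiF -e "$term"; then
            printf 'BLOCK [%s]: contains banned term "%s"\n' "$label" "$term"
            hits=$((hits + 1))
        fi
    done <<EOF
$BANNED_TERMS
EOF
    [ "$hits" -eq 0 ]
}

# pre_post_check [--body STR] [--text STR]... (hypothetical wrapper): lint every
# supplied field before it is posted, since text delivered to webhooks cannot be
# recalled by editing afterwards.
# Returns 0 = clean, 1 = banned term found, 2 = usage error.
pre_post_check() {
    status=0
    [ "$#" -gt 0 ] || { echo 'usage: pre_post_check [--body STR] [--text STR]...' >&2; return 2; }
    while [ "$#" -gt 0 ]; do
        case $1 in
            --body|--text)
                [ "$#" -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
                # Keep scanning after a hit so every field is reported.
                lint_blob "${1#--}" "$2" || status=1
                shift 2 ;;
            *)
                echo "unknown option: $1" >&2
                return 2 ;;
        esac
    done
    return "$status"
}
```

Fixed-string matching (grep -F) matters here: a banned term containing characters such as "." or "*" would otherwise match more or less than intended.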