ci: narrow codeql guard org sweep query#30
PR Summary (Low Risk)
Overview: Adds explicit filtering of the sweep results to ignore the
Reviewed by Cursor Bugbot for commit 4ca6284.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Narrowed query still self-matches via embedded search string
  - The org sweep now filters out `evalops/.github`'s own `codeql-guard.yml` result from the GitHub code search response, preventing the self-match from tripping drift detection.
Preview (cbd699eefb)
diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -58,7 +58,7 @@
GH_TOKEN: ${{ github.token }}
ORG_CODE_SEARCH_TOKEN: ${{ secrets.EVALOPS_ORG_READ_TOKEN }}
steps:
- - name: Search org for github/codeql-action references
+ - name: Search org for github/codeql-action uses
shell: bash
run: |
set -euo pipefail
@@ -68,19 +68,30 @@
fi
response="$(
GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api -X GET search/code \
- -f q='org:evalops "github/codeql-action" path:.github/workflows' \
- --jq '.items[] | "\(.repository.full_name)\t\(.path)"' \
+ -f q='org:evalops "uses: github/codeql-action" path:.github/workflows' \
+ --jq '.items[]
+ | select(.repository.full_name != "evalops/.github" or .path != ".github/workflows/codeql-guard.yml")
+ | "\(.repository.full_name)\t\(.path)"' \
)"
- if [ -z "${response}" ]; then
+ hits=()
+ while IFS=$'\t' read -r repo path; do
+ if [ -z "${repo}" ]; then
+ continue
+ fi
+ if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then
+ continue
+ fi
+ hits+=("${repo}"$'\t'"${path}")
+ done <<< "${response}"
+ if [ "${#hits[@]}" -eq 0 ]; then
echo "ok: no CodeQL workflow files found in any evalops repo"
exit 0
fi
- mapfile -t hits <<< "${response}"
{
echo "## codeql-guard tripped"
echo
echo "EvalOps does not run GitHub CodeQL (see \`SECURITY.md\` and the Blacksmith"
- echo "code security configuration). The following workflow files reference"
+ echo "code security configuration). The following workflow files use"
echo "\`github/codeql-action\` and need to be removed or the policy amended:"
echo
for h in "${hits[@]}"; do
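Review bot: the self-match is excluded twice in this hunk, once in the `--jq` filter (`select(.repository.full_name != "evalops/.github" or .path != ".github/workflows/codeql-guard.yml")`) and again in the `while` loop (`if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then continue`); keep one of them, preferably the bash check, which is the easier one to test locally and to extend with further exclusions, and drop the other so the two copies cannot drift apart. Separately, `gh api -X GET search/code` without `--paginate` returns only the first page of search results, so an org with more matching workflow files than one page holds would be under-reported; consider adding `--paginate` to the call.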
Reviewed by Cursor Bugbot for commit c155cca.
c155cca to 4ca6284

Summary
`uses: github/codeql-action` workflow entries

Test plan
- `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/codeql-guard.yml"); puts "yaml ok"'`
- `ruby -Itest -e 'ARGV.each { |path| require "./#{path}" }' test/**/*_test.rb`
- `git diff --check`
- `gh api -X GET search/code -f q='org:evalops "uses: github/codeql-action" path:.github/workflows' --jq '.items[] | "\(.repository.full_name)\t\(.path)"'`

Follow-up after re-reviewing the merged #29 (ci: codeql-guard to keep CodeQL out of evalops/*): the broader search matched this guard workflow and a Platform explanatory comment; the refined query keeps only real workflow `uses:` hits.
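The PR description explains why the query was narrowed (a comment that merely mentions `github/codeql-action` should not trip the guard) and the preview diff shows why an exclusion is still needed (the guard workflow embeds the search phrase in its own query string). The script below is an added example, not code from the evalops/.github repository: it approximates GitHub code search with a fixed-string `grep` over a constructed set of workflow files (the repo names `evalops/example-app` and `evalops/example-notes`, the file contents, and the function names `sweep`, `drop_self`, `count_hits` and `remaining_hits` are all assumptions made for the example), so the effect of the narrower phrase and of the self-exclusion loop can be compared offline without an org read token.

```shell
#!/bin/sh
# Added example, not code from the evalops/.github repository. It approximates
# the org sweep from the preview diff offline: GitHub code search is replaced
# by a fixed-string grep over a constructed set of workflow files, so the
# effect of narrowing the query phrase and of excluding the guard's own file
# can be checked without an org read token.
set -eu

SELF_REPO="evalops/.github"
SELF_PATH=".github/workflows/codeql-guard.yml"

# Constructed corpus laid out as <tmpdir>/<org>/<repo>/<path>.
corpus="$(mktemp -d)"
trap 'rm -rf "${corpus}"' EXIT

mkdir -p "${corpus}/evalops/.github/.github/workflows" \
         "${corpus}/evalops/example-app/.github/workflows" \
         "${corpus}/evalops/example-notes/.github/workflows"

# The guard workflow itself: it carries the search phrase inside its own
# query string, which is why the sweep matches it (the self-match).
cat > "${corpus}/evalops/.github/${SELF_PATH}" <<'EOF'
          -f q='org:evalops "uses: github/codeql-action" path:.github/workflows' \
EOF

# A genuine CodeQL workflow (constructed): the only hit the guard should report.
cat > "${corpus}/evalops/example-app/.github/workflows/codeql.yml" <<'EOF'
      - uses: github/codeql-action/analyze@v3
EOF

# A workflow that only mentions the action in an explanatory comment
# (constructed stand-in for the comment the PR description says the broad query hit).
cat > "${corpus}/evalops/example-notes/.github/workflows/ci.yml" <<'EOF'
      # Code scanning is handled outside GitHub; github/codeql-action is not used.
EOF

# sweep <phrase>: print "repo<TAB>path" for each file containing the phrase as
# a fixed string, mimicking the --jq output shape of the real sweep.
sweep() {
  ( cd "${corpus}" && grep -rlF -- "$1" . || true ) | sort | while IFS= read -r f; do
    f="${f#./}"                       # e.g. evalops/example-app/.github/workflows/codeql.yml
    org="${f%%/*}"; rest="${f#*/}"
    repo="${rest%%/*}"; path="${rest#*/}"
    printf '%s\t%s\n' "${org}/${repo}" "${path}"
  done
}

# drop_self: filter stdin hits the way the preview diff's while loop does,
# skipping blank lines and the guard's own workflow file.
drop_self() {
  tab="$(printf '\t')"
  while IFS="${tab}" read -r repo path; do
    [ -z "${repo}" ] && continue
    if [ "${repo}" = "${SELF_REPO}" ] && [ "${path}" = "${SELF_PATH}" ]; then
      continue
    fi
    printf '%s\t%s\n' "${repo}" "${path}"
  done
}

# count_hits <phrase> [exclude_self]: number of hits the guard would report.
count_hits() {
  if [ "${2:-0}" = "1" ]; then
    sweep "$1" | drop_self | wc -l | tr -d ' '
  else
    sweep "$1" | wc -l | tr -d ' '
  fi
}

# remaining_hits <phrase>: the self-excluded result list for a phrase.
remaining_hits() {
  sweep "$1" | drop_self
}

echo "broad phrase, no exclusion:   $(count_hits 'github/codeql-action')"          # 3
echo "narrow phrase, no exclusion:  $(count_hits 'uses: github/codeql-action')"    # 2
echo "narrow phrase, self excluded: $(count_hits 'uses: github/codeql-action' 1)"  # 1
```

Run with `sh` or `bash`; the three counts show the two separate effects: the `uses:` prefix drops the comment-only file, and the self-exclusion drops the guard workflow, leaving exactly the one workflow that really runs the action. Real GitHub code search tokenises text rather than matching substrings, so treat the grep as an approximation of which files the phrase can match, not of the API's exact ranking.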