sarman/tftsr-devops_investigation
1
0
Fork 0
Code Issues 1 Pull Requests Actions 34 Packages Projects 3 Releases 9 Wiki Activity

fix: harden pr-review workflow — secret redaction, log safety, auth header
All checks were successful
Test / frontend-typecheck (pull_request) Successful in 1m12s
Details
Test / rust-tests (pull_request) Successful in 27m19s
Details
Test / rust-fmt-check (pull_request) Successful in 2m35s
Details
PR Review Automation / review (pull_request) Successful in 3m45s
Details
Test / rust-clippy (pull_request) Successful in 25m55s
Details
Test / frontend-tests (pull_request) Successful in 1m10s
Details

Browse Source 
- Replace flawed sed-based redaction with grep -v line-removal covering
  JS/YAML assignments, Authorization headers, AWS keys (AKIA…), Slack
  tokens (xox…), GitHub tokens (gh[opsu]_…), URLs with embedded
  credentials, and long Base64 strings
- Add -c flag to jq -n when building Ollama request body (compact JSON)
- Remove jq . full response dump to prevent LLM-echoed secrets in logs
- Change Gitea API Authorization header from `token` to `Bearer`
This commit is contained in:
Shaun Arman 2026-04-12 18:03:17 -05:00
parent 144a4551f2
commit 181b9ef734
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.gitea/workflows/pr-review.yml
View File

@ -58,9 +58,10 @@ jobs:
echo "WARNING: Binary file changes detected — they will be excluded from analysis"
fi
DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt \
| sed -E 's/(password|token|secret|api_key|private_key)[[:space:]]*[=:][[:space:]]+([^$[:space:]][^[:space:]]*)/\1=[REDACTED]/gi')
| grep -v -E '^[+-].*(password[[:space:]]*[=:"'"'"']|token[[:space:]]*[=:"'"'"']|secret[[:space:]]*[=:"'"'"']|api_key[[:space:]]*[=:"'"'"']|private_key[[:space:]]*[=:"'"'"']|Authorization:[[:space:]]|AKIA[A-Z0-9]{16}|xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}|gh[opsu]_[A-Za-z0-9_]{36,}|https?://[^@[:space:]]+:[^@[:space:]]+@)' \
| grep -v -E '^[+-].*[A-Za-z0-9+/]{40,}={0,2}([^A-Za-z0-9+/=]|$)')
PROMPT="Analyze the following code changes for correctness, security issues, and best practices. PR Title: ${PR_TITLE}\n\nDiff:\n${DIFF_CONTENT}\n\nProvide a review with: 1) Summary, 2) Bugs/errors, 3) Security issues, 4) Best practices. Give specific comments with suggested fixes."
BODY=$(jq -n \
BODY=$(jq -cn \
--arg model "qwen3-coder-next:latest" \
--arg content "$PROMPT" \
'{model: $model, messages: [{role: "user", content: $content}], stream: false}')
@ -84,7 +85,6 @@ jobs:
cat /tmp/ollama_response.json
exit 1
fi
jq . /tmp/ollama_response.json
REVIEW=$(jq -r '.choices[0].message.content // empty' /tmp/ollama_response.json)
if [ -z "$REVIEW" ]; then
echo "ERROR: No content in Ollama response"
@ -118,7 +118,7 @@ jobs:
HTTP_CODE=$(curl -s --max-time 30 --connect-timeout 10 \
-o /tmp/review_post_response.json -w "%{http_code}" \
-X POST "https://gogs.tftsr.com/api/v1/repos/${REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
-H "Authorization: token $TF_TOKEN" \
-H "Authorization: Bearer $TF_TOKEN" \
-H "Content-Type: application/json" \
-d "$BODY")
echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"