Commit Graph

307 Commits

Author SHA1 Message Date
Shaun Arman
bc50a78db7 fix: correct WIQL syntax and escape_wiql implementation
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 10s
Test / frontend-typecheck (pull_request) Successful in 1m11s
Test / frontend-tests (pull_request) Successful in 1m12s
PR Review Automation / review (pull_request) Successful in 3m6s
Test / rust-clippy (pull_request) Successful in 3m49s
Test / rust-tests (pull_request) Successful in 5m4s
- Replace CONTAINS with ~ operator (correct WIQL syntax for text matching)
- Remove escaping of ~, *, ? which are valid WIQL wildcards
- Update tests to reflect correct escape_wiql behavior
2026-04-14 20:38:21 -05:00
Shaun Arman
e6d1965342 security: address all issues from automated PR review
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 10s
Test / frontend-typecheck (pull_request) Successful in 1m9s
Test / frontend-tests (pull_request) Successful in 1m13s
PR Review Automation / review (pull_request) Successful in 2m58s
Test / rust-clippy (pull_request) Successful in 3m50s
Test / rust-tests (pull_request) Successful in 5m12s
- Add missing CQL escaping for &, |, +, - characters
- Improve escape_wiql() to escape more dangerous characters: ", \, (, ), ~, *, ?, ;, =
- Sanitize HTML in excerpts using strip_html_tags() to prevent XSS
- Add unit tests for escape_wiql, escape_cql, canonicalize_url functions
- Document expand_query() behavior (always returns at least original query)
- All tests pass (158/158), cargo fmt and clippy pass
2026-04-14 20:26:05 -05:00
Shaun Arman
708e1e9c18 security: fix query expansion issues from PR review
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 12s
Test / frontend-typecheck (pull_request) Successful in 1m11s
Test / frontend-tests (pull_request) Successful in 1m16s
PR Review Automation / review (pull_request) Successful in 3m0s
Test / rust-clippy (pull_request) Successful in 3m50s
Test / rust-tests (pull_request) Successful in 5m0s
- Use MAX_EXPANDED_QUERIES constant in confluence_search.rs instead of hardcoded 3
- Improve escape_wiql() to escape more dangerous characters: ", \, (, ), ~, *, ?, ;, =
- Fix logging to show expanded_query instead of search_url in confluence_search.rs

All tests pass (142/142), cargo fmt and clippy pass.
2026-04-14 20:07:59 -05:00
Shaun Arman
5b45c6c418 fix(integrations): security and correctness improvements
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 12s
Test / frontend-typecheck (pull_request) Successful in 1m18s
Test / frontend-tests (pull_request) Successful in 1m21s
Test / rust-clippy (pull_request) Successful in 3m56s
PR Review Automation / review (pull_request) Successful in 4m20s
Test / rust-tests (pull_request) Successful in 5m22s
- Add url canonicalization for deduplication (strip fragments/query params)
- Add WIQL injection escaping for Azure DevOps work item searches
- Add CQL injection escaping for Confluence searches
- Add MAX_EXPANDED_QUERIES constant for consistency
- Fix logging to show expanded_query instead of search_url
- Add input validation for empty queries
- Add url crate dependency for URL parsing

All 142 tests pass.
2026-04-14 19:55:32 -05:00
Shaun Arman
096068ed2b feat(integrations): implement query expansion for semantic search
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 12s
Test / frontend-typecheck (pull_request) Successful in 1m11s
Test / frontend-tests (pull_request) Successful in 1m15s
PR Review Automation / review (pull_request) Successful in 3m13s
Test / rust-clippy (pull_request) Successful in 3m45s
Test / rust-tests (pull_request) Successful in 5m9s
- Add query_expansion.rs module with product synonyms and keyword extraction
- Update confluence_search.rs to use expanded queries
- Update servicenow_search.rs to use expanded queries
- Update azuredevops_search.rs to use expanded queries
- Update webview_fetch.rs to use expanded queries
- Fix extract_keywords infinite loop bug for non-alphanumeric endings

All 142 tests pass.
2026-04-14 19:37:27 -05:00
cdb1dd1dad chore: update CHANGELOG.md for v0.2.55 [skip ci] 2026-04-13 21:09:47 +00:00
6dbe40ef03 chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 20:25:56 +00:00
Shaun Arman
75fc3ca67c fix: add Windows nsis target and update CHANGELOG to v0.2.61
All checks were successful
Auto Tag / autotag (push) Successful in 6s
Auto Tag / wiki-sync (push) Successful in 6s
Auto Tag / changelog (push) Successful in 43s
Auto Tag / build-macos-arm64 (push) Successful in 3m0s
Auto Tag / build-linux-amd64 (push) Successful in 11m29s
Auto Tag / build-linux-arm64 (push) Successful in 13m31s
Auto Tag / build-windows-amd64 (push) Successful in 14m10s
- Update CHANGELOG to include releases v0.2.54 through v0.2.61
- Add 'nsis' to bundle targets in tauri.conf.json for Windows builds
- This fixes Windows artifact upload failures by enabling .exe/.msi generation

The Windows build was failing because tauri.conf.json only had Linux bundle
targets (['deb', 'rpm']). Without nsis target, no Windows installers were
produced, causing the upload step to fail with 'No Windows amd64 artifacts
were found'.
2026-04-13 15:25:05 -05:00
fdae6d6e6d chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 19:58:25 +00:00
Shaun Arman
d78181e8c0 chore: trigger release with fix
Some checks failed
Auto Tag / autotag (push) Successful in 7s
Auto Tag / wiki-sync (push) Successful in 6s
Auto Tag / changelog (push) Successful in 43s
Auto Tag / build-macos-arm64 (push) Successful in 4m25s
Auto Tag / build-linux-amd64 (push) Successful in 11m27s
Auto Tag / build-linux-arm64 (push) Successful in 13m25s
Auto Tag / build-windows-amd64 (push) Failing after 13m38s
2026-04-13 14:57:35 -05:00
Shaun Arman
b4ff52108a fix: remove AppImage from upload artifact patterns
Some checks failed
Auto Tag / autotag (push) Successful in 6s
Auto Tag / wiki-sync (push) Successful in 6s
Auto Tag / changelog (push) Has been cancelled
Auto Tag / build-linux-arm64 (push) Has been cancelled
Auto Tag / build-windows-amd64 (push) Has been cancelled
Auto Tag / build-macos-arm64 (push) Has been cancelled
Auto Tag / build-linux-amd64 (push) Has been cancelled
2026-04-13 14:57:14 -05:00
29a68c07e9 chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 18:43:07 +00:00
Shaun Arman
40a2c25428 chore: trigger changelog update for AppImage removal
Some checks failed
Auto Tag / autotag (push) Successful in 9s
Auto Tag / wiki-sync (push) Successful in 8s
Auto Tag / changelog (push) Successful in 44s
Auto Tag / build-macos-arm64 (push) Successful in 3m8s
Auto Tag / build-linux-amd64 (push) Successful in 11m29s
Auto Tag / build-linux-arm64 (push) Successful in 13m28s
Auto Tag / build-windows-amd64 (push) Failing after 7m46s
2026-04-13 13:42:15 -05:00
Shaun Arman
62e3570a15 fix: remove AppImage bundling to fix linux-amd64 build
Some checks failed
Auto Tag / autotag (push) Successful in 6s
Auto Tag / wiki-sync (push) Successful in 6s
Build CI Docker Images / windows-cross (push) Successful in 7s
Build CI Docker Images / linux-arm64 (push) Successful in 6s
Auto Tag / changelog (push) Has been cancelled
Auto Tag / build-windows-amd64 (push) Has been cancelled
Auto Tag / build-linux-amd64 (push) Has been cancelled
Auto Tag / build-macos-arm64 (push) Has been cancelled
Auto Tag / build-linux-arm64 (push) Has been cancelled
Build CI Docker Images / linux-amd64 (push) Successful in 2m37s
- Remove appimage from bundle targets in tauri.conf.json
- Remove linuxdeploy from Dockerfile
- Update Dockerfile to remove fuse dependency (not needed)
2026-04-13 13:41:56 -05:00
41e5753de6 chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 18:18:07 +00:00
Shaun Arman
25201eaac1 chore: trigger changelog update for latest fixes
Some checks failed
Auto Tag / autotag (push) Successful in 5s
Auto Tag / wiki-sync (push) Successful in 5s
Auto Tag / changelog (push) Successful in 1m37s
Auto Tag / build-macos-arm64 (push) Successful in 2m21s
Auto Tag / build-linux-amd64 (push) Failing after 13m17s
Auto Tag / build-windows-amd64 (push) Successful in 15m20s
Auto Tag / build-linux-arm64 (push) Successful in 13m46s
2026-04-13 13:16:23 -05:00
618eb6b43d chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 18:07:19 +00:00
Shaun Arman
5084dca5e3 fix: add fuse dependency for AppImage support
Some checks failed
Auto Tag / autotag (push) Successful in 6s
Auto Tag / wiki-sync (push) Successful in 5s
Build CI Docker Images / windows-cross (push) Successful in 6s
Build CI Docker Images / linux-arm64 (push) Successful in 6s
Auto Tag / changelog (push) Successful in 37s
Build CI Docker Images / linux-amd64 (push) Successful in 1m56s
Auto Tag / build-macos-arm64 (push) Successful in 2m27s
Auto Tag / build-linux-amd64 (push) Has been cancelled
Auto Tag / build-windows-amd64 (push) Has been cancelled
Auto Tag / build-linux-arm64 (push) Has been cancelled
2026-04-13 13:06:33 -05:00
Shaun Arman
6cbdcaed21 refactor: revert to original Dockerfile without manual linuxdeploy installation
- CI handles linuxdeploy download and execution via npx tauri build
2026-04-13 13:06:33 -05:00
Shaun Arman
8298506435 refactor: remove custom linuxdeploy install per CI
- CI uses tauri-downloaded version
2026-04-13 13:06:33 -05:00
412c5e70f0 chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 17:01:51 +00:00
05f87a7bff Merge pull request 'fix: add missing ai_providers columns and fix linux-amd64 build' (#41) from fix/ai-provider-migration-issue into master
Some checks failed
Auto Tag / autotag (push) Successful in 14s
Auto Tag / wiki-sync (push) Successful in 14s
Build CI Docker Images / windows-cross (push) Successful in 11s
Build CI Docker Images / linux-arm64 (push) Successful in 10s
Auto Tag / changelog (push) Successful in 54s
Auto Tag / build-macos-arm64 (push) Successful in 2m57s
Auto Tag / build-linux-amd64 (push) Failing after 13m36s
Auto Tag / build-linux-arm64 (push) Successful in 15m7s
Auto Tag / build-windows-amd64 (push) Successful in 15m35s
Build CI Docker Images / linux-amd64 (push) Failing after 7s
Reviewed-on: #41
2026-04-13 17:00:50 +00:00
Shaun Arman
8e1d43da43 fix: address critical AI review issues
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 28s
Test / frontend-typecheck (pull_request) Successful in 1m29s
Test / frontend-tests (pull_request) Successful in 1m31s
PR Review Automation / review (pull_request) Successful in 3m28s
Test / rust-clippy (pull_request) Successful in 4m29s
Test / rust-tests (pull_request) Successful in 5m42s
- Fix linuxdeploy AppImage extraction using --appimage-extract
- Remove 'has no column named' from duplicate column error handling
- Use strftime instead of datetime for created_at default format
2026-04-13 08:50:34 -05:00
Shaun Arman
2d7aac8413 fix: address AI review findings
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 15s
Test / frontend-typecheck (pull_request) Successful in 1m21s
Test / frontend-tests (pull_request) Successful in 1m25s
PR Review Automation / review (pull_request) Successful in 3m32s
Test / rust-clippy (pull_request) Successful in 4m1s
Test / rust-tests (pull_request) Successful in 5m18s
- Add -L flag to curl for linuxdeploy redirects
- Split migration 015 into 015_add_use_datastore_upload and 016_add_created_at
- Use separate execute calls for ALTER TABLE statements
- Add idempotency test for migration 015
- Use bool type for use_datastore_upload instead of i64
2026-04-13 08:38:43 -05:00
Shaun Arman
84c69fbea8 fix: add missing ai_providers columns and fix linux-amd64 build
Some checks failed
Test / rust-fmt-check (pull_request) Successful in 15s
Test / rust-clippy (pull_request) Failing after 17s
Test / frontend-typecheck (pull_request) Successful in 1m23s
Test / frontend-tests (pull_request) Successful in 1m23s
PR Review Automation / review (pull_request) Successful in 3m16s
Test / rust-tests (pull_request) Successful in 4m19s
- Add migration 015 to add use_datastore_upload and created_at columns
- Handle column-already-exists errors gracefully
- Update Dockerfile to install linuxdeploy for AppImage bundling
- Add fuse dependency for AppImage support
2026-04-13 08:22:08 -05:00
9bc570774a chore: update CHANGELOG.md for v0.2.53 [skip ci] 2026-04-13 03:19:05 +00:00
f7011c8837 Merge pull request 'fix(ci): use Gitea file API to push CHANGELOG.md' (#40) from fix/changelog-push into master
Some checks failed
Auto Tag / autotag (push) Successful in 7s
Auto Tag / wiki-sync (push) Successful in 5s
Auto Tag / changelog (push) Successful in 53s
Auto Tag / build-linux-arm64 (push) Successful in 14m55s
Auto Tag / build-windows-amd64 (push) Successful in 15m35s
Auto Tag / build-macos-arm64 (push) Successful in 10m26s
Auto Tag / build-linux-amd64 (push) Failing after 7m50s
Reviewed-on: #40
2026-04-13 03:18:10 +00:00
Shaun Arman
f74238a65a fix(ci): harden CHANGELOG.md API push step per review
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 26s
Test / frontend-typecheck (pull_request) Successful in 1m37s
Test / frontend-tests (pull_request) Successful in 1m25s
PR Review Automation / review (pull_request) Successful in 3m54s
Test / rust-clippy (pull_request) Successful in 4m25s
Test / rust-tests (pull_request) Successful in 5m47s
- set -euo pipefail (was -eu; pipefail catches silent pipe failures)
- Validate TAG against ^v[0-9]+\.[0-9]+\.[0-9]+$ before use in commit
  message and JSON payload — prevents shell injection
- Tolerate 404 on SHA fetch (new file): curl 2>/dev/null or true keeps
  CURRENT_SHA empty rather than causing jq to abort
- Use jq -n to build JSON payload — conditionally omits sha field when
  file does not exist yet; eliminates manual string escaping
- Check HTTP status of PUT; print response body and exit 1 on non-2xx
- Add Accept: application/json header to SHA fetch request
2026-04-12 22:13:25 -05:00
Shaun Arman
2da529fb75 fix(ci): use Gitea file API to push CHANGELOG.md — eliminates non-fast-forward rejection
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 14s
PR Review Automation / review (pull_request) Successful in 2m57s
Test / frontend-typecheck (pull_request) Successful in 1m15s
Test / frontend-tests (pull_request) Successful in 1m18s
Test / rust-clippy (pull_request) Successful in 5m34s
Test / rust-tests (pull_request) Successful in 6m52s
git push origin HEAD:master fails when master advances between the job's
fetch and its push. Replace with PUT /repos/.../contents/CHANGELOG.md
which atomically updates the file on master regardless of HEAD position.
2026-04-12 22:06:21 -05:00
2f6d5c1865 Merge pull request 'fix(ci): correct git-cliff archive path in tar extraction' (#39) from feat/git-cliff-changelog into master
Some checks failed
Auto Tag / wiki-sync (push) Successful in 9s
Auto Tag / autotag (push) Successful in 12s
Auto Tag / changelog (push) Failing after 42s
Auto Tag / build-windows-amd64 (push) Has been cancelled
Auto Tag / build-linux-amd64 (push) Has been cancelled
Auto Tag / build-linux-arm64 (push) Has been cancelled
Auto Tag / build-macos-arm64 (push) Has been cancelled
Reviewed-on: #39
2026-04-13 03:03:26 +00:00
Shaun Arman
280a9f042e fix(ci): correct git-cliff archive path in tar extraction
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 18s
Test / frontend-typecheck (pull_request) Successful in 1m10s
Test / frontend-tests (pull_request) Successful in 1m20s
PR Review Automation / review (pull_request) Successful in 2m56s
Test / rust-clippy (pull_request) Successful in 5m4s
Test / rust-tests (pull_request) Successful in 7m5s
2026-04-12 21:59:30 -05:00
41bc5f38ff Merge pull request 'feat(ci): automated changelog generation via git-cliff' (#38) from feat/git-cliff-changelog into master
Some checks failed
Auto Tag / autotag (push) Successful in 6s
Auto Tag / wiki-sync (push) Successful in 7s
Auto Tag / build-windows-amd64 (push) Failing after 16s
Auto Tag / changelog (push) Failing after 39s
Auto Tag / build-macos-arm64 (push) Successful in 2m4s
Auto Tag / build-linux-amd64 (push) Has been cancelled
Auto Tag / build-linux-arm64 (push) Has been cancelled
Reviewed-on: #38
2026-04-13 02:56:50 +00:00
Shaun Arman
6d2b69ffb0 feat(ci): add automated changelog generation via git-cliff
- Add cliff.toml with Tera template: feat/fix/perf/docs/refactor included;
  ci/chore/build/test/style excluded
- Bootstrap CHANGELOG.md from all existing semver tags (v0.1.0–v0.2.49)
- Add changelog job to auto-tag.yml: runs after autotag in parallel with
  build jobs; installs git-cliff v2.7.0 musl binary, generates CHANGELOG.md,
  PATCHes Gitea release body with per-release notes, commits CHANGELOG.md
  to master with [skip ci] to prevent re-trigger, uploads as release asset
- Add set -eu to all changelog job steps
- Null-check RELEASE_ID before API calls; create release if missing
  (race-condition fix: changelog finishes before build jobs create release)
- Add Changelog Generation section to docs/wiki/CICD-Pipeline.md
2026-04-12 21:56:16 -05:00
eae1c6e8b7 Merge pull request 'fix(ci): add APPIMAGE_EXTRACT_AND_RUN to build-linux-amd64' (#37) from fix/appimage-extract-and-run into master
Some checks failed
Auto Tag / autotag (push) Successful in 6s
Auto Tag / wiki-sync (push) Successful in 6s
Auto Tag / build-macos-arm64 (push) Successful in 2m11s
Auto Tag / build-linux-arm64 (push) Successful in 15m4s
Auto Tag / build-windows-amd64 (push) Successful in 16m30s
Auto Tag / build-linux-amd64 (push) Failing after 8m1s
Reviewed-on: #37
2026-04-13 02:16:44 +00:00
Shaun Arman
27a46a7542 fix(ci): add APPIMAGE_EXTRACT_AND_RUN to build-linux-amd64
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 13s
Test / rust-clippy (pull_request) Successful in 3m47s
PR Review Automation / review (pull_request) Successful in 4m11s
Test / frontend-typecheck (pull_request) Successful in 1m36s
Test / frontend-tests (pull_request) Successful in 1m26s
Test / rust-tests (pull_request) Successful in 5m30s
linuxdeploy is itself an AppImage. Running it inside a Docker container
requires APPIMAGE_EXTRACT_AND_RUN=1 so it extracts and runs its payload
directly rather than relying on FUSE (unavailable in containers).
Already set on build-linux-arm64 — missing from the amd64 job.
2026-04-12 20:56:42 -05:00
21de93174c Merge pull request 'perf(ci): pre-baked images + cargo/npm caching (~70% faster builds)' (#36) from feat/pr-review-workflow into master
Some checks failed
Auto Tag / autotag (push) Successful in 7s
Auto Tag / wiki-sync (push) Successful in 8s
Auto Tag / build-linux-arm64 (push) Successful in 15m53s
Auto Tag / build-windows-amd64 (push) Successful in 16m34s
Auto Tag / build-linux-amd64 (push) Failing after 8m10s
Auto Tag / build-macos-arm64 (push) Failing after 12m41s
Build CI Docker Images / windows-cross (push) Successful in 12m1s
Build CI Docker Images / linux-amd64 (push) Successful in 18m52s
Build CI Docker Images / linux-arm64 (push) Successful in 19m50s
Reviewed-on: #36
2026-04-13 01:23:48 +00:00
Shaun Arman
a365cba30e fix(ci): address second AI review — || true, ca-certs, cache@v4, key suffixes
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 13s
Test / frontend-typecheck (pull_request) Successful in 1m17s
Test / frontend-tests (pull_request) Successful in 1m20s
PR Review Automation / review (pull_request) Successful in 3m47s
Test / rust-clippy (pull_request) Successful in 4m4s
Test / rust-tests (pull_request) Successful in 5m21s
Dockerfiles:
- Remove || true from rustup component add in all three Linux images;
  rust:1.88-slim default profile already includes both components so the
  command is a clean no-op, not a failure risk — silencing errors served
  no purpose and only hid potential toolchain issues
- Add ca-certificates explicitly to Dockerfile.linux-amd64 and
  Dockerfile.windows-cross (rust:1.88-slim includes it, but being
  explicit is consistent with the arm64 fix and future-proofs against
  base image changes)

Workflows:
- Upgrade actions/cache@v3 → @v4 across test.yml and auto-tag.yml
  (v3 deprecated; v4 has parallel uploads and better large-cache support)
- Add linux-amd64 suffix to cargo cache keys in test.yml Rust jobs and
  auto-tag.yml build-linux-amd64 job; all four jobs target the same
  architecture and now share a cache, benefiting from cross-job hits
  (registry cache is source tarballs, not compiled artifacts — no
  pollution risk between targets)

Not changed:
- alpine:latest + docker-cli in build-images.yml is correct; the reviewer
  confused DinD with socket passthrough — docker:24-cli also has no daemon,
  both use the host socket; the builds already proved alpine works
- curl|bash for rustup is the official install method; rustup.rs publishes
  no checksums for the installer script itself
2026-04-12 20:16:32 -05:00
Shaun Arman
2ce38b9477 fix(ci): resolve test.yml failures — Cargo.lock, updated test assertions
Cargo.lock:
- Commit the pre-existing version bump (0.1.0 → 0.2.50) so cargo
  --locked does not fail in CI; Cargo.toml already at 0.2.50

releaseWorkflowCrossPlatformArtifacts.test.ts:
- Update test that previously checked for ubuntu:22.04 / ports mirror
  inline in auto-tag.yml; that setup moved to the pre-baked
  trcaa-linux-arm64 image so the test now verifies the image reference
  and cross-compile env vars instead

ciDockerBuilders.test.ts:
- Update test that checked for docker:24-cli; changed to alpine:latest
  + docker-cli to avoid act_runner v0.3.1 duplicate socket mount bug;
  negative assertion on docker:24-cli retained
2026-04-12 20:16:32 -05:00
Shaun Arman
461959fbca fix(docker): add ca-certificates to arm64 base image step 1
ubuntu:22.04 minimal does not guarantee ca-certificates is present
before the multiarch apt operations in Step 2. curl in Step 3 then
fails with error 77 (CURLE_SSL_CACERT_BADFILE) when fetching the
nodesource setup script over HTTPS.
2026-04-12 20:16:32 -05:00
Shaun Arman
a86ae81161 docs(docker): expand rebuild trigger comments to include OpenSSL and Tauri CLI 2026-04-12 20:16:32 -05:00
Shaun Arman
decd1fe5cf fix(ci): replace docker:24-cli with alpine + docker-cli in build-images
act_runner v0.3.1 has special-case handling for images named docker:*:
it automatically adds /var/run/docker.sock to the container's bind
mounts. The runner's own global config already mounts the socket, so
the two entries collide and the container fails to start with
"Duplicate mount point: /var/run/docker.sock".

Fix: use alpine:latest (no special handling) and install docker-cli
via apk alongside git in each Checkout step. The docker socket is
still available via the runner's global bind — we just stop triggering
the duplicate.
2026-04-12 20:16:32 -05:00
Shaun Arman
16930dca70 fix(ci): address AI review — rustup idempotency and cargo --locked
Dockerfiles:
- Merge rustup target add and component add into one chained RUN with
  || true guard, making it safe if rustfmt/clippy are already present
  in the base image's default toolchain profile (rust:1.88-slim default
  profile includes both; the guard is belt-and-suspenders)

test.yml:
- Add --locked to cargo clippy and cargo test to enforce Cargo.lock
  during CI, preventing silent dependency upgrades

Not addressed (accepted/out of scope):
- git in images: already installed in all three Dockerfiles (lines 19,
  13, 15 respectively) — reviewer finding was incorrect
- HTTP registry: accepted risk for air-gapped self-hosted infrastructure
- Image signing (Cosign): no infrastructure in place yet
- Hardcoded registry IP: consistent with project-wide pattern
2026-04-12 20:16:32 -05:00
Shaun Arman
bb0f3eceab perf(ci): use pre-baked images and add cargo/npm caching
Switch all test and release build jobs from raw base images to the
pre-baked images already defined in .docker/ and pushed to the local
Gitea registry. Add actions/cache@v3 for Cargo registry and npm to
eliminate redundant downloads on subsequent runs.

Changes:
- Dockerfile.linux-amd64/arm64: bake in rustfmt and clippy components
- test.yml: rust jobs → trcaa-linux-amd64:rust1.88-node22; drop inline
  apt-get and rustup component-add steps; add cargo cache
- test.yml: frontend jobs → add npm cache
- auto-tag.yml: build-linux-amd64 → trcaa-linux-amd64; drop Install
  dependencies step and rustup target add
- auto-tag.yml: build-windows-amd64 → trcaa-windows-cross; drop Install
  dependencies step and rustup target add
- auto-tag.yml: build-linux-arm64 → trcaa-linux-arm64 (ubuntu:22.04-based);
  drop ~40-line Install dependencies step, . "$HOME/.cargo/env", and
  rustup target add (all pre-baked in image ENV PATH)
- All build jobs: add cargo and npm cache steps
- docs/wiki/CICD-Pipeline.md: document pre-baked images, cache keys,
  and insecure-registries daemon prerequisite

Expected savings: ~70% faster PR test suite (~1.5 min vs ~5 min),
~72% faster release builds (~7 min vs ~25 min) after cache warms up.

NOTE: Trigger build-images.yml via workflow_dispatch before merging
to ensure images contain rustfmt/clippy before workflow changes land.
2026-04-12 20:16:32 -05:00
4fa01ae7ed Merge pull request 'feat/pr-review-workflow' (#35) from feat/pr-review-workflow into master
All checks were successful
Auto Tag / build-linux-amd64 (push) Successful in 35m33s
Auto Tag / build-linux-arm64 (push) Successful in 35m41s
Auto Tag / build-macos-arm64 (push) Successful in 18m31s
Auto Tag / autotag (push) Successful in 8s
Auto Tag / wiki-sync (push) Successful in 9s
Auto Tag / build-windows-amd64 (push) Successful in 14m12s
Reviewed-on: #35
2026-04-12 23:08:46 +00:00
Shaun Arman
181b9ef734 fix: harden pr-review workflow — secret redaction, log safety, auth header
All checks were successful
Test / frontend-typecheck (pull_request) Successful in 1m12s
Test / rust-tests (pull_request) Successful in 27m19s
Test / rust-fmt-check (pull_request) Successful in 2m35s
PR Review Automation / review (pull_request) Successful in 3m45s
Test / rust-clippy (pull_request) Successful in 25m55s
Test / frontend-tests (pull_request) Successful in 1m10s
- Replace flawed sed-based redaction with grep -v line-removal covering
  JS/YAML assignments, Authorization headers, AWS keys (AKIA…), Slack
  tokens (xox…), GitHub tokens (gh[opsu]_…), URLs with embedded
  credentials, and long Base64 strings
- Add -c flag to jq -n when building Ollama request body (compact JSON)
- Remove jq . full response dump to prevent LLM-echoed secrets in logs
- Change Gitea API Authorization header from `token` to `Bearer`
2026-04-12 18:03:17 -05:00
Shaun Arman
144a4551f2 fix: revert to two-dot diff — three-dot requires merge base unavailable in shallow clone
All checks were successful
PR Review Automation / review (pull_request) Successful in 3m46s
Test / rust-clippy (pull_request) Successful in 19m24s
Test / frontend-typecheck (pull_request) Successful in 1m15s
Test / rust-tests (pull_request) Successful in 20m43s
Test / frontend-tests (pull_request) Successful in 1m13s
Test / rust-fmt-check (pull_request) Successful in 2m46s
2026-04-12 17:40:12 -05:00
Shaun Arman
47b2e824e0 fix: replace github.server_url with hardcoded gogs.tftsr.com for container access 2026-04-12 17:40:12 -05:00
Shaun Arman
82aae00858 fix: resolve AI review false positives and address high/medium issues
Root cause of false-positive "critical" errors:
- sed pattern was matching api_key/token within YAML variable names
  (e.g. OLLAMA_API_KEY:) and redacting the ${{ secrets.X }} value,
  producing mangled syntax that confused the AI reviewer
- Fix: use [^$[:space:]] to skip values starting with $ (template
  expressions and shell variable references)

Other fixes:
- Replace --retry-all-errors with --retry-connrefused --retry-max-time 120
  to avoid wasting retries on unrecoverable 4xx errors
- Check HTTP_CODE before jq validation so error messages are meaningful
- Add permissions: pull-requests: write to job
- Add edited to pull_request.types so title changes trigger re-review
- Change git diff .. to git diff ... (three-dot merge-base diff)
- Replace hardcoded server/repo URLs with github.server_url and
  github.repository context variables (portability)
- Log review length before posting to detect truncation
2026-04-12 17:40:12 -05:00
Shaun Arman
1a4c6df6c9 fix: harden pr-review workflow — URLs, DNS, correctness and reliability
Security:
- Replace http://172.0.0.29:3000 git remote with https://gogs.tftsr.com
- Replace http://172.0.0.29:3000 Gitea API URL with https://gogs.tftsr.com
- Remove internal 172.0.0.29 from container DNS (keep 8.8.8.8, 1.1.1.1)
- Move PR_TITLE and PR_NUMBER to env vars to prevent shell injection

Correctness:
- Fix diff_size comparison from lexicographic > '0' to != '0'
- Strip leading whitespace from wc -l output via tr -d ' '
- Switch diff truncation from head -c 20000 to head -n 500 (line-safe)
- Add jq empty validation before parsing Ollama response

Reliability:
- Add --connect-timeout 30 and --retry 3 --retry-delay 5 to Ollama curl
- Add --connect-timeout 10 to review POST curl
- Change Post review comment to if: always() so it runs on analysis failure
- Post explicit failure comment when analysis produces no output
2026-04-12 17:40:12 -05:00
Shaun Arman
2d0f95e9db fix: configure container DNS to resolve ollama-ui.tftsr.com 2026-04-12 17:40:12 -05:00