fix(ci): provision upstream policy parser#2
Conversation
|
Cursor (@cursor) review exact commit c5161b1. Please report every issue, including minor findings, or explicitly state zero issues. |
|
copilot-pull-request-reviewer review exact commit c5161b1. Please report every issue, including minor findings, or explicitly state zero issues. |
There was a problem hiding this comment.
Pull request overview
This PR hardens the upstream-sync GitHub Actions workflow by provisioning a pinned YAML parser (yaml@2.8.4) into an isolated temp directory for lifecycle-contract verification, and by tightening when Git credentials are made available during the sync process.
Changes:
- Switch discover checkout to
persist-credentials: falseand add an isolated/tmp/upstream-verifierinstall+copy+run flow for contract verification. - In validate, run the verifier script + pinned parser from
/tmp/upstream-verifier, sourcing the verifier from trustedmain(_policy) instead of the untrusted candidate tree. - Authenticate Git only immediately before pushing (via
gh auth setup-git).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Install trusted verifier parser | ||
| run: | | ||
| mkdir -p /tmp/upstream-verifier | ||
| npm install --prefix /tmp/upstream-verifier --ignore-scripts --no-save --package-lock=false --no-audit --no-fund yaml@2.8.4 | ||
| cp _policy/scripts/verify-resource-cleanup-contract.mjs /tmp/upstream-verifier/verify.mjs |
| git commit -m "chore: record upstream ${upstream_sha:0:12}" | ||
| gh auth setup-git | ||
| git push --force-with-lease origin "$SYNC_BRANCH" |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit c5161b1. Configure here.
Summary
Root cause
The first post-merge acceptance dispatch ran the trusted verifier from a clean checkout without its yaml dependency. The repository also had Issues disabled; Issues are now enabled so fail-closed remediation can be recorded.
Verification
Note
Low Risk
Workflow-only hardening for verifier dependencies and Git credential timing; no application runtime or auth logic changes.
Overview
Upstream sync now runs the RC001–RC014 lifecycle verifier from a dedicated
/tmp/upstream-verifierinstall that pinsyaml@2.8.4withnpm install --ignore-scripts, instead of invokingnode scripts/verify-resource-cleanup-contract.mjsdirectly on a checkout that may lack that dependency.On discover, a new
verify_contracthelper wipes that temp dir, installs the parser, copies the verifier script, and runs it when fork main already matches upstream. Discover checkout setspersist-credentials: false, andgh auth setup-gitruns only immediately beforegit pushto the sync branch.On validate, a new step installs the same isolated parser and copies the verifier from
_policy(trusted main), then checks_candidatevianode /tmp/upstream-verifier/verify.mjsso policy script and YAML parser are not taken from the untrusted candidate tree.Reviewed by Cursor Bugbot for commit c5161b1. Bugbot is set up for automated code reviews on this repo. Configure here.