
Use merge-base for git audit comparisons #21967

Merged
MikeMcQuaid merged 1 commit into main from audit-use-merge-base on Apr 10, 2026

MikeMcQuaid (Member) commented Apr 9, 2026

  • compare brew audit changes to the branch point, not contemporary origin/HEAD commits
  • avoid false positives when unrelated dependency bumps land after a branch is cut
  • cover changed_formulae_paths and committed_version_info with merge-base regression specs

Fixes #21861


  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests (excluding integration tests) for your changes? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) with your changes locally?

  • AI was used to generate or assist with generating this PR. Please specify below how you used AI to help you, and what steps you have taken to manually verify the changes.

Used OpenAI Codex with manual review and feedback.


Copilot AI review requested due to automatic review settings April 9, 2026 14:37
Copilot AI (Contributor) left a comment

Pull request overview

Updates brew audit’s git-based comparisons to use the merge-base between origin/HEAD and HEAD, so audits evaluate changes relative to the branch point rather than the moving tip of origin/HEAD (avoiding false positives from unrelated upstream commits).

Changes:

  • Switch changed_formulae_paths to diff from a merge-base SHA (with fallback to origin/HEAD).
  • Switch committed_version_info history traversal to start from the merge-base SHA.
  • Add regression specs covering merge-base behavior for both paths and version-history logic.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Library/Homebrew/formula_auditor.rb | Introduces git_audit_base_ref and uses it for git diff/history lookups instead of origin/HEAD. |
| Library/Homebrew/test/formula_auditor_spec.rb | Adds/adjusts specs to assert merge-base is used for diffs and history traversal. |


- compare `brew audit` changes to the branch point, not
  contemporary `origin/HEAD` commits
- avoid false positives when unrelated dependency bumps land
  after a branch is cut
- cover `changed_formulae_paths` and
  `committed_version_info` with merge-base regression specs
MikeMcQuaid force-pushed the audit-use-merge-base branch from e44b677 to 33cda80 April 9, 2026 16:13
MikeMcQuaid enabled auto-merge April 9, 2026 16:22
MikeMcQuaid added this pull request to the merge queue Apr 10, 2026
Merged via the queue into main with commit 6370ece Apr 10, 2026
38 checks passed
MikeMcQuaid deleted the audit-use-merge-base branch April 10, 2026 15:04

Development

Successfully merging this pull request may close these issues.

Git audits should check against merge-base not HEAD
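
The false positive this pull request addresses can be reproduced in a throwaway repository. The script below is an added example, not code from the pull request or from Homebrew; the repository layout, the file names, and the helpers `audit_base_ref`, `changed_paths`, `commit_file` and `build_demo` are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: the repositories, file names and helper names are made up.
set -e

# Ref to diff against: the branch point when it can be computed, otherwise
# the tip of origin/HEAD (the fallback mentioned in the review summary).
audit_base_ref() {
  git -C "$1" merge-base origin/HEAD HEAD 2>/dev/null || echo origin/HEAD
}

# Space-separated list of files that differ between ref $2 and HEAD in repo $1.
changed_paths() {
  git -C "$1" diff --name-only "$2" HEAD | paste -sd ' ' -
}

# Write $3 into file $2 of repo $1 and commit it with a throwaway identity.
commit_file() {
  echo "$3" > "$1/$2"
  git -C "$1" add "$2"
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
    -c commit.gpgsign=false commit -q -m "$3"
}

# Build an upstream and a clone, cut a branch, then let upstream move on.
build_demo() {
  work=$(mktemp -d)
  git init -q "$work/upstream"
  commit_file "$work/upstream" foo.rb "foo 1.0"
  commit_file "$work/upstream" dep.rb "dep 1.0"
  git clone -q "$work/upstream" "$work/fork"
  git -C "$work/fork" checkout -q -b bump-foo
  commit_file "$work/fork" foo.rb "foo 1.1"
  # Unrelated dependency bump lands upstream after the branch was cut.
  commit_file "$work/upstream" dep.rb "dep 2.0"
  git -C "$work/fork" fetch -q origin
  echo "$work/fork"
}

fork=$(build_demo)
echo "diff vs origin/HEAD tip: $(changed_paths "$fork" origin/HEAD)"
echo "diff vs merge-base:      $(changed_paths "$fork" "$(audit_base_ref "$fork")")"
```

Diffing against the moving tip attributes the upstream `dep.rb` change to the branch, while diffing against the merge-base reports only the file the branch actually touched.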
