ci(trivy): fix sarif upload to github security dashboard#3523
Merged

bug-ops added a commit that referenced this pull request on Apr 27, 2026:
…summarization) (#3525)

* refactor(context): relocate CompactionOutcome and BudgetHint to zeph-agent-context

Move CompactionOutcome from zeph-core::agent::context (private) to zeph-agent-context::state (pub). Move BudgetHint from assembly.rs (private) to zeph-agent-context::helpers (pub) with full doc and tests. zeph-core now imports both types from zeph-agent-context — no local copies remain. Isolation invariant holds: `cargo tree -p zeph-agent-context | grep zeph-core` is empty.

* refactor(context): expand MessageWindowView and migrate trivial mutators to ContextService

Expand MessageWindowView with cached_prompt_tokens, token_counter, and completed_tool_ids fields (PR0b view expansion). Migrate 15 message-window mutator methods from Agent<C> assembly.rs to ContextService: clear_history, 13 remove_* methods, and trim_messages_to_budget. Each Agent<C> shim creates a ZST ContextService instance and delegates via message_window_view(). All original logic deleted from zeph-core. Move message prefix constants (CORRECTIONS_PREFIX, CODE_CONTEXT_PREFIX, SESSION_DIGEST_PREFIX, LSP_NOTE_PREFIX, DOCUMENT_RAG_PREFIX) to zeph-agent-context::helpers, updating all callers including test modules. 1345 tests pass. Isolation: zeph-agent-context has no dependency on zeph-core.

* docs(changelog): record PR0a and PR0b+PR1 context migration steps

* refactor(context): fix workspace compilation errors and clippy warnings from context migration

Seven compilation errors in zeph-core caused by partially-migrated prepare_context:
- Fix unresolved imports in retrieved.rs (prefix consts from zeph-agent-context::helpers)
- Fix SECURITY_EVENT_CAP path (crate::metrics, not crate::agent::utils)
- Fix sanitizer borrow (&ContentSanitizer, not Arc<...>)
- Fix quarantine_summarizer: .as_ref() instead of .clone() (no Clone impl)
- Fix channel_skills: .allowed field (&[String], not ChannelSkillsConfig)
- Remove ref binding in Edition 2024 spawn_outgoing_digest pattern
- Fix borrow conflict in prepare_context: snapshot cached_prompt_tokens and call self.providers() before constructing view struct literals with mutable borrows

Twenty clippy warnings resolved:
- zeph-agent-context: needless_borrow, clone_on_copy, doc_markdown (x4), ref pattern
- zeph-core: unused imports, unexpected cfg (index feature absent in zeph-core), dead_code (14 test-only shims moved to #[cfg(test)] impl block), TxStatus removed, as_index_access removed, SESSION_DIGEST_PREFIX unused import, too_many_lines allow, items_after_statements (SecuritySink moved to module scope)

Isolation invariant verified: cargo tree -p zeph-agent-context | grep zeph-core is empty. All 8998 unit tests pass.

Closes #3523 (tasks #7 and #8)

* refactor(context): expand ContextSummarizationView and migrate compaction types (PR0b)

- Replace PhantomData placeholder in ContextSummarizationView with 20 real borrow-lens fields covering the message window, context manager, runtime handles, memory persistence, and compaction state
- Move SubgoalRegistry, SubgoalExtractionResult, BlockScore, ContentDensity, SubgoalId, SubgoalState, and all scoring/compaction functions from zeph-core::agent::compaction_strategy to zeph-agent-context::compaction
- Delete zeph-core/src/agent/compaction_strategy.rs; all callers updated to import from zeph_agent_context
- Update CompressionState in zeph-core::agent::state to reference zeph_agent_context types
- Migrate run_focus_auto_consolidation async tests to zeph-agent-context
- Invariant holds: zeph-agent-context has no dependency on zeph-core

* refactor(context): add summarization_view() shim on Agent<C> (PR2)

- Add `summarization_view()` method on `Agent<C>` in `assembly.rs` that constructs a `ContextSummarizationView` borrow-lens from disjoint field projections: message window, context manager, runtime handles, memory persistence, and all compression-state fields
- Expose `build_summarization_deps` as `pub(super)` so `assembly.rs` (in the same `context` module) can call it when building the view
- The shim is the integration point for subsequent migration PRs (PR4 deferred summaries, PR7 proactive compression, PR8 compaction); suppressed with `#[allow(dead_code)]` until the first call site lands in PR4

* refactor(context): migrate summarization modules to ContextService

Move all summarization logic from zeph-core to zeph-agent-context/src/summarization/:
- compaction.rs: LLM-based compact_context engine (partition → summarize → drain → reinsert)
- deferred.rs: tool-pair deferred summarization (count, find, apply, flush, maybe_apply)
- pruning.rs: five-strategy tool-output eviction (Reactive, TaskAware, MIG, Subgoal, SubgoalMIG)
- scheduling.rs: Soft/Hard/mid-iteration compaction dispatch + background goal/subgoal extraction

Implement all service.rs stubs: maybe_compact, maybe_summarize_tool_pair, apply_deferred_summaries, flush_deferred_summaries, maybe_apply_deferred_summaries, maybe_soft_compact_mid_iteration, maybe_proactive_compress, maybe_refresh_task_goal, maybe_refresh_subgoal, reset_conversation.

Isolation invariant holds: cargo tree -p zeph-agent-context | grep zeph-core produces no output. 44 unit tests pass, 8658 workspace tests pass.

* refactor(context): wire Agent<C> summarization delegation to ContextService

Replace old Agent<C> summarization implementations in zeph-core/summarization/ with thin delegation shims to ContextService:
- scheduling.rs: replace maybe_compact (~400 LOC), do_soft_compaction, do_hard_compaction, maybe_proactive_compress, maybe_soft_compact_mid_iteration with service delegations. Add CollectStatusSink to bridge service status emissions to channel.send_status. Track context_compactions and compaction_hard_count metrics post-delegation since MetricsCallback is not available in ContextSummarizationView.
- deferred.rs: replace maybe_summarize_tool_pair, apply_deferred_summaries, flush_deferred_summaries, maybe_apply_deferred_summaries with service delegations. Move test-only helpers (count_unsummarized_pairs, find_oldest_unsummarized_pair, count_deferred_summaries) to cfg(test) impl block.
- pruning.rs: mark all Agent<C> pruning methods as test-only (dead_code allowed). Production pruning now goes through ContextService via ContextSummarizationView.
- compaction.rs: add test-only compact_context_with_budget delegation shim for integration tests exercising orphan-pair detection and tool-pair boundary adjustment.

Isolation invariant holds: cargo tree -p zeph-agent-context | grep zeph-core is empty. 8653/8653 workspace tests pass.

* refactor(context): move dead pruning methods to cfg(test) and document compact_context blocker

pruning.rs: remove #[allow(dead_code)] from the impl block that mixed live and dead methods. Move the test-only Agent<C> pruning methods (prune_tool_outputs, prune_tool_outputs_oldest_first, prune_tool_outputs_scored, prune_tool_outputs_mig, prune_tool_outputs_subgoal, prune_tool_outputs_subgoal_mig, evict_sorted_blocks, prune_protection_boundary) into a #[cfg(test)] impl block so the compiler enforces their test-only status. Keep prune_stale_tool_outputs in the production impl (called from native.rs). Gate dump_pruning_scores and dump_subgoal_registry in DebugDumper with #[cfg(test)] since they are now only called from the test-only pruning impl.

compaction.rs: add TODO(review) comment on compact_context explaining why the simple ContextService::compact_context delegation is not yet possible — the service lacks probe validation, tool output archiving, Qdrant session-summary write, and returns usize instead of CompactionOutcome. The existing full implementation is kept intact. compact_context_command already delegates to compact_context and needs no changes.

* docs(context): fix broken intra-doc link in state.rs
Summary

- Add `continue-on-error: true` to the Trivy scan step so the job does not enter a failed state when vulnerabilities are found
- Remove the `if: always()` guard from the SARIF upload step

Root cause

The Trivy scan step was configured with `exit-code: '1'`, which exits non-zero when vulnerabilities are found. GitHub Actions marks the job as failed when any step fails without `continue-on-error`. The `github/codeql-action/upload-sarif` action silently drops SARIF uploads from failed jobs, so no findings ever reached the Security dashboard — even though the upload step itself ran via `if: always()`.

Fix

Setting `continue-on-error: true` on the scan step keeps the job green. The upload step runs on a healthy job and the SARIF results are accepted by the GitHub Security API.

Test plan
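As an added example (not this project's workflow file), the two job shapes the PR contrasts side by side: the broken one, where `exit-code: '1'` fails the job and the `if: always()` upload is discarded, and the fixed one with `continue-on-error: true`. The `aquasecurity/trivy-action` and `actions/checkout` actions, their version tags, the `security-events: write` permission and the SARIF file name are assumptions; only `upload-sarif`, `exit-code`, `continue-on-error` and `if: always()` come from the PR description.

```yaml
# Added example, not the project's own workflow. Action names, version tags
# and the SARIF file name are assumptions; only upload-sarif, exit-code,
# continue-on-error and if: always() come from the PR description.
name: trivy

on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write code-scanning alerts

jobs:
  # BEFORE: exit-code '1' fails the step, the job is marked failed, and
  # upload-sarif drops SARIF from a failed job even though if: always() ran it.
  trivy-broken:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
          exit-code: '1'
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif

  # AFTER: the scan step may still report a failure outcome, but
  # continue-on-error keeps the job conclusion green, so the upload step
  # runs on a healthy job and the SARIF is accepted by the Security API.
  trivy-fixed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
          exit-code: '1'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

With `continue-on-error` the scan's exit code no longer blocks the pipeline, so the code-scanning alerts in the Security tab become the enforcement point and any merge gating has to be driven from those alerts rather than from the step result.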