
chore: update all repo URLs to codecoradev/cora-cli#137

Merged: ajianaz merged 4 commits into develop from chore/repo-url-migration on Jun 2, 2026

Conversation

ajianaz (Collaborator) commented Jun 2, 2026

Post-migration URL update

Update all references to after repo transfer.

Files changed: 11 (Cargo.toml, README, CHANGELOG, CONTRIBUTING, AGENT.md, init.rs, release.yml, cora-review actions, website docs)

No functional changes — URL string replacements only.

Closes #123

…-cli

Post-migration branding update across all files.
No functional changes — URL references only.

Closes #123
github-actions bot commented Jun 2, 2026

🔍 Cora AI Code Review

Blocked — critical issues found.

🔴 Error (3)

  • .github/actions/cora-review/action.yml:106 — The cora-api-key is declared as an inputs field. GitHub Actions inputs are visible in workflow run logs and can be exposed through debug logging, step annotations, or when the workflow is re-run with debug enabled. The previous Infisical OIDC approach kept secrets out of GitHub entirely. Now the API key flows through inputs and then env, which is a less secure pattern. Consider using GitHub Secrets directly mapped to environment variables instead of passing through action inputs.
  • .github/actions/cora-review/action.yml:106 — The cora-review-simple action downloads a binary via curl | tar xz -C /usr/local/bin without any checksum verification. While the cora-review action does attempt checksum verification, the simple variant pipes directly from curl into tar, which is vulnerable to MITM (man-in-the-middle) attacks. A compromised download could execute arbitrary code in the CI environment.
  • .github/workflows/release.yml:97 — The line cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }} --allow-dirty passes the secret directly as a command argument. While GitHub masks secrets in logs, if the command fails or is run with certain debug options, the token could appear in error messages or process listings. The previous pattern of using an environment variable was safer.

Review powered by cora-cli · BYOK · MIT
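The second finding above (the `curl | tar xz` pattern) is the one a CI reviewer can fix mechanically. The script below is an added example written for this page; it is not the cora-cli project's action.yml and does not reproduce the actual cora-review-simple step. It assumes `sha256sum` or `shasum` is on PATH and that the pinned digest comes from somewhere the workflow already trusts (hard-coded in the workflow, or a signed checksums file published with the release). The download is written to a temp file, its SHA-256 is compared with the pinned value, and only then is it extracted; the offline demo builds a small tarball locally, pins its digest, and shows that a tampered copy is rejected.

```shell
#!/bin/sh
# Added example (not the cora-cli project's action.yml): download a release
# archive to a file, check its SHA-256 against a pinned digest, and only then
# extract it. Replaces the `curl ... | tar xz -C /usr/local/bin` pattern.
# Assumptions: sha256sum or shasum is on PATH; the pinned digest comes from a
# trusted source (hard-coded in the workflow, or a signed checksums file).

# Print the hex SHA-256 of a file, portable across sha256sum/shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Extracts only when the digest matches; on mismatch deletes the archive and
# returns 1 so the CI step fails instead of installing an untrusted binary.
verify_and_extract() {
  archive="$1"; expected="$2"; dest="$3"
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: expected $expected, got $actual" >&2
    rm -f "$archive"
    return 1
  fi
  mkdir -p "$dest" && tar xzf "$archive" -C "$dest"
}

# fetch_and_extract URL EXPECTED_SHA256 DESTDIR
# Never pipe curl into tar: write to a temp file so the digest can be checked
# before anything is unpacked. (Needs network; not exercised by the demo.)
fetch_and_extract() {
  url="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp) || return 1
  if ! curl --fail --silent --show-error --location --output "$tmp" "$url"; then
    rm -f "$tmp"; return 1
  fi
  if verify_and_extract "$tmp" "$expected" "$dest"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Offline demo with a constructed archive: the pinned digest is taken from a
# locally built tarball, then a tampered copy is shown to be rejected.
# Prints "ok ok" when the good archive extracts and the bad one is refused.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src"
  printf '#!/bin/sh\necho cora\n' > "$work/src/cora-review"
  tar czf "$work/good.tgz" -C "$work/src" cora-review
  pinned=$(sha256_of "$work/good.tgz")
  cp "$work/good.tgz" "$work/bad.tgz"
  printf 'x' >> "$work/bad.tgz"            # simulate a modified download
  if verify_and_extract "$work/good.tgz" "$pinned" "$work/out" \
     && [ -f "$work/out/cora-review" ]; then
    good=ok; else good=fail; fi
  if verify_and_extract "$work/bad.tgz" "$pinned" "$work/out2" 2>/dev/null; then
    bad=fail; else bad=ok; fi
  rm -rf "$work"
  echo "$good $bad"
}

demo
```

In a workflow the caller would run `fetch_and_extract "$URL" "$PINNED_SHA256" /usr/local/bin` with the digest stored next to the version string, so bumping the release requires updating both; a digest fetched over the same unauthenticated channel as the archive adds nothing.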

CTO Hermes added 3 commits June 2, 2026 14:21
Infisical OIDC subject not configured for codecoradev org yet.
This adds continue-on-error + fallback to org secrets
(CORA_API_KEY, CORA_BASE_URL, CORA_MODEL).

Closes #124

All CI workflows now read secrets directly from GitHub org secrets
(CORA_API_KEY, CORA_BASE_URL, CORA_MODEL, CARGO_REGISTRY_TOKEN,
CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID).

Infisical OIDC removed from:
- .github/actions/cora-review/action.yml (replaced with secrets.*)
- .github/workflows/cora-review.yml (removed infisical-identity-id)
- .github/workflows/release.yml (CARGO_REGISTRY_TOKEN direct)
- .github/workflows/deploy-website.yml (CF token direct)

Note: CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID need to be
added as org or repo secrets in codecoradev.

Composite actions cannot access secrets.* context.
Pass CORA_API_KEY, CORA_BASE_URL, CORA_MODEL as inputs from
workflow caller (which can access secrets.*).

Development

Successfully merging this pull request may close these issues.

Task 1.2: Update all branding URLs (Cargo.toml, README, CHANGELOG, website)

1 participant