[repository-quality] 🎯 Quality Report 2026-06-30: Unauthenticated API Fallback - Context, Timeout & Linter Blindspot #42486
This discussion was automatically closed because it expired on 2026-07-01T13:39:44.218Z.
🎯 Repository Quality Improvement Report - Unauthenticated API Fallback Call Chain
Analysis Date: 2026-06-30
Focus Area: Unauthenticated API Fallback Call Chain: Missing Context, Timeout & Linter Blindspot
Strategy Type: Custom
Custom Area: Yes - High-risk latency-sensitive area unique to this repo's compilation model
Executive Summary
Three unauthenticated GitHub API fallback functions bypass the established context/timeout patterns.
resolveRefToSHAViaPublicAPI and fetchPublicGitHubContentsAPI (both in pkg/parser/remote_fetch.go) accept no context.Context, construct requests via http.NewRequest, and dispatch via http.DefaultClient, which has no timeout. A slow api.github.com silently hangs the calling goroutine indefinitely during compilation. fetchPublicGitHubAPI (pkg/cli/update_workflows.go) correctly uses NewRequestWithContext but still uses http.DefaultClient; if the caller passes context.Background() with no deadline the socket can still block.
All three gaps are invisible to httpnoctx because it only intercepts .Get/.Head/.Post/.PostForm, not http.NewRequest + client.Do patterns.
Full Analysis Report
Current State Assessment
- http.DefaultClient (no timeout)
- context.Context parameter
- http.NewRequest (not NewRequestWithContext) calls
- httpnoctx coverage of NewRequest + .Do()
- Timeout constants.DefaultHTTPClientTimeout (30s) defined
Findings
Strengths: 7 HTTP clients already use constants.DefaultHTTPClientTimeout; httpnoctx linter active; established fix pattern in logs_download.go and mcp_logs_guardrail.go.
Critical Issues:
- resolveRefToSHAViaPublicAPI (remote_fetch.go:562) - no ctx, http.NewRequest, http.DefaultClient; third-tier fallback during compilation; can hang indefinitely
- fetchPublicGitHubContentsAPI (remote_fetch.go:1314) - same triple failure; called by downloadFileViaPublicAPI (line 984), listDirAllFilesViaPublicAPI (line 1177), and a third caller (line 1436), all context-free
- fetchPublicGitHubAPI (update_workflows.go:367) - context attached but http.DefaultClient residual risk
- httpnoctx linter does not flag http.NewRequest in context-aware functions
🤖 Tasks for Copilot Agent
NOTE TO PLANNER AGENT: Split the following tasks into individual work items.
Improvement Tasks
Task 1: Add Context and Timeout to resolveRefToSHAViaPublicAPI
Priority: High
Estimated Effort: Small
Focus Area: Unauthenticated API Fallback Hardening
Description: Add ctx context.Context as first parameter to resolveRefToSHAViaPublicAPI in pkg/parser/remote_fetch.go. Replace http.NewRequest with http.NewRequestWithContext(ctx, ...) and http.DefaultClient with &http.Client{Timeout: constants.DefaultHTTPClientTimeout}. Update the caller at line ~530 to pass context.
Acceptance Criteria:
- ctx context.Context as first parameter
- http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
- http.DefaultClient replaced with &http.Client{Timeout: constants.DefaultHTTPClientTimeout}
- make lint and make test pass
Code Region: pkg/parser/remote_fetch.go (function resolveRefToSHAViaPublicAPI ~line 562)
Task 2: Add Context and Timeout to fetchPublicGitHubContentsAPI Call Chain
Priority: High
Estimated Effort: Medium
Focus Area: Unauthenticated API Fallback Hardening
Description: fetchPublicGitHubContentsAPI and its three callers (downloadFileViaPublicAPI, listDirAllFilesViaPublicAPI, and a third caller near line 1436) all lack context. Add ctx context.Context as first parameter throughout, use http.NewRequestWithContext, and replace http.DefaultClient with a timeout-bearing client. A package-level var fallbackAPIClient = &http.Client{Timeout: constants.DefaultHTTPClientTimeout} avoids repeated allocations.
Acceptance Criteria:
- ctx context.Context as first parameter
- http.NewRequestWithContext(ctx, ...) used in fetchPublicGitHubContentsAPI
- http.DefaultClient replaced with fallbackAPIClient (or equivalent)
- make lint and make test pass
Code Region: pkg/parser/remote_fetch.go (lines ~984-1450, four functions)
Task 3: Replace http.DefaultClient in fetchPublicGitHubAPI
Priority: Medium
Estimated Effort: Small
Focus Area: HTTP Client Timeout Hygiene
Description: fetchPublicGitHubAPI (pkg/cli/update_workflows.go:367) uses http.NewRequestWithContext correctly but dispatches via http.DefaultClient (no timeout). Replace with &http.Client{Timeout: constants.DefaultHTTPClientTimeout} or a file-level variable.
Acceptance Criteria:
- http.DefaultClient replaced with a timeout-bearing client
- make lint and make test pass
Code Region: pkg/cli/update_workflows.go (function fetchPublicGitHubAPI ~line 367)
Task 4: Extend httpnoctx to Flag http.NewRequest in Context-Aware Functions
Priority: Medium
Estimated Effort: Medium
Focus Area: Linter Coverage Gap
Description: httpnoctx misses http.NewRequest + client.Do when context is present in the enclosing function. Add a rule that flags http.NewRequest(...) calls inside functions that already have a context.Context parameter, recommending http.NewRequestWithContext. Add testdata and update pkg/linters/doc.go.
Acceptance Criteria:
- httpnoctx reports http.NewRequest calls inside context-aware functions
- pkg/linters/httpnoctx/testdata/ covers true-positive and false-positive cases
- pkg/linters/doc.go updated; make lint and make test pass
Code Region: pkg/linters/httpnoctx/ and pkg/linters/doc.go
Historical Context
Previous Focus Areas (last 5)
🎯 Recommendations
Immediate Actions (This Week)
- resolveRefToSHAViaPublicAPI (Task 1) - Priority: High
- fetchPublicGitHubContentsAPI call chain (Task 2) - Priority: High
Short-term Actions (This Month)
- http.DefaultClient in fetchPublicGitHubAPI (Task 3) - Priority: Medium
- httpnoctx linter (Task 4) - Priority: Medium
Long-term Actions (This Quarter)
- http.DefaultClient usage when adding new unauthenticated fallback paths
Success Metrics
- http.DefaultClient uses in production code: 3 → 0
- httpnoctx coverage (convenience + NewRequest in ctx fns): 50% → 100%
Next Steps
References:
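The hang and the fix described in the report, reproduced against a local server that never answers. This is an added example, not code from the repository: fetch, stalled and the 200ms fallbackTimeout (a stand-in for the 30s constants.DefaultHTTPClientTimeout) are hypothetical names and values chosen for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Short stand-in for the 30s constant, and the package-level client from Task 2.
const fallbackTimeout = 200 * time.Millisecond
var fallbackAPIClient = &http.Client{Timeout: fallbackTimeout}

// fetch (hypothetical) takes ctx first and binds it to the request.
func fetch(ctx context.Context, client *http.Client, apiURL string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// stalled calls a constructed server that never answers; reports timeout vs. still blocked.
func stalled(ctx context.Context, client *http.Client, wait time.Duration) (timedOut, blocked bool) {
	release := make(chan struct{})
	srv := httptest.NewServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) { <-release }))
	defer srv.Close()
	defer close(release) // runs first, so Close is not held up by the handler
	done := make(chan error, 1)
	go func() { done <- fetch(ctx, client, srv.URL) }()
	select {
	case err := <-done:
		var ne net.Error
		return errors.As(err, &ne) && ne.Timeout(), false
	case <-time.After(wait):
		return false, true
	}
}

func main() {
	fmt.Println(stalled(context.Background(), http.DefaultClient, time.Second))
	fmt.Println(stalled(context.Background(), fallbackAPIClient, time.Second))
}
```

The first call is the Task 3 residual risk: a context is attached, but with context.Background() and http.DefaultClient nothing bounds the wait. Either a context deadline or a client Timeout is enough to turn the hang into a timeout error.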