
Refine Actions secret encryption path in nacl/box usage#35496

Merged
pelikhan merged 9 commits into main from copilot/go-fan-review-golangorg-x-crypto on May 28, 2026

Conversation


Copilot AI commented May 28, 2026

gh-aw uses golang.org/x/crypto only for repository secret encryption, and this issue called for two low-risk cleanups: remove an unnecessary key copy in production code and replace a test magic number with box’s exported overhead constant.

  • Production: eliminate redundant public-key copy

    • Updated encryptWithPublicKey to convert the validated decoded key bytes directly to *[32]byte for box.SealAnonymous, instead of copying into a temporary array.
    • Keeps existing strict length validation and behavior unchanged.
  • Tests: remove hardcoded ciphertext-size expectation

    • Replaced the fixed base64 length threshold for empty plaintext with base64.StdEncoding.EncodedLen(box.AnonymousOverhead).
    • Makes the assertion self-documenting and aligned with upstream nacl/box constants.
```go
// pkg/cli/secret_set_command.go: the validated key bytes are converted in place
// (slice-to-array-pointer) and handed straight to box.SealAnonymous.
if len(raw) != publicKeySize {
	return "", fmt.Errorf("unexpected public key length: %d, expected %d", len(raw), publicKeySize)
}
pk := (*[publicKeySize]byte)(raw[:publicKeySize])
ciphertext, err := box.SealAnonymous(nil, []byte(plaintext), pk, rand.Reader)

// pkg/cli/secret_set_command_test.go: minimum base64 length for empty plaintext,
// derived from the upstream overhead constant instead of a hardcoded 64.
minBase64CiphertextLen := base64.StdEncoding.EncodedLen(box.AnonymousOverhead)
```

Copilot AI and others added 6 commits May 28, 2026 15:30
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review golang.org/x/crypto module for security and updates" to "Refine Actions secret encryption path in nacl/box usage" May 28, 2026
Copilot AI requested a review from gh-aw-bot May 28, 2026 15:40
@pelikhan pelikhan marked this pull request as ready for review May 28, 2026 15:58
Copilot AI review requested due to automatic review settings May 28, 2026 15:58

Copilot AI left a comment


Pull request overview

Small cleanups in the Actions secret encryption code path: a redundant key-copy is removed in the production helper, and a hardcoded ciphertext-size magic number in tests is replaced with the upstream nacl/box constant. The remaining file changes are regenerated workflow lock files (linguist-generated artifacts) reflecting compiler/output updates unrelated to the encryption refactor.

Changes:

  • Convert decoded public-key bytes directly to *[32]byte via slice-to-array-pointer conversion in encryptWithPublicKey, avoiding a temporary array and copy.
  • Replace hardcoded 64 minimum base64 ciphertext length in TestEncryptWithPublicKeyEmptyPlaintext with base64.StdEncoding.EncodedLen(box.AnonymousOverhead).
  • Regenerated .github/workflows/*.lock.yml artifacts (new experiment outputs, AWF version bumps, setup action layout changes).
Summary per file:

  • pkg/cli/secret_set_command.go: removes the redundant 32-byte copy; uses a slice-to-array-pointer cast for box.SealAnonymous.
  • pkg/cli/secret_set_command_test.go: replaces the magic 64 with base64.StdEncoding.EncodedLen(box.AnonymousOverhead).
  • .github/workflows/daily-byok-ollama-test.lock.yml: regenerated (schema v4, AWF 0.25.56, inline ./actions/setup, model-multiplier step, etc.).
  • .github/workflows/*.lock.yml (many): regenerated artifacts adding individual pick-experiment outputs.

Copilot's findings


  • Files reviewed: 27/27 changed files
  • Comments generated: 0

@pelikhan pelikhan merged commit 5325e30 into main May 28, 2026
26 checks passed
@pelikhan pelikhan deleted the copilot/go-fan-review-golangorg-x-crypto branch May 28, 2026 17:39


Development

Successfully merging this pull request may close this issue: [go-fan] Go Module Review: golang.org/x/crypto

4 participants