Skip to content

require-await-core-summary-write: tighten isCoreLikeIdentifier to exact alias set#43382

Merged
pelikhan merged 3 commits into
mainfrom
copilot/require-await-core-summary-write
Jul 4, 2026
Merged

require-await-core-summary-write: tighten isCoreLikeIdentifier to exact alias set#43382
pelikhan merged 3 commits into
mainfrom
copilot/require-await-core-summary-write

Conversation

Copilot AI commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

isCoreLikeIdentifier used /^core/i, which over-matches any identifier starting with corecoreCache, coreData, coreference, etc. — none of which are @actions/core bindings.

Changes

  • require-await-core-summary-write.ts: Replace the broad regex with an exact Set-based allow-list containing the two verified corpus aliases:

    // "core"    — conventional require("@actions/core") name in github-script steps
    // "coreObj" — alias used in parse_mcp_gateway_log.cjs
    const CORE_ALIASES = new Set(["core", "coreObj"]);
    
    function isCoreLikeIdentifier(name: string): boolean {
      return CORE_ALIASES.has(name);
    }

    Comment documents the decision and instructs maintainers where to add new aliases.

  • rootsSummary JSDoc: Updated coreObj.summary (any identifier alias)coreObj.summary (known @actions/core alias — see CORE_ALIASES).

  • require-await-core-summary-write.test.ts: New valid test block asserting coreCache, coreData, and coreference are not flagged, codifying the tightened boundary against future regressions.

Copilot AI and others added 2 commits July 4, 2026 12:46
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…wn alias set

Replace the broad `/^core/i` prefix heuristic with an exact allow-list
(CORE_ALIASES = new Set(["core", "coreObj"])) to prevent false positives
from unrelated objects like coreCache, coreData, or coreference.

Add a doc comment explaining the decision and listing the two verified
@actions/core binding names in the corpus. Update the rootsSummary JSDoc
to reference CORE_ALIASES instead of claiming "any identifier alias".

Add a valid test block asserting that coreCache, coreData, and coreference
are NOT flagged, codifying the tightened boundary.

Closes #43325

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix over-matching issue in require-await-core-summary-write require-await-core-summary-write: tighten isCoreLikeIdentifier to exact alias set Jul 4, 2026
Copilot AI requested a review from pelikhan July 4, 2026 12:49
@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Hey @Copilot 👋 — great fix on the isCoreLikeIdentifier over-matching bug! Replacing the broad /^core/i regex with an exact Set-based allow-list is exactly the right approach, and the new regression tests for coreCache, coreData, and coreference nicely codify the tightened boundary.

This looks clean and ready for review. ✅

Generated by ✅ Contribution Check · 172.3 AIC · ⌖ 15.7 AIC · ⊞ 6.3K ·

@pelikhan pelikhan marked this pull request as ready for review July 4, 2026 15:42
Copilot AI review requested due to automatic review settings July 4, 2026 15:42
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #43382 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100).

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens the require-await-core-summary-write ESLint rule’s detection of @actions/core summary chains by replacing a broad ^core prefix match with an exact allow-list of known aliases, preventing false positives on unrelated identifiers.

Changes:

  • Replace the isCoreLikeIdentifier /^core/i heuristic with a Set-based allow-list (CORE_ALIASES) for exact alias matching.
  • Update rule documentation to clarify the alias constraint.
  • Add tests ensuring coreCache, coreData, and coreference are not incorrectly flagged.
Show a summary per file
File Description
eslint-factory/src/rules/require-await-core-summary-write.ts Replaces prefix-based “core” matching with an exact allow-list for known @actions/core aliases.
eslint-factory/src/rules/require-await-core-summary-write.test.ts Adds regression coverage to ensure non-alias identifiers starting with core are not flagged.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions github-actions Bot mentioned this pull request Jul 4, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change is correct and well-executed. A few observations:\n\n- Regex → Set: swapping /^core/i for Set.has() eliminates the false-positive class cleanly. The implicit narrowing from case-insensitive to case-sensitive matching is intentional and safe (no real @actions/core binding uses mixed/uppercase).\n- Comment quality: the block comment above CORE_ALIASES documents corpus provenance and gives future maintainers a clear extension point — no guesswork needed.\n- Test coverage: the new valid block with coreCache, coreData, and coreference directly codifies the bug that was fixed and will catch regressions.\n\nNo actionable issues. 🟢

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 20.8 AIC · ⌖ 5.87 AIC · ⊞ 4.9K

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100 — Excellent

Analyzed 1 test(s): 1 design, 0 implementation, 0 violation(s).

📊 Metrics (1 test)
Metric Value
Analyzed 1 (Go: 0, JS/TS: 1)
✅ Design 1 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 1 (100%)
Duplicate clusters 0
Inflation No (test:prod ratio 9:12 = 0.75:1)
🚨 Violations 0
Test File Classification Issues
valid: identifiers outside CORE_ALIASES are not flagged even with .summary.write() chain require-await-core-summary-write.test.ts:101 design_test · high_value · behavioral_contract None

Verdict

Passed. 0% implementation tests (threshold: 30%). The new test directly codifies the behavioral contract of the tightened CORE_ALIASES exact-match set, providing a high-value regression guard against false positives on look-alike identifiers (e.g., coreCache, coreData, coreference). No violations detected.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 32.8 AIC · ⌖ 9.56 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 100/100. 0% implementation tests (threshold: 30%). The new test is a high-value behavioral contract guard for the tightened CORE_ALIASES exact-match set.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs and /tdd — two minor comments, no blocking issues.

📋 Key Themes & Highlights

Key Themes

  • Undocumented behaviour change: the regex-to-Set swap silently removes case-insensitivity (see inline comment on require-await-core-summary-write.ts:32). Worth a one-line note in the comment block so future maintainers know it was intentional.
  • Test description couples to internals: the new it("valid: identifiers outside CORE_ALIASES...") name references the constant rather than the observable behaviour (see inline comment on the test file).

Positive Highlights

  • ✅ Root cause properly addressed — the old prefix regex was the right thing to fix, not just the test expectations.
  • ✅ Regression test added alongside the fix — exactly the right TDD move.
  • ✅ Comment block is thorough and provides a clear extension point for new aliases.
  • ✅ Diff is surgical: only the matching heuristic and its JSDoc were touched; nothing else shifted.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 36 AIC · ⌖ 7 AIC · ⊞ 6.6K
Comment /matt to run again

// Known aliases (extend here when a new verified binding is introduced):
// "core" — conventional require("@actions/core") name in github-script steps
// "coreObj" — alias used in parse_mcp_gateway_log.cjs
const CORE_ALIASES = new Set(["core", "coreObj"]);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/diagnosing-bugs] The switch from /^core/i to CORE_ALIASES.has() silently drops case-insensitivity — Core.summary.write() and CORE.summary.write() were flagged before and are now silently passed. This is almost certainly the correct decision, but the comment block doesn't call it out, leaving a future maintainer to wonder if it was accidental.

💡 Suggested addition to the comment block
// Known aliases (extend here when a new verified binding is introduced):
//   "core"    — conventional require("`@actions/core`") name in github-script steps
//   "coreObj" — alias used in parse_mcp_gateway_log.cjs
//
// Note: matching is intentionally case-sensitive; no uppercase aliases are known
//       in the corpus, and the prior /^core/i was over-broad.
const CORE_ALIASES = new Set(["core", "coreObj"]);

@copilot please address this.

});
});

it("valid: identifiers outside CORE_ALIASES are not flagged even with .summary.write() chain", () => {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] The test name couples to the internal constant name CORE_ALIASES. If the constant is ever renamed, the test description becomes stale. Prefer a behaviour-description name that does not reference internals.

💡 Suggested rename
// Before:
it("valid: identifiers outside CORE_ALIASES are not flagged even with .summary.write() chain", ...

// After:
it("valid: identifiers that only start with 'core' but are not known `@actions/core` aliases are not flagged", ...

This reads as a specification — the reader understands the intent without needing to know the constant name.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No blocking issues

This is a well-executed, surgical narrowing. The Set-based allow-list eliminates the false-positive class precisely, the block comment documents corpus provenance and gives a clear extension point, and the new valid test block codifies the regression boundary. The implicit case-sensitivity change (no longer matching Core, CORE) is intentional and safe — no real @actions/core binding uses mixed/uppercase.

Sub-agent and independent analysis both found no actionable issues.

🔎 Code quality review by PR Code Quality Reviewer · 103.5 AIC · ⌖ 6.29 AIC · ⊞ 5.4K
Comment /review to run again

@pelikhan pelikhan merged commit 6c40101 into main Jul 4, 2026
51 checks passed
@pelikhan pelikhan deleted the copilot/require-await-core-summary-write branch July 4, 2026 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

require-await-core-summary-write: /^core/i root heuristic over-matches unrelated objects

3 participants