perf(update): full cross-category parallelism for version detection#26
…llelism

Replace per-category sequential ThreadPoolExecutor with a single global executor for all regular tools. Previously each category was processed sequentially with its own executor, creating an unnecessary bottleneck where slow tools in one category blocked all subsequent categories.

Also simplify guide.sh tool sorting to plain alphabetical within groups, replacing the complex runtime-first/multi-version-descending sort.

Changes:

- audit.py: single ThreadPoolExecutor for all regular tools
- audit.py: add category label [cat] to progress output
- audit.py: add grouped summary with per-category status counts
- audit.py: handle CONFLICT/UNKNOWN statuses in summary
- audit.py: guard against empty regular_tools (max_workers=0)
- audit.py: fix KeyboardInterrupt to cancel futures before with-block exit
- audit.py: remove redundant ToolCatalog construction in result loop
- guide.sh: replace sort_tools_runtime_first with sort_tools_by_name

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Summary of Changes

Hello @CybotTM, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly boosts the performance of the tool version detection process by implementing full parallelism across all tools, rather than processing them sequentially by category. It also streamlines the tool display logic in the
Code Review
The pull request modifies the audit process to improve parallelism and output formatting. It changes the audit process to submit all tools to a single executor for maximum parallelism, and adds a summary by category. ANSI colors are added for all platforms. The tool sorting in guide.sh was changed to sort alphabetically by name within a category. Reviewers noted a vulnerability where version information from external sources is printed without sanitization, potentially allowing terminal manipulation. They also suggested improving the efficiency of grouping results by category using Counter from the collections module, and simplifying the sort_tools_by_name function in guide.sh using printf.
- Sanitize externally-sourced version strings before terminal output to prevent escape sequence injection from malicious upstream tags
- Replace O(categories × results) summary loop with single-pass Counter
- Simplify sort_tools_by_name to printf + sort

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
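The sanitization the review asked for and the follow-up commit implements, as an added illustration that is not the project's code: `sanitize_version` is a hypothetical helper that strips CSI/OSC escape sequences and stray control bytes from an upstream version string before it reaches the terminal and caps its length; the sample inputs are constructed.

```python
import re

# Constructed sample inputs (not from the project): version strings as an
# upstream tag might deliver them, including hostile ones that embed ANSI
# escape sequences to manipulate the terminal of whoever reads the audit output.
SAMPLE_VERSIONS = {
    "clean": "1.2.3",
    "csi_injection": "1.2.3\x1b[2J\x1b[31mPWNED\x1b[0m",
    "osc_title": "\x1b]0;evil title\x07 4.5.6",
    "control_chars": "7.8.9\r\n\x00",
}

# CSI sequences (ESC [ params intermediates final), OSC sequences
# (ESC ] ... BEL or ESC \) and any other two-byte ESC sequence.
_ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[@-Z\\-_]"                      # other Fe escapes (ESC + one byte)
)
# Remaining C0/C1 control characters and DEL.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_version(raw: str, max_len: int = 64) -> str:
    """Return a version string that is safe to print to a terminal.

    Escape sequences are removed first, then any leftover control bytes,
    then the result is trimmed and length-capped so a hostile tag cannot
    flood the summary table either.
    """
    text = _ANSI_RE.sub("", raw)
    text = _CTRL_RE.sub("", text)
    return text.strip()[:max_len]


def sanitize_all(versions: dict) -> dict:
    """Apply sanitize_version to every detected version before display."""
    return {name: sanitize_version(v) for name, v in versions.items()}


if __name__ == "__main__":
    for name, v in sanitize_all(SAMPLE_VERSIONS).items():
        print(f"{name:15} {v!r}")
```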
## Summary

Closes the actionable gaps flagged by `/automated-assessment` across the `agent-rules`, `git-workflow`, `github-project`, and `enterprise-readiness` skill checkpoints.

Starting state: 28 pass / 59 fail (7 errors, 45 warnings). After this PR: **66 pass / 31 fail** (4 errors, 11 warnings, 16 info).

Remaining failures are all either checker false positives (script bugs — AG-13 double-escaped regex, GH-24/26 multi-line regex, GH-30/31 command-whitelist rejections), PHP-centric checks that don't apply to this Python project (ER-02 `composer audit`), external-registration dependent (ER-05 OpenSSF Best Practices badge), or info-level optional sections.

## What changed

| Commit | What |
|---|---|
| [`139e9bf`](139e9bf) | Governance files: `SECURITY.md`, `CHANGELOG.md`, `.github/CODEOWNERS`, `.github/PULL_REQUEST_TEMPLATE.md` |
| [`304dddd`](304dddd) | Supply-chain workflows: `codeql.yml` (security-extended + security-and-quality), `scorecard.yml`, `dependency-review.yml` |
| [`5c006ab`](5c006ab) | `.pre-commit-config.yaml`: flake8, black, isort, shellcheck, hygiene hooks |
| [`28654fa`](28654fa) | README badges: CI, CodeQL, Codecov, OpenSSF Scorecard, License |
| [`e427278`](e427278) | AGENTS.md: canonical sections (Setup / Development / Testing / Architecture / Commands) + `Last verified` footer |
| [`a593745`](a593745) | `security.yml` (pip-audit + bandit + CycloneDX SBOM) + `vendor/` in `.gitignore` |
| [`a616933`](a616933) | `step-security/harden-runner` in CodeQL, Scorecard, dependency-review workflows (audit mode) |

All GitHub Actions SHA-pinned. YAML + bash syntax validated. Full test suite: 546 passed.

## Checkpoints covered

Errors: ER-22, GH-11, ER-01, ER-03, GH-19 (+2 false-positive multi-line regex errors remain: GH-24 / GH-26).

Warnings: GW-03, GW-05, GW-06, GW-14, GH-3, GH-5, GH-10, GH-12, ER-04, ER-19, ER-20, ER-21, ER-23, ER-27, ER-44, AG-03 through AG-07, AG-18.

## Not in scope

- **ER-05** (bestpractices.dev badge) — requires external registration at [openssf.org/bestpractices](https://www.bestpractices.dev/), not a code change.
- **PHP/TYPO3-specific checks** (ER-70/71/72/73 Infection mutation targets, ER-31 phpstan baseline, ER-02 `composer audit`) — false positives for a Python project.
- **Script-whitelist rejections** (GW-15, GH-6, GH-23, GH-30, GH-31, ER-43) — the checkpoint runner's allowed-command whitelist is overly restrictive; re-check manually if needed.
- **AG-13** (`Commands (verified…)` heading regex) — checker's YAML parser double-escapes backslashes, making the regex uncompilable. Unfixable content-side.
- **AG-12, AG-14–17, AG-26** — info-level optional AGENTS.md sections.

## Test plan

- [x] `uv run pytest` — 546 passed, 1 skipped
- [x] `python3 -c "import yaml; yaml.safe_load(open(f))"` on every new/modified workflow
- [x] `/automated-assessment` re-run: 66 pass / 31 fail (was 28/59)
- [ ] CI run on this branch to confirm the three new workflows execute and pass on push/PR.
- [ ] Monitor first Scorecard weekly run; publish badge to the badges row if score is reasonable.
## Summary

- Replace per-category sequential `ThreadPoolExecutor` with a single global executor for all regular tools — removes the bottleneck where slow tools in one category blocked all subsequent categories
- Simplify `guide.sh` tool sorting to plain alphabetical within groups (was: runtime-first → multi-version descending → others)

## Details

audit.py:

- Single `ThreadPoolExecutor(max_workers=min(MAX_WORKERS, len(regular_tools)))` for all tools
- Add `[cat]` in progress output for context without per-category headers
- Fix KeyboardInterrupt to cancel futures before `with`-block exit
- Guard against empty `regular_tools` list (avoids `max_workers=0` ValueError)
- Remove redundant `ToolCatalog()` construction inside result loop (reuse outer scope)

guide.sh:

- Replace `sort_tools_runtime_first()` with 4-line `sort_tools_by_name()` (plain alphabetical sort)
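An added example, not the project's audit.py, of the executor shape the description lists: one `ThreadPoolExecutor` for every tool, the `max_workers=0` guard, futures cancelled on KeyboardInterrupt while still inside the with-block, and the single-pass per-category `Counter` summary from the follow-up commit. `SAMPLE_TOOLS`, `detect_version` and `run_audit` are hypothetical stand-ins with simulated probe delays.

```python
import time
from collections import Counter
from concurrent.futures import ThreadPoolExecutor, as_completed

MAX_WORKERS = 8

# Constructed catalog (not the project's): (name, category, simulated delay, status).
# The slow "runtime" tool sits in the first category; with a single global pool
# it no longer blocks detection of the "linters" category queued behind it.
SAMPLE_TOOLS = [
    ("python", "runtime", 0.3, "OK"),
    ("node", "runtime", 0.05, "OUTDATED"),
    ("shellcheck", "linters", 0.02, "OK"),
    ("flake8", "linters", 0.02, "CONFLICT"),
    ("mystery", "misc", 0.01, "UNKNOWN"),
]


def detect_version(tool):
    """Stand-in for the real probe: sleep for the simulated delay, return a result."""
    name, cat, delay, status = tool
    time.sleep(delay)
    return {"tool": name, "cat": cat, "status": status}


def run_audit(tools, max_workers=MAX_WORKERS):
    """Submit every tool to one executor; return (results, per-category Counter)."""
    results = []
    if not tools:                        # guard: max_workers=0 raises ValueError
        return results, {}
    with ThreadPoolExecutor(max_workers=min(max_workers, len(tools))) as pool:
        futures = {pool.submit(detect_version, t): t for t in tools}
        try:
            for fut in as_completed(futures):
                r = fut.result()
                results.append(r)
                print(f"[{r['cat']}] {r['tool']}: {r['status']}")
        except KeyboardInterrupt:
            # Cancel queued work *inside* the with-block; otherwise __exit__
            # waits for every pending future before the interrupt propagates.
            for fut in futures:
                fut.cancel()
            raise
    summary = {}
    for r in results:                    # single pass instead of categories x results
        summary.setdefault(r["cat"], Counter())[r["status"]] += 1
    return results, summary
```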