From 3e30f1a56a91f46ba7981bf594c1f4f4821279ba Mon Sep 17 00:00:00 2001
From: ECC Test
Date: Tue, 9 Jun 2026 21:20:17 -0400
Subject: [PATCH] ci: harden workflows and sponsor code review config
---
.coderabbit.yaml | 36 +++++++++++++
.github/copilot-instructions.md | 4 +-
.github/prompts/code-review.prompt.md | 56 ---------------------
.github/workflows/ci.yml | 10 ++++
.github/workflows/reusable-test.yml | 2 +
.github/workflows/reusable-validate.yml | 2 +
greptile.json | 67 +++++++++++++++++++++++++
7 files changed, 119 insertions(+), 58 deletions(-)
create mode 100644 .coderabbit.yaml
delete mode 100644 .github/prompts/code-review.prompt.md
create mode 100644 greptile.json
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
new file mode 100644
index 00000000..c32bd034
--- /dev/null
+++ b/.coderabbit.yaml
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: "en-US"
+early_access: false
+tone_instructions: "Be direct, concise, and evidence-led. Prioritize actionable findings over praise."
+
+reviews:
+ profile: "assertive"
+ request_changes_workflow: false
+ high_level_summary: true
+ high_level_summary_in_walkthrough: true
+ review_status: true
+ review_details: true
+ commit_status: true
+ fail_commit_status: true
+ auto_review:
+ enabled: true
+ drafts: false
+ path_instructions:
+ - path: ".github/workflows/**"
+ instructions: |
+ Treat workflow changes as security-sensitive. Flag unpinned third-party actions, broad write permissions, persisted checkout credentials in write-token jobs, pull_request_target misuse, and untrusted GitHub context interpolated into shell commands.
+ - path: "{scripts,bin}/**"
+ instructions: |
+ Focus on command injection, unsafe subprocess usage, path traversal, SSRF, secret exposure, and missing tests for new CLI behavior.
+ - path: "skills/**/scripts/**"
+ instructions: |
+ Review generated or imported scripts as untrusted-input tooling. Flag RCE, path traversal, network fetches without validation, and writes outside the expected workspace.
+ - path: "{skills,commands,agents,rules}/**"
+ instructions: |
+ Focus on prompt-injection resilience, tool-permission scope, destructive action guards, and secret exfiltration risks.
+ - path: "{SECURITY.md,docs/security/**}"
+ instructions: |
+ Check that official distribution surfaces, disclosure guidance, and supply-chain rules stay accurate and do not endorse unofficial packages.
+
+chat:
+ auto_reply: true
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index a6a1ee13..02002d06 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
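Review bot: No entry under `path_instructions` in the new `.coderabbit.yaml` covers the reviewer configuration itself, so a pull request that loosens `.coderabbit.yaml` or `greptile.json` (dropping a rule, widening an ignore pattern) gets no targeted scrutiny from the rules added here. I would add an entry such as `- path: "{.coderabbit.yaml,greptile.json}"` with instructions to flag removed security rules, new ignore patterns and disabled status checks. Whether the service reads this file from the base or the head branch is not visible in the diff; if it is the head, a CODEOWNERS rule on both files would be the stronger control.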
@@ -83,10 +83,11 @@ Use AAA structure (Arrange / Act / Assert) and descriptive test names that expla Types: `feat`, `fix`, `refactor`, `docs`, `test`, `chore`, `perf`, `ci` -PR checklist before requesting review: +PR checklist before requesting sponsored review: - CI passing, merge conflicts resolved, branch up to date with target - Full diff reviewed (`git diff [base-branch]...HEAD`) - Test plan included in PR description +- Code review is handled by CodeRabbit and Greptile. Do not add or route PR code review through Copilot, Claude, Codex, or other reviewer bots. ## Code Quality Checklist @@ -107,7 +108,6 @@ Use these prompts in Copilot Chat for deeper workflows: |--------|-------------|---------| | `/plan` | Complex feature | Phased implementation plan | | `/tdd` | New feature or bug fix | Test-driven development cycle | -| `/code-review` | After writing code | Quality and security review | | `/security-review` | Before a release | Deep security analysis | | `/build-fix` | Build/CI failure | Systematic error resolution | | `/refactor` | Code maintenance | Dead code cleanup and simplification | diff --git a/.github/prompts/code-review.prompt.md b/.github/prompts/code-review.prompt.md deleted file mode 100644 index 2704ba86..00000000 --- a/.github/prompts/code-review.prompt.md +++ /dev/null 
@@ -1,56 +0,0 @@
----
-agent: agent
-description: Comprehensive code quality and security review of the selected code or recent changes
----
-
-# Code Review
-
-Review the selected code (or the current diff if nothing is selected) across four dimensions. Only report issues you are **confident about** — flag uncertainty explicitly rather than guessing.
-
-## Dimensions
-
-### 1. Security (CRITICAL — block ship if found)
-- Hardcoded secrets, tokens, API keys, passwords
-- Missing input validation or sanitization at system boundaries
-- SQL/NoSQL injection risk (string interpolation in queries)
-- XSS risk (unsanitized HTML output)
-- Auth/authz checks missing or client-side only
-- Sensitive data in logs or error messages exposed to clients
-- Missing rate limiting on public endpoints
-
-### 2. Code Quality (HIGH)
-- Mutation of existing state instead of creating new objects
-- Functions over 50 lines or files over 800 lines
-- Nesting deeper than 4 levels
-- Duplicated logic that should be extracted
-- Misleading or non-descriptive names
-
-### 3. Error Handling (HIGH)
-- Silently swallowed errors (`catch {}`, empty catch blocks)
-- Missing error handling at async boundaries
-- Errors returned but not checked by callers
-- User-facing error messages leaking internal details
-
-### 4. Test Coverage (MEDIUM)
-- Missing tests for new logic
-- Tests that only test happy paths (missing error/edge cases)
-- Assertions that always pass
-
-## Output Format
-
-For each issue found:
-
-```
-**[CRITICAL|HIGH|MEDIUM|LOW]** — [File:Line if known]
-Issue: [What is wrong]
-Fix: [Concrete suggestion]
-```
-
-End with a summary:
-```
-## Summary
-- Critical: N
-- High: N
-- Medium: N
-- Approved to ship: yes / no (fix CRITICAL and HIGH first)
-```
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64320a18..be6a451f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,6 +36,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js ${{ matrix.node }} uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -114,6 +116,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -175,6 +179,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -200,6 +206,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -227,6 +235,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml index 71e33996..745c707c 100644 --- a/.github/workflows/reusable-test.yml +++ b/.github/workflows/reusable-test.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/.github/workflows/reusable-validate.yml b/.github/workflows/reusable-validate.yml index c82aa013..a12b8fcb 100644 --- a/.github/workflows/reusable-validate.yml +++ b/.github/workflows/reusable-validate.yml 
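Review bot: The token scope these jobs run with is not pinned anywhere in the visible lines. None of the five `ci.yml` hunks, nor the matching ones in `reusable-test.yml` and `reusable-validate.yml`, shows a `permissions:` block. `persist-credentials: false` only keeps the checkout token out of `.git/config`; it does not narrow what the job's token may do. If the workflows do not already declare it outside the hunks, add a top-level `permissions:` with `contents: read`. Also confirm that no later step in these jobs runs an authenticated git command (push, tag, private submodule fetch), which would now fail; each job's body starts and ends outside its hunk.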
@@ -18,6 +18,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/greptile.json b/greptile.json new file mode 100644 index 00000000..3e77e149 --- /dev/null +++ b/greptile.json 
@@ -0,0 +1,67 @@
+{
+ "strictness": 2,
+ "commentTypes": ["logic", "syntax", "style"],
+ "triggerOnUpdates": true,
+ "triggerOnDrafts": false,
+ "shouldUpdateDescription": false,
+ "updateExistingSummaryComment": true,
+ "statusCheck": true,
+ "statusCommentsEnabled": true,
+ "disabledLabels": ["no-review", "skip-review", "wip"],
+ "excludeBranches": ["dependabot/**"],
+ "fileChangeLimit": 80,
+ "ignoreKeywords": "no-review\nskip-review\nmechanical-format-only",
+ "ignorePatterns": "node_modules/**\ndist/**\nbuild/**\ncoverage/**\n.vite/**\n.next/**\n.cache/**\n*.lock\npackage-lock.json\nyarn.lock\npnpm-lock.yaml\nassets/**/*.png\nassets/**/*.jpg\nassets/**/*.jpeg\nassets/**/*.gif\nassets/**/*.webp\n**/*.generated.*",
+ "summarySection": {
+ "included": true,
+ "collapsible": true,
+ "defaultOpen": true
+ },
+ "issuesTableSection": {
+ "included": true,
+ "collapsible": false,
+ "defaultOpen": true
+ },
+ "confidenceScoreSection": {
+ "included": true,
+ "collapsible": true,
+ "defaultOpen": false
+ },
+ "sequenceDiagramSection": {
+ "included": true,
+ "collapsible": true,
+ "defaultOpen": false
+ },
+ "customContext": {
+ "rules": [
+ {
+ "scope": [".github/workflows/**"],
+ "rule": "Flag unpinned third-party GitHub Actions, broad write permissions, persisted checkout credentials in write-token jobs, pull_request_target misuse, and untrusted GitHub context inside shell commands."
+ },
+ {
+ "scope": ["scripts/**", "bin/**", "skills/**/scripts/**"],
+ "rule": "Treat CLI inputs, URLs, file paths, and subprocess arguments as untrusted. Flag RCE, SSRF, path traversal, unsafe shell usage, and missing regression tests."
+ },
+ {
+ "scope": ["skills/**", "commands/**", "agents/**", "rules/**"],
+ "rule": "Review for prompt injection, tool-permission creep, destructive-action ambiguity, hidden persistence, and secret exfiltration risks."
+ },
+ {
+ "scope": ["SECURITY.md", "docs/security/**", "README.md"],
+ "rule": "Ensure package and distribution claims only list official ECC surfaces. Flag unofficial npm packages, stale historical repo paths, and misleading install instructions."
+ }
+ ],
+ "files": [
+ {
+ "scope": ["**/*"],
+ "path": "SECURITY.md",
+ "description": "ECC disclosure policy, official package surfaces, out-of-scope rules, and supply-chain guardrails."
+ },
+ {
+ "scope": ["**/*"],
+ "path": "AGENTS.md",
+ "description": "Workspace-level agent routing and operating constraints."
+ }
+ ]
+ }
+}
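Review bot: `ignoreKeywords` lets the pull-request author switch the review off, assuming Greptile matches these strings against the PR title or description, which an outside contributor controls. `disabledLabels` already gives maintainers a skip path that needs triage rights, so I would drop the `"ignoreKeywords": "no-review\nskip-review\nmechanical-format-only"` line, or at least confirm that a skipped review does not report a passing `statusCheck`. Separately, `ignorePatterns` excludes `*.lock`, `package-lock.json`, `yarn.lock` and `pnpm-lock.yaml`, and `excludeBranches` skips `dependabot/**`, so dependency changes need some other check to cover them.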