
CI: block AI commits #3973

Open
patrickelectric wants to merge 1 commit into bluerobotics:master from patrickelectric:check-ai

Conversation

@patrickelectric patrickelectric commented Jul 2, 2026


Summary by Sourcery

CI:

  • Introduce a GitHub Actions workflow that scans pull request commits for known AI tool author or co-author email signatures and fails the workflow if any are detected.

Signed-off-by: Patrick José Pereira <patrickelectric@gmail.com>

sourcery-ai bot left a comment


Hey - I've found 2 issues

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path=".github/workflows/block-ai-commits.yml" line_range="19" />
<code_context>
+      pull-requests: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
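Review bot: `uses: actions/checkout@v6` references a mutable major tag; for a step whose whole purpose is enforcing commit provenance, pinning the action to a full commit SHA (keeping the tag name in a trailing comment) stops the check itself from changing underneath the repository. `fetch-depth: 0` is right here, since the later `git log "${BASE_SHA}..${HEAD_SHA}"` needs both ends of the range present in the clone.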
</code_context>
<issue_to_address>
**issue (bug_risk):** Use a currently available checkout action version to avoid workflow failures

`actions/checkout` only provides stable major versions up to `v4`. Using `actions/checkout@v6` will cause this workflow to fail at runtime. Please update to a supported version such as `actions/checkout@v4` to keep the workflow working across runners.
</issue_to_address>

### Comment 2
<location path=".github/workflows/block-ai-commits.yml" line_range="42-44" />
<code_context>
+          )
+          pattern="$(IFS='|'; echo "${signatures[*]}")"
+
+          if git log --no-merges \
+               --format='%h %ae %ce %(trailers:key=Co-authored-by,valueonly,unfold)' \
+               "${BASE_SHA}..${HEAD_SHA}" | grep -iE "$pattern"; then
+            echo "::error::This pull request contains commits authored or co-authored by AI tools."
+            exit 1
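Review bot: the `if git log … | grep -iE "$pattern"; then` condition only tests the pipeline's status, so a `git log` that fails (an unfetched SHA, for example) produces no output, `grep` reports no match, the branch is skipped and the step reports the all-clear instead of failing. Write the log to a file first (`git log … > commits.txt`) so its own exit status is checked, then grep the file. Separately, the bare `grep -iE` echoes the matched author/committer emails into the job log; `grep -q` for the decision plus a separate extraction of the `%h` field gives an actionable annotation without printing the addresses.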
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Avoid leaking matching email addresses in logs by using grep -q

The current `grep -iE "$pattern"` prints matched lines, including abbreviated commit hashes and author/committer emails, into workflow logs, which is a privacy concern. Use `grep -qiE "$pattern"` (or add `-q`) so the check still blocks offending commits but only the error message is logged, not the matched line content.

```suggestion
          if git log --no-merges \
               --format='%h %ae %ce %(trailers:key=Co-authored-by,valueonly,unfold)' \
               "${BASE_SHA}..${HEAD_SHA}" | grep -qiE "$pattern"; then
```
</issue_to_address>



github-actions Bot commented Jul 2, 2026


Automated PR Review

0. Summary

  • Verdict: MINOR SUGGESTIONS ✏️

Adds .github/workflows/block-ai-commits.yml, a pull_request-triggered workflow that greps the PR's commit range for known AI-tool author/committer emails and Co-authored-by trailers, failing the job when any are found.

1. Correctness & Implementation Bugs

  • 1.1 [minor] .github/workflows/block-ai-commits.yml:44-50 — with set -euo pipefail, an if <pipeline> uses the pipeline's exit status as the condition, and pipefail propagates a failure from the left side of the pipe. If git log fails (e.g. shallow clone edge case, missing SHA, rebased/force-pushed head that momentarily desyncs), the pipeline exits non-zero, the if is false, and the script falls through to echo "No AI-authored or AI-co-authored commits found." — a real failure is silently treated as a clean result. Consider running git log … > /tmp/commits.txt first (so set -e catches its failure) and then if grep -iE "$pattern" /tmp/commits.txt, or explicitly branching on grep's exit code with || rc=$?.

6. Code Quality & Style

  • 6.1 [nit] .github/workflows/block-ai-commits.yml:38 — the escapes in the array entries (cursor\.com, anthropic\.com, …) only matter when the string is used as a regex. Since the joined pattern is fed to grep -iE, the \. correctly matches a literal dot, but this is worth a short comment above the array explaining that these entries are ERE patterns, not plain strings — the two users\.noreply\.github\.com/github\.com entries would otherwise read as regular email addresses. One line of context prevents a future contributor from adding a plain-string entry that unintentionally matches too broadly.
  • 6.2 [nit] .github/workflows/block-ai-commits.yml:14 — group: block-ai-commits-${{ github.event.pull_request.number }} is fine; for consistency with other workflows in this repo you could also include ${{ github.workflow }}-${{ github.ref }}, but the current form is unambiguous per-PR, so this is optional.

9. Nitpicks / Optional

  • 9.1 [nit] The workflow blocks any commit whose author/committer email or Co-authored-by trailer matches an AI tool signature, but does not detect AI usage that goes through a human-authored commit (e.g. the author strips the Co-authored-by trailer). Worth documenting in the workflow's top-of-file comment so reviewers know the enforcement scope, and so future maintainers don't over-trust the check.
  • 9.2 [nit] .github/workflows/block-ai-commits.yml:29 — the step name "Check commits for AI authorship" is clear; consider surfacing the offending commit hash(es) in the ::error:: annotation (e.g. git log … | grep -iE "$pattern" captured into a variable, then echoed inside the error) so PR authors immediately see which commit tripped the rule instead of having to re-run the grep locally.

Generated by PR Review Bot. This is advisory, a human reviewer must still approve.
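The pipeline failure mode described in 1.1, together with the log-leak point from the Sourcery comment and the surface-the-hash suggestion in 9.2, as an added shell example that is not the PR's workflow file. It rebuilds the scanning step on constructed input in the `%h %ae %ce <trailers>` shape that the workflow's `git log --format` prints, so it runs without a git repository; the signature list, the sample emails and hashes, and the function names are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not the PR's .github/workflows/block-ai-commits.yml.
# It rebuilds the commit-scanning step on constructed input so two review
# points can be observed without a git repository:
#   (1) an `if producer | grep ...` condition reports "clean" when the
#       producer itself fails, because only the pipeline status is tested;
#   (2) printing matched lines echoes author/committer emails into the log,
#       while printing only the %h field still names the offending commit.
# SIGNATURES and the sample log lines are hypothetical values for this demo.
set -u

# Entries are ERE patterns (hence the escaped dots), joined with '|' for grep -E.
SIGNATURES='noreply@anthropic\.com cursor\.com copilot@users\.noreply\.github\.com'

build_pattern() {
  pat=""
  for s in $SIGNATURES; do
    if [ -n "$pat" ]; then pat="$pat|$s"; else pat="$s"; fi
  done
  printf '%s' "$pat"
}

# Constructed stand-ins for `git log --no-merges --format='%h %ae %ce %(trailers:...)'`.
log_clean() {
  printf '%s\n' 'a1b2c3d dev@example.com dev@example.com' \
                'b2c3d4e dev@example.com dev@example.com Pair Dev <pair@example.com>'
}
log_flagged() {
  printf '%s\n' 'a1b2c3d dev@example.com dev@example.com' \
                'c3d4e5f dev@example.com dev@example.com Claude <noreply@anthropic.com>' \
                'd4e5f6a bot@cursor.com dev@example.com'
}
log_failing() {            # simulates git log failing on an unfetched revision
  echo "fatal: bad revision (simulated)" >&2
  return 128
}

# Reads log lines on stdin and prints only the abbreviated hash of each match.
flagged_hashes() {
  grep -iE "$(build_pattern)" | cut -d' ' -f1
}

# Shape under review. Returns 0 = clean, 1 = blocked. A failing producer
# yields no input, grep finds nothing, and the step wrongly reports clean.
check_naive() {
  if "$1" 2>/dev/null | grep -qiE "$(build_pattern)"; then
    echo "::error::This pull request contains commits authored or co-authored by AI tools." >&2
    return 1
  fi
  echo "No AI-authored or AI-co-authored commits found."
  return 0
}

# Hardened shape: materialise the log first so a producer failure is its own
# outcome (2), then grep the file and surface hashes only. 0 = clean, 1 = blocked.
check_strict() {
  tmp=$(mktemp) || return 2
  if ! "$1" > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "::error::Could not read the commit range; refusing to report clean." >&2
    return 2
  fi
  hashes=$(flagged_hashes < "$tmp" | tr '\n' ' ')
  rm -f "$tmp"
  if [ -n "$hashes" ]; then
    echo "::error::AI-authored or co-authored commits: $hashes" >&2
    return 1
  fi
  echo "No AI-authored or AI-co-authored commits found."
  return 0
}

# `sh this_file.sh demo` prints the outcome of both checks for each producer.
if [ "${1:-}" = "demo" ]; then
  for producer in log_clean log_flagged log_failing; do
    check_naive "$producer" 2>&1;  echo "naive  $producer -> exit $?"
    check_strict "$producer" 2>&1; echo "strict $producer -> exit $?"
  done
fi
```

Running it with `demo` shows the naive check returning 0 for the failing producer while the strict one returns 2, which is the silent-pass the automated review warns about; the strict form also reports only `c3d4e5f d4e5f6a`, so the annotation is actionable without the matched addresses appearing in the log. The file-first shape also sidesteps a second subtlety of `grep -q` under `pipefail`: `grep -q` exits on the first match, and a producer still writing can then die with SIGPIPE, turning a genuine match into a non-zero pipeline status.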
