CI: block AI commits#3973
Conversation
Signed-off-by: Patrick José Pereira <patrickelectric@gmail.com>
Hey - I've found 2 issues
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path=".github/workflows/block-ai-commits.yml" line_range="19" />
<code_context>
+ pull-requests: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
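Review bot: `uses: actions/checkout@v6` pins a third-party action to a mutable tag; for a workflow whose purpose is to gate what enters the repository, pin to the full commit SHA (with the tag noted in a trailing comment) so that a moved or re-pointed tag cannot change what this job runs. `fetch-depth: 0` is required for the `${BASE_SHA}..${HEAD_SHA}` range used later in the file, so keep it.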
</code_context>
<issue_to_address>
**issue (bug_risk):** Use a currently available checkout action version to avoid workflow failures
`actions/checkout` only provides stable major versions up to `v4`. Using `actions/checkout@v6` will cause this workflow to fail at runtime. Please update to a supported version such as `actions/checkout@v4` to keep the workflow working across runners.
</issue_to_address>
### Comment 2
<location path=".github/workflows/block-ai-commits.yml" line_range="42-44" />
<code_context>
+ )
+ pattern="$(IFS='|'; echo "${signatures[*]}")"
+
+ if git log --no-merges \
+ --format='%h %ae %ce %(trailers:key=Co-authored-by,valueonly,unfold)' \
+ "${BASE_SHA}..${HEAD_SHA}" | grep -iE "$pattern"; then
+ echo "::error::This pull request contains commits authored or co-authored by AI tools."
+ exit 1
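Review bot: the check fails open if `git log` itself errors (for example when `${BASE_SHA}` is not reachable in the checkout): in `if git log ... | grep ...; then` only grep's exit status is tested, a git error leaves grep with no input, grep returns 1, and the step passes. Capture the log first, `log="$(git log ...)" || exit 1`, and pipe `"$log"` into grep so a git failure is an error rather than a pass (`pipefail` alone does not help here, since a non-zero pipeline also takes the "no match" branch). Separately, `pattern` joins the signatures into an ERE with `|` but nothing escapes them, so a `.` or `+` in an address matches any character; pass them as fixed strings instead (`grep -qiF -e sig1 -e sig2 ...`, or `-f` with one signature per line).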
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Avoid leaking matching email addresses in logs by using grep -q
The current `grep -iE "$pattern"` prints matched lines, including abbreviated commit hashes and author/committer emails, into workflow logs, which is a privacy concern. Use `grep -qiE "$pattern"` (or add `-q`) so the check still blocks offending commits but only the error message is logged, not the matched line content.
```suggestion
if git log --no-merges \
--format='%h %ae %ce %(trailers:key=Co-authored-by,valueonly,unfold)' \
"${BASE_SHA}..${HEAD_SHA}" | grep -qiE "$pattern"; then
```
</issue_to_address>
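A stand-alone version of the gate discussed in the comments above, added here as an example and not taken from the PR's workflow: it keeps grep quiet, matches the signatures as literal strings rather than an `|`-joined regex, and treats a `git log` failure as an error instead of a pass. The signature addresses are constructed placeholders and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow: the same gate factored so that matching
# is quiet and literal, and so that a git error blocks rather than passes the PR.
set -euo pipefail

# Constructed placeholder addresses; the PR's real signature list is not shown here.
AI_SIGNATURES="noreply@ai-assistant.example bot@codegen.example"

# Reads lines in the workflow's format ('%h %ae %ce <Co-authored-by values>')
# on stdin. Exit 0 if any line contains a signature, 1 otherwise. Prints
# nothing, so hashes and e-mail addresses never land in the job log.
has_ai_commit() {
  set --
  for sig in $AI_SIGNATURES; do
    set -- "$@" -e "$sig"   # one -e per signature instead of an '|'-joined regex
  done
  # -F: '.' and '+' in addresses are literal; -q: status only, no matched lines
  grep -qiF "$@"
}

# Exit 0 = clean, 1 = blocked, 2 = could not evaluate (git error, missing ref).
check_range() {
  base_sha="$1"
  head_sha="$2"
  # Capture the log first: in 'if git log ... | grep', a failing git log leaves
  # grep with empty input and the step would pass silently.
  log="$(git log --no-merges \
    --format='%h %ae %ce %(trailers:key=Co-authored-by,valueonly,unfold)' \
    "${base_sha}..${head_sha}")" || return 2
  if printf '%s\n' "$log" | has_ai_commit; then
    echo "::error::This pull request contains commits authored or co-authored by AI tools."
    return 1
  fi
  return 0
}
```

In the workflow step this would be called as `check_range "$BASE_SHA" "$HEAD_SHA"`, and any non-zero status fails the job.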
Summary by Sourcery
CI: