fix(ci): backport canonical bypass-audit v1.21.2 hardening#52
Conversation
|
Warning Review limit reached
More reviews will be available in 37 minutes and 59 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![codescene-delta-analysis[bot]](https://avatars.githubusercontent.com/in/53921?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 497771f134
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| COMMIT_MSG: ${{ github.event.head_commit.message }} | ||
| RUN_ID: ${{ github.run_id }} | ||
| HEAD_SHA: ${{ github.sha }} | ||
| COMMITS_JSON: ${{ toJSON(github.event.commits) }} |
There was a problem hiding this comment.
For pushes with many commits or unusually large commit messages, toJSON(github.event.commits) can exceed the per-environment-string limit on Ubuntu runners before this bash step even starts, so none of the new loop, MAX_AUDIT failure, or issue creation logic runs. This is especially likely because the workflow now tries to handle up to 256 commits and each commit object includes message, author, URLs, and file lists; read the commits from $GITHUB_EVENT_PATH inside the script instead of materializing the entire array as one env var.
Useful? React with 👍 / 👎.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
Bring helmet's bypass-audit.yml from v1.21.0 to the canonical v1.21.1 the fleet now runs: audit every pushed commit, count only PRs merged into main, fail-on-indeterminate, exact-label check, separated stderr, contents:read for private repos, one Markdown-safe summary issue, pipefail-safe pipes. Keeps helmet (the drift-check CANON source) in sync with the propagated standard. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
chris-yyau
force-pushed
the
ci/backport-bypass-audit-v1.21.1
branch
from
497771f to
7d22ddd
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
toJSON(github.event.commits) materialized the whole push payload (up to 2048 commits, each with message + file lists + URLs) into a single env var. With a large push that can exceed the runner's env/ARG_MAX limit (~2 MB), making the audit step fail to exec before any logic runs — silently suppressing the very bypass this workflow exists to detect. Read commit ids and messages from $GITHUB_EVENT_PATH with jq instead (file data, never shell-interpolated), and fail the run when the payload is unreadable, not JSON, or .commits is not an array (indeterminate), so a multi-commit bypass cannot slip through a silent HEAD-only fallback. A valid but empty commit list still legitimately falls back to HEAD. Bumps the helmet-pipeline stamp v1.21.1 -> v1.21.2. Flagged independently by codex and cubic on the converged fleet PRs. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
chris-yyau
changed the title
## [1.22.1](v1.22.0...v1.22.1) (2026-06-05) ### Bug Fixes * **ci:** backport canonical bypass-audit v1.21.2 hardening ([#52](#52)) ([43b73aa](43b73aa))
1 participant
Backports the canonical bypass-audit hardening (pipeline
v1.21.1) to helmet's ownmain, which was atv1.21.0after #51. Keeps helmet — the drift-checkCANONsource (scripts/check-pipeline-drift.shreads helmet's own stamp) — in sync with the standard now propagated across the fleet (busdriver #181, perch #52, chrisyau.me #137, jikdak #172, growth-engine #72).What changes (v1.21.0 → v1.21.1)
merged_at != null && base.ref == main) — a commit merely contained in an open/non-main PR can't mask a direct push.contents: readfor/commits/{sha}/pullson private repos; separated stderr (no false red-X); exact-label existence check; pipefail-safe pipes; commit subjects sanitized + inline-code-wrapped (no Markdown injection); audit-trail comments made org/user-accurate.Validation
litmus PASS + security review CLEAN on the byte-identical canonical (reference PR chris-yyau/busdriver#181).
Follow-up: the SKILL.md embedded bypass-audit template excerpt still shows the v1.21.0 design and should be refreshed so onboarding generates v1.21.1.
🤖 Generated with Claude Code
Summary by cubic
Backports the canonical bypass-audit v1.21.2 to harden detection of direct pushes and prevent silent gaps. Keeps helmet (drift-check
CANON) aligned with the fleet standard.New Features
HEAD.Bug Fixes
main.$GITHUB_EVENT_PATHwithjq; fail-closed if payload is unreadable or.commitsis not an array (no silent HEAD-only fallback).contents: read; separategh apistderr; make pipes pipefail-safe; increase timeout to 10 minutes.admin-bypasslabel check with fallback create.Written for commit da00a92. Summary will update on new commits.