Skip to content

ci/security/test: automated audit fixes for CryptoStrategies#49

Merged
Pigbibi merged 1 commit into
mainfrom
codex/audit-fix-20260702-0443
Jul 1, 2026
Merged

ci/security/test: automated audit fixes for CryptoStrategies#49
Pigbibi merged 1 commit into
mainfrom
codex/audit-fix-20260702-0443

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • harden Codex audit gate output to avoid echoing matched secret-like snippets
  • add regression coverage for gate redaction behavior
  • expand CI and local verification docs to include dependency checks and package build

Problems found

  • static gate findings could print matched secret-like fragments into workflow logs and summaries
  • CI did not validate dependency consistency or package buildability
  • CONTRIBUTING local verification command drifted from actual CI expectations

Fixes applied

  • redact hardcoded-secret findings to field=<redacted> in scripts/gate_codex_app_review.py
  • add tests/test_gate_codex_app_review.py regression coverage
  • add python -m pip check and python -m build to .github/workflows/ci.yml
  • align CONTRIBUTING.md verification commands with current CI flow

Security impact

  • lowers risk of leaking secret-like literals via gate diagnostics and PR summaries
  • no production credentials, broker settings, or runtime strategy permissions changed

Architecture impact

  • no public strategy API changes
  • keeps audit concerns within workflow/gate boundaries instead of strategy modules

Tests run

  • actionlint
  • python -m pip check
  • ruff check .
  • python -m pytest -q tests --cov --cov-report=term --cov-report=xml
  • python -m build
  • python -m pip_audit
  • git diff --check

Failed or skipped checks with reasons

  • none locally
  • ruff emits an existing config deprecation warning for top-level ignore; not changed in this PR

Deployment notes

  • no production deployment workflow triggered by this PR
  • repository changes affect CI/gate behavior and contributor verification only

Rollback plan

  • revert commit 923dc7a or close PR before merge

Manual follow-up checklist

  • migrate pyproject.toml Ruff config from top-level ignore to lint.ignore
  • review and merge after required checks pass

@Pigbibi Pigbibi added codex AI Codex operations github_actions Pull requests that update GitHub Actions code python Pull requests that update python code human-review-required Requires human review before merge labels Jul 1, 2026
@Pigbibi Pigbibi merged commit a2cc8e6 into main Jul 1, 2026
2 checks passed
@Pigbibi Pigbibi deleted the codex/audit-fix-20260702-0443 branch July 1, 2026 20:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

codex AI Codex operations github_actions Pull requests that update GitHub Actions code human-review-required Requires human review before merge python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant