Skip to content

ci/security/test: automated audit fixes for HkEquitySnapshotPipelines#40

Merged
Pigbibi merged 1 commit into
mainfrom
codex/audit-fix-20260702-0523
Jul 3, 2026
Merged

ci/security/test: automated audit fixes for HkEquitySnapshotPipelines#40
Pigbibi merged 1 commit into
mainfrom
codex/audit-fix-20260702-0523

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • harden Codex audit gate output to avoid echoing matched secret-like snippets
  • add regression coverage for gate redaction behavior
  • expand CI and contributor verification guidance with dependency, lint, and build checks

Problems found

  • static gate findings could print matched secret-like fragments into workflow logs and summaries
  • CI only ran pytest and did not validate lint, dependency consistency, or package buildability
  • CONTRIBUTING local verification instructions missed dependency, lint, and build checks

Fixes applied

  • redact hardcoded-secret findings to field=<redacted> in scripts/gate_codex_app_review.py
  • add tests/test_gate_codex_app_review.py regression coverage
  • add python -m pip check, ruff check ., and python -m build to .github/workflows/ci.yml
  • update CONTRIBUTING.md local verification commands to match the CI baseline

Security impact

  • lowers risk of leaking secret-like literals via gate diagnostics and PR summaries
  • no artifact contract values, publish paths, credentials, or runtime permissions changed

Architecture impact

  • no public artifact contract or builder API changes
  • keeps audit concerns isolated to workflow/gate boundaries and contributor guidance

Tests run

  • ruff check .
  • python -m pytest -q tests/test_gate_codex_app_review.py
  • python -m pip check
  • python -m pytest -q
  • python -m build
  • actionlint
  • python -m pip_audit
  • git diff --check

Failed or skipped checks with reasons

  • none locally

Deployment notes

  • no production deployment workflow triggered by this PR
  • changes affect CI, review gate behavior, and contributor guidance only

Rollback plan

  • revert commit c6c4b7b or close PR before merge

Manual follow-up checklist

  • review and merge after required checks pass

@Pigbibi Pigbibi added codex AI Codex operations github_actions Pull requests that update GitHub Actions python Python ecosystem human-review-required Requires human review before merge labels Jul 1, 2026
@Pigbibi Pigbibi merged commit 6238753 into main Jul 3, 2026
2 checks passed
@Pigbibi Pigbibi deleted the codex/audit-fix-20260702-0523 branch July 3, 2026 04:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

codex AI Codex operations github_actions Pull requests that update GitHub Actions human-review-required Requires human review before merge python Python ecosystem

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant