feat(ci): add weekly ScanCode -> Provenant issue triage#1234
Open
mstykow wants to merge 1 commit into
Open
Conversation
Greptile SummaryThis PR adds a weekly ScanCode triage workflow for Provenant. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (4): Last reviewed commit: "feat(ci): add weekly ScanCode -> Provena..." | Re-trigger Greptile |
eebb67b to
a4da032
Compare
Owner
Author
|
Addressed all six Greptile findings (force-pushed). Since the automation processes attacker-controllable ScanCode issue text with an
Guards were unit-verified locally (flag/URL allowlists reject the injection cases; a legitimate GitHub fixture still scans). |
a4da032 to
02fbc5c
Compare
Automates the recurring task of checking upstream ScanCode Toolkit issues for ones that also affect Provenant and are worth fixing. Implemented as the `scancode-triage` xtask binary so it stays within the repo's Rust toolchain (no new language/ecosystem) and reuses already-vetted crates (reqwest blocking, serde_json, clap, anyhow, url, tempfile) — no new dependency enters the tree. The binary does the plumbing; a GitHub Models LLM does the judgment: - Fetches ScanCode issues from the last N days and drops the "New license request:" tickets (license-catalog data, not detection bugs). - For each remaining candidate, runs a small tool-loop where the model classifies the issue and, via a run_provenant tool, reproduces detection bugs with REAL scans and checks parser coverage. - Upserts a rolling tracking issue (label scancode-triage): latest run in the body, history in comments. Free and Claude-independent: GitHub Actions minutes are free on public repos, and GitHub Models inference is free via GITHUB_TOKEN with permissions: models:read. The model is required with no built-in default — set the SCANCODE_TRIAGE_MODEL repository variable (or pass --model). Weekly cron, Mondays 08:00 UTC. Untrusted-input hardening (the model is steered by attacker-controllable issue text under an issues:write token): fixture fetches are restricted to GitHub hosts with a size cap and no cross-host redirects; only read-only detection flags are allowed on the scanner; the dispatch input is passed via env, not interpolated into the shell; and the rolling issue is matched by exact title, not just label. The job builds from main rather than downloading a release: a published release can lag main, which would falsely flag already-fixed issues as live bugs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
02fbc5c to
888bb40
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
scancode-triagextask binary (xtask/src/bin/scancode-triage.rs) so it stays inside the repo's Rust toolchain — no new language/ecosystem — and reuses only already-vetted crates (reqwestblocking,serde_json,clap,anyhow,url,tempfile); no new crate enters the tree.run_provenanttool that reproduces detection bugs with real scans and alist_parserstool for parser coverage.scancode-triage): latest run in the body, history in comments. Example from a local run: 🤖 Weekly ScanCode → Provenant triage #1233.Issues
Scope and exclusions
scancode-triagextask bin, its section inxtask/README.md, and a weekly workflow (.github/workflows/scancode-triage.yml, cron Mon 08:00 UTC + manual dispatch).New license request:tickets are filtered out (license-catalog data, a separate license-index lane), so the model is never asked to judge them; the count is reported.How to verify
provenant+ the triage bin, triages the last 8 days of ScanCode issues, and upserts thescancode-triagetracking issue.SCANCODE_TRIAGE_MODELrepository variable, or pass--model):cargo run --release -p provenant-xtask --bin scancode-triage -- --days 21 --max-issues 5 --binary target/release/provenant(token via
gh auth token). Observe realrun_provenantscans in stderr and a verdict table on stdout. Verified end-to-end, including the--post-toupsert path.Design notes
GITHUB_TOKENwithpermissions: models: read— no API key, no dependency on Claude.SCANCODE_TRIAGE_MODELrepository variable (or--model), so changing it needs no code edit and there is no stale default to forget.main, not a release: reproduction is only as good as the binary, and a published release can lagmain— a release-based run could report an already-fixed issue as a live bug.issues:writetoken): fixture fetches are restricted to GitHub hosts with a size cap and no cross-host redirects; only read-only detection flags are allowed on the scanner; the dispatch input is passed via env (not interpolated into the shell); and the rolling issue is matched by exact title, not just label.🤖 Generated with Claude Code