Skip to content

feat(ci): add weekly ScanCode -> Provenant issue triage#1234

Open
mstykow wants to merge 1 commit into
mainfrom
feat/scancode-weekly-triage
Open

feat(ci): add weekly ScanCode -> Provenant issue triage#1234
mstykow wants to merge 1 commit into
mainfrom
feat/scancode-weekly-triage

Conversation

@mstykow

@mstykow mstykow commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

  • Adds a free, Claude-independent weekly automation that triages upstream ScanCode Toolkit issues for relevance to Provenant — the recurring task done manually earlier in this stack.
  • Implemented as the scancode-triage xtask binary (xtask/src/bin/scancode-triage.rs) so it stays inside the repo's Rust toolchain — no new language/ecosystem — and reuses only already-vetted crates (reqwest blocking, serde_json, clap, anyhow, url, tempfile); no new crate enters the tree.
  • The binary does the plumbing; GitHub Models does the judgment via a small tool-loop with a run_provenant tool that reproduces detection bugs with real scans and a list_parsers tool for parser coverage.
  • Results land in a rolling tracking issue (label scancode-triage): latest run in the body, history in comments. Example from a local run: 🤖 Weekly ScanCode → Provenant triage #1233.

Issues

  • Covers: the "triage recent ScanCode issues for Provenant" workflow.

Scope and exclusions

  • Included: the scancode-triage xtask bin, its section in xtask/README.md, and a weekly workflow (.github/workflows/scancode-triage.yml, cron Mon 08:00 UTC + manual dispatch).
  • Explicit exclusions: New license request: tickets are filtered out (license-catalog data, a separate license-index lane), so the model is never asked to judge them; the count is reported.

How to verify

  • Manually dispatch the ScanCode weekly triage workflow (or wait for Monday). It builds provenant + the triage bin, triages the last 8 days of ScanCode issues, and upserts the scancode-triage tracking issue.
  • Locally (requires the SCANCODE_TRIAGE_MODEL repository variable, or pass --model):
    cargo run --release -p provenant-xtask --bin scancode-triage -- --days 21 --max-issues 5 --binary target/release/provenant
    (token via gh auth token). Observe real run_provenant scans in stderr and a verdict table on stdout. Verified end-to-end, including the --post-to upsert path.

Design notes

  • Free & Claude-independent: Actions minutes are free on public repos; GitHub Models inference is free via the built-in GITHUB_TOKEN with permissions: models: read — no API key, no dependency on Claude.
  • Model config is external and required: no built-in default; the model comes only from the SCANCODE_TRIAGE_MODEL repository variable (or --model), so changing it needs no code edit and there is no stale default to forget.
  • Builds from main, not a release: reproduction is only as good as the binary, and a published release can lag main — a release-based run could report an already-fixed issue as a live bug.
  • Untrusted-input hardening (the model is steered by attacker-controllable issue text under an issues:write token): fixture fetches are restricted to GitHub hosts with a size cap and no cross-host redirects; only read-only detection flags are allowed on the scanner; the dispatch input is passed via env (not interpolated into the shell); and the rolling issue is matched by exact title, not just label.

🤖 Generated with Claude Code

@greptile-apps

greptile-apps Bot commented Jul 7, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds a weekly ScanCode triage workflow for Provenant. The main changes are:

  • A new scancode-triage xtask binary for fetching and classifying recent ScanCode issues.
  • A scheduled GitHub Actions workflow that builds Provenant and posts a rolling tracking issue.
  • Workspace dependency wiring for the new Rust tool.
  • xtask documentation for local and CI usage.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
.github/workflows/scancode-triage.yml Adds the weekly and manual workflow that builds the scanner and runs the new triage tool.
xtask/src/bin/scancode-triage.rs Adds the Rust triage tool, including issue fetching, model calls, bounded scan reproduction, report assembly, and tracking-issue updates.
Cargo.toml Moves reqwest into workspace dependencies for reuse by the new xtask binary.
xtask/Cargo.toml Registers the scancode-triage binary and adds its required dependencies.
xtask/README.md Documents the new ScanCode triage maintainer workflow and usage.

Reviews (4): Last reviewed commit: "feat(ci): add weekly ScanCode -> Provena..." | Re-trigger Greptile

Comment thread .github/workflows/scancode-triage.yml Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
@mstykow mstykow force-pushed the feat/scancode-weekly-triage branch from eebb67b to a4da032 Compare July 7, 2026 19:03
@mstykow

mstykow commented Jul 7, 2026

Copy link
Copy Markdown
Owner Author

Addressed all six Greptile findings (force-pushed). Since the automation processes attacker-controllable ScanCode issue text with an issues:write token, the security items are treated as blocking:

  • Dispatch Input Reaches Shell (P1): the days dispatch input is now passed via an env var (TRIAGE_DAYS) instead of being interpolated into the run: script, so it can no longer break out of the shell command. triage.py also rejects non-positive/junk values.
  • Model URL Fetch Is Unbounded (P1, SSRF): run_provenant now fetches only via safe_fetch, which enforces https, an allowlist of GitHub hosts (raw.githubusercontent.com, github.com, gist.githubusercontent.com), no cross-host redirects, and a 2 MiB size cap. localhost/169.254.169.254/arbitrary hosts are rejected.
  • Model Arguments Become CLI Flags (P1): cli_args is now validated against an allowlist of read-only detection flags (--copyright/--license/--package/--package-only/--email/--url/--info); anything else (e.g. --paths-file, --cache-dir, --processes, injected tokens) is rejected before the scanner runs. A model-supplied filename is also reduced to its basename so it cannot escape the temp dir.
  • Label Match Overwrites Issues (P1): the upsert now requires both the scancode-triage label and the exact rolling-issue title, so an unrelated labeled issue is never overwritten.
  • Malformed Rows Crash Report (P1): the recommended-actions block guards the cell split (len(cells) >= 5) instead of blindly indexing [4], so a malformed model row can no longer crash report assembly after the triage work.
  • Negative Window Posts Empty Report (P2): --days must now be >= 1; a non-positive window errors out instead of computing a future date and posting an empty report.

Guards were unit-verified locally (flag/URL allowlists reject the injection cases; a legitimate GitHub fixture still scans).

@mstykow mstykow force-pushed the feat/scancode-weekly-triage branch from a4da032 to 02fbc5c Compare July 7, 2026 19:58
Automates the recurring task of checking upstream ScanCode Toolkit issues
for ones that also affect Provenant and are worth fixing.

Implemented as the `scancode-triage` xtask binary so it stays within the
repo's Rust toolchain (no new language/ecosystem) and reuses already-vetted
crates (reqwest blocking, serde_json, clap, anyhow, url, tempfile) — no new
dependency enters the tree. The binary does the plumbing; a GitHub Models
LLM does the judgment:

- Fetches ScanCode issues from the last N days and drops the "New license
  request:" tickets (license-catalog data, not detection bugs).
- For each remaining candidate, runs a small tool-loop where the model
  classifies the issue and, via a run_provenant tool, reproduces detection
  bugs with REAL scans and checks parser coverage.
- Upserts a rolling tracking issue (label scancode-triage): latest run in
  the body, history in comments.

Free and Claude-independent: GitHub Actions minutes are free on public
repos, and GitHub Models inference is free via GITHUB_TOKEN with
permissions: models:read. The model is required with no built-in default —
set the SCANCODE_TRIAGE_MODEL repository variable (or pass --model). Weekly
cron, Mondays 08:00 UTC.

Untrusted-input hardening (the model is steered by attacker-controllable
issue text under an issues:write token): fixture fetches are restricted to
GitHub hosts with a size cap and no cross-host redirects; only read-only
detection flags are allowed on the scanner; the dispatch input is passed via
env, not interpolated into the shell; and the rolling issue is matched by
exact title, not just label.

The job builds from main rather than downloading a release: a published
release can lag main, which would falsely flag already-fixed issues as live
bugs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
@mstykow mstykow force-pushed the feat/scancode-weekly-triage branch from 02fbc5c to 888bb40 Compare July 7, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant