Skip to content

feat(ci): add weekly ScanCode -> Provenant issue triage#1234

Merged
mstykow merged 1 commit into
mainfrom
feat/scancode-weekly-triage
Jul 8, 2026
Merged

feat(ci): add weekly ScanCode -> Provenant issue triage#1234
mstykow merged 1 commit into
mainfrom
feat/scancode-weekly-triage

Conversation

@mstykow

@mstykow mstykow commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

  • Adds a free, Claude-independent weekly automation that triages upstream ScanCode Toolkit issues for relevance to Provenant — the recurring task done manually earlier in this stack.
  • Implemented as the scancode-triage xtask binary (xtask/src/bin/scancode-triage.rs) so it stays inside the repo's Rust toolchain — no new language/ecosystem — and reuses only already-vetted crates (reqwest blocking, serde_json, clap, anyhow, url, tempfile); no new crate enters the tree.
  • The binary does the plumbing; GitHub Models does the judgment via a small tool-loop with a run_provenant tool that reproduces detection bugs with real scans and a list_parsers tool for parser coverage.

Output model

  • Each actionable finding (reproduces - worth fixing) becomes its own Provenant issue, labeled scancode-triage and titled [ScanCode #N] …. Findings are deduplicated by that #N prefix, so weekly re-runs never open a duplicate for a finding that still reproduces. The tool only creates — it never edits or closes, so stale findings are left to a human.
  • The full run summary is not an issue — it is printed to stdout and to the Actions job step summary, so it lives in the workflow run output rather than as a comment that is easy to overlook.

Issues

  • Covers: the "triage recent ScanCode issues for Provenant" workflow.

Scope and exclusions

  • Included: the scancode-triage xtask bin, its section in xtask/README.md, and a weekly workflow (.github/workflows/scancode-triage.yml, cron Mon 08:00 UTC + manual dispatch).
  • Explicit exclusions: New license request: tickets are filtered out (license-catalog data, a separate license-index lane), so the model is never asked to judge them; the count is reported.

How to verify

  • Manually dispatch the ScanCode weekly triage workflow (or wait for Monday). It builds provenant + the triage bin, triages the last 8 days of ScanCode issues, prints the summary to the run log/step summary, and opens a deduplicated issue per actionable finding.
  • Locally (requires SCANCODE_TRIAGE_MODEL, or pass --model):
    cargo run --release -p provenant-xtask --bin scancode-triage -- --days 21 --max-issues 5 --binary target/release/provenant
    (token via gh auth token). Observe real run_provenant scans in stderr and the verdict table on stdout. The tool-loop, real reproduction, --post-to wiring, and create+dedup path were all exercised end-to-end.

Design notes

  • Free & Claude-independent: Actions minutes are free on public repos; GitHub Models inference is free via the built-in GITHUB_TOKEN with permissions: models: read — no API key, no dependency on Claude.
  • Model config is external and required: no built-in default; the model comes only from the SCANCODE_TRIAGE_MODEL repository variable (or --model), so changing it needs no code edit and there is no stale default to forget.
  • Builds from main, not a release: reproduction is only as good as the binary, and a published release can lag main — a release-based run could report an already-fixed issue as a live bug.
  • Untrusted-input hardening (the model is steered by attacker-controllable issue text under an issues:write token): fixture fetches are restricted to GitHub hosts with a size cap and no cross-host redirects; only read-only detection flags are allowed on the scanner; the dispatch input is passed via env (not interpolated into the shell); and per-finding issues are matched by the [ScanCode #N] title prefix for dedup.

🤖 Generated with Claude Code

@greptile-apps

greptile-apps Bot commented Jul 7, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds a weekly ScanCode issue triage workflow for Provenant. The main changes are:

  • A new GitHub Actions workflow that builds and runs the triage tool.
  • A new Rust xtask binary that fetches recent ScanCode issues and asks GitHub Models to classify them.
  • Tool calls that run real Provenant scans with bounded fixture fetching and limited scanner flags.
  • Per-finding issue creation with title-prefix deduplication.
  • README and workspace dependency updates for the new maintainer workflow.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
.github/workflows/scancode-triage.yml Adds the scheduled and manual workflow that builds Provenant and runs the triage binary.
xtask/src/bin/scancode-triage.rs Adds the triage tool, including issue fetching, model calls, scan reproduction, report output, and per-finding issue creation.
xtask/README.md Documents the new scancode-triage maintainer command and its CI usage.
Cargo.toml Moves reqwest into the workspace dependencies for reuse by the xtask binary.
xtask/Cargo.toml Registers the scancode-triage binary and adds its workspace dependencies.

Reviews (5): Last reviewed commit: "feat(ci): add weekly ScanCode -> Provena..." | Re-trigger Greptile

Comment thread .github/workflows/scancode-triage.yml Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
Comment thread tools/scancode-triage/triage.py Outdated
@mstykow mstykow force-pushed the feat/scancode-weekly-triage branch from eebb67b to a4da032 Compare July 7, 2026 19:03
@mstykow

mstykow commented Jul 7, 2026

Copy link
Copy Markdown
Owner Author

Addressed all six Greptile findings (force-pushed). Since the automation processes attacker-controllable ScanCode issue text with an issues:write token, the security items are treated as blocking:

  • Dispatch Input Reaches Shell (P1): the days dispatch input is now passed via an env var (TRIAGE_DAYS) instead of being interpolated into the run: script, so it can no longer break out of the shell command. triage.py also rejects non-positive/junk values.
  • Model URL Fetch Is Unbounded (P1, SSRF): run_provenant now fetches only via safe_fetch, which enforces https, an allowlist of GitHub hosts (raw.githubusercontent.com, github.com, gist.githubusercontent.com), no cross-host redirects, and a 2 MiB size cap. localhost/169.254.169.254/arbitrary hosts are rejected.
  • Model Arguments Become CLI Flags (P1): cli_args is now validated against an allowlist of read-only detection flags (--copyright/--license/--package/--package-only/--email/--url/--info); anything else (e.g. --paths-file, --cache-dir, --processes, injected tokens) is rejected before the scanner runs. A model-supplied filename is also reduced to its basename so it cannot escape the temp dir.
  • Label Match Overwrites Issues (P1): the upsert now requires both the scancode-triage label and the exact rolling-issue title, so an unrelated labeled issue is never overwritten.
  • Malformed Rows Crash Report (P1): the recommended-actions block guards the cell split (len(cells) >= 5) instead of blindly indexing [4], so a malformed model row can no longer crash report assembly after the triage work.
  • Negative Window Posts Empty Report (P2): --days must now be >= 1; a non-positive window errors out instead of computing a future date and posting an empty report.

Guards were unit-verified locally (flag/URL allowlists reject the injection cases; a legitimate GitHub fixture still scans).

@mstykow mstykow force-pushed the feat/scancode-weekly-triage branch 2 times, most recently from 02fbc5c to 888bb40 Compare July 7, 2026 20:06
Automates the recurring task of checking upstream ScanCode Toolkit issues
for ones that also affect Provenant and are worth fixing.

Implemented as the `scancode-triage` xtask binary so it stays within the
repo's Rust toolchain (no new language/ecosystem) and reuses already-vetted
crates (reqwest blocking, serde_json, clap, anyhow, url, tempfile) — no new
dependency enters the tree. The binary does the plumbing; a GitHub Models
LLM does the judgment:

- Fetches ScanCode issues from the last N days and drops the "New license
  request:" tickets (license-catalog data, not detection bugs).
- For each remaining candidate, runs a small tool-loop where the model
  classifies the issue and, via a run_provenant tool, reproduces detection
  bugs with REAL scans and checks parser coverage.

Output model: each actionable finding ("reproduces - worth fixing") becomes
its own Provenant issue, labeled scancode-triage and titled "[ScanCode #N]
...", deduplicated by that prefix so re-runs never open a duplicate. The
tool only creates, never edits or closes. The full run summary is printed to
stdout and the Actions step summary rather than filed as an issue, so it does
not rely on a comment that is easy to overlook.

Free and Claude-independent: GitHub Actions minutes are free on public
repos, and GitHub Models inference is free via GITHUB_TOKEN with
permissions: models:read. The model is required with no built-in default —
set the SCANCODE_TRIAGE_MODEL repository variable (or pass --model). Weekly
cron, Mondays 08:00 UTC.

Untrusted-input hardening (the model is steered by attacker-controllable
issue text under an issues:write token): fixture fetches are restricted to
GitHub hosts with a size cap and no cross-host redirects; only read-only
detection flags are allowed on the scanner; the dispatch input is passed via
env, not interpolated into the shell.

The job builds from main rather than downloading a release: a published
release can lag main, which would falsely flag already-fixed issues as live
bugs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
@mstykow mstykow force-pushed the feat/scancode-weekly-triage branch from 888bb40 to d87f109 Compare July 8, 2026 07:01
@mstykow mstykow merged commit 66648da into main Jul 8, 2026
17 checks passed
@mstykow mstykow deleted the feat/scancode-weekly-triage branch July 8, 2026 07:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant