feat(ci): add weekly ScanCode -> Provenant issue triage#1234
Merged
Conversation
Greptile SummaryThis PR adds a weekly ScanCode issue triage workflow for Provenant. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (5): Last reviewed commit: "feat(ci): add weekly ScanCode -> Provena..." | Re-trigger Greptile |
eebb67b to
a4da032
Compare
Owner
Author
|
Addressed all six Greptile findings (force-pushed). Since the automation processes attacker-controllable ScanCode issue text with an
Guards were unit-verified locally (flag/URL allowlists reject the injection cases; a legitimate GitHub fixture still scans). |
02fbc5c to
888bb40
Compare
Automates the recurring task of checking upstream ScanCode Toolkit issues
for ones that also affect Provenant and are worth fixing.
Implemented as the `scancode-triage` xtask binary so it stays within the
repo's Rust toolchain (no new language/ecosystem) and reuses already-vetted
crates (reqwest blocking, serde_json, clap, anyhow, url, tempfile) — no new
dependency enters the tree. The binary does the plumbing; a GitHub Models
LLM does the judgment:
- Fetches ScanCode issues from the last N days and drops the "New license
request:" tickets (license-catalog data, not detection bugs).
- For each remaining candidate, runs a small tool-loop where the model
classifies the issue and, via a run_provenant tool, reproduces detection
bugs with REAL scans and checks parser coverage.
Output model: each actionable finding ("reproduces - worth fixing") becomes
its own Provenant issue, labeled scancode-triage and titled "[ScanCode #N]
...", deduplicated by that prefix so re-runs never open a duplicate. The
tool only creates, never edits or closes. The full run summary is printed to
stdout and the Actions step summary rather than filed as an issue, so it does
not rely on a comment that is easy to overlook.
Free and Claude-independent: GitHub Actions minutes are free on public
repos, and GitHub Models inference is free via GITHUB_TOKEN with
permissions: models:read. The model is required with no built-in default —
set the SCANCODE_TRIAGE_MODEL repository variable (or pass --model). Weekly
cron, Mondays 08:00 UTC.
Untrusted-input hardening (the model is steered by attacker-controllable
issue text under an issues:write token): fixture fetches are restricted to
GitHub hosts with a size cap and no cross-host redirects; only read-only
detection flags are allowed on the scanner; the dispatch input is passed via
env, not interpolated into the shell.
The job builds from main rather than downloading a release: a published
release can lag main, which would falsely flag already-fixed issues as live
bugs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
888bb40 to
d87f109
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
scancode-triagextask binary (xtask/src/bin/scancode-triage.rs) so it stays inside the repo's Rust toolchain — no new language/ecosystem — and reuses only already-vetted crates (reqwestblocking,serde_json,clap,anyhow,url,tempfile); no new crate enters the tree.run_provenanttool that reproduces detection bugs with real scans and alist_parserstool for parser coverage.Output model
reproduces - worth fixing) becomes its own Provenant issue, labeledscancode-triageand titled[ScanCode #N] …. Findings are deduplicated by that#Nprefix, so weekly re-runs never open a duplicate for a finding that still reproduces. The tool only creates — it never edits or closes, so stale findings are left to a human.Issues
Scope and exclusions
scancode-triagextask bin, its section inxtask/README.md, and a weekly workflow (.github/workflows/scancode-triage.yml, cron Mon 08:00 UTC + manual dispatch).New license request:tickets are filtered out (license-catalog data, a separate license-index lane), so the model is never asked to judge them; the count is reported.How to verify
provenant+ the triage bin, triages the last 8 days of ScanCode issues, prints the summary to the run log/step summary, and opens a deduplicated issue per actionable finding.SCANCODE_TRIAGE_MODEL, or pass--model):cargo run --release -p provenant-xtask --bin scancode-triage -- --days 21 --max-issues 5 --binary target/release/provenant(token via
gh auth token). Observe realrun_provenantscans in stderr and the verdict table on stdout. The tool-loop, real reproduction,--post-towiring, and create+dedup path were all exercised end-to-end.Design notes
GITHUB_TOKENwithpermissions: models: read— no API key, no dependency on Claude.SCANCODE_TRIAGE_MODELrepository variable (or--model), so changing it needs no code edit and there is no stale default to forget.main, not a release: reproduction is only as good as the binary, and a published release can lagmain— a release-based run could report an already-fixed issue as a live bug.issues:writetoken): fixture fetches are restricted to GitHub hosts with a size cap and no cross-host redirects; only read-only detection flags are allowed on the scanner; the dispatch input is passed via env (not interpolated into the shell); and per-finding issues are matched by the[ScanCode #N]title prefix for dedup.🤖 Generated with Claude Code