You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: harden dbt review action version lookup and credential write (#911)
Follow-up hardening for the `github/review` composite action from the #900
review. Stacks on #900 (refines its new semver version step).
- Authenticate the release-version lookup with `${{ github.token }}` (lifts the
unauthenticated 60 req/hr IP limit to 1,000 req/hr) so busy runners aren't
throttled into the `latest` fallback.
- Skip the binary cache when the version resolves to `latest` (`if:
steps.version.outputs.version != 'latest'`), so one rate-limited/offline
lookup can't pin a stale binary across all later runs.
- Read the hosted API key from the environment inside the `jq` program
(`$ENV.IN_ALT_KEY`) instead of passing it via `--arg`, keeping it out of
`argv` (visible to other processes; printed under `ACTIONS_STEP_DEBUG`).
- Add 4 adversarial tests: auth header present with a token, omitted+safe
without one (bash-3.2 empty-array idiom), cache gated on `!= 'latest'`, and
the API key absent from the `jq` argv.
Closes#909
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,10 +12,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
12
12
-**The `github/review` composite action can be downloaded by GitHub Actions again.** The release tree contained three VS Code image symlinks whose removed targets caused GitHub's action downloader to reject the entire archive before the review step started. The images are now self-contained files and a release-critical test prevents dangling links from returning.
13
13
-**A valid dbt manifest is no longer mislabeled as a lint-only run.** Manifest availability is now checked independently from changed-model lookup, so new models and other valid manifests receive the correct full-run status.
14
14
15
+
-**The release-version lookup is rate-limit resilient and never caches a floating `latest`.** The composite action now authenticates its GitHub release-API call with the workflow token (lifting the 60→1,000 req/hr unauthenticated limit) and skips the binary cache entirely when the version resolves to `latest`, so a single rate-limited or offline lookup can no longer pin a stale binary across all subsequent runs.
16
+
15
17
### Added
16
18
17
19
-**Direct GitHub onboarding and a live dbt review demo.** The GitHub App installer now opens GitHub's repository-selection screen directly, and the README/docs link to the public `dbt-pr-review-demo` pull requests.
18
20
21
+
### Security
22
+
23
+
-**The hosted Altimate API key is no longer placed on the `jq` process arg list.** The credential write reads the key from the environment inside the `jq` program, keeping it out of `argv` (which is visible to other processes and printed verbatim when `ACTIONS_STEP_DEBUG` enables `set -x`).
24
+
19
25
## [0.8.4] - 2026-06-05
20
26
21
27
A trace-durability patch. Open `/traces` mid-session and you'd see a rich waterfall — then the moment the agent finished its turn the view collapsed to a single "system-prompt" span, the Summary tab's *"What was asked"* showed *"No prompt recorded"*, and the Chat tab dropped every user turn but the last. The data was genuinely gone from disk, not just hidden in the viewer. This release stops the on-disk trace from being overwritten after each turn and makes the file authoritative across worker restarts. A five-persona pre-release review drove a follow-up wording fix so a reconstructed trace isn't misread as a failed run.
0 commit comments