ci: pin remaining actions to commit SHAs, add coverage regression gate, review runner token scope#2233
Merged
Merged
Conversation
…e, review runner token scope (REQ-1.4.10)
- SHA-pin all uses: lines in codeql.yml, pages.yml, pr-lint.yml, stale.yml (checkout@v7,
codeql-action/{init,autobuild,analyze}@v4, setup-python@v6, upload-pages-artifact@v5,
deploy-pages@v5, action-semantic-pull-request@v6, stale@v10) — resolved via
gh api repos/<owner>/<action>/commits/<tag> against the tags actually present in the
files (newer than the plan's 2026-07-06 snapshot; re-resolved to match current state).
- ci.yml: replace `python -m unittest discover -v` with
`pytest --cov=agent --cov-report=term-missing --cov-fail-under=90 tests/`, add a
`pip install -r requirements.txt` step (none existed previously since requirements.txt
was empty). Verified locally: 48 tests pass, 98.20% coverage, exit 0.
- requirements.txt: add pytest-cov.
- .gitignore: add .coverage (new local artifact from the coverage-enabled test run).
- Reviewed fixer.yml (self-hosted Windows runner) and runner-health.yml token scopes
against agent/poll_once.py's actual GitHub API calls: poll_once.py only issues a GET
to /repos/{owner}/{repo}/issues (no gh issue/pr write calls), so fixer.yml's
`issues: read` is already correctly minimal. runner-health.yml's `issues: write` is
used for its actual purpose (creating/commenting on runner-offline issues) and is
already correctly scoped. No permission changes needed on either file.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes out ci-autopilot's remaining supply-chain gaps (S1) and the P3 coverage-gate backlog item, per Phase 31 wave 2 plan 31-05 (REQ-1.4.10).
codeql.yml,pages.yml,pr-lint.yml,stale.yml). All third-partyuses:refs now pinned to a 40-char commit SHA with a trailing# vX.Y.Zcomment, resolved viagh api repos/<owner>/<action>/commits/<tag>against the tag currently in each file (checkout@v7,codeql-action/{init,autobuild,analyze}@v4,setup-python@v6,upload-pages-artifact@v5,deploy-pages@v5,action-semantic-pull-request@v6,stale@v10).ci.yml,fixer.yml,runner-health.yml,autopilot-create-issue.yml,autopilot-failure-intake.yml,runner-smoke-test.ymlwere already fully pinned and untouched by this change.ci.yml's Unit tests step now runspytest --cov=agent --cov-report=term-missing --cov-fail-under=90 tests/instead ofpython -m unittest discover -v. Added apip install -r requirements.txtstep (none existed before —requirements.txtwas previously just a header comment).pytest-covadded torequirements.txt. Verified locally: 48 tests pass, 98.20% statement coverage — 90% floor is a deliberate safety margin below that baseline.agent/poll_once.py(the scriptfixer.ymlruns on the self-hosted Windows runner) end-to-end. It only issues a singleGET /repos/{owner}/{repo}/issuescall — nogh issue create/commentor any write-scoped API call.fixer.yml'sissues: readis therefore already correctly minimal; no escalation needed.runner-health.yml'sissues: writeis used for its stated purpose (creating/commenting on a runner-offline issue) and is already correctly scoped. No permission changes made to either file.pages.ymldeploys to GitHub Pages only) — the operator lock requiringworkflow_dispatch-gating on Azure-deploy workflows does not apply to this repo.Test plan
grep -c "uses: [a-z/-]*@v[0-9]"returns 0 for all 4 remediated files (no unpinned tag-only refs remain)pytest --cov=agent --cov-fail-under=90 tests/exits 0 locally (48 passed, 98.20% coverage)scripts/workflow-lint.ps1 -Path portfolio/ci-autopilot -Jsonreports clean against this branch🤖 Generated with GSD plan executor (Phase 31-05)