deploy: fix update-release release-root metadata path leak #130

Merged: benvinegar merged 4 commits into main from ben/audit-agent-skills on Feb 22, 2026
Conversation

@benvinegar benvinegar commented Feb 22, 2026

Summary

  • fix bin/update-release.sh so release paths are normalized after env/CLI parsing
  • ensure BAUDBOT_RELEASE_ROOT wins over inherited BAUDBOT_SOURCE_* variables
  • remove early cached source metadata path locals and use BAUDBOT_SOURCE_URL_FILE / BAUDBOT_SOURCE_BRANCH_FILE at point of use
  • add regression coverage in bin/update-release.test.sh for stale source-path env vars

Validation

  • bin/update-release.test.sh
  • bin/rollback-release.test.sh
  • npm run test:shell
  • npm run lint:shell (fails locally: shellcheck not installed in PATH)

Reduce control-agent SKILL.md from 476 to 303 lines (36%) by:
- Deduplicating sentry agent section
- Extracting Slack integration details to SLACK.md (progressive disclosure)
- Removing health checks section (duplicates HEARTBEAT.md)
- Trimming explanations Claude already knows
- Replacing placeholder repo names with dynamic lookup

Trim dev-agent (225->186) and sentry-agent (121->113) similarly.

- Re-add SLACK_BOT_TOKEN to sentry-agent env vars (required by list action)
- Restore SECURITY NOTICE preamble in SLACK.md message example

Pi agents load SKILL.md as a single document and cannot follow
markdown links to separate files. The progressive disclosure
pattern doesn't apply here — skills must be self-contained.

greptile-apps Bot commented Feb 22, 2026

Greptile Summary

Fixed a path leak in bin/update-release.sh where --release-root would incorrectly inherit stale BAUDBOT_SOURCE_* environment variables instead of using paths derived from the provided release root. The fix:

  • Removed early caching of source metadata path locals that were set before CLI argument parsing
  • Moved bb_refresh_release_paths call to after all argument parsing completes
  • Changed --release-root handler to set BAUDBOT_RELEASE_ROOT instead of immediately calling refresh
  • Updated all source path references to use $BAUDBOT_SOURCE_URL_FILE / $BAUDBOT_SOURCE_BRANCH_FILE directly
  • Added regression test coverage in bin/update-release.test.sh

The SKILL.md files were condensed to reduce token usage in agent prompts while preserving all operational guidance.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The fix correctly addresses the metadata path leak by ensuring release paths are normalized after all env/CLI parsing. The logic change is sound: moving path refresh to after argument parsing and removing early cached locals prevents stale environment variables from leaking through. The new regression test validates the fix. Documentation changes are token-reduction refactoring with no behavioral impact.
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| bin/update-release.sh | Fixed release-root metadata path leak by removing early cached source path locals and normalizing release paths after all CLI/env parsing |
| bin/update-release.test.sh | Added regression test to verify BAUDBOT_RELEASE_ROOT overrides inherited stale BAUDBOT_SOURCE_* environment variables |

Last reviewed commit: 7719186

@benvinegar benvinegar merged commit 1573799 into main Feb 22, 2026
10 checks passed
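
The ordering problem discussed in this pull request, as an added sketch that is not the project's code: paths cached before CLI parsing keep a stale inherited value, while paths derived after parsing follow the release root. `refresh_paths`, `resolve_before`, `resolve_after`, the `source-url` / `source-branch` file names and `/opt/example` are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not taken from bin/update-release.sh.
# Hypothetical stand-in for bb_refresh_release_paths (real body not shown on
# the page). File names under the release root are assumed.
refresh_paths() {
  BAUDBOT_SOURCE_URL_FILE="$BAUDBOT_RELEASE_ROOT/source-url"
  BAUDBOT_SOURCE_BRANCH_FILE="$BAUDBOT_RELEASE_ROOT/source-branch"
}

# "Before" ordering: the path is cached in a local ahead of CLI parsing, so an
# inherited BAUDBOT_SOURCE_URL_FILE survives even though --release-root
# refreshes the variables immediately.
resolve_before() (
  url_file="${BAUDBOT_SOURCE_URL_FILE:-${BAUDBOT_RELEASE_ROOT:-/opt/example}/source-url}"
  while [ $# -gt 0 ]; do
    case "$1" in
      --release-root)
        [ $# -ge 2 ] || return 2
        BAUDBOT_RELEASE_ROOT="$2"; refresh_paths; shift 2 ;;
      *) shift ;;
    esac
  done
  printf '%s\n' "$url_file"   # stale cached value is what gets used
)

# "After" ordering: the handler only records the root; paths are normalized
# once after all parsing and the variable is read at the point of use.
resolve_after() (
  while [ $# -gt 0 ]; do
    case "$1" in
      --release-root)
        [ $# -ge 2 ] || return 2
        BAUDBOT_RELEASE_ROOT="$2"; shift 2 ;;
      *) shift ;;
    esac
  done
  : "${BAUDBOT_RELEASE_ROOT:=/opt/example}"
  refresh_paths
  printf '%s\n' "$BAUDBOT_SOURCE_URL_FILE"
)

# Demo with a constructed stale value inherited from the environment.
BAUDBOT_SOURCE_URL_FILE=/stale/source-url; export BAUDBOT_SOURCE_URL_FILE
echo "before: $(resolve_before --release-root /tmp/rel)"
echo "after:  $(resolve_after --release-root /tmp/rel)"
```
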