perf(ci): scope remote audit to changed skills via revision diff #13
Merged
Large plugin updates were timing out because every skill in the plugin was re-audited even when only a few actually changed. Use the old/new revision pair from marketplace.json to `git diff` the plugin repo and audit only the skills whose files changed. Shared-path (`skills/_*`) changes fall back to a full audit to preserve correctness. Also add a 300s per-skill timeout so a single hung audit cannot stall the job. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…COPE_KIND enum
Applying reviewer feedback on the diff-scoping patch:
- Validate `revision` / `old_revision` fields as `^[a-f0-9]{7,40}$`
before they reach `git fetch` / `git diff` (defense-in-depth).
- Tighten awk path filter from `NF>=2` to `NF>=3` so that files sitting
directly under `skills/` (e.g. `skills/README.md`) no longer pollute
`CHANGED_DIRS` or `SHARED_CHANGED` detection.
- Split `SCOPE_MODE` into `SCOPE_KIND` (enum for control flow) and
`SCOPE_DESC` (human-readable label). The old string was used for both,
so any future label tweak would silently break the full-fallback
branch. Comparisons now use the enum only.
- Convert `cmd && A || B` DIFF_OK assignment to `if/then/else` for
readability.
- Replace `wc -l | tr -d ' '` skill count with `grep -c .` for correct
handling of trailing-newline-less input.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- Fixes the timeouts on large updates caused by skill-audit-remote.yml auditing every SKILL.md in the plugin.
- Runs `git diff` over the old/new `revision` pair from marketplace.json and audits only the skills that actually changed.
- Falls back to a full audit of the affected plugin when a shared path (`skills/_*/`) changes (preserves consistency).
- A `timeout 300` cap ensures that one hung skill cannot stall the whole job.

Behaviour matrix (only the row labels survived extraction): `skills/_*/` shared-path change; `old_revision` missing.

Security / Fail-Closed
- `revision` / `old_revision` fields are format-validated against `^[a-f0-9]{7,40}$` before being passed to the shell.
- `git fetch` failure → full audit (not fail-open).
- `claude --print` failure/timeout → BLOCKED.
- `SCOPE_KIND` enum (diff/full_shared/full_fetch_failed/full_new_plugin) split from the `SCOPE_DESC` label: ends the dual use of one string for control flow and display.

Review history
After review by three parallel sub-agents:
- `NF>=2` → `NF>=3` (removes false positives for files directly under `skills/`)
- `cmd && A || B` → `if/then/else` (readability)
- `wc -l` → `grep -c .` (trailing-newline case)

Follow-up discussion (separate issue)
- Make the rule explicit: "… should be kept only under `skills/_*/`"

Test plan
- Confirm the full-audit fallback with a PR that changes only `skills/_shared/` files.

🤖 Generated with Claude Code
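The scoping rules described in the second commit message and in the Security / Fail-Closed section above, as an added example that is not the PR's own workflow code: revision validation against `^[a-f0-9]{7,40}$`, the `awk -F/ ... NF>=3` path filter, the `skills/_*` shared-path fallback, the `SCOPE_KIND` / `SCOPE_DESC` split and the `grep -c .` skill count. The function names, the constructed sample paths, and the choice to treat a malformed revision like a failed fetch (the page does not say what happens on validation failure) are assumptions of this example. The functions take the output of `git diff --name-only OLD NEW` as an argument instead of calling git, so the logic runs offline; the `timeout 300` wrapper around the per-skill audit is not reproduced.

```shell
#!/bin/sh
# Added example reproducing the diff-scoping logic described in the PR.
# Not the project's workflow code; function names and sample data are constructed.

# Revisions must look like abbreviated or full lowercase git SHAs before
# they are ever passed to `git fetch` / `git diff` (defence in depth).
is_valid_revision() {
  printf '%s\n' "$1" | grep -Eq '^[a-f0-9]{7,40}$'
}

# Changed skill directories, one per line, from newline-separated diff paths.
# -F/ with NF>=3 requires skills/<dir>/<file>, so skills/README.md is ignored.
# Directories starting with "_" are shared paths and handled separately.
changed_skill_dirs() {
  printf '%s\n' "$1" | awk -F/ '$1=="skills" && NF>=3 && $2 !~ /^_/ {print $2}' | sort -u
}

# Shared skills/_* directories touched by the diff (non-empty => full audit).
shared_changed() {
  printf '%s\n' "$1" | awk -F/ '$1=="skills" && NF>=3 && $2 ~ /^_/ {print $2}' | sort -u
}

# Decide SCOPE_KIND (the control-flow enum) from the old/new revisions and
# the diff output. $3 is the `git diff --name-only` output; $4 = 1 marks a
# failed fetch or diff. Every failure path falls back to a full audit.
decide_scope_kind() {
  old="$1"; new="$2"; paths="$3"; diff_failed="${4:-0}"
  if [ -z "$old" ]; then echo full_new_plugin; return; fi
  if ! is_valid_revision "$old" || ! is_valid_revision "$new"; then
    # Assumption of this example: a malformed revision is treated like a
    # failed fetch, i.e. full audit rather than fail-open.
    echo full_fetch_failed; return
  fi
  if [ "$diff_failed" = 1 ]; then echo full_fetch_failed; return; fi
  if [ -n "$(shared_changed "$paths")" ]; then echo full_shared; return; fi
  echo diff
}

# SCOPE_DESC: human-readable label derived from the enum, never compared against.
scope_desc() {
  case "$1" in
    diff)              echo "changed skills only" ;;
    full_shared)       echo "full audit: shared skills/_* path changed" ;;
    full_fetch_failed) echo "full audit: could not fetch/diff revisions" ;;
    full_new_plugin)   echo "full audit: new plugin (no old_revision)" ;;
    *)                 echo "unknown scope kind" ;;
  esac
}

# Count skills even when the list lacks a trailing newline (wc -l would undercount).
count_skills() {
  printf '%s' "$1" | grep -c .
}

# Constructed sample diff output (not from a real repository).
SAMPLE_PATHS='skills/README.md
skills/foo/SKILL.md
skills/bar/scripts/run.sh
skills/bar/SKILL.md'

KIND=$(decide_scope_kind abc1234 def5678 "$SAMPLE_PATHS")
echo "SCOPE_KIND=$KIND ($(scope_desc "$KIND"))"
echo "changed skills: $(count_skills "$(changed_skill_dirs "$SAMPLE_PATHS")")"
```

Run as `sh scope_example.sh`; with the constructed paths it reports `SCOPE_KIND=diff` and two changed skills (`bar`, `foo`), while `skills/README.md` is ignored by the `NF>=3` filter. Appending a `skills/_shared/...` path flips the result to `full_shared`.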