fix(#1835): require file reads before asserting contents in findings

.github/scripts/install-openshell.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Install the pinned OpenShell version via upstream install.sh.
+#
+# Sources openshell-version.sh for the version and commit SHA, then
+# runs the upstream installer. Requires sudo for RPM installation.
+#
+# Usage:
+#   .github/scripts/install-openshell.sh
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/openshell-version.sh"
+
+echo "Installing OpenShell ${OPENSHELL_VERSION} (${OPENSHELL_SHA})"
+curl -LsSf "https://raw.githubusercontent.com/NVIDIA/OpenShell/${OPENSHELL_SHA}/install.sh" \
+  | OPENSHELL_VERSION="v${OPENSHELL_VERSION}" sh
+
+openshell --version

.github/scripts/openshell-version.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Single source of truth for the pinned OpenShell version.
+#
+# Source this script to set OPENSHELL_VERSION and OPENSHELL_SHA in the
+# current shell. In GitHub Actions it also exports them to GITHUB_ENV
+# for downstream steps.
+#
+# Usage:
+#   source .github/scripts/openshell-version.sh
+
+# renovate: datasource=github-tags depName=NVIDIA/OpenShell
+OPENSHELL_VERSION=0.0.63
+OPENSHELL_SHA=ec197a43ef349e36c3fff04e9aaea9599fb83b31
+
+export OPENSHELL_VERSION OPENSHELL_SHA
+
+if [[ -n "${GITHUB_ENV:-}" ]]; then
+  echo "OPENSHELL_VERSION=${OPENSHELL_VERSION}" >> "${GITHUB_ENV}"
+  echo "OPENSHELL_SHA=${OPENSHELL_SHA}" >> "${GITHUB_ENV}"
+fi

.github/workflows/e2e.yml

@@ -9,6 +9,7 @@ permissions: {}
 on:
   push:
     branches: [main]
+    # SYNC-WITH: grep regex in "Check for e2e-relevant changes" step in the e2e job
     paths:
       - '**/*.go'
       - 'go.mod'
@@ -24,19 +25,6 @@ on:
       - 'scripts/check-e2e-authorization.sh'
   pull_request_target:
     types: [opened, synchronize, reopened, labeled]
-    paths:
-      - '**/*.go'
-      - 'go.mod'
-      - 'go.sum'
-      - 'e2e/**'
-      - 'internal/scaffold/fullsend-repo/**'
-      - 'internal/security/hooks/**'
-      - 'internal/dispatch/gcf/mintsrc/**'
-      - 'internal/sentencetoken/english.json'
-      - 'Makefile'
-      - '.github/workflows/e2e.yml'
-      - '.github/actions/check-e2e-authorization/**'
-      - 'scripts/check-e2e-authorization.sh'
   merge_group:
   workflow_dispatch:
 
@@ -93,19 +81,44 @@ jobs:
       contents: read
       id-token: write
     steps:
+      - name: Check for e2e-relevant changes
+        id: changes
+        if: github.event_name == 'pull_request_target'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        # SYNC-WITH: push.paths filter above
+        run: |
+          FILES=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename') || {
+            echo "::warning::Failed to fetch PR files — running e2e tests as a precaution"
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          }
+          if echo "$FILES" | grep -qE '\.go$|^go\.(mod|sum)$|^e2e/|^internal/scaffold/fullsend-repo/|^internal/security/hooks/|^internal/dispatch/gcf/mintsrc/|^internal/sentencetoken/english\.json$|^Makefile$|^\.github/workflows/e2e\.yml$|^\.github/actions/check-e2e-authorization/|^scripts/check-e2e-authorization\.sh$'; then
+            echo "relevant=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "::notice::No e2e-relevant files changed — skipping tests"
+            echo "relevant=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - uses: actions/checkout@v4
+        if: steps.changes.outputs.relevant != 'false'
         with:
           ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
           persist-credentials: false
 
       - uses: actions/setup-go@v5
+        if: steps.changes.outputs.relevant != 'false'
         with:
           go-version-file: go.mod
 
       - name: Install Playwright system dependencies
+        if: steps.changes.outputs.relevant != 'false'
         run: npx playwright install-deps chromium
 
       - name: Check for secrets
+        if: steps.changes.outputs.relevant != 'false'
         id: secrets-check
         run: |
           if [ -z "$E2E_GITHUB_SESSION_B64" ]; then
@@ -118,7 +131,7 @@ jobs:
           E2E_GITHUB_SESSION_B64: ${{ secrets.E2E_GITHUB_SESSION }}
 
       - name: Decode session
-        if: steps.secrets-check.outputs.available == 'true'
+        if: steps.changes.outputs.relevant != 'false' && steps.secrets-check.outputs.available == 'true'
         run: |
           SESSION_FILE="${RUNNER_TEMP}/github-session.json"
           printf '%s' "$E2E_GITHUB_SESSION_B64" | base64 -d > "$SESSION_FILE"
@@ -127,14 +140,14 @@ jobs:
           E2E_GITHUB_SESSION_B64: ${{ secrets.E2E_GITHUB_SESSION }}
 
       - name: Authenticate to GCP
-        if: steps.secrets-check.outputs.available == 'true'
+        if: steps.changes.outputs.relevant != 'false' && steps.secrets-check.outputs.available == 'true'
         uses: google-github-actions/auth@v2
         with:
           workload_identity_provider: ${{ secrets.E2E_GCP_WIF_PROVIDER }}
           service_account: ${{ secrets.E2E_GCP_SERVICE_ACCOUNT }}
 
       - name: Run e2e tests
-        if: steps.secrets-check.outputs.available == 'true'
+        if: steps.changes.outputs.relevant != 'false' && steps.secrets-check.outputs.available == 'true'
         run: make e2e-test
         env:
           E2E_SCREENSHOT_DIR: ${{ runner.temp }}/e2e-screenshots
@@ -144,7 +157,7 @@ jobs:
           E2E_GCP_PROJECT_ID: ${{ secrets.E2E_GCP_PROJECT_ID }}
 
       - name: Upload debug screenshots
-        if: always() && steps.secrets-check.outputs.available == 'true'
+        if: always() && steps.changes.outputs.relevant != 'false' && steps.secrets-check.outputs.available == 'true'
         uses: actions/upload-artifact@v4
         with:
           name: e2e-screenshots-${{ github.event_name == 'pull_request_target' && github.event.pull_request.number || github.run_id }}

.github/workflows/reusable-code.yml

@@ -56,6 +56,8 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        # Keep in sync with --vendor marker paths (see internal/scaffold/vendorcontent.go VendoredMarkerPath).
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -102,6 +104,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -127,6 +130,7 @@ jobs:
           persist-credentials: false
 
       - name: Validate inputs
+        id: validate
         env:
           ISSUE_NUMBER: ${{ fromJSON(inputs.event_payload).issue.number }}
           REPO_FULL_NAME: ${{ inputs.source_repo }}
@@ -135,12 +139,14 @@ jobs:
         run: bash scripts/pre-code.sh
 
       - name: Setup GCP and prepare credentials
+        if: steps.validate.outputs.skipped != 'true'
         uses: ./.defaults/.github/actions/setup-gcp
         with:
           gcp_wif_provider: ${{ secrets.FULLSEND_GCP_WIF_PROVIDER }}
           gcp_project_id: ${{ secrets.FULLSEND_GCP_PROJECT_ID }}
 
       - name: Resolve bot identity
+        if: steps.validate.outputs.skipped != 'true'
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
@@ -154,6 +160,7 @@ jobs:
           echo "GIT_BOT_EMAIL=${GIT_BOT_EMAIL}" >> "${GITHUB_ENV}"
 
       - name: Setup agent environment
+        if: steps.validate.outputs.skipped != 'true'
         env:
           AGENT_PREFIX: CODE_
           CODE_GH_TOKEN: ${{ steps.app-token.outputs.token }}
@@ -164,6 +171,7 @@ jobs:
         run: bash .github/scripts/setup-agent-env.sh
 
       - name: Run code agent
+        if: steps.validate.outputs.skipped != 'true'
         uses: ./.defaults/
         env:
           GITHUB_ISSUE_URL: ${{ fromJSON(inputs.event_payload).issue.html_url }}
@@ -178,4 +186,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-dispatch.yml

@@ -64,7 +64,7 @@ jobs:
       contents: read
       pull-requests: read
     outputs:
-      stage: ${{ steps.role-check.outputs.skipped != 'true' && steps.route.outputs.stage || '' }}
+      stage: ${{ steps.role-check.outputs.skipped != 'true' && steps.pr-check.outputs.skipped != 'true' && steps.route.outputs.stage || '' }}
       trigger_source: ${{ steps.route.outputs.trigger_source }}
       event_payload: ${{ steps.payload.outputs.event_payload }}
     steps:
@@ -234,6 +234,27 @@ jobs:
           echo "stage=${STAGE}" >> "${GITHUB_OUTPUT}"
           echo "trigger_source=${TRIGGER_SOURCE}" >> "${GITHUB_OUTPUT}"
 
+      - name: Check for existing PRs
+        id: pr-check
+        if: steps.route.outputs.stage == 'code'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          SOURCE_REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          BOT_LOGIN="fullsend-ai[bot]"
+          CODER_BOT_LOGIN="fullsend-ai-coder[bot]"
+          MENTIONING_PRS="$(gh pr list --repo "${SOURCE_REPO}" --state open \
+            --search "${ISSUE_NUMBER} in:title,body" \
+            --json number,author \
+            --jq "[.[] | select(.author.login != \"${BOT_LOGIN}\" and .author.login != \"${CODER_BOT_LOGIN}\")] | .[].number" \
+            2>/dev/null || true)"
+          if [[ -n "${MENTIONING_PRS}" ]]; then
+            echo "::notice::Open PR(s) mentioning issue #${ISSUE_NUMBER} found — skipping code dispatch"
+            echo "skipped=true" >> "${GITHUB_OUTPUT}"
+          fi
+
       - name: Validate routed stage
         if: steps.route.outputs.stage != ''
         env:

.github/workflows/reusable-fix.yml

@@ -68,6 +68,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -114,6 +115,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -380,4 +382,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ steps.context.outputs.pr_number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-prioritize.yml

@@ -58,6 +58,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -104,6 +105,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment

.github/workflows/reusable-retro.yml

@@ -54,6 +54,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -100,6 +101,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -145,12 +147,10 @@ jobs:
           ORIGINATING_URL: ${{ fromJSON(inputs.event_payload).pull_request.html_url || fromJSON(inputs.event_payload).issue.html_url }}
           RETRO_COMMENT: ${{ fromJSON(inputs.event_payload).comment.body || '' }}
           REPO_FULL_NAME: ${{ inputs.source_repo }}
-          RETRO_SANDBOX_TOKEN: ${{ steps.app-token.outputs.token }}
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         with:
           agent: retro
           version: ${{ inputs.fullsend_version }}
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).pull_request.number || fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-review.yml

@@ -55,6 +55,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -169,4 +170,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).pull_request.number || fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-triage.yml

@@ -54,6 +54,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -100,6 +101,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -149,4 +151,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/sandbox-images.yml

@@ -136,3 +136,26 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=code
           cache-to: type=gha,mode=max,scope=code
+
+      # Load a single-platform image locally so we can smoke-test PATH ordering.
+      # Multi-arch builds cannot --load, so this reuses the GHA cache from above.
+      - name: Build code image for smoke test
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        with:
+          context: images/code
+          file: images/code/Containerfile
+          platforms: linux/amd64
+          load: true
+          tags: fullsend-code:ci-smoke
+          build-args: |
+            BASE_IMAGE=${{ needs.build-base.outputs.image-ref }}
+          cache-from: type=gha,scope=code
+
+      - name: Validate PATH security
+        run: |
+          docker run --rm --entrypoint '' fullsend-code:ci-smoke sh -c '
+            LAST=$(echo "$PATH" | tr ":" "\n" | tail -1)
+            [ "$LAST" = "/sandbox/go/bin" ] || { echo "FAIL: /sandbox/go/bin not last (got $LAST)"; exit 1; }
+            [ "$(command -v git)" = "/usr/bin/git" ] || { echo "FAIL: git shadowed ($(command -v git))"; exit 1; }
+            [ "$(command -v scan-secrets)" = "/usr/local/bin/scan-secrets" ] || { echo "FAIL: scan-secrets shadowed ($(command -v scan-secrets))"; exit 1; }
+          '

.pre-commit-config.yaml

@@ -74,6 +74,8 @@ repos:
           - property "workflow_repository" is not defined
           - -ignore
           - SC2016
+          - -ignore
+          - '__REUSABLE_(WORKFLOW|DISPATCH)__'
 
   - repo: local
     hooks: