ci: Use our own pr_title_lint.py instead of NPM commitlint [citest_skip] #338
Open
richm wants to merge 1 commit into main from pr_title_lint
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query: linux-system-roles auto-maintenance pr_title_lint.py latest commit checksum verification recommended practice for downloading scripts in CI

💡 Result:

The linux-system-roles/auto-maintenance repository is a collection of automation scripts and tools used to manage various linux-system-roles repositories [1]. Regarding the specific query about pr_title_lint.py, while auto-maintenance contains many utility scripts [1], standard PR title linting in the linux-system-roles ecosystem is typically handled via GitHub Actions, specifically using commitlint as shown in the linux-system-roles/template repository [2].

Recommended practices for downloading and executing scripts in CI pipelines emphasize security to prevent supply chain attacks, as piping directly from curl to shell (e.g., `curl | bash`) is considered a security risk [3][4]. The following practices are recommended:

1. Use trusted sources and version pinning: whenever possible, use official plugins, package managers (apt, apk, npm), or container images [3][4]. If you must download a script, ensure it is from a trusted, immutable source and pin it to a specific version or commit [3].

2. Verify integrity via checksums: never execute a remote script without verification [3]. The standard practice is to:
   - Download the script to a temporary file [3].
   - Compute its hash (e.g., sha256sum) [3][5].
   - Compare the computed hash against a known, trusted checksum [3][5].
   - Only execute the script if the verification succeeds [3][6][5].

   Example CI pattern for checksum verification:

   ```shell
   curl -fsSL https://example.com/script.sh -o script.sh
   # sha256sum -c expects "HASH  FILE" (two spaces) on its stdin
   echo "EXPECTED_HASH  script.sh" | sha256sum -c -
   if [ $? -eq 0 ]; then
     bash script.sh
   else
     echo "Checksum verification failed"
     exit 1
   fi
   ```

3. Avoid dynamic scripts: if a script is generated dynamically, it is difficult to verify via a static checksum [5]. In such cases, prefer cloning the repository and running the script from a specific commit hash, which guarantees integrity through git's cryptographic hashing rather than relying on a downloadable artifact checksum [7][5].
🏁 Script executed (repository: linux-system-roles/certificate; length of output: 8607)

🏁 Script executed (repository: linux-system-roles/certificate; length of output: 736)
🌐 Web query: curl --fail exit code HTTP 404 body saved without --fail documentation

💡 Result:

When using the `--fail` (or `-f`) option in curl, the program will exit with code 22 if an HTTP server returns an error response code of 400 or greater [1][2]. Crucially, the `--fail` option explicitly prevents curl from outputting or saving the response body for these errors [1][3]. In these cases, curl stops immediately after receiving the response headers and does not store the content [1][4].

If you need to both trigger an exit code on HTTP errors (400+) and save the response body (such as the HTML error page or error details), you should use the `--fail-with-body` option instead [1][5][4]. This option, introduced in curl version 7.76.0, functions as an alternative to `--fail` by allowing the body to be saved while still returning exit code 22 upon encountering a server error [1][4]. These two options, `--fail` and `--fail-with-body`, are mutually exclusive [1][6].
Pin the downloaded script to an immutable ref and fail fast on HTTP errors. Fetching from `main` means CI executes whatever upstream publishes next; pin a commit/tag, and use `curl --fail` (or `--fail-with-body`) so 4xx/5xx responses don't turn into a confusing Python traceback.
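The pattern the review comment asks for, written out as an added example (this is not code from the PR, from the linux-system-roles project, or from the review bot). It assumes the workflow fetches pr_title_lint.py from the auto-maintenance repository with curl; the raw.githubusercontent.com URL shape, the commit SHA and the SHA-256 digest below are placeholders, not real values. The download goes to a temporary file, `--fail` turns a 4xx/5xx into a non-zero curl exit instead of a saved error page, and the file is only moved into place after its digest matches the one recorded in the workflow.

```shell
# Added example: fetch a CI helper script pinned to an immutable ref and
# refuse to run it unless its SHA-256 matches a recorded value.
# All identifiers below are assumptions made for illustration.
set -eu

# sha256 of a file; uses sha256sum (GNU coreutils) or shasum (BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED -> returns 0 on match, 1 on mismatch
verify_sha256() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# fetch_pinned URL EXPECTED_SHA256 DEST
# --fail: exit non-zero on HTTP 4xx/5xx instead of saving the error page
# --location: follow redirects (raw.githubusercontent.com may redirect)
# The body lands in a temp file first, so DEST never holds unverified content.
fetch_pinned() {
    local url="$1" expected="$2" dest="$3" tmp
    tmp="$(mktemp)"
    if ! curl --fail --silent --show-error --location "$url" -o "$tmp"; then
        rm -f "$tmp"
        echo "download failed (HTTP error or network): $url" >&2
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
    return 0
}

# Placeholder pin: a hypothetical commit SHA and digest, not real ones.
# Bumping the script means updating both values in the same commit.
PR_TITLE_LINT_REF="0000000000000000000000000000000000000000"
PR_TITLE_LINT_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
PR_TITLE_LINT_URL="https://raw.githubusercontent.com/linux-system-roles/auto-maintenance/${PR_TITLE_LINT_REF}/pr_title_lint.py"

# run_pr_title_lint [ARGS...]: the step a workflow would call.
# Not invoked at top level so this file can be sourced for testing.
run_pr_title_lint() {
    fetch_pinned "$PR_TITLE_LINT_URL" "$PR_TITLE_LINT_SHA256" pr_title_lint.py || return 1
    python3 pr_title_lint.py "$@"
}
```

In a workflow step this would be `run_pr_title_lint "$PR_TITLE"` (or whatever arguments the linter takes; that interface is not shown on this page). Recording the digest next to the commit SHA means a changed upstream file fails the step even if the pinned ref were ever rewritten, and `--fail` means a 404 surfaces as "download failed" rather than as Python choking on an HTML body.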