molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

ci(canary): route curl -w to tempfile to satisfy status-capture lint
Some checks failed
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 2s
Details
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 7s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 7s
Details
pr-guards / disable-auto-merge-on-push (pull_request) Failing after 5s
Details
CI / Detect changes (pull_request) Successful in 10s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 10s
Details
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 10s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 11s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 12s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 11s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 13s
Details
CI / Platform (Go) (pull_request) Successful in 7s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
Details
CI / Python Lint & Test (pull_request) Successful in 7s
Details
CI / Canvas (Next.js) (pull_request) Successful in 9s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 8s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 12s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details

Browse Source 
The two API probes used the unsafe shape rejected by
lint-curl-status-capture.yml (per feedback_curl_status_capture_pollution):

  status=$(curl ... -w '%{http_code}' ... || echo "000")

When curl exits non-zero (transport error, --fail-with-body 4xx/5xx),
the `-w` already wrote a code; the `|| echo "000"` then APPENDS another
"000", yielding "000000" or "409000" — passes shape checks while looking
right.

Switch to the canonical safe shape (set +e + tempfile + cat):

  set +e
  curl ... -w '%{http_code}' >code_file 2>/dev/null
  set -e
  status=$(cat code_file 2>/dev/null || true)
  [ -z "$status" ] && status="000"

Inline comment in both probe steps explains the lint constraint so
the next editor doesn't re-introduce the bad pattern.

Refs: #72, lint failure on PR #77 (1/22 red → 22/22 expected green)
This commit is contained in:
claude-ceo-assistant 2026-05-07 15:26:22 -07:00
parent bfc393c065
commit 0cef033a6a
1 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
.github/workflows/auto-sync-canary.yml vendored
View File

@ -211,15 +211,23 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
response_file="$(mktemp)" response_file="$(mktemp)"
code_file="$(mktemp)"
# `--max-time 30`: full call ceiling. `--connect-timeout 10`: # `--max-time 30`: full call ceiling. `--connect-timeout 10`:
# DNS + TCP. `-w "%{http_code}"` to a separate var (not # DNS + TCP. `-w "%{http_code}"` routed to a tempfile so curl's
# response body — see feedback_curl_status_capture_pollution). # exit code can't pollute the captured status — see
status=$(curl -sS -o "$response_file" \ # feedback_curl_status_capture_pollution + the
# `lint-curl-status-capture.yml` gate that rejects the unsafe
# `$(curl ... || echo "000")` shape.
set +e
curl -sS -o "$response_file" \
--max-time 30 --connect-timeout 10 \ --max-time 30 --connect-timeout 10 \
-w "%{http_code}" \ -w "%{http_code}" \
-H "Authorization: token ${AUTO_SYNC_TOKEN}" \ -H "Authorization: token ${AUTO_SYNC_TOKEN}" \
-H "Accept: application/json" \ -H "Accept: application/json" \
"https://${GITEA_HOST}/api/v1/user" || echo "000") "https://${GITEA_HOST}/api/v1/user" >"$code_file" 2>/dev/null
set -e
status=$(cat "$code_file" 2>/dev/null || true)
[ -z "$status" ] && status="000"
if [ "$status" != "200" ]; then if [ "$status" != "200" ]; then
echo "::error::Token rotation suspected: GET /api/v1/user returned HTTP $status (expected 200)." >&2 echo "::error::Token rotation suspected: GET /api/v1/user returned HTTP $status (expected 200)." >&2
@ -247,12 +255,20 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
response_file="$(mktemp)" response_file="$(mktemp)"
status=$(curl -sS -o "$response_file" \ code_file="$(mktemp)"
# See first probe step for the rationale on the tempfile-routed
# `-w "%{http_code}"` pattern — the unsafe `|| echo "000"` shape
# is rejected by lint-curl-status-capture.yml.
set +e
curl -sS -o "$response_file" \
--max-time 30 --connect-timeout 10 \ --max-time 30 --connect-timeout 10 \
-w "%{http_code}" \ -w "%{http_code}" \
-H "Authorization: token ${AUTO_SYNC_TOKEN}" \ -H "Authorization: token ${AUTO_SYNC_TOKEN}" \
-H "Accept: application/json" \ -H "Accept: application/json" \
"https://${GITEA_HOST}/api/v1/repos/${REPO_PATH}" || echo "000") "https://${GITEA_HOST}/api/v1/repos/${REPO_PATH}" >"$code_file" 2>/dev/null
set -e
status=$(cat "$code_file" 2>/dev/null || true)
[ -z "$status" ] && status="000"
if [ "$status" != "200" ]; then if [ "$status" != "200" ]; then
echo "::error::Token lacks read:repository scope on ${REPO_PATH}: HTTP $status." >&2 echo "::error::Token lacks read:repository scope on ${REPO_PATH}: HTTP $status." >&2