molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

Merge branch 'staging' into feat/canvas-test-coverage-2071

Browse Source
This commit is contained in:
Hongming Wang 2026-04-26 14:22:26 -07:00 committed by GitHub
commit 3248941ed5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 61 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
.github/workflows/secret-scan.yml vendored
View File

@ -46,7 +46,29 @@ jobs:
if: github.event_name == 'pull_request'
run: git fetch --depth=1 origin ${{ github.event.pull_request.base.sha }}
# For merge_group events the queue's pre-merge ref is a commit on
# `gh-readonly-queue/...` whose parent is the queue's base_sha.
# That parent isn't part of the queue branch's shallow clone, so
# we fetch it explicitly. Without this the diff falls through to
# "no BASE → scan entire tree" mode and false-positives on legit
# test fixtures (e.g. canvas/src/lib/validation/__tests__/secret-formats.test.ts).
- name: Fetch merge_group base SHA (merge_group events only)
if: github.event_name == 'merge_group'
run: git fetch --depth=1 origin ${{ github.event.merge_group.base_sha }}
- name: Refuse if credential-shaped strings appear in diff additions
env:
# Plumb event-specific SHAs through env so the script doesn't
# need conditional `${{ ... }}` interpolation per event type.
# github.event.before/after only exist on push events;
# merge_group has its own base_sha/head_sha; pull_request has
# pull_request.base.sha / pull_request.head.sha.
PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
MG_BASE_SHA: ${{ github.event.merge_group.base_sha }}
MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
PUSH_BEFORE: ${{ github.event.before }}
PUSH_AFTER: ${{ github.event.after }}
run: |
# Pattern set covers GitHub family (the actual #2090 vector),
# Anthropic / OpenAI / Slack / AWS. Anchored on prefixes with low
@ -68,19 +90,41 @@ jobs:
'ASIA[0-9A-Z]{16}' # AWS STS temp access key ID
)
# Determine the diff base.
if [ "${{ github.event_name }}" = "pull_request" ]; then
BASE="${{ github.event.pull_request.base.sha }}"
HEAD="${{ github.event.pull_request.head.sha }}"
else
BASE="${{ github.event.before }}"
HEAD="${{ github.event.after }}"
# Determine the diff base. Each event type stores its SHAs in
# a different place — see the env block above.
case "${{ github.event_name }}" in
pull_request)
BASE="$PR_BASE_SHA"
HEAD="$PR_HEAD_SHA"
;;
merge_group)
BASE="$MG_BASE_SHA"
HEAD="$MG_HEAD_SHA"
;;
*)
BASE="$PUSH_BEFORE"
HEAD="$PUSH_AFTER"
;;
esac
# On push events with shallow clones, BASE may be present in
# the event payload but absent from the local object DB
# (fetch-depth=2 doesn't always reach the previous commit
# across true merges). Try fetching it on demand. If the
# fetch fails — e.g. the SHA was force-overwritten — we fall
# through to the empty-BASE branch below, which scans the
# entire tree as if every file were new. Correct, just slow.
if [ -n "$BASE" ] && ! echo "$BASE" | grep -qE '^0+$'; then
if ! git cat-file -e "$BASE" 2>/dev/null; then
git fetch --depth=1 origin "$BASE" 2>/dev/null || true
fi
fi
# Files added or modified in this change.
if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
# New branch / no previous SHA — check the entire tree as
# added content. Slower, but correct on first push.
if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$' || ! git cat-file -e "$BASE" 2>/dev/null; then
# New branch / no previous SHA / BASE unreachable — check the
# entire tree as added content. Slower, but correct on first
# push.
CHANGED=$(git ls-tree -r --name-only HEAD)
DIFF_RANGE=""
else

7
canvas/src/components/ProvisioningTimeout.tsx
View File

@ -2,6 +2,7 @@
import { useState, useEffect, useCallback, useRef, useMemo } from "react";
import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
import { pruneStaleKeys } from "./canvas/useCanvasViewport";
import { api } from "@/lib/api";
import { showToast } from "./Toaster";
import { ConsoleModal } from "./ConsoleModal";
@ -125,11 +126,7 @@ export function ProvisioningTimeout({
// Remove tracking for nodes that are no longer provisioning
const activeIds = new Set(parsedProvisioningNodes.map((n) => n.id));
for (const id of tracking.keys()) {
if (!activeIds.has(id)) {
tracking.delete(id);
}
}
pruneStaleKeys(tracking, activeIds);
// Also remove from timedOut list if no longer provisioning, and
// clear `dismissed` entries for workspaces that finished so a

7
canvas/src/lib/validation/__tests__/secret-formats.test.ts
View File

@ -143,7 +143,10 @@ describe('inferGroup', () => {
describe('maskSecretValue', () => {
it('masks ghp_ prefixed values showing prefix and last 4', () => {
const value = 'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
// Built via concatenation, not as a literal continuous string —
// a literal `ghp_` + 36+ alphanumerics matches the secret-scan
// workflow's own regex and false-positives merge_group / push runs.
const value = 'ghp_' + 'x'.repeat(40);
const masked = maskSecretValue(value);
expect(masked.startsWith('ghp_')).toBe(true);
expect(masked.endsWith(value.slice(-4))).toBe(true);
@ -151,7 +154,7 @@ describe('maskSecretValue', () => {
});
it('masks github_pat_ prefixed values', () => {
const value = 'github_pat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
const value = 'github_pat_' + 'x'.repeat(82);
const masked = maskSecretValue(value);
expect(masked.startsWith('github_pat_')).toBe(true);
expect(masked.endsWith(value.slice(-4))).toBe(true);