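# SECURITY:
#
# This workflow runs on pull_request_target and has write privileges.
# Those are used to add labels to the PR.
#
# **IF a user can run code in here, they would be able to extract our secrets.**
#
# This is why it doesn't run external scripts, and why every value that
# originates from the PR (SHAs, commit messages, PR number) reaches the shell
# steps through `env:` instead of being interpolated with `${{ }}` into `run:`.
# An interpolated value is spliced into the script text before bash parses it;
# an environment variable is only ever data.
# The exception is the get_real_pr_shas.yml workflow.
# The input of it is sanitized.
name: AI/LLM Checks
on:
  pull_request_target:
jobs:
  real_pr_shas:
    uses: rizinorg/rizin/.github/workflows/get_real_pr_shas.yml@dev
  ai_checks:
    name: LLM checks
    permissions:
      pull-requests: write
    runs-on: ubuntu-latest
    needs: real_pr_shas
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Full history needed for commit scanning
      - name: Validate input hashes
        env:
          BASE_SHA: ${{ needs.real_pr_shas.outputs.BASE_SHA }}
          HEAD_SHA: ${{ needs.real_pr_shas.outputs.HEAD_SHA }}
        # Require a non-empty, lowercase-hex value before anything is handed to
        # git. Only rejecting non-hex characters let an empty output through,
        # which later reached `git diff` as "".
        run: |
          for var in BASE_SHA HEAD_SHA; do
            if ! [[ "${!var}" =~ ^[0-9a-f]+$ ]]; then
              echo "$var is malformed: '${!var}'"
              exit 1
            fi
          done
      - name: Check AGENTS.md is unchanged
        env:
          BASE_SHA: ${{ needs.real_pr_shas.outputs.BASE_SHA }}
        # `run:` steps execute under bash -e by default, so a failing `git diff`
        # inside `diff=$(...)` aborted the step before a following `$?` test could
        # run; testing the assignment itself catches every non-zero status.
        # `--` keeps the path from being read as a revision.
        # NOTE(review): this compares BASE_SHA with the checked-out tree, which on
        # pull_request_target is the base branch rather than the PR head — confirm
        # that is the intended comparison.
        run: |
          if ! diff=$(git diff --name-status "$BASE_SHA" -- AGENTS.md); then
            echo "Failed to diff"
            exit 1
          fi
          if [[ -n "$diff" ]]; then
            echo "Edits to 'AGENTS.md' are not allowed!"
            exit 1
          fi
      - name: Check for AI usage and label
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
          BASE_SHA: ${{ needs.real_pr_shas.outputs.BASE_SHA }}
          HEAD_SHA: ${{ needs.real_pr_shas.outputs.HEAD_SHA }}
          COMMIT_MSGS: ${{ needs.real_pr_shas.outputs.COMMIT_MSGS }}
        # COMMIT_MSGS is PR-controlled text. It is only ever piped into grep as a
        # fixed string (-F), never evaluated; printf is used instead of echo so a
        # message starting with "-n"/"-e" is not taken as an option. All expansions
        # passed to gh are quoted.
        run: |
          LABEL_NAME="AI/LLM"
          NEEDLE="Co-authored-by agent"
          if printf '%s\n' "$COMMIT_MSGS" | grep -qF -- "$NEEDLE"; then
            echo "Authored by AI agent"
            gh pr --repo "$REPO" edit "$NUMBER" --add-label "$LABEL_NAME"
          fi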