
ci(policy): require process and network policy receipts (#211, rollout PR 12/12 — FINAL)#224

Merged

EffortlessSteven merged 1 commit into main from ci/policy-promote-process-network-blocking-20260511 on May 12, 2026

Conversation

@EffortlessSteven (Member)

Summary

Twelfth and final PR in the file-policy rollout. Promotes check-process-policy and check-network-policy from --mode advisory to --mode blocking-allowlist, completing the 12-PR ladder.

Issue

Closes #211. Closes the 12-PR ladder under #180. Builds on PR 11 (#210). Tracks #109.

What changed

1. Refined process detector (xtask/src/workflow_checks.rs)

PR 10's grep-style detector produced 10 false positives (e.g., shipper flagged because workflows reference cargo build -p shipper). New detect_commands_in_runs:

  1. Extracts content under run: keys only — inline AND block scalars (run: | / >).
  2. Splits each block by shell separators (\n, ;, &&, ||, |).
  3. Looks at the first word of each segment. Only that first word can be a command in shell semantics; subsequent tokens are arguments.
  4. Strips env-var assignments (FOO=bar cmd) and shell glue (\, &&, ||).

cargo build -p shipper now flags cargo and nothing else. Real commands like sudo, mkdir, python3 still flag correctly.

Removed now-dead word_present / is_word_char helpers.

2. Process allowlist gets the genuinely-missed commands

After refinement, 4 unknown tokens remained — all real shell commands in run: blocks:

  • ci profile adds: sudo (cross-compile prep: sudo apt-get install gcc-aarch64-linux-gnu), mkdir, python3
  • release profile adds: mkdir

3. CI: promote both to blocking

.github/workflows/ci.yml policy job now runs all seven checks in --mode blocking-allowlist. Header comment explains why refinement made promotion safe.

4. Docs: close the ladder

  • docs/FILE_POLICY.md: marks PR 12 as "the full file-policy rollout is now complete."
  • docs/POLICY_ALLOWLISTS.md + docs/policy/NON_RUST_ROLLOUT.md: PR 11 → landed, PR 12 → in flight.

Live local validation

check-file-policy           tracked=178 entries=35  ALL ZERO
check-generated             universe=0  entries=1   ALL ZERO
check-executable-files      universe=0  entries=0   ALL ZERO
check-dependency-surfaces   universe=16 entries=5   ALL ZERO
check-workflow-surfaces     workflows=9 entries=10  ALL ZERO
check-process-policy        workflows=9 unknown=0   (was 10 in PR 8)
check-network-policy        workflows=9 unknown=0

All seven blocking-allowlist invocations exit 0.

End state after this PR merges

Every new non-Rust file in shipper falls into exactly one of seven receipted scopes, or CI fails. The allowlists encode "known surface, owner, reason, current disposition" — never "approved forever." reason = "Scheduled to be converted to Rust/xtask" remains a valid disposition for legacy items, paired with expires.

blocking-strict mode (which fails on unused entries and stale review dates) remains deferred to a future cleanup pass.

Acceptance

  • cargo check --workspace --locked passes.
  • cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
  • cargo fmt --all -- --check clean.
  • All 7 --mode blocking-allowlist invocations exit 0 locally.
  • .github/workflows/ci.yml parses; the Policy job now blocks on all seven.
  • Process detector refinement validated on the actual shipper workflows (false positives dropped from 10 to 0).

Closes the file-policy ladder

This is PR 12 of 12. After merge, #180 (the umbrella) can be closed with a summary of the final receipt set. The broader 0.4.0 quality rollout (#179, #198, #191, #187, #182, #189, #184, #190, #192, #195) can then resume.

**Twelfth and final PR in the file-policy rollout.** Promotes
check-process-policy and check-network-policy from --mode advisory
to --mode blocking-allowlist, completing the ladder.

## What changed

### 1. Refined process detector (xtask/src/workflow_checks.rs)

The previous detector grep-matched the whole YAML for known command
tokens, which produced 10 false positives in PR 10's report (e.g.,
`shipper` matched as a token because workflows reference
`cargo build -p shipper`).

New `detect_commands_in_runs` extracts content under `run:` keys —
inline (`run: cargo build`) and block scalars (`run: |` followed by
indented lines) — splits each block by shell statement separators
(newline, `;`, `&&`, `||`, `|`), and looks at the **first word** of
each segment. Only that first word can be a command in shell
semantics; subsequent tokens are arguments.

Drops `cargo build -p shipper` from flagging `shipper`. Keeps real
commands like `sudo apt-get install`, `mkdir`, `python3`. Strips
leading env-var assignments (`FOO=bar cmd`) and shell glue
(`\`, `&&`, `||`).

Removes the now-dead `word_present` / `is_word_char` helpers.

### 2. Process allowlist gets the genuinely-missed commands

After refinement, 4 unknown tokens remained — all real shell commands
appearing in `run:` blocks:

  ci profile      : sudo, mkdir, python3  (cross-compile prep, ad-hoc
                                            dirs, helper scripts)
  release profile : mkdir                  (binary packaging step)

Added to policy/process-allowlist.toml.

### 3. CI: promote both to blocking-allowlist

.github/workflows/ci.yml `policy` job now runs ALL SEVEN checks in
--mode blocking-allowlist. The job header comment explains that the
detector refinement made promotion safe, and reaffirms that
blocking-strict mode remains out of scope.

### 4. Docs: close the ladder

- docs/FILE_POLICY.md: marks PR 12 as **the full file-policy
  rollout is now complete**.
- docs/POLICY_ALLOWLISTS.md: flips PR 11 → landed, PR 12 → in flight.
- docs/policy/NON_RUST_ROLLOUT.md: same.

## Live local validation

  check-file-policy           tracked=178 entries=35  ALL ZERO
  check-generated             universe=0  entries=1   ALL ZERO
  check-executable-files      universe=0  entries=0   ALL ZERO
  check-dependency-surfaces   universe=16 entries=5   ALL ZERO
  check-workflow-surfaces     workflows=9 entries=10  ALL ZERO
  check-process-policy        workflows=9 unknown=0   (down from 10)
  check-network-policy        workflows=9 unknown=0

All seven blocking-allowlist invocations exit 0.

## End state

After this PR merges, every new file in shipper falls into exactly
one of seven receipted scopes (non-Rust / generated / executable /
dep-surface / workflow / process / network), or CI fails. The
allowlists encode "known surface, owner, reason, current
disposition" — never "approved forever." `reason = "Scheduled to be
converted to Rust/xtask"` remains a valid disposition for legacy
items, paired with `expires`.

`blocking-strict` mode (which fails on unused entries and stale
review dates) remains deferred to a future cleanup pass.

Closes #211. Closes the 12-PR ladder under #180. Tracks #109.
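
The `run:`-scoped detector and allowlist check described in the PR description and commit message above, as an added Rust example that is not shipper's `detect_commands_in_runs` or any code from its xtask crate. The hand-rolled YAML scan, every function name and the sample workflow are assumptions made for this example; it pulls inline and block-scalar (`|`, `>`) `run:` text, splits on shell separators, keeps only each statement's first word after dropping `NAME=value` prefixes and `\` continuations, and reports the words a process allowlist does not receipt.

```rust
use std::collections::BTreeSet;
fn indent(s: &str) -> usize { s.len() - s.trim_start().len() }

/// Constructed sample workflow for this example (not shipper's real ci.yml).
const SAMPLE_WORKFLOW: &str = "\
steps:
  - run: CARGO_TERM_COLOR=always cargo build -p shipper
  - run: |
      sudo apt-get install -y \\
        gcc-aarch64-linux-gnu
      mkdir -p dist && python3 scripts/package.py | tee build.log
  - run: >
      cargo clippy
      -p xtask
";

/// Shell text of each `run:` step (plain key or `- run:` list item): the inline value, or
/// the deeper-indented lines of a `|`/`>` block scalar; folded `>` lines join with spaces.
pub fn extract_run_blocks(yaml: &str) -> Vec<String> {
    let (mut blocks, mut lines) = (Vec::new(), yaml.lines().peekable());
    while let Some(line) = lines.next() {
        let (mut col, mut body) = (indent(line), line.trim_start());
        if let Some(rest) = body.strip_prefix("- ") { col += 2; body = rest; }
        let value = match body.strip_prefix("run:") { Some(v) => v.trim(), None => continue };
        if !(value.starts_with('|') || value.starts_with('>')) { blocks.push(value.to_string()); continue; }
        let (join, mut buf) = (if value.starts_with('>') { ' ' } else { '\n' }, String::new());
        while let Some(n) = lines.next_if(|n| n.trim().is_empty() || indent(n) > col) {
            buf.push_str(n.trim()); buf.push(join);
        }
        blocks.push(buf);
    }
    blocks
}

/// First word of each shell statement is the only token that can be a command;
/// `NAME=value` assignments and `\` line continuations are stripped first.
pub fn detect_commands(block: &str) -> BTreeSet<String> {
    fn is_env(w: &str) -> bool { matches!(w.split_once('='), Some((n, _))
        if !n.is_empty() && n.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')) }
    block.replace("\\\n", " ") // a `\`-continued line is still arguments, not a command
        .replace("&&", "\n").replace("||", "\n").replace('|', "\n").replace(';', "\n").lines()
        .filter_map(|seg| seg.split_whitespace().find(|w| !is_env(w) && *w != "\\"))
        .filter(|w| !w.starts_with('#')).map(str::to_string).collect()
}

/// Commands the allowlist does not receipt: what `--mode blocking-allowlist` fails on.
pub fn unknown_commands(yaml: &str, allowlist: &[&str]) -> BTreeSet<String> {
    extract_run_blocks(yaml).into_iter().flat_map(|b| detect_commands(&b))
        .filter(|c| !allowlist.contains(&c.as_str())).collect()
}
```

The functions are library-style, so run them with `rustc --test` or from a small `main`; on the sample, `cargo build -p shipper` yields only `cargo`, and with the allowlist `cargo, sudo, mkdir, python3` the one unreceipted command is `tee`.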
@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 9 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 2bc1360 and e19ae07.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • docs/FILE_POLICY.md
  • docs/POLICY_ALLOWLISTS.md
  • docs/policy/NON_RUST_ROLLOUT.md
  • policy/process-allowlist.toml
  • xtask/src/workflow_checks.rs

@factory-droid

factory-droid Bot commented May 12, 2026

Droid finished @EffortlessSteven's task.


Droid is reviewing code and running a security check…

@EffortlessSteven EffortlessSteven merged commit a740dc5 into main May 12, 2026
21 checks passed
@EffortlessSteven EffortlessSteven deleted the ci/policy-promote-process-network-blocking-20260511 branch May 12, 2026 02:59