ci(policy): require process and network policy receipts (#211, rollout PR 12/12 — FINAL) #224
**Twelfth and final PR in the file-policy rollout.** Promotes
check-process-policy and check-network-policy from --mode advisory
to --mode blocking-allowlist, completing the ladder.
## What changed
### 1. Refined process detector (xtask/src/workflow_checks.rs)
The previous detector grep-matched the whole YAML for known command
tokens, which produced 10 false positives in PR 10's report (e.g.,
`shipper` matched as a token because workflows reference
`cargo build -p shipper`).
New `detect_commands_in_runs` extracts content under `run:` keys —
inline (`run: cargo build`) and block scalars (`run: |` followed by
indented lines) — splits each block by shell statement separators
(newline, `;`, `&&`, `||`, `|`), and looks at the **first word** of
each segment. Only that first word can be a command in shell
semantics; subsequent tokens are arguments.
Drops `cargo build -p shipper` from flagging `shipper`. Keeps real
commands like `sudo apt-get install`, `mkdir`, `python3`. Strips
leading env-var assignments (`FOO=bar cmd`) and shell glue
(`\`, `&&`, `||`).
Removes the now-dead `word_present` / `is_word_char` helpers.
### 2. Process allowlist gets the genuinely-missed commands
After refinement, 4 unknown tokens remained — all real shell commands
appearing in `run:` blocks:
- ci profile: `sudo`, `mkdir`, `python3` (cross-compile prep, ad-hoc dirs, helper scripts)
- release profile: `mkdir` (binary packaging step)
Added to policy/process-allowlist.toml.
### 3. CI: promote both to blocking-allowlist
.github/workflows/ci.yml `policy` job now runs ALL SEVEN checks in
--mode blocking-allowlist. The job header comment explains that the
detector refinement made promotion safe, and reaffirms that
blocking-strict mode remains out of scope.
### 4. Docs: close the ladder
- docs/FILE_POLICY.md: marks PR 12 as **the full file-policy
rollout is now complete**.
- docs/POLICY_ALLOWLISTS.md: flips PR 11 → landed, PR 12 → in flight.
- docs/policy/NON_RUST_ROLLOUT.md: same.
## Live local validation
```text
check-file-policy          tracked=178  entries=35  ALL ZERO
check-generated            universe=0   entries=1   ALL ZERO
check-executable-files     universe=0   entries=0   ALL ZERO
check-dependency-surfaces  universe=16  entries=5   ALL ZERO
check-workflow-surfaces    workflows=9  entries=10  ALL ZERO
check-process-policy       workflows=9  unknown=0   (down from 10)
check-network-policy       workflows=9  unknown=0
```
All seven blocking-allowlist invocations exit 0.
## End state
After this PR merges, every new file in shipper falls into exactly
one of seven receipted scopes (non-Rust / generated / executable /
dep-surface / workflow / process / network), or CI fails. The
allowlists encode "known surface, owner, reason, current
disposition" — never "approved forever." `reason = "Scheduled to be
converted to Rust/xtask"` remains a valid disposition for legacy
items, paired with `expires`.
`blocking-strict` mode (which fails on unused entries and stale
review dates) remains deferred to a future cleanup pass.
Closes #211. Closes the 12-PR ladder under #180. Tracks #109.
**Droid** finished @EffortlessSteven's task.

## Summary

Twelfth and final PR in the file-policy rollout. Promotes `check-process-policy` and `check-network-policy` from `--mode advisory` to `--mode blocking-allowlist`, completing the 12-PR ladder.

## Issue

Closes #211. Closes the 12-PR ladder under #180. Builds on PR 11 (#210). Tracks #109.

## What changed

### 1. Refined process detector (`xtask/src/workflow_checks.rs`)

PR 10's grep-style detector produced 10 false positives (e.g., `shipper` flagged because workflows reference `cargo build -p shipper`). New `detect_commands_in_runs`:

- reads `run:` keys only — inline AND block scalars (`run: |` / `>`).
- splits on shell statement separators (`\n`, `;`, `&&`, `||`, `|`).
- strips leading env-var assignments (`FOO=bar cmd`) and shell glue (`\`, `&&`, `||`).
- `cargo build -p shipper` now flags `cargo` and nothing else. Real commands like `sudo`, `mkdir`, `python3` still flag correctly.

Removed now-dead `word_present` / `is_word_char` helpers.

### 2. Process allowlist gets the genuinely-missed commands

After refinement, 4 unknown tokens remained — all real shell commands in `run:` blocks:

- ci profile: `sudo` (cross-compile prep: `sudo apt-get install gcc-aarch64-linux-gnu`), `mkdir`, `python3`
- release profile: `mkdir`

### 3. CI: promote both to blocking

`.github/workflows/ci.yml` `policy` job now runs all seven checks in `--mode blocking-allowlist`. Header comment explains why refinement made promotion safe.

### 4. Docs: close the ladder

- `docs/FILE_POLICY.md`: marks PR 12 as "the full file-policy rollout is now complete."
- `docs/POLICY_ALLOWLISTS.md` + `docs/policy/NON_RUST_ROLLOUT.md`: PR 11 → landed, PR 12 → in flight.

## Live local validation

All seven blocking-allowlist invocations exit 0.

## End state after this PR merges

Every new non-Rust file in shipper falls into exactly one of seven receipted scopes, or CI fails. The allowlists encode "known surface, owner, reason, current disposition" — never "approved forever." `reason = "Scheduled to be converted to Rust/xtask"` remains a valid disposition for legacy items, paired with `expires`. `blocking-strict` mode (which fails on unused entries and stale review dates) remains deferred to a future cleanup pass.

## Acceptance

- `cargo check --workspace --locked` passes.
- `cargo clippy -p xtask --all-targets --locked -- -D warnings` clean.
- `cargo fmt --all -- --check` clean.
- All seven `--mode blocking-allowlist` invocations exit 0 locally.
- `.github/workflows/ci.yml` parses; the `Policy` job now blocks on all seven.

## Closes the file-policy ladder

This is PR 12 of 12. After merge, #180 (the umbrella) can be closed with a summary of the final receipt set. The broader 0.4.0 quality rollout (#179, #198, #191, #187, #182, #189, #184, #190, #192, #195) can then resume.
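Both the PR description and the Droid summary above describe the refined detector in words: pull the text under every `run:` key (inline and block scalar), split it on shell statement separators, treat only the first word after any `NAME=value` prefix as the command, and report the commands the allowlist does not cover. The block below is an added worked example of exactly that rule, written for this page in Rust. It is not the shipper project's `xtask/src/workflow_checks.rs` code and only borrows the function name `detect_commands_in_runs` for readability; the workflow text it scans and the `ALLOWLIST` it checks against are constructed stand-ins, not the repository's workflows or `policy/process-allowlist.toml`. The YAML handling is deliberately line-based so the example needs no crate.

```rust
use std::collections::BTreeSet;

/// Every `run:` value: inline (`run: cargo build`) and block scalars (`run: |` / `run: >`
/// followed by more-indented lines). Line-oriented so this example needs no YAML crate.
fn extract_run_blocks(yaml: &str) -> Vec<String> {
    let lines: Vec<&str> = yaml.lines().collect();
    let indent = |l: &str| l.len() - l.trim_start().len();
    let (mut blocks, mut i) = (Vec::new(), 0);
    while i < lines.len() {
        let key = lines[i].trim_start();
        let key = key.strip_prefix("- ").unwrap_or(key); // `- run:` list-item form
        let value = match key.strip_prefix("run:") { Some(v) => v.trim(), None => { i += 1; continue } };
        if value.starts_with('|') || value.starts_with('>') {
            let (base, mut body) = (indent(lines[i]), Vec::new());
            i += 1;
            while i < lines.len() && (lines[i].trim().is_empty() || indent(lines[i]) > base) {
                body.push(lines[i].trim_start());
                i += 1;
            }
            blocks.push(body.join("\n"));
        } else {
            if !value.is_empty() { blocks.push(value.to_string()) }
            i += 1;
        }
    }
    blocks
}

/// Split a shell snippet into statements on newline, `;`, `&&`, `||` and `|`.
/// `\`-continued lines are joined first; text inside quotes is never split.
fn split_statements(script: &str) -> Vec<String> {
    let chars: Vec<char> = script.replace("\\\n", " ").chars().collect();
    let (mut out, mut cur, mut quote, mut i) = (Vec::new(), String::new(), None::<char>, 0);
    while i < chars.len() {
        let c = chars[i];
        match quote {
            Some(q) => { cur.push(c); if c == q { quote = None } }
            None if c == '\'' || c == '"' => { quote = Some(c); cur.push(c) }
            None if c == '\n' || c == ';' || c == '|' => out.push(std::mem::take(&mut cur)),
            None if c == '&' && chars.get(i + 1) == Some(&'&') => { out.push(std::mem::take(&mut cur)); i += 1 }
            None => cur.push(c),
        }
        i += 1;
    }
    out.push(cur);
    out.iter().map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect()
}

/// The command word of one statement: the first word that is not a leading `NAME=value`
/// assignment. Quotes are tracked so `FOO="a b" cmd` yields `cmd`; a `#` comment yields None.
fn command_word(stmt: &str) -> Option<String> {
    let is_assignment = |w: &str| match w.split_once('=') {
        Some((name, _)) => !name.is_empty() && !name.starts_with(|c: char| c.is_ascii_digit())
            && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_'),
        None => false,
    };
    let (mut words, mut cur, mut quote) = (Vec::new(), String::new(), None::<char>);
    for c in stmt.chars() {
        match quote {
            Some(q) => { cur.push(c); if c == q { quote = None } }
            None if c == '\'' || c == '"' => { quote = Some(c); cur.push(c) }
            None if c.is_whitespace() => if !cur.is_empty() { words.push(std::mem::take(&mut cur)) },
            None => cur.push(c),
        }
    }
    words.push(cur);
    words.into_iter().find(|w| !w.is_empty() && !is_assignment(w.as_str())).filter(|w| !w.starts_with('#'))
}

/// All command words under `run:` keys, deduplicated and sorted.
fn detect_commands_in_runs(yaml: &str) -> BTreeSet<String> {
    extract_run_blocks(yaml).iter().flat_map(|b| split_statements(b)).filter_map(|s| command_word(&s)).collect()
}

/// What `--mode blocking-allowlist` reports: detected commands missing from the allowlist.
fn unknown_commands(yaml: &str, allowlist: &[&str]) -> Vec<String> {
    detect_commands_in_runs(yaml).into_iter().filter(|c| !allowlist.contains(&c.as_str())).collect()
}

/// Constructed sample workflow for this example; not one of shipper's real workflows.
const SAMPLE_WORKFLOW: &str = r#"jobs:
  build:
    steps:
      - run: cargo build -p shipper
      - run: |
          sudo apt-get install -y gcc-aarch64-linux-gnu
          mkdir -p target/aarch64 \
            && RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc" cargo build --target aarch64-unknown-linux-gnu
          # helper script, then a pipeline and a fallback
          python3 scripts/check.py | tee out.txt; echo "a;b" || true
      - run: >
          cargo fmt --all -- --check
"#;

/// Hypothetical allowlist standing in for policy/process-allowlist.toml.
const ALLOWLIST: &[&str] = &["cargo", "sudo", "mkdir", "python3"];

fn main() {
    let unknown = unknown_commands(SAMPLE_WORKFLOW, ALLOWLIST);
    println!("detected={:?} unknown={:?}", detect_commands_in_runs(SAMPLE_WORKFLOW), unknown);
    if !unknown.is_empty() {
        std::process::exit(1); // blocking-allowlist: any unknown command fails the job
    }
}
```

On the constructed workflow the detector reports `cargo`, `sudo`, `mkdir`, `python3`, `tee`, `echo` and `true` but never `shipper`, which is the false positive the PR set out to remove; with the four-entry allowlist the unknown set is `echo`, `tee`, `true`, so the run exits non-zero the way the blocking mode described above would. Two caveats worth keeping in mind when reading the real allowlist: the first-word rule means `sudo apt-get install ...` is recorded only as `sudo`, so once `sudo` is allowlisted nothing inspects what runs under it (the same applies to `env`, `xargs`, `bash -c` and `$(...)` substitutions), and a line-based scanner of this shape will not see through heredocs or unusual YAML layouts. Both are reasons to re-run the detector over the real workflows and compare the unknown count, as the PR did, rather than trusting the allowlist alone.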