💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 82dc0eb214
2 issues found across 1 file
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/create-release.yml">
<violation number="1" location=".github/workflows/create-release.yml:22">
P2: Script injection: `${{ github.ref_name }}` is interpolated directly into the shell script. If a malicious branch name contains shell metacharacters, it will execute arbitrary commands. Assign it to an env variable and reference that instead.</violation>
<violation number="2" location=".github/workflows/create-release.yml:151">
P2: Potential script injection: `${{ steps.version.outputs.version }}` is interpolated directly into a JavaScript string literal. If the version ever contained a single quote, it would break the JS and could allow code injection. Safer to pass it as an environment variable and access via `process.env.VERSION`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
@cursor review
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
1 issue found across 1 file (changes from recent commits).
<file name=".github/workflows/create-release.yml">
<violation number="1" location=".github/workflows/create-release.yml:108">
P2: `pushed_at` is recorded after the push, so the `createdAt >= pushed_at` filter can exclude the release-drafter run that was triggered by the push. This can cause the wait loop to time out even when the run exists.</violation>
</file>
2 issues found across 2 files (changes from recent commits).
<file name=".github/workflows/create-release.yml">
<violation number="1" location=".github/workflows/create-release.yml:172">
P2: Publishing the first draft release without matching the version can publish the wrong draft when multiple drafts exist. Keep filtering by tag (or by target commit) so the workflow only publishes the draft for the current release version.</violation>
</file>
<file name=".github/workflows/release-drafter.yml">
<violation number="1" location=".github/workflows/release-drafter.yml:4">
P2: Release Drafter updates release notes when PRs are merged; removing the `push` trigger means the workflow won’t run after merges, so draft releases will stay stale. Add a `push` (or `pull_request_target: closed`) trigger for main to update on merges.</violation>
</file>
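The two injection findings above (`${{ github.ref_name }}` expanded into a `run:` script, and `${{ steps.version.outputs.version }}` expanded into a github-script string literal) and the draft-matching finding share one fix pattern: expressions reach the script only through `env:`, and the draft is selected by its tag rather than by position. The workflow below is an added example written for this page, not the project's `create-release.yml`. It assumes a hypothetical `release/<version>` ref naming scheme and a Release Drafter draft whose `tag_name` equals the computed version, and it omits the project's tag-and-push steps.

```yaml
name: create-release (added hardened example)

on:
  workflow_dispatch:

permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Weak form (do not use): `run: echo "Releasing ${{ github.ref_name }}"`.
      # The expression is substituted as text before bash starts, so shell
      # metacharacters in a branch name become part of the script.
      - name: Derive version from the ref
        id: version
        env:
          # Hardened form: the expression lands in an environment variable,
          # and the shell only ever sees its value as data.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Hypothetical scheme (assumption): release refs look like release/1.2.3.
          version="${REF_NAME#release/}"
          echo "Releasing $version from ref $REF_NAME"
          echo "version=$version" >> "$GITHUB_OUTPUT"

      # ... the project's tag-and-push steps would go here (omitted) ...

      - name: Publish the draft for this version
        uses: actions/github-script@v7
        env:
          # Same rule for JavaScript: never splice the expression into a
          # string literal; read it from process.env inside the script.
          VERSION: ${{ steps.version.outputs.version }}
        with:
          script: |
            const version = process.env.VERSION;
            const { owner, repo } = context.repo;

            // Drafts are neither the only nor necessarily the first entries:
            // walk every page and match on the tag this run computed.
            const releases = await github.paginate(github.rest.repos.listReleases, {
              owner, repo, per_page: 100,
            });
            const drafts = releases.filter((r) => r.draft && r.tag_name === version);
            if (drafts.length !== 1) {
              core.setFailed(`expected exactly one draft for ${version}, found ${drafts.length}`);
              return;
            }
            await github.rest.repos.updateRelease({
              owner, repo, release_id: drafts[0].id, draft: false,
            });
            core.info(`published ${drafts[0].html_url}`);
```

If the workflow also waits for a Release Drafter run before publishing, the timestamp it filters runs against should be captured in a step that executes before the push, not after it; otherwise the very run the push triggered can fall outside the `createdAt >= pushed_at` window.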
P2: Publishing the first draft release without matching the version can publish the wrong draft when multiple drafts exist. Keep filtering by tag (or by target commit) so the workflow only publishes the draft for the current release version.
<file context>
@@ -178,25 +154,25 @@ jobs:
- const draft = releases.find(
- (release) => release.draft && release.tag_name === version,
- )
+ const draft = releases.find((release) => release.draft)
if (!draft) {
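Review bot: dropping `release.tag_name === version` from the `find` predicate makes the published release depend on the order in which `listReleases` returns drafts, so whenever more than one draft exists (for example a draft left behind for an earlier version that was never published) the first one wins regardless of the version this workflow computed. Restore the tag match, `(release) => release.draft && release.tag_name === version`, or match on `release.target_commitish` against the commit just pushed, and fail the step when the number of matching drafts is not exactly one rather than silently publishing whichever came first.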
</file context>
P2: Release Drafter updates release notes when PRs are merged; removing the `push` trigger means the workflow won’t run after merges, so draft releases will stay stale. Add a `push` (or `pull_request_target: closed`) trigger for main to update on merges.
<file context>
@@ -1,15 +1,16 @@
on:
- push:
+ pull_request_target:
branches:
- main
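Review bot: replacing `push:` with `pull_request_target:` changes both when this workflow runs and what it runs with. With no `types:` listed in the visible context, `pull_request_target` fires on opened, synchronize and reopened but not on `closed`, so a merge into `main` no longer triggers a run and the draft notes stop being refreshed at the moment they should be; add `types: [closed]` or keep a `push` trigger on `main`. Separately, `pull_request_target` runs in the base repository with its write token and secrets even for pull requests from forks, so the job must not check out or execute code from the pull request head; confirm the release-drafter job only invokes the action and never runs `actions/checkout` against the PR ref.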
</file context>
No description provided.