chore(ci): add workflow to warn PRs modifying vendored aqua-registry#8897
chore(ci): add workflow to warn PRs modifying vendored aqua-registry#8897
Conversation
Automatically comments on PRs that modify files under crates/aqua-registry/aqua-registry/pkgs/ to direct contributors to submit changes to the upstream aqua-registry instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pull_request_target runs in the base repo context so GITHUB_TOKEN has permission to comment on PRs from forks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use a dedicated MISE_PR_COMMENT_TOKEN instead of GITHUB_TOKEN to limit the blast radius of pull_request_target workflows. The token should be a fine-grained PAT scoped to only pull request comments. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Greptile SummaryThis PR adds a GitHub Actions workflow ( Key changes:
Confidence Score: 5/5Safe to merge — the new workflow is functionally correct and uses pull_request_target safely; remaining findings are P2 style/clarity suggestions. All findings are P2: the PAT-vs-GITHUB_TOKEN swap in semantic-pr-lint and the misleading permissions: {} comment are style/documentation concerns that don't affect correctness. The pull_request_target usage is safe (no code checkout), deduplication logic is correct, and the previously flagged silent-failure issue was already noted in a prior review thread. No files require special attention beyond the P2 notes on semantic-pr-lint.yml and vendored-file-warning.yml. Important Files Changed
Sequence DiagramsequenceDiagram
participant Dev as Contributor
participant GH as GitHub
participant WF as vendored-file-warning workflow
participant PAT as MISE_PR_COMMENT_TOKEN (PAT)
Dev->>GH: Open PR touching pkgs/**
GH->>WF: Trigger pull_request_target
WF->>WF: Skip if actor == jdx or mise-en-dev
WF->>PAT: gh pr view --json comments
PAT->>GH: GET PR comments
GH-->>PAT: Comment bodies
PAT-->>WF: Pipe to grep -c "vendored from the upstream"
WF->>WF: existing == "0"?
alt No existing warning
WF->>PAT: gh pr comment --body "..."
PAT->>GH: POST comment on PR
GH-->>Dev: Warning comment posted
else Warning already present
WF->>WF: Skip (deduplicated)
end
Reviews (2): Last reviewed commit: "chore(ci): use MISE_PR_COMMENT_TOKEN for..." | Re-trigger Greptile |
| existing=$(gh pr view "${{ github.event.pull_request.number }}" \ | ||
| -R "${{ github.repository }}" \ | ||
| --json comments --jq '.comments[].body' \ | ||
| | grep -c "vendored from the upstream" || true) |
There was a problem hiding this comment.
gh pr view errors out
If gh pr view itself fails (e.g., MISE_PR_COMMENT_TOKEN is missing or expired, network hiccup), the command substitution produces empty stdout. existing becomes "", the condition [ "$existing" = "0" ] is then false, and the warning is silently skipped — no comment is posted and no job failure surfaces.
Consider scoping the || true only to the grep step so that a failure in gh pr view still causes the job to fail loudly:
| existing=$(gh pr view "${{ github.event.pull_request.number }}" \ | |
| -R "${{ github.repository }}" \ | |
| --json comments --jq '.comments[].body' \ | |
| | grep -c "vendored from the upstream" || true) | |
| existing=$(gh pr view "${{ github.event.pull_request.number }}" \ | |
| -R "${{ github.repository }}" \ | |
| --json comments --jq '.comments[].body' \ | |
| | grep -c "vendored from the upstream") || existing=0 |
This keeps the job exit-code clean while still treating "no matches" as 0.
All pull_request_target workflows now use the same fine-grained PAT. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit d360c45. Configure here.
| - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_TOKEN: ${{ secrets.MISE_PR_COMMENT_TOKEN }} |
There was a problem hiding this comment.
Built-in token replaced with custom PAT unnecessarily
Medium Severity
The GITHUB_TOKEN value for the semantic PR lint action was changed from the built-in secrets.GITHUB_TOKEN (which is auto-generated and always available) to secrets.MISE_PR_COMMENT_TOKEN (a manually-configured PAT). This change isn't mentioned in the PR description and appears unrelated to the stated goal of adding the vendored-file-warning workflow. The action only needs pull-requests: read permission, which the built-in token already provides. Using a custom PAT introduces unnecessary fragility — if the PAT expires, is revoked, or loses the required scope, the semantic PR lint check will break for all PRs.
Reviewed by Cursor Bugbot for commit d360c45. Configure here.
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 x -- echo |
22.6 ± 0.4 | 21.7 | 24.8 | 1.00 |
mise x -- echo |
23.2 ± 0.4 | 22.4 | 25.9 | 1.03 ± 0.02 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 env |
22.1 ± 0.6 | 21.3 | 27.7 | 1.00 |
mise env |
22.7 ± 0.5 | 21.8 | 24.7 | 1.03 ± 0.04 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 hook-env |
22.8 ± 0.5 | 22.0 | 31.4 | 1.00 |
mise hook-env |
23.3 ± 0.5 | 22.5 | 27.6 | 1.02 ± 0.03 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 ls |
20.1 ± 0.3 | 19.3 | 22.5 | 1.00 |
mise ls |
20.7 ± 0.5 | 19.8 | 22.7 | 1.03 ± 0.03 |
xtasks/test/perf
| Command | mise-2026.4.3 | mise | Variance |
|---|---|---|---|
| install (cached) | 153ms | 153ms | +0% |
| ls (cached) | 80ms | 81ms | -1% |
| bin-paths (cached) | 83ms | 83ms | +0% |
| task-ls (cached) | 835ms | -69% |
### 🚀 Features - **(ci)** auto-convert external PRs to draft mode by @jdx in [#8896](#8896) - **(deps)** add `depends` field for user-specified tool dependencies by @cprecioso in [#8776](#8776) - **(dotnet)** support runtime-only installs by @fragon10 in [#8524](#8524) - **(npm)** apply install_before to transitive dependencies by @risu729 in [#8851](#8851) - **(task)** allow passing arguments to task dependencies via {{usage.*}} templates by @jdx in [#8893](#8893) - add options field to BackendListVersionsCtx by @esteve in [#8875](#8875) ### 🐛 Bug Fixes - **(backend)** filter PEP 440 .dev versions in fuzzy version matching by @richardthe3rd in [#8849](#8849) - **(ci)** update COPR BuildRequires rust version to match MSRV 1.88 by @jdx in [#8911](#8911) - **(ci)** add Ruby build dependencies to e2e Docker image by @jdx in [#8910](#8910) - **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8912](#8912) - **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8914](#8914) - **(ci)** use Node 24 LTS for corepack e2e test by @jdx in [#8915](#8915) - **(ci)** add libxml2 and pkg-config to e2e Docker image by @jdx in [#8917](#8917) - **(ci)** add libxml2-dev to e2e image and disable Swift SPM tests by @jdx in [#8918](#8918) - **(docs)** use sans-serif font for badges by @jdx in [#8887](#8887) - **(env)** parse --env=VALUE and -E=VALUE flag forms correctly by @jdx in [#8889](#8889) - **(exec)** use i64::from() for seccomp syscall numbers to survive autofix by @jdx in [#8882](#8882) - **(github)** preserve tool options like filter_bins when version specified via CLI by @jdx in [#8888](#8888) - **(github)** use alias-specific options when tool_alias has its own config by @jdx in [#8892](#8892) - **(install)** add locked_verify_provenance setting and detect github attestations at lock time by @jdx in [#8901](#8901) - **(lock)** prune stale version entries during filtered `mise lock <tool>` runs by @altendky in [#8599](#8599) - **(python)** use lockfile URL for precompiled installs by @hehaoqian in [#8750](#8750) - **(release)** verify all build targets succeed before releasing by @jdx in [#8886](#8886) - **(ruby)** support build revisions for precompiled binaries in mise.lock by @jdx in [#8900](#8900) - **(swift)** fall back to Ubuntu 24.04 for unsupported Ubuntu versions by @jdx in [#8916](#8916) - **(zsh)** avoid duplicate trust warning after cd by @timothysparg in [#8898](#8898) - update flake.lock and add fix for rust-bindgen to default.nix by @esteve in [#8874](#8874) - when direnv diff is empty, do not try to parse it by @yaleman in [#8857](#8857) - skip trust check for plain .tool-versions in task list by @dportalesr in [#8876](#8876) ### 🚜 Refactor - **(go)** rename go_* settings to go.* namespace by @jdbruijn in [#8598](#8598) ### 📚 Documentation - **(tasks)** clarify task_config.includes behavior by @risu729 in [#8905](#8905) ### 🧪 Testing - **(ci)** run e2e tests inside Docker containers by @jdx in [#8899](#8899) ### 📦️ Dependency Updates - bump ubi from 0.8 to 0.9 by @jdx in [#8906](#8906) - bump zip from 3 to 8 by @jdx in [#8908](#8908) - update lockfile deps (hold back rattler) by @jdx in [#8909](#8909) - update bun.lock by @jdx in [#8913](#8913) ### 📦 Registry - add turso ([github:tursodatabase/turso-cli](https://github.com/tursodatabase/turso-cli)) by @kenn in [#8884](#8884) - remove carp test by @jdx in [#8894](#8894) ### Chore - **(ci)** add workflow to warn PRs modifying vendored aqua-registry by @jdx in [#8897](#8897) - **(ci)** use github.token for draft conversion in auto-draft workflow by @jdx in [#8903](#8903) - remove deprecated settings older than 12 months by @jdx in [#8904](#8904) ### New Contributors - @dportalesr made their first contribution in [#8876](#8876) - @timothysparg made their first contribution in [#8898](#8898) - @hehaoqian made their first contribution in [#8750](#8750) - @jdbruijn made their first contribution in [#8598](#8598) - @cprecioso made their first contribution in [#8776](#8776) - @yaleman made their first contribution in [#8857](#8857) - @kenn made their first contribution in [#8884](#8884) - @fragon10 made their first contribution in [#8524](#8524) ## 📦 Aqua Registry Updates #### New Packages (6) - [`ahkohd/oyo`](https://github.com/ahkohd/oyo) - [`bellicose100xp/jiq`](https://github.com/bellicose100xp/jiq) - [`kurama/dealve-tui`](https://github.com/kurama/dealve-tui) - [`micahkepe/jsongrep`](https://github.com/micahkepe/jsongrep) - [`textfuel/lazyjira`](https://github.com/textfuel/lazyjira) - [`ubugeeei/vize`](https://github.com/ubugeeei/vize) #### Updated Packages (1) - [`sigstore/cosign`](https://github.com/sigstore/cosign)
Summary
crates/aqua-registry/aqua-registry/pkgs/Test plan
crates/aqua-registry/aqua-registry/pkgs/and verify the comment is posted🤖 Generated with Claude Code
Note
Low Risk
Low risk: CI-only workflow changes that post PR comments; main risk is misconfiguration of
pull_request_target/token permissions causing unexpected commenting behavior.Overview
Adds a new
vendored-file-warningGitHub Actions workflow that triggers onpull_request_targetwhen files undercrates/aqua-registry/aqua-registry/pkgs/**change and posts a one-time warning comment directing contributors to update the upstreamaqua-registryinstead.Updates the semantic PR title lint workflow to use
MISE_PR_COMMENT_TOKEN(instead of the defaultGITHUB_TOKEN) for the semantic PR action.Reviewed by Cursor Bugbot for commit d360c45. Bugbot is set up for automated code reviews on this repo. Configure here.