fix: unblock check and secrets CI failures

[altaywtf]

Summary

• Problem: check was failing on main before 20db7afd5 because Feishu media calls had invalid per-call timeout properties, and PR secrets runs were failing in two ways: first by falling back to a full-repo scan when the shallow checkout lacked the base SHA, then by requiring a refreshed .secrets.baseline once the scan was correctly limited to changed files.
• Why it matters: the PR could not go green while secrets was diffing against incomplete history or while the generated baseline update was missing from the branch.
• What changed: kept the Feishu timeout-path coverage in extensions/feishu/src/media.test.ts, added the shared ensure-base-commit step to the secrets job before changed-file diffing, and refreshed .secrets.baseline so the changed-file secret scan no longer rewrites tracked metadata.
• What did NOT change (scope boundary): no detect-secrets allowlist cleanup beyond the generated baseline refresh, no main push skip-policy changes, and no new Feishu runtime behavior beyond test coverage.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related fix(agents): handle overloaded failover separately #38301
• Related fix(feishu): remove invalid timeout properties from SDK method calls #38267

User-visible / Behavior Changes

None.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? Yes
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation:
  The secrets CI job now fetches the PR base ref before diffing changed files. This is limited to the PR base branch on origin and reuses the existing shared ensure-base-commit action already used by other CI jobs.

Repro + Verification

Environment

• OS: macOS local workstation + GitHub Actions Ubuntu 24.04 failure logs
• Runtime/container: Node 22.22.0, pnpm 10.23.0
• Model/provider: N/A
• Integration/channel (if any): Feishu, GitHub Actions CI
• Relevant config (redacted): depth-1 checkout on PR CI; Feishu media timeout override set via httpTimeoutMs: 120_000

Steps

1. Inspect the failing check job 66086536179, the fallback-path PR secrets job 66088689815, and the changed-files PR secrets job 66094255246.
2. Re-run pnpm tsgo and pnpm vitest run extensions/feishu/src/media.test.ts locally on the rebased branch.
3. Reproduce the PR shallow-checkout path against merge commit 645c2826414ec1cd6d60c2695304cb70ffe79dcf with base ab5fcfcc01281f1f6cd6e8f43f7c302c12806feb, then run python3 -m pre_commit run detect-secrets --files .github/workflows/ci.yml extensions/feishu/src/media.test.ts extensions/feishu/src/media.ts .secrets.baseline.

Expected

• check passes TypeScript validation.
• PR secrets scans only changed files instead of falling back to a full-repo scan.
• The changed-file detect-secrets hook passes without rewriting .secrets.baseline.

Actual

• Before the fixes, check failed with TS2353 on Feishu media request objects.
• Before the base-fetch fix, PR secrets logged Falling back to full detect-secrets scan. because the shallow checkout did not contain the base SHA.
• Before the baseline refresh, PR secrets failed because detect-secrets rewrote .secrets.baseline and exited non-zero.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: pnpm tsgo, pnpm vitest run extensions/feishu/src/media.test.ts, and python3 -m pre_commit run detect-secrets --files .github/workflows/ci.yml extensions/feishu/src/media.test.ts extensions/feishu/src/media.ts .secrets.baseline on the rebased branch.
• Edge cases checked: Feishu tests still verify the 120s timeout is applied through createFeishuClient; the PR diff path works once the base commit is present; the baseline no longer rewrites during the changed-file secret scan.
• What you did not verify: I did not wait for the fresh post-rebase GitHub Actions run to finish.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert the PR commits on top of main.
• Files/config to restore: extensions/feishu/src/media.test.ts, .github/workflows/ci.yml, .secrets.baseline
• Known bad symptoms reviewers should watch for: PR secrets logging Falling back to full detect-secrets scan., detect-secrets asking to stage .secrets.baseline, or Feishu timeout regression coverage disappearing from media.test.ts.

Risks and Mitigations

• Risk: a future workflow edit could again shift baseline metadata without updating .secrets.baseline.
  • Mitigation: the branch now includes the refreshed baseline produced by the same detect-secrets hook used in CI.
• Risk: unusually deep PR ancestry could still require more history than the initial checkout contains.
  • Mitigation: ensure-base-commit deepens incrementally and then fetches the full base ref if needed.

Post-rebase Follow-up

• Current PR head: 3b13e56c6
• Rebased onto current main commit c301c5d08
• The merge-ref failures being followed here are still:
  • check 66094971631
  • secrets 66094930426
  • actionlint 66094930448
• Root causes confirmed:
  • .github/workflows/auto-response.yml on main added the new r: no-ci-pr reply as a multiline template literal that broke YAML parsing inside script: |.
  • .github/workflows/ci.yml interpolated ${{ github.* }} directly inside shell run: blocks, which zizmor flagged as template-injection.
• Current state on this branch:
  • rewrites the r: no-ci-pr auto-response message in a YAML-safe JS array/join form
  • moves github context values into step env variables before shell use in the secrets job
  • does not carry the earlier inline zizmor ignore anymore
• Current local verification:
  • pnpm check
  • pnpm vitest run extensions/feishu/src/media.test.ts
  • python3 -m pre_commit run actionlint --files .github/workflows/auto-response.yml .github/workflows/ci.yml
  • python3 -m pre_commit run detect-secrets --files .github/workflows/ci.yml .github/workflows/auto-response.yml .secrets.baseline
  • official zizmor binary v1.22.0: /tmp/zizmor-v1.22.0/zizmor --persona=regular --min-severity=medium --min-confidence=medium .github/workflows/ci.yml .github/workflows/auto-response.yml
• Remaining blocker without suppression:
  • zizmor still reports dangerous-triggers on .github/workflows/auto-response.yml because it uses pull_request_target; that finding is currently unsuppressed on this branch.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	Secret scanning bypass via broad dist/ and vendor/ file exclusions in detect-secrets baseline

---

1. 🟠 Secret scanning bypass via broad dist/ and vendor/ file exclusions in detect-secrets baseline

Property	Value
Severity	High
CWE	CWE-693
Location	.secrets.baseline:129-132

Description

The detect-secrets baseline was updated to exclude entire directory classes (dist/ and vendor/) from scanning:

• detect_secrets.filters.regex.should_exclude_file now matches any file path that contains a /dist/ or /vendor/ segment (or starts with dist//vendor/), causing all files under any such directory to be skipped.
• The same regex also excludes .detect-secrets.cfg, meaning secrets added to that file will not be detected.
• In CI, the “Detect secrets” job on pull requests runs detect-secrets only on the changed files list (fast path). If an attacker adds a secret in an excluded path (e.g., vendor/...), the file will be part of --files but will still be skipped by the exclusion regex, allowing the secret to be committed undetected by this control.

This is particularly relevant because the repo contains vendored directories (e.g., vendor/a2ui/ and src/auto-reply/reply/export-html/vendor/), which are now entirely outside secret scanning coverage.

Vulnerable configuration:

"pattern": [
  "(^|/)(dist/|vendor/|pnpm-lock\\.yaml$|\\.detect-secrets\\.cfg$)"
]

Recommendation

Avoid globally excluding broad directory names like vendor/ (and dist/ if it can contain checked-in artifacts). Instead:

1. Narrow exclusions to known-safe, specific paths (vendored third-party trees you never want to scan), and keep everything else scanned.
2. Do not exclude .detect-secrets.cfg entirely; if it causes false positives, exclude specific lines/patterns instead.
3. Add a compensating control: run a scheduled (or manual) full-repo detect-secrets scan that does not exclude these directories.

Example safer --exclude-files / baseline regex (tailor to your exact vendored locations):

# only exclude specific vendored trees, not any directory named "vendor"
- --exclude-files
- '(^|/)(pnpm-lock\.yaml$|vendor/a2ui/|src/auto-reply/reply/export-html/vendor/)'

If dist/ must be excluded, prefer excluding only the repo-root build output:

- --exclude-files
- '^(dist/|pnpm-lock\.yaml$)'

---

Analyzed PR: #38353 at commit 3b13e56

_{Last updated on: 2026-03-06T22:24:48Z}

[greptile-apps]

Greptile Summary

This PR fixes two CI regressions: a TypeScript TS2353 error caused by per-call timeout fields that don't exist in the @larksuiteoapi/node-sdk request types, and a secrets job fallback to a full-repo detect-secrets scan when the PR shallow checkout didn't contain the base commit.

• extensions/feishu/src/media.ts: Removes the unsupported per-call timeout field from four SDK call sites (downloadImageFeishu, downloadMessageResourceFeishu, uploadImageFeishu, uploadFileFeishu). The 120-second timeout is already enforced at client-creation time via httpTimeoutMs: FEISHU_MEDIA_HTTP_TIMEOUT_MS in each function's createFeishuClient(...) call, so there is no functional timeout regression.
• extensions/feishu/src/media.test.ts: Updates four test assertions to verify createFeishuClientMock is called with httpTimeoutMs: 120_000 instead of checking the now-removed per-call timeout on individual SDK mock functions.
• .github/workflows/ci.yml: Adds the shared ensure-base-commit action to the secrets job (PR events only), before the git diff --name-only "$BASE" HEAD changed-file scan. This matches the pattern already used in docs-scope, changed-scope, and build-artifacts jobs, and also benefits the zizmor step in the same job which performs the same kind of base-to-HEAD diff.

Confidence Score: 5/5

• This PR is safe to merge — it removes type-invalid SDK fields while preserving the existing client-level timeout, and adds a well-understood fetch helper already used by other CI jobs.
• The changes are minimal, targeted, and well-scoped. The timeout behavior is provably unchanged (client-level httpTimeoutMs was already set before the removed fields were ever added). The CI fix follows an established pattern already used by other jobs. No new logic paths, no security surface changes, and the PR description clearly documents the scope boundaries.
• No files require special attention.

_{Last reviewed commit: 8fe48ae}