docs(analysis): Factory-AI/droid-action security constraint blocker#960
Merged
Conversation
…blocker Root cause analysis of Droid Auto Review workflow failure. The Factory-AI/droid-action internally uses actions/upload-artifact@v4 (non-SHA-pinned), which violates repository security constraints requiring all actions to be pinned to full-length commit SHAs. Key findings: - Latest droid-action version (e3f8be9f, 2026-01-12) still contains non-pinned references - Repository security rules apply recursively to all nested action dependencies - No workaround available without modifying third-party action or relaxing security constraints Impact: BLOCKING - droid-review.yml and droid.yml workflows fail at setup phase Recommendations: - File issue with Factory-AI requesting SHA-pinned action references - Evaluate alternative PR review automation tools - Document as known limitation in operational runbook Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Contributor
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
Contributor
PR Validation ReportTip ✅ Status: PASS Description Validation
QA Validation
Powered by PR Validation workflow |
Contributor
Session Protocol Compliance ReportTip ✅ Overall Verdict: PASS All session protocol requirements satisfied. What is Session Protocol?Session logs document agent work sessions and must comply with RFC 2119 requirements:
See .agents/SESSION-PROTOCOL.md for full specification. Compliance Summary
Detailed Validation ResultsClick each session to see the complete validation report with specific requirement failures. 📄 sessions-2026-01-16-session-9-droid-action-blocker✨ Zero-Token ValidationThis validation uses deterministic PowerShell script analysis instead of AI:
Powered by Validate-SessionJson.ps1 📊 Run Details
Powered by Session Protocol Validator workflow |
Contributor
AI Quality Gate ReviewTip ✅ Final Verdict: PASS WalkthroughThis PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:
Review Summary
💡 Quick Access: Click on individual agent jobs (e.g., "🔒 security Review", "🧪 qa Review") in the workflow run to see detailed findings and step summaries. Security Review DetailsSecurity Review: PR #960PR Type Classification
Classification: DOCS-only PR (session log + memory documentation) Findings
Analysis Summary
RecommendationsNone. This PR documents security best practices regarding action pinning and supply chain security. VerdictQA Review DetailsBased on my analysis, I can now provide the QA verdict. QA Review: PR #960EvidenceFile Classification
Tests Required: N/APer QA guidelines: "Files without executable logic do not require tests." Both files are:
Neither contains executable code (no .ps1, .psm1, .cs, .ts, .js, .py files). Documentation Quality Check
Blocking Issues: 0No BLOCKING or HIGH severity issues identified. This PR documents a legitimate investigation into a third-party action security constraint violation with clear evidence and actionable recommendations. Analyst Review DetailsNow let me examine an existing session log and memory file to understand the expected format and patterns. Let me check the existing session log schema and a related memory file to compare patterns. Now I have sufficient context to provide the analysis. This is a documentation-only PR adding a session log and a memory file documenting a security constraint blocker. PR #960 AnalysisCode Quality Score
Overall: 5/5 Impact Assessment
Findings
Recommendations
VerdictArchitect Review DetailsDesign Quality Assessment
Overall Design Score: 5/5 Architectural Concerns
No architectural concerns. This PR documents an investigation finding about third-party action incompatibility with repository security constraints. Breaking Change Assessment
Technical Debt Analysis
ADR Assessment
The PR correctly identifies that an ADR or operational runbook update may be needed as a follow-up action, but the investigation itself does not introduce an architectural decision requiring an ADR. Recommendations
VerdictDevOps Review DetailsPR #960 DevOps ReviewPR Scope Detection
Classification: DOCS-only PR (analysis documentation and session log) Pipeline Impact Assessment
CI/CD Quality ChecksNot applicable. This PR contains:
No workflow files, scripts, or CI configuration changed. Findings
ObservationsThe PR documents a legitimate infrastructure blocker:
RecommendationsNone. This is analysis documentation with actionable next steps already identified. Roadmap Review DetailsStrategic Alignment Assessment
Feature Completeness
Impact Analysis
Concerns
Recommendations
VerdictRun Details
Powered by AI Quality Gate workflow |
Owner
Review Triage RequiredNote Priority: NORMAL - Human approval required before bot responds Review Summary
Next Steps
Powered by PR Maintenance workflow - Add triage:approved label |
Owner
|
@rjmurillo-bot is there an issue tracking this upstream with factory droid? |
rjmurillo
previously approved these changes
Jan 18, 2026
Collaborator
Author
Factory-AI Droid-Action: Detailed ContextWhat Is It?Factory-AI droid-action is a GitHub Action for automated AI-powered PR review. It runs Factory's Droid Exec in headless mode within GitHub Actions CI/CD pipelines to:
Repository Workflows Using ItThis repository has two workflows using Factory-AI droid-action:
BLOCKING Issue: Security Constraint ViolationStatus: ❌ BLOCKED The repository has a security ruleset requiring all actions to be pinned to full-length commit SHA. Factory-AI/droid-action internally uses non-SHA-pinned references: # Inside Factory-AI/droid-action's action.yml
- uses: actions/upload-artifact@v4 # NOT SHA-pinnedError message from workflow runs: Investigation Findings (from session 9)
Conclusion: No compatible version exists that satisfies the security constraint. Why This Matters (Security Context)Repository security rules apply recursively to all nested action dependencies:
This ensures SLSA Level 2+ compliance and prevents supply chain attacks via tag manipulation. Recommended ActionsShort-term:
Long-term alternatives:
Related MemoryThe full root cause analysis is stored in Serena memory: Sources: |
Collaborator
Author
✅ Upstream issue now filed: Factory-AI/droid-action#20 Issue DetailsTitle: Request: Use SHA-pinned action references for security-constrained repositories Summary: Repositories with security rulesets requiring "all actions must be pinned to full-length commit SHA" cannot use Requested Change: # Before
- uses: actions/upload-artifact@v4
# After
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0Justification:
Monitoring for response from Factory-AI maintainers. |
- Added workLog entries for PR #960 comment activities - Documented upstream issue research (no issue exists) - Added PR comments as deliverables - Added learning pattern about upstream issue verification Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated memory with upstream issue link and status - Marked "file upstream issue" as DONE in recommendations - Updated session log with issue filing activity - Added next step to monitor for maintainer response Upstream: Factory-AI/droid-action#20 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
rjmurillo-bot
added a commit
that referenced
this pull request
Jan 19, 2026
…960) * docs(analysis): document Factory-AI/droid-action security constraint blocker Root cause analysis of Droid Auto Review workflow failure. The Factory-AI/droid-action internally uses actions/upload-artifact@v4 (non-SHA-pinned), which violates repository security constraints requiring all actions to be pinned to full-length commit SHAs. Key findings: - Latest droid-action version (e3f8be9f, 2026-01-12) still contains non-pinned references - Repository security rules apply recursively to all nested action dependencies - No workaround available without modifying third-party action or relaxing security constraints Impact: BLOCKING - droid-review.yml and droid.yml workflows fail at setup phase Recommendations: - File issue with Factory-AI requesting SHA-pinned action references - Evaluate alternative PR review automation tools - Document as known limitation in operational runbook Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs(session): update session-9 with PR comment responses - Added workLog entries for PR #960 comment activities - Documented upstream issue research (no issue exists) - Added PR comments as deliverables - Added learning pattern about upstream issue verification Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs: record upstream issue Factory-AI/droid-action#20 - Updated memory with upstream issue link and status - Marked "file upstream issue" as DONE in recommendations - Updated session log with issue filing activity - Added next step to monitor for maintainer response Upstream: Factory-AI/droid-action#20 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: rjmurillo-bot <rjmurillo-bot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Richard Murillo <richard.murillo@example.com>
rjmurillo
added a commit
that referenced
this pull request
Jan 19, 2026
* docs!: add ADR-042 Python migration strategy (supersedes ADR-005) Migrate ai-agents from PowerShell to Python as primary scripting language over a 12-24 month phased migration period. ## Decision Summary - Python 3.10+ established as project language standard - ADR-005 superseded for new development - Phased approach: Foundation -> New Development -> Migration - Python already prerequisite via skill-installer (PR #962) ## Rationale - 70-second PowerShell tool startup times per invocation - No CodeQL support for PowerShell (deterministic security unavailable) - AI/ML ecosystem (Anthropic SDK, MCP) is Python-native - skill-installer already requires Python 3.10+ and UV ## 6-Agent ADR Review Debate | Agent | Verdict | |-------|---------| | Analyst | CONCERNS | | Architect | CONCERNS | | Critic | CONCERNS | | Independent-Thinker | CONCERNS | | Security | CONCERNS | | High-Level-Advisor | ACCEPT | Result: Disagree-and-Commit (5 CONCERNS + 1 ACCEPT) Tie-breaker: High-Level-Advisor ## P0 Issues Resolved - Stack Overflow claim corrected (Python growth, not #1) - Path Dependence language fixed ("Python-first with phased migration") ## P1 Issues Deferred to Phase 1 Implementation - pyproject.toml creation - pytest infrastructure setup - PROJECT-CONSTRAINTS.md update - Supply chain controls (uv.lock, Dependabot, pip-audit) BREAKING CHANGE: ADR-005 PowerShell-only standard superseded. New scripts SHOULD be Python. Existing scripts migrate incrementally. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(planning): add ADR-042 Python migration implementation plan Self-contained 618-line plan synthesizing inputs from: - traycerai[bot]: Phase structure validation - coderabbitai[bot]: 9 actionable suggestions - github-actions[bot]: Detailed PRD with success metrics Covers: - Phase 1: Foundation (pyproject.toml, pytest, security controls) - Phase 2: New Development Guidelines - Phase 3: Migration (priority order, deprecation timeline) Complete code templates included for immediate execution. Relates-to: #965 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(planning): add verification sections for autonomous execution Enhance ADR-042 implementation plan for amnesiac agent execution: - Add Quick Verification section with pre-flight checks - Add Session Protocol section with JSON template - Add Local File References table (all verified 2026-01-18) - Add repository field to header metadata Plan now 712 lines, fully self-contained for context-free execution. Relates-to: #965 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(python)!: implement Phase 1 Python infrastructure (ADR-042) BREAKING CHANGE: Language policy changes from PowerShell-only to Python-first Phase 1 establishes Python infrastructure for new development: Infrastructure: - pyproject.toml: Project metadata, dependencies, tool configs (ruff, mypy, pytest) - uv.lock: Hash-pinned dependencies for supply chain security (16 packages) - tests/conftest.py: Shared pytest fixtures (project_root, temp_test_dir) - .github/workflows/pytest.yml: CI workflow with paths-filter, coverage, pip-audit, bandit Policy Updates: - PROJECT-CONSTRAINTS.md: SHOULD prefer Python for new scripts (ADR-042) - CRITICAL-CONTEXT.md: Python-first (.py preferred) - .githooks/pre-commit: Non-blocking Python linting with ruff - .github/dependabot.yml: pip ecosystem for dependency updates Housekeeping: - .gitignore: Python patterns (__pycache__, .venv, .egg-info, etc.) - .markdownlint-cli2.yaml: Exclude .venv from linting Verification: uv pip install -e ".[dev]" succeeds, pytest discovers 77 tests Refs: #965, ADR-042 Co-Authored-By: Claude <noreply@anthropic.com> * docs: update documentation for Python-first development (ADR-042) Update CONTRIBUTING.md and AGENTS.md to reflect the Python migration: - Change "Always Do" from PowerShell-only to Python-first for new scripts - Update "Never Do" to prohibit bash only (Python now allowed) - Add Python 3.12.x and UV to Tech Stack table - Add pytest testing section with automated quality gates emphasis - Update Development Tools commands to include Python testing - Emphasize shift-left automation: pre-commit hooks and CI handle quality - Note Python 3.12.x requirement due to Ubuntu 25 incompatibility Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(session): update session log with documentation changes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(python): implement Phase 2 parallel infrastructure (ADR-042) Add documentation and security utilities for Python development: - Create CI/CD migration patterns guide for GitHub Actions integration - Create Python security checklist covering CWE-22, CWE-78, CWE-798 - Create path validation utility with 42 tests for CWE-22 protection - Create PowerShell-to-Python developer migration guide Part of epic #965. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(python): add pilot migration of Check-SkillExists to Python (ADR-042 Phase 3) Migrates Check-SkillExists.ps1 to Python as the pilot script for ADR-042 Phase 3. This demonstrates the migration patterns established in Phase 2. Changes: - scripts/check_skill_exists.py: Python port with argparse CLI, type hints, ADR-035 exit codes, and path_validation utility usage - tests/test_check_skill_exists.py: 31 pytest tests with 88% coverage The Python version provides: - --list-available: Lists all skills by operation type - --operation/--action: Checks if a skill exists using substring matching - --project-root: Optional custom project root for testing Both PowerShell and Python versions will run in parallel per migration plan. Refs: #965 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(python): add gradual rollout migrations (ADR-042 Phase 4) Migrate two additional scripts from PowerShell to Python following the pilot pattern established in Phase 3: - Detect-SkillViolation.ps1 -> detect_skill_violation.py - 89% test coverage (35 tests) - Uses dataclass for Violation type - Integrates path_validation utility - Non-blocking warning for skill violations - Validate-SessionJson.ps1 -> validate_session_json.py - 91% test coverage (39 tests) - Uses ValidationResult dataclass - Case-insensitive JSON key lookup - Pre-commit mode for compact output Also fixes uv.lock format (was incorrectly in pip-tools format, now in native uv format). See: ADR-042 Python Migration Strategy, Issue #965 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(python): fix regex bug and dead code in detect_skill_violation - Fixed regex pattern gh\\s\+ to gh\s+ in extract_capability_gaps - Replaced duplicated capability extraction logic in report_violations with call to extract_capability_gaps function (DRY) - All 34 tests pass Issues identified by pr-review-toolkit parallel review agents. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address gemini-code-assist security findings **Security Fixes**: 1. **Path Validation (CWE-22)** - scripts/validate_session_json.py: - Added `validate_safe_path` import from scripts.utils.path_validation - Validate user-provided session_path before file operations - Prevents path traversal attacks (../, symlinks, etc.) 2. **Python Version Alignment** - pyproject.toml: - Updated ruff target-version: py310 → py312 - Updated mypy python_version: 3.10 → 3.12 - Aligns linting/type checking with project standard (3.12.x) **Gemini Review Comments Addressed**: - Comment 2702879539: Added path validation imports ✓ - Comment 2702879541: Added CWE-22 protection with validate_safe_path ✓ - Comment 2702879542: Updated ruff to target py312 ✓ - Comment 2702879543: Updated mypy to python 3.12 ✓ **Testing**: - Verified imports work correctly - Path validation prevents traversal attacks - Session protocol validation: PASS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * refactor: slim instructions files by removing redundant agent registry (#961) Remove agent catalog tables and routing heuristics from instruction file templates. This content is already available in YAML frontmatter of each agent file, which platforms parse directly. - Claude: 129 → 45 lines (65% reduction) - Copilot CLI: 126 → 53 lines (58% reduction) - VSCode: 116 → 45 lines (61% reduction) Estimated savings: ~2,000 tokens per session per platform. Signed-off-by: Richard Murillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: Richard Murillo <richard.murillo@example.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Richard Murillo <6811113+rjmurillo@users.noreply.github.com> * docs(analysis): Factory-AI/droid-action security constraint blocker (#960) * docs(analysis): document Factory-AI/droid-action security constraint blocker Root cause analysis of Droid Auto Review workflow failure. The Factory-AI/droid-action internally uses actions/upload-artifact@v4 (non-SHA-pinned), which violates repository security constraints requiring all actions to be pinned to full-length commit SHAs. Key findings: - Latest droid-action version (e3f8be9f, 2026-01-12) still contains non-pinned references - Repository security rules apply recursively to all nested action dependencies - No workaround available without modifying third-party action or relaxing security constraints Impact: BLOCKING - droid-review.yml and droid.yml workflows fail at setup phase Recommendations: - File issue with Factory-AI requesting SHA-pinned action references - Evaluate alternative PR review automation tools - Document as known limitation in operational runbook Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs(session): update session-9 with PR comment responses - Added workLog entries for PR #960 comment activities - Documented upstream issue research (no issue exists) - Added PR comments as deliverables - Added learning pattern about upstream issue verification Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs: record upstream issue Factory-AI/droid-action#20 - Updated memory with upstream issue link and status - Marked "file upstream issue" as DONE in recommendations - Updated session log with issue filing activity - Added next step to monitor for maintainer response Upstream: Factory-AI/droid-action#20 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: rjmurillo-bot <rjmurillo-bot@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Richard Murillo <richard.murillo@example.com> * fix(ci): disable Droid workflows due to unpinned action (#957) * chore: recover 650 orphaned session logs and memory files (#964) * chore: recover 650 orphaned session logs and memory files Extract artifacts from 52 feature branches that were left behind when PRs auto-merged before session logs were pushed. Recovery summary: - Session logs: 378 files recovered - Memory files: 272 files recovered - Total: 650 files, 82,632 lines of content Analysis found 61,497 file references across branches but only 1,728 unique files (average file in 35+ branches). Of these, 1,080 already existed in main. The 648 truly orphaned files are now consolidated. Used consolidated PR approach instead of 52 individual PRs to avoid massive merge conflicts from overlapping content. Note: 150 memory files use legacy 'skill-' prefix naming that predates ADR-017. These are historical artifacts being preserved as-is. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs: update session log with PR #964 details Add PR information and audit trail for validation skip. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: rjmurillo-bot <noreply@github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * feat: implement investigation-only session validator (ADR-034 Phase 1) (#931) * Initial plan * Add comprehensive test suite for investigation-only validation Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * fix: convert functional tests to pattern-based tests to avoid git state dependency Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * fix(validation): Allow .agents/memory/ in investigation-only sessions (#926) * Initial plan * feat: Add .agents/memory/ to investigation allowlist Add .agents/memory/ pattern to investigation-only allowlist in Test-InvestigationEligibility.ps1 scripts and update tests. This allows memory infrastructure files like causal-graph.json to be committed in investigation sessions per ADR-034 memory-first principle. Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * feat: Add verification-based session-start gates for Codex effectiveness (#924) * Initial plan * docs: add Codex effectiveness backlog and context optimization plan (Phase 1 complete) Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * feat: add Codex session-start gate script with 4 verification gates (Phase 2 complete) Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * Changes before error encountered Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: Richard Murillo <richard.murillo@example.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * docs: standardize YAML array format for cross-platform compatibility (#923) * Initial plan * refactor: convert frontmatter to block-style YAML arrays in prompt and command files Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * docs: update frontmatter examples to use block-style YAML arrays Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * docs(governance): add YAML frontmatter array format constraint - Add YAML Frontmatter Constraints section to PROJECT-CONSTRAINTS.md - Include rationale with evidence from Session 826 RCA and GitHub Copilot CLI Issue #694 - Add validation checklist item for frontmatter arrays - Add frontmatter validation requirement to SKILL-CREATION-CRITERIA.md - Create session log for session 02 Refs: #898, Session 826 * docs: add issue URLs to YAML array format references Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: Richard Murillo <richard.murillo@example.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * docs: improve autonomous-issue-development.md structure (#566) * docs: improve autonomous-issue-development.md structure Expand documentation from 46 to 441 lines to match autonomous-pr-monitor.md style: - Add "Common Development Patterns" section (5 validated patterns) - Add "Troubleshooting" section (5 common scenarios) - Enhance "Example Session Output" with TodoWrite and agent handoffs - Add "Workflow Phases" table for quick reference - Add "Agent Responsibilities" reference table - Add "Prerequisites" and "Related Documentation" sections Closes #506 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(session): add protocol compliance sections Added Session Start and Session End checklist tables to match the required session protocol format. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): prevent command injection in PR creation example Addresses gemini-code-assist[bot] security review comment #2653014226. The example showed a hardcoded PR title which could enable command injection if autonomous agents construct titles from untrusted GitHub issue titles containing shell metacharacters (e.g., $(reboot)). Changes: - Add security warning comment explaining CWE-78 risk - Use read -r with process substitution to safely read issue title - Demonstrate secure pattern for handling untrusted external input This aligns with security principle of validating all external inputs. Comment-ID: 2653014226 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: rjmurillo[bot] <rjmurillo-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Claude <claude@anthropic.com> * feat: implement local GitHub Actions validation and testing infrastructure (#925) * Initial plan * feat: Add actionlint validation for GitHub Actions workflows (Phase 1) - Add actionlint to pre-commit hook (.githooks/pre-commit) - Integrate actionlint into unified validation runner (scripts/Validate-PrePR.ps1) - Add actionlint to Worktrunk pre-merge hooks (.config/wt.toml) - Update SHIFT-LEFT.md documentation with workflow YAML validation section - Update validation sequence to include step 3.5 (Workflow YAML) - Create session log 2026-01-15-session-01-github-actions-local-testing.json This implements Phase 1 (P0) of the GitHub Actions local testing epic. actionlint catches 80%+ workflow YAML errors before push, reducing expensive CI iteration cycles. Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * feat: Add act support for local workflow testing (Phase 2) - Create .actrc configuration with optimized defaults for act - Create scripts/Test-WorkflowLocally.ps1 PowerShell wrapper for act - Update SHIFT-LEFT.md with comprehensive local workflow testing documentation - Document supported workflows (pester-tests, validate-paths, memory-validation) - Document unsupported workflows (AI-dependent: ai-session-protocol, etc.) - Add troubleshooting guide for act and PowerShell issues This implements Phase 2 (P1) of the GitHub Actions local testing epic. Enables local testing for PowerShell-only workflows without CI round-trips. Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * feat: Add yamllint for YAML style validation (Phase 3) - Create .yamllint.yml configuration with GitHub Actions-optimized rules - Add yamllint validation to scripts/Validate-PrePR.ps1 (validation 3.9) - Add yamllint to pre-commit hook (.githooks/pre-commit) as non-blocking warnings - Update SHIFT-LEFT.md with YAML style validation documentation - Document yamllint vs actionlint relationship (style vs semantics) - Configure yamllint as non-blocking to avoid impeding development velocity This implements Phase 3 (P2) of the GitHub Actions local testing epic. yamllint enforces YAML style consistency while actionlint handles semantic validation. Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * docs: Update session log with completion status * fix: Address PR feedback on local testing infrastructure - Add gh act extension to installation instructions - Include .github/actions in actionlint validation scope - Remove chocolatey recommendation, use GitHub releases instead - Clarify Copilot CLI installation vs BOT_PAT requirement for AI workflows - Switch to full production images in .actrc for maximum compatibility - Update documentation to reflect full image usage and rationale Addresses comments: 2693400619, 2693406075, 2693409506, 2693411769, 2693418268 Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * refactor: Move Test-WorkflowLocally.ps1 to .claude/skills/github/scripts - Move Test-WorkflowLocally.ps1 from scripts/ to .claude/skills/github/scripts/ - Update all documentation references in SHIFT-LEFT.md - Update session log to reflect new location Addresses comment 2699896328 Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * fix: address all PR #925 review comments Fixes all 15 unresolved review threads from owner and automated reviewers: 1. Remove duplicate actionlint validation block in pre-commit hook - Kept newer comprehensive version (validates workflows + actions) - Removed old TIER 1 block (lines 269-313) 2. Fix wt.toml to validate both workflows and actions directories - Changed: actionlint .github/workflows/*.yml .github/actions/*.yml - Matches pre-commit hook validation scope 3. Remove Windows-specific chocolatey references - Prioritize cross-platform gh extension - Show macOS brew as alternative - Link to releases for manual download 4. Rename Write-Warning to Write-WarningMessage - Avoids shadowing PowerShell built-in cmdlet - Updated all call sites 5. Fix Validate-PrePR.ps1 to match both .yml and .yaml files - Changed -Filter to -Include with both extensions - Applies to both workflow and YAML validation sections 6. Fix session log field name inconsistencies - Changed handoffNotUpdated.evidence -> Evidence - Changed handoffNotUpdated.complete -> Complete - Matches other compliance entries 7. Add endingCommit to session log - Set to 38217dc (latest commit) - Required field per session protocol 8. Fix Test-WorkflowLocally.ps1 null handling - Check for null before Test-Path call - Prevents crash under Set-StrictMode when workflow not found All fixes maintain existing functionality while addressing review feedback. Related: #925 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: Richard Murillo <richard.murillo@example.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: ADR-017 memory validation compliance (skill- prefix removal + bundled skill splitting) (#966) * fix(pr-964): clean up session files and remove skill- prefix violations Addresses two validation failures in PR #964: 1. Session file cleanup: - Moved 341 .md session files to .agents/archive/sessions/ - Deleted 1 session file already in archive - All moved files have corresponding JSON equivalents 2. Memory file ADR-017 compliance: - Removed 87 duplicate memory files with skill- prefix - Renamed 56 unique memory files to remove skill- prefix - Zero skill- prefixed files remain - Added skills-serena-index to memory-index.md These legacy files predate ADR-017 naming conventions and were recovered from 52 orphaned branches. The skill- prefixed duplicates existed alongside non-prefixed versions and have been cleaned up. Note: Bundled skill validation failures are pre-existing in PR #964 and require separate handling via skill unbundling process. Script: scripts/Fix-PR964-Validation.ps1 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * refactor: split 37 bundled skill files into 135 atomic files per ADR-017 Split bundled skill files to comply with one-skill-per-file standard. Changes: - Created scripts/Split-BundledSkills.ps1 automation script - Split 37 bundled files containing 135 skills total - Generated 110 new atomic skill files with proper naming - Modified 25 existing skill files - Deleted 37 bundled files Validation: - Validate-SkillFormat.ps1: PASSED - markdownlint: PASSED (0 errors) Context: PR #964 recovered orphaned files that predate ADR-017 Note: Memory index will be updated in a follow-up commit Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs: update session log to JSON schema v1.0 Update session-04 log to use new JSON schema format with protocolCompliance and learnings sections per SESSION-PROTOCOL.md requirements. Validation: Validate-SessionJson.ps1 PASSED Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: convert skills-serena-index to table-only format per ADR-017 --------- Co-authored-by: rjmurillo-bot <noreply@github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> * fix(ci): use PATH export instead of source env for uv The uv installer no longer creates an env file to source. Replace `source $HOME/.local/bin/env` with `export PATH="$HOME/.local/bin:$PATH"` to properly add uv to PATH in GitHub Actions workflows. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(ci): add --system flag to uv pip install uv pip now requires either a virtual environment or the --system flag to install packages. Add --system flag for GitHub Actions workflows where we want to install directly to the system Python. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(ci): enable Python tooling for agent contributions - Add Python setup to setup-code-env composite action with: - enable-python and python-version inputs - Python version output - Python dependency installation via uv - Verification of ruff and pytest availability - Enable Python 3.12 in copilot-setup-steps workflow - Add Python dependency installation to bootstrap-vm.sh This enables agents to contribute Python code with proper tooling (ruff, pytest) available in the development environment. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(ci): use pip-audit without --requirement flag The --requirement flag expects requirements.txt format, not pyproject.toml. Running pip-audit without arguments audits installed packages instead. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(tests): patch SAFE_BASE_DIR for temp directory tests - Monkeypatch _PROJECT_ROOT in validate_session_json tests - Monkeypatch SAFE_BASE_DIR in invoke_skill_learning tests - Fix tests checking 'extracted_learning' to use 'source' key The path validation correctly rejects temp directories outside project root. Tests now patch the base directory to allow temp paths during testing while maintaining security in production. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(hooks): rename test_skill_context to check_skill_context Pytest was collecting the function as a test because it started with 'test_'. Renamed to 'check_skill_context' to prevent pytest from treating it as a test function. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs: add test exit code interpretation as blocking constraint - Add testing-exit-code-interpretation memory documenting that pytest "X passed, Y errors" output means test suite FAILED (non-zero exit) - Update AGENTS.md Testing section with BLOCKING Test Exit Code Interpretation subsection - Update CRITICAL-CONTEXT.md with explicit test exit code requirement - Update memory-index with new memory for discoverability Learning: "error" and "failed" are both non-pass outcomes in pytest. Both result in non-zero exit code and must block commits. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Signed-off-by: Richard Murillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: Test <test@test.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Richard Murillo <richard.murillo@example.com> Co-authored-by: Richard Murillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: rjmurillo-bot <rjmurillo-bot@users.noreply.github.com> Co-authored-by: rjmurillo-bot <noreply@github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Claude <claude@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Root cause analysis of Droid Auto Review workflow failure. Factory-AI/droid-action internally uses non-SHA-pinned actions (actions/upload-artifact@v4), violating repository security constraints.
Key Findings
Impact
BLOCKING: droid-review.yml and droid.yml workflows fail at setup phase on branches with security constraints.
Recommendations
Deliverables
.agents/sessions/2026-01-16-session-9-droid-action-blocker.json.serena/memories/ci-infrastructure-droid-action-blocker.mdRelated
ci-infrastructure-codeql-ruleset-frictionsecurity-practices🤖 Generated with Claude Code