Github Actions Audit #17050
What changed and why:
- rules/ci-rules.md — terse, always-applicable constraints in the same style as dynamo-core-rules.md. Agents touching any workflow file will hit this first.
- knowledge/github-actions-audit.md — the full point-in-time audit with bug inventory, fix snippets, and the phased remediation plan. Lives in knowledge/ because it will go stale as issues get fixed, and it's reference material rather than an always-applicable constraint.
- The two files cross-reference each other so neither is a dead end.
@avidit I started this but may not have too much time to spend on it this week. Feel free to take over if you feel some of the phased plan does make sense
Pull request overview
Adds internal CI/CD guidance to .agents/ by introducing durable GitHub Actions rules plus a point-in-time audit of existing workflows.
Changes:
- Added .agents/rules/ci-rules.md with “always applicable” GitHub Actions constraints (shell, auth, pinning, permissions, unnecessary work).
- Added .agents/knowledge/github-actions-audit.md documenting an 18-workflow audit, issue inventory, and phased remediation plan.
- Updated .agents/README.md to index the new rules/knowledge docs and reflect the folder structure.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .agents/rules/ci-rules.md | New durable rules for GitHub Actions changes under .github/workflows/. |
| .agents/knowledge/github-actions-audit.md | New audit report with issue inventory, remediation snippets, and phased plan. |
| .agents/README.md | Links to the new rules/knowledge documents and updates the .agents/ structure overview. |
| ID | Workflow | Location | Description |
|----|----------|----------|-------------|
| BUG-01 | `build_dynamo_core.yml` | Line 93 | Linux binary check **always passes** — `test "./DynamoCLI.exe"` evaluates the non-empty string, not the file. Also checks for `.exe` which doesn't exist on Linux. |
| BUG-02 | `auto_cherrypick.yml` | Line 48 | `if [[ $milestone -eq "" ]]` uses arithmetic `-eq` to compare a string; always evaluates as equal when milestone is non-numeric — null milestone check silently never fires. |
In BUG-02’s description, `[[ $milestone -eq "" ]]` doesn’t “evaluate as equal” for non-numeric strings; in bash it triggers an arithmetic evaluation error and the condition is treated as false (so the null/empty check never runs). Please reword this to reflect the actual failure mode so the guidance is accurate.
Suggested change (current row, then the proposed replacement):

| BUG-02 | `auto_cherrypick.yml` | Line 48 | `if [[ $milestone -eq "" ]]` uses arithmetic `-eq` to compare a string; always evaluates as equal when milestone is non-numeric — null milestone check silently never fires. |
| BUG-02 | `auto_cherrypick.yml` | Line 48 | `if [[ $milestone -eq "" ]]` uses arithmetic `-eq` to compare a string; for non-numeric values bash raises an arithmetic evaluation error and the condition is treated as false, so the null/empty milestone check never fires. |
| ID | Workflow | Location | Description |
|----|----------|----------|-------------|
| BUG-03 | `Issues_workflow.yml` | Lines 61, 137, 144, 150 | `curl -u admin:${{ secrets.GITHUB_TOKEN }}` is the wrong format for GitHub API auth. Will return 401 silently because `--fail` is absent. |
The audit says all four locations use `secrets.GITHUB_TOKEN`, but line 61 actually uses `secrets.DYNAMOBOTTOKEN`
Updated in commit 47a6a8b: BUG-03 now correctly states that line 61 uses DYNAMOBOTTOKEN while the other listed calls use GITHUB_TOKEN, and clarifies the issue is the curl -u admin:<token> auth format.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/DynamoDS/Dynamo/sessions/dcc12930-542e-473d-b5d5-e16c3cc9b29c
Co-authored-by: QilongTang <3942418+QilongTang@users.noreply.github.com>
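As an added example (not code from the Dynamo repository or from this PR), the three workflow checks flagged as BUG-01, BUG-02 and BUG-03 in the audit rows above, each next to a hardened form. Function names, the `GH_TOKEN` variable, the placeholder URL and the treatment of a literal `null` milestone are assumptions; the buggy `[[ -eq ]]` line is run through `bash -c` so the demonstration works whether the file is executed by bash or by POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the Dynamo repository or this PR.
# Each audit finding is shown as the buggy check next to a hardened one.
# Function and file names are hypothetical.

# BUG-01: with a single argument, test(1) only asks "is this string
# non-empty?", so it succeeds whether or not the file exists.
binary_check_buggy() {
  test "./DynamoCLI.exe"          # always true, file or no file
}

# Hardened: require a regular, executable file at the path the Linux build
# actually produces (no .exe suffix). Fails the step when the artifact is gone.
binary_check_fixed() {
  local path="$1"
  test -f "$path" && test -x "$path"
}

# BUG-02: -eq forces arithmetic evaluation of both operands. Run in a child
# bash (quietly) so the demo also works when this file runs under POSIX sh.
milestone_null_check_buggy() {
  bash -c '[[ $1 -eq "" ]]' _ "$1" 2>/dev/null
}

# Hardened: a string emptiness test. It also treats the literal "null" that
# jq prints for a missing JSON field as "no milestone"; that upstream
# behaviour is an assumption of this example, not something the audit states.
milestone_null_check_fixed() {
  local milestone="$1"
  [ -z "$milestone" ] || [ "$milestone" = "null" ]
}

# BUG-03: GitHub API call. --fail turns a 401 (or any 4xx/5xx) into a
# non-zero exit so the step fails loudly, and the token travels in the
# Authorization header GitHub documents instead of a basic-auth user:pass
# pair. GH_TOKEN is assumed to be populated from the workflow secret.
gh_api_get() {
  local url="$1"                  # e.g. https://api.github.com/repos/OWNER/REPO/issues (placeholder)
  curl --fail --silent --show-error \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${GH_TOKEN:?GH_TOKEN not set}" \
    "$url"
}

# Offline demonstration of the two filesystem/string checks.
demo() {
  tmp="$(mktemp -d)"
  printf 'missing binary  buggy=%s fixed=%s\n' \
    "$(binary_check_buggy && echo pass || echo fail)" \
    "$(binary_check_fixed "$tmp/DynamoCLI" && echo pass || echo fail)"
  : > "$tmp/DynamoCLI"
  chmod +x "$tmp/DynamoCLI"
  printf 'present binary  fixed=%s\n' \
    "$(binary_check_fixed "$tmp/DynamoCLI" && echo pass || echo fail)"
  rm -rf "$tmp"
  # Constructed milestone values: empty, a dotted version, a bare word.
  for m in "" "3.0" "abc"; do
    printf 'milestone="%s"  buggy=%s fixed=%s\n' "$m" \
      "$(milestone_null_check_buggy "$m" && echo null || echo set)" \
      "$(milestone_null_check_fixed "$m" && echo null || echo set)"
  done
}

demo
```

The milestone loop is the instructive part: the buggy test reports "null" for an empty value, reports "set" for `3.0` only because bash hit an arithmetic syntax error and returned false, and reports "null" for `abc` because an unset name evaluates to 0 in arithmetic context. A check whose answer depends on whether the milestone title happens to parse as an expression cannot be relied on in either direction, which is why the hardened form compares strings.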