feat: add changelog grouping and supply chain hooks to goreleaser config#72
Open
nsportsman wants to merge 1 commit into
Open
feat: add changelog grouping and supply chain hooks to goreleaser config#72nsportsman wants to merge 1 commit into
nsportsman wants to merge 1 commit into
Conversation
- Before hooks: go mod tidy -diff (fails fast if modules dirty without modifying files — safe for release time) + go mod verify (validates cached dep checksums against go.sum for supply chain integrity) - Changelog: grouped by conventional commit type using GitHub API for richer data (PR links, author handles). Groups: Breaking Changes → Features → Bug Fixes → Other Changes. Scope regex supports hyphens. Breaking regex handles GoReleaser's SHA-prefixed entry format. docs/test/chore commits excluded via filters. Incorporates 3 rounds of multi-model review feedback (Claude, Gemini, Codex) on regex correctness, SHA prefix handling, and tidy -diff safety. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughThe ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
nsportsman
added a commit
to praetorian-inc/public-workflows
that referenced
this pull request
May 30, 2026
* fix(codex-code): don't pre-disable sudo on codex-review job The codex-review job ran Harden-Runner with `disable-sudo-and-containers: true` (added in #56 / v2.1.0, applied uniformly to all 22 instances). But openai/codex-action manages sudo itself: it runs `sudo chmod 444` / `sudo chown root` to lock its responses-api-proxy server-info file, then irreversibly drops sudo via `safety-strategy: drop-sudo` before the untrusted Codex CLI runs. With sudo pre-disabled by Harden-Runner, that chmod fails with "sudo: a password is required" and the action exits 1 before any review runs. This broke every caller pinned to v2.1.0+ whenever a real (non-docs) PR actually invoked Codex — e.g. praetorian-inc/augustus#135, praetorian-inc/pius#72. Fix: set `disable-sudo-and-containers: false` on the codex-review job only and document why. `safety-strategy: drop-sudo` already provides the equivalent secret-protection guarantee (removes sudo before untrusted code runs). The post-feedback job (no codex-action) keeps `disable-sudo-and-containers: true`. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(codex-code): preserve CVE-2025-32955 container lockdown on codex-review Addresses review feedback on #80: re-enabling sudo via `disable-sudo-and-containers: false` (needed because codex-action chmod/chown- locks its proxy server-info file then drops sudo itself) ALSO re-enabled container access, because Harden-Runner has no container-only control and codex-action's drop-sudo strips the runner's sudo/admin group but not its `docker` group. That reopened CVE-2025-32955: a prompt-injected Codex could `docker run --privileged -v /:/host` to regain root before review output posts. Fix: add a dedicated step that stops+masks docker/containerd and removes the docker socket, running while sudo is still available and BEFORE Codex executes. After codex-action drops sudo, Codex has neither sudo nor a container runtime — restoring the container half of the lockdown without breaking the sudo the action requires (all codex-action versions still need it). The step logs evidence (socket removed, daemon unreachable) before the review runs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Improves the GoReleaser config with supply chain hooks and structured changelogs.
go mod tidy -diff+go mod verifyrun before every release build.tidy -difffails fast if modules are dirty (never modifies files mid-release).verifyvalidates cached dependency checksums against go.sum.Incorporates 3 rounds of multi-model review feedback (Claude, Gemini, Codex).
Supersedes #70.
Test plan
goreleaser checkpasses🤖 Generated with Claude Code