Skip to content

Build-logic audit follow-ups vendored from config (2026-06 compiler audit) #691

Description

@alexander-yevsyukov

Context

The 2026-06 technical audit of SpineEventEngine/compiler and
SpineEventEngine/core-jvm-compiler surfaced several findings that live in
build-logic files vendored from this repo (config) into every consumer
via the git submodule + pull sync: buildSrc/**, .codecov.yml, and the
workflow templates under .github-workflows/. Those files are byte-identical
in the consumer repos and cannot be durably fixed there — they must be
fixed here and re-synced.

This issue collects the [config]-scoped follow-ups so they are addressed at
the source. They were previously tracked only in the consumer repos'
improvement plans (.agents/tasks/improvement-plan.md in compiler, and the
equivalent in core-jvm-compiler), which now point here. All paths below are
config-repo paths verified at filing time; a single fix here resolves the
finding in both consumer repos.

Items

1. (S1, Medium → High if scope broadens) Remove the scrambled GitHub PAT from source

buildSrc/src/main/kotlin/io/spine/gradle/repo/Repositories.kt:58-80
private object Pat holds a scrambled read:packages token, de-scrambled at
runtime into credentials for https://maven.pkg.github.com/SpineEventEngine/*.
The KDoc states the scrambling exists "because GitHub analyzes commits for the
presence of tokens and invalidates them"
— i.e. it deliberately evades GitHub
secret scanning.

Why it matters: the token is trivially extractable by anyone with repo read
access; it is a shared org-wide credential with no rotation story; and
intentionally defeating secret scanning fails third-party security review.

Blocked on a human decision (audit open question 1): the actual scope and
owner of the token, and whether GitHub Packages can be dropped as a resolution
source (the Cloud Artifact Registry europe-maven.pkg.dev already serves
releases) or instead fed via GITHUB_TOKEN / an environment variable. Target
state: a reviewer concludes "no secrets in source" by grep, not by trusting a
comment about token scope.

2. (Q3, Low) Document or fix the silently-swallowed exception in the npm-audit task

buildSrc/src/main/kotlin/io/spine/gradle/javascript/task/Check.kt:143
npm("audit") is wrapped as
try { … } catch (ignored: Exception) { npm("audit", "--registry", "https://registry.npmjs.eu") }.
The original failure is swallowed (the variable is even named ignored) with no
comment or log explaining why the EU-registry fallback is attempted. Either add
a comment documenting the failover rationale, or log the original exception
before falling back.

(The source audit described this as an empty catch { }; the current code does
have an EU-registry fallback, but still discards the original cause silently.)

3. (Q1 drift, Medium) Resolve the stale 2023-09-22 TODO in Linters.kt

buildSrc/src/main/kotlin/io/spine/gradle/java/Linters.kt:51:

// TODO:2023-09-22:yevhenii.nadtochii: Remove this piece of configuration.
// See issue: https://github.com/SpineEventEngine/logging/issues/56

This TODO (now ~2.7 years old) rides along in every consumer's buildSrc and is
the audit's headline evidence of vendored-build-logic drift. Resolve it: either
complete the linked logging#56 cleanup and remove disableLinters(), or
refresh the TODO with current rationale and owner.

4. (T2, Low) Write down the coverage policy next to .codecov.yml

.codecov.yml configures patch: off, project target auto with
threshold: 0.05%, and only_pulls: true — an effectively non-binding
"don't regress the baseline" gate. That is a reasonable floor for code-generation
repos, but the intent is undocumented. Add a short comment in .codecov.yml (or
a sibling note) stating the policy is deliberate baseline-no-regression, so the
absence of a hard number reads as a decision rather than an oversight.

5. (D1 + S3, Low) Harden the distributed workflow templates

Templates under .github-workflows/ (distributed to consumers as
.github/workflows/):

  • Concurrency (D1): build-on-ubuntu.yml, build-on-windows.yml, and
    increment-guard.yml run on every push with full integration tests and no
    concurrency block
    , so rapid pushes stack redundant long builds. Add a
    concurrency group keyed on workflow + ref with cancel-in-progress: true,
    mirroring .github/workflows/check-links.yml, which already declares one.
  • SHA-pin third-party actions (S3): actions are pinned to mutable tags, not
    commit SHAs — e.g. mikepenz/action-junit-report@v4.0.3 and
    codecov/codecov-action@v4 (build-on-ubuntu.yml),
    al-cheb/configure-pagefile-action@v1.3 (build-on-windows.yml), alongside
    actions/checkout, actions/setup-java, and gradle/actions/setup-gradle.
    Pin third-party (non-actions/) actions to full-length commit SHAs with a
    trailing version comment.

Source

  • Audit report: docs/audit-2026-06.md in SpineEventEngine/compiler (findings
    S1, S3, Q1, Q3, T2, D1).
  • Originating trackers: .agents/tasks/improvement-plan.md in
    SpineEventEngine/compiler and the equivalent in core-jvm-compiler, where
    these items are marked [config] and now reference this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions