Context
The 2026-06 technical audit of SpineEventEngine/compiler and
SpineEventEngine/core-jvm-compiler surfaced several findings that live in
build-logic files vendored from this repo (config) into every consumer
via the git submodule + pull sync: buildSrc/**, .codecov.yml, and the
workflow templates under .github-workflows/. Those files are byte-identical
in the consumer repos and cannot be durably fixed there — they must be
fixed here and re-synced.
This issue collects the [config]-scoped follow-ups so they are addressed at
the source. They were previously tracked only in the consumer repos'
improvement plans (.agents/tasks/improvement-plan.md in compiler, and the
equivalent in core-jvm-compiler), which now point here. All paths below are
config-repo paths verified at filing time; a single fix here resolves the
finding in both consumer repos.
Items
1. (S1, Medium → High if scope broadens) Remove the scrambled GitHub PAT from source
buildSrc/src/main/kotlin/io/spine/gradle/repo/Repositories.kt:58-80 —
private object Pat holds a scrambled read:packages token, de-scrambled at
runtime into credentials for https://maven.pkg.github.com/SpineEventEngine/*.
The KDoc states the scrambling exists "because GitHub analyzes commits for the
presence of tokens and invalidates them" — i.e. it deliberately evades GitHub
secret scanning.
Why it matters: the token is trivially extractable by anyone with repo read
access; it is a shared org-wide credential with no rotation story; and
intentionally defeating secret scanning fails third-party security review.
Blocked on a human decision (audit open question 1): the actual scope and
owner of the token, and whether GitHub Packages can be dropped as a resolution
source (the Cloud Artifact Registry europe-maven.pkg.dev already serves
releases) or instead fed via GITHUB_TOKEN / an environment variable. Target
state: a reviewer concludes "no secrets in source" by grep, not by trusting a
comment about token scope.
2. (Q3, Low) Document or fix the silently-swallowed exception in the npm-audit task
buildSrc/src/main/kotlin/io/spine/gradle/javascript/task/Check.kt:143 —
npm("audit") is wrapped as
try { … } catch (ignored: Exception) { npm("audit", "--registry", "https://registry.npmjs.eu") }.
The original failure is swallowed (the variable is even named ignored) with no
comment or log explaining why the EU-registry fallback is attempted. Either add
a comment documenting the failover rationale, or log the original exception
before falling back.
(The source audit described this as an empty catch { }; the current code does
have an EU-registry fallback, but still discards the original cause silently.)
3. (Q1 drift, Medium) Resolve the stale 2023-09-22 TODO in Linters.kt
buildSrc/src/main/kotlin/io/spine/gradle/java/Linters.kt:51:
// TODO:2023-09-22:yevhenii.nadtochii: Remove this piece of configuration.
// See issue: https://github.com/SpineEventEngine/logging/issues/56
This TODO (now ~2.7 years old) rides along in every consumer's buildSrc and is
the audit's headline evidence of vendored-build-logic drift. Resolve it: either
complete the linked logging#56 cleanup and remove disableLinters(), or
refresh the TODO with current rationale and owner.
4. (T2, Low) Write down the coverage policy next to .codecov.yml
.codecov.yml configures patch: off, project target auto with
threshold: 0.05%, and only_pulls: true — an effectively non-binding
"don't regress the baseline" gate. That is a reasonable floor for code-generation
repos, but the intent is undocumented. Add a short comment in .codecov.yml (or
a sibling note) stating the policy is deliberate baseline-no-regression, so the
absence of a hard number reads as a decision rather than an oversight.
5. (D1 + S3, Low) Harden the distributed workflow templates
Templates under .github-workflows/ (distributed to consumers as
.github/workflows/):
- Concurrency (D1):
build-on-ubuntu.yml, build-on-windows.yml, and
increment-guard.yml run on every push with full integration tests and no
concurrency block, so rapid pushes stack redundant long builds. Add a
concurrency group keyed on workflow + ref with cancel-in-progress: true,
mirroring .github/workflows/check-links.yml, which already declares one.
- SHA-pin third-party actions (S3): actions are pinned to mutable tags, not
commit SHAs — e.g. mikepenz/action-junit-report@v4.0.3 and
codecov/codecov-action@v4 (build-on-ubuntu.yml),
al-cheb/configure-pagefile-action@v1.3 (build-on-windows.yml), alongside
actions/checkout, actions/setup-java, and gradle/actions/setup-gradle.
Pin third-party (non-actions/) actions to full-length commit SHAs with a
trailing version comment.
Source
- Audit report:
docs/audit-2026-06.md in SpineEventEngine/compiler (findings
S1, S3, Q1, Q3, T2, D1).
- Originating trackers:
.agents/tasks/improvement-plan.md in
SpineEventEngine/compiler and the equivalent in core-jvm-compiler, where
these items are marked [config] and now reference this issue.
Context
The 2026-06 technical audit of
SpineEventEngine/compilerandSpineEventEngine/core-jvm-compilersurfaced several findings that live inbuild-logic files vendored from this repo (
config) into every consumervia the git submodule +
pullsync:buildSrc/**,.codecov.yml, and theworkflow templates under
.github-workflows/. Those files are byte-identicalin the consumer repos and cannot be durably fixed there — they must be
fixed here and re-synced.
This issue collects the
[config]-scoped follow-ups so they are addressed atthe source. They were previously tracked only in the consumer repos'
improvement plans (
.agents/tasks/improvement-plan.mdincompiler, and theequivalent in
core-jvm-compiler), which now point here. All paths below areconfig-repo paths verified at filing time; a single fix here resolves thefinding in both consumer repos.
Items
1. (S1, Medium → High if scope broadens) Remove the scrambled GitHub PAT from source
buildSrc/src/main/kotlin/io/spine/gradle/repo/Repositories.kt:58-80—private object Patholds a scrambledread:packagestoken, de-scrambled atruntime into credentials for
https://maven.pkg.github.com/SpineEventEngine/*.The KDoc states the scrambling exists "because GitHub analyzes commits for the
presence of tokens and invalidates them" — i.e. it deliberately evades GitHub
secret scanning.
Why it matters: the token is trivially extractable by anyone with repo read
access; it is a shared org-wide credential with no rotation story; and
intentionally defeating secret scanning fails third-party security review.
Blocked on a human decision (audit open question 1): the actual scope and
owner of the token, and whether GitHub Packages can be dropped as a resolution
source (the Cloud Artifact Registry
europe-maven.pkg.devalready servesreleases) or instead fed via
GITHUB_TOKEN/ an environment variable. Targetstate: a reviewer concludes "no secrets in source" by
grep, not by trusting acomment about token scope.
2. (Q3, Low) Document or fix the silently-swallowed exception in the npm-audit task
buildSrc/src/main/kotlin/io/spine/gradle/javascript/task/Check.kt:143—npm("audit")is wrapped astry { … } catch (ignored: Exception) { npm("audit", "--registry", "https://registry.npmjs.eu") }.The original failure is swallowed (the variable is even named
ignored) with nocomment or log explaining why the EU-registry fallback is attempted. Either add
a comment documenting the failover rationale, or log the original exception
before falling back.
(The source audit described this as an empty
catch { }; the current code doeshave an EU-registry fallback, but still discards the original cause silently.)
3. (Q1 drift, Medium) Resolve the stale 2023-09-22 TODO in
Linters.ktbuildSrc/src/main/kotlin/io/spine/gradle/java/Linters.kt:51:This TODO (now ~2.7 years old) rides along in every consumer's
buildSrcand isthe audit's headline evidence of vendored-build-logic drift. Resolve it: either
complete the linked
logging#56cleanup and removedisableLinters(), orrefresh the TODO with current rationale and owner.
4. (T2, Low) Write down the coverage policy next to
.codecov.yml.codecov.ymlconfigurespatch: off, project targetautowiththreshold: 0.05%, andonly_pulls: true— an effectively non-binding"don't regress the baseline" gate. That is a reasonable floor for code-generation
repos, but the intent is undocumented. Add a short comment in
.codecov.yml(ora sibling note) stating the policy is deliberate baseline-no-regression, so the
absence of a hard number reads as a decision rather than an oversight.
5. (D1 + S3, Low) Harden the distributed workflow templates
Templates under
.github-workflows/(distributed to consumers as.github/workflows/):build-on-ubuntu.yml,build-on-windows.yml, andincrement-guard.ymlrun on every push with full integration tests and noconcurrencyblock, so rapid pushes stack redundant long builds. Add aconcurrencygroup keyed on workflow + ref withcancel-in-progress: true,mirroring
.github/workflows/check-links.yml, which already declares one.commit SHAs — e.g.
mikepenz/action-junit-report@v4.0.3andcodecov/codecov-action@v4(build-on-ubuntu.yml),al-cheb/configure-pagefile-action@v1.3(build-on-windows.yml), alongsideactions/checkout,actions/setup-java, andgradle/actions/setup-gradle.Pin third-party (non-
actions/) actions to full-length commit SHAs with atrailing version comment.
Source
docs/audit-2026-06.mdinSpineEventEngine/compiler(findingsS1, S3, Q1, Q3, T2, D1).
.agents/tasks/improvement-plan.mdinSpineEventEngine/compilerand the equivalent incore-jvm-compiler, wherethese items are marked
[config]and now reference this issue.