Updated BOM tests#415
Conversation
📝 WalkthroughWalkthroughThe CI workflow (ci.yaml) is parameterized with ChangesCI Workflow Consolidation
Estimated code review effort: 2 (Simple) | ~15 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/ci.yaml (1)
61-62: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd
persist-credentials: falseto all checkout steps.None of the five checkout steps set
persist-credentials: false, so theGITHUB_TOKENis persisted in.git/configafter checkout. This PR introduces cross-repository checkouts (Luxonis/luxonis-trainwhentrain_refis provided), which means the persisted token grants access to the upstream repo — widening the blast radius if any future step uploads the workspace or a subdirectory containing.git.🔒 Proposed fix — apply to all five checkout steps
- name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 with: repository: ${{ inputs.train_ref != '' && 'Luxonis/luxonis-train' || github.repository }} ref: ${{ inputs.train_ref || github.head_ref || github.ref }} + persist-credentials: falseAlso applies to: 78-79, 95-96, 137-138, 187-188
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yaml around lines 61 - 62, Add persist-credentials: false to every actions/checkout step in this workflow, including the checkout that uses inputs.train_ref and the other four checkout invocations. The issue is that checkout currently leaves the GITHUB_TOKEN in .git/config, which is especially risky for cross-repository fetches; update each checkout configuration to disable credential persistence consistently across all occurrences.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci.yaml:
- Around line 61-62: Add persist-credentials: false to every actions/checkout
step in this workflow, including the checkout that uses inputs.train_ref and the
other four checkout invocations. The issue is that checkout currently leaves the
GITHUB_TOKEN in .git/config, which is especially risky for cross-repository
fetches; update each checkout configuration to disable credential persistence
consistently across all occurrences.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 02496a4e-550a-497b-8dd7-4ad870f45cb1
📒 Files selected for processing (2)
.github/workflows/ci.yaml.github/workflows/tests.yaml
💤 Files with no reviewable changes (1)
- .github/workflows/tests.yaml
d40f510 to
ed42495
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## fix/luxonis-ml #415 +/- ##
===============================================
Coverage 61.84% 61.84%
===============================================
Files 268 268
Lines 13106 13106
===============================================
Hits 8105 8105
Misses 5001 5001
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. |
Purpose
Reuses the CI workflow for BOM tests instead of using a separate workflow for it.
Specification
None / not applicable
Dependencies & Potential Impact
None / not applicable
Deployment Plan
None / not applicable
Testing & Validation
None / not applicable
AI Usage
Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]
Submitted code was reviewed by a human: YES/NO
The author is taking the responsibility for the contribution: YES/NO
Summary by CodeRabbit