Copilot commented on code in PR #2066:
URL: https://github.com/apache/auron/pull/2066#discussion_r2877806857
##########
.github/workflows/pr-title-check.yml:
##########
@@ -0,0 +1,34 @@
+name: Pull Request Title Check
+
+on:
+ pull_request:
+ branches:
+ - '**'
+ types: [opened, synchronize, reopened, edited]
+
+jobs:
+ commitlint:
+ runs-on: ubuntu-latest
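Review bot: No `permissions:` block is declared at the workflow level next to `on:` (nor at the job level in the lines shown), so the job runs with the repository's default `GITHUB_TOKEN` scopes even though it only needs to read the event payload. Add `permissions: {}` (or `permissions: contents: read`) at the top of the workflow so a compromised step has no write capability on the token.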
Review Comment:
Using `runs-on: ubuntu-latest` is inconsistent with the rest of the
workflows in this repo (which standardize on ubuntu-24.04). Pinning the runner
version improves reproducibility and prevents unexpected changes when GitHub
updates `ubuntu-latest`.
```suggestion
runs-on: ubuntu-24.04
```
##########
.github/workflows/pr-title-check.yml:
##########
@@ -0,0 +1,34 @@
+name: Pull Request Title Check
Review Comment:
This workflow is missing the standard ASF Apache 2.0 license header comment
block that appears at the top of other files under .github/workflows. Please
add the header to keep licensing consistent across workflow files.
##########
.github/workflows/pr-title-check.yml:
##########
@@ -0,0 +1,34 @@
+name: Pull Request Title Check
+
+on:
+ pull_request:
+ branches:
+ - '**'
+ types: [opened, synchronize, reopened, edited]
+
+jobs:
+ commitlint:
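Review bot: The `branches:` filter with the single entry `'**'` under `pull_request:` is a no-op, since `**` matches every branch name; either drop the `branches:` key entirely or narrow it to the branches that should enforce the title format. The `types:` list is correct as written: `edited` is what makes the check re-run when an author fixes the title after opening the PR.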
Review Comment:
The job id `commitlint` is misleading here because the workflow validates
the PR title rather than commit messages. Renaming the job to something like
`pr-title-check` (and/or updating step names accordingly) would make the
workflow easier to understand and maintain.
```suggestion
pr-title-check:
```
##########
.github/workflows/pr-title-check.yml:
##########
@@ -0,0 +1,34 @@
+name: Pull Request Title Check
+
+on:
+ pull_request:
+ branches:
+ - '**'
+ types: [opened, synchronize, reopened, edited]
+
+jobs:
+ commitlint:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.user.login != 'dependabot[bot]'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
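Review bot: `uses: actions/checkout@v4` references a mutable tag that the action's maintainers can move; if the checkout step is kept at all, pin it to a full-length commit SHA with the version noted in a trailing comment, and add `with: persist-credentials: false`, since this job never pushes and has no reason to leave the token in the checked-out `.git/config`. The job-level `if:` excluding `dependabot[bot]` is in the right place, as it skips the whole job rather than individual steps.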
Review Comment:
The checkout step isn’t needed for this job since it only inspects
`github.event.pull_request.title` and doesn’t read repository files. Removing
it will speed up the workflow; if checkout is kept for future expansion, align
with the repo’s current `actions/checkout@v6` usage.
```suggestion
```
##########
.github/workflows/pr-title-check.yml:
##########
@@ -0,0 +1,34 @@
+name: Pull Request Title Check
+
+on:
+ pull_request:
+ branches:
+ - '**'
+ types: [opened, synchronize, reopened, edited]
+
+jobs:
+ commitlint:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.user.login != 'dependabot[bot]'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Validate PR title
+ run: |
+ # Check PR title format - will fail the job if format is invalid
+ echo "Checking PR title: ${{ github.event.pull_request.title }}"
+
+ PATTERN='^\[AURON #[0-9]+\] .{3,}$'
+
+ if ! echo "${{ github.event.pull_request.title }}" | grep -qE
"$PATTERN"; then
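Review bot: Both `${{ github.event.pull_request.title }}` occurrences in this `run:` block (the `echo` line and the `grep` pipeline) are substituted into the script text before the shell parses it, so quoting inside the script cannot contain them; a title such as `x"; some-command; echo "` runs `some-command` on the runner and, because the `if` condition now ends with the attacker's own pipeline, can also slip past the format check. Put the title in `env:` as `PR_TITLE: ${{ github.event.pull_request.title }}`, reference it only as `"$PR_TITLE"`, and feed it to `grep` with `printf '%s\n' "$PR_TITLE"` rather than `echo` so a title beginning with `-n` or `-e` is not treated as an option. The `pull_request` trigger keeps the token read-only for fork PRs, which limits the blast radius, but the injected command still runs with the runner's network access and can read everything else in the job's environment.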
Review Comment:
The PR title is being interpolated directly into the shell script via `${{
github.event.pull_request.title }}`. Since the title is user-controlled, a
crafted title containing quotes/newlines can break out of the surrounding
quotes and lead to shell injection. Pass the title via `env:` and reference it
as a normal shell variable (e.g., use `printf '%s\n' "$PR_TITLE" | grep ...`)
to avoid code execution from untrusted input.
```suggestion
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: |
# Check PR title format - will fail the job if format is invalid
echo "Checking PR title: $PR_TITLE"
PATTERN='^\[AURON #[0-9]+\] .{3,}$'
if ! printf '%s\n' "$PR_TITLE" | grep -qE "$PATTERN"; then
```
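The expansion behaviour the comment above describes, reproduced locally as an added example that is not part of the review, the PR or the Auron project. Actions expands `${{ ... }}` by pasting the value into the `run:` script source before the shell parses it; `run_interpolated` does the same substitution with string concatenation, while `run_via_env` mirrors the suggested `env:` form. The function names, the `injection_succeeded` helper and the crafted title are this example's own; the pattern is the one from the hunk.

```shell
#!/bin/sh
# Added example, not from the PR or the Auron project. It reproduces the
# difference between the two forms discussed above. GitHub Actions expands
# ${{ ... }} by textual substitution into the run: script before the shell
# parses it; run_interpolated() does the same substitution by concatenation.
# run_via_env() mirrors the env: form, where the title reaches the shell as data.
# Function names and the crafted title are this example's own.

# Same pattern the PR's workflow uses; exported so both child shells can see it.
PATTERN='^\[AURON #[0-9]+\] .{3,}$'
export PATTERN

# Constructed attacker-controlled title. The first `"` closes the echo argument,
# `$((6*7))` is a harmless stand-in for a real payload (say, a curl exfiltrating
# the token), and the trailing `; echo "` re-balances the quotes so the script
# still parses. Single quotes keep the `$((...))` literal at this point.
CRAFTED_TITLE='[AURON #1] fix"; echo $((6*7)); echo "'

# Vulnerable form: the title is pasted into the script source, exactly as
# ${{ github.event.pull_request.title }} would be, then the script is executed.
run_interpolated() {
    title="$1"
    script="echo \"Checking PR title: $title\"
if ! echo \"$title\" | grep -qE \"\$PATTERN\"; then
    echo \"invalid\"
    exit 1
fi
echo \"valid\""
    sh -c "$script"
}

# Hardened form: the title is passed in the environment and only ever expanded
# inside double quotes, so its content is never parsed as shell syntax.
# printf replaces echo so a title starting with -n or -e is not taken as an option.
run_via_env() {
    PR_TITLE="$1" sh -c '
echo "Checking PR title: $PR_TITLE"
if ! printf "%s\n" "$PR_TITLE" | grep -qE "$PATTERN"; then
    echo "invalid"
    exit 1
fi
echo "valid"'
}

# Returns 0 when running the named form on CRAFTED_TITLE executed the injected
# command: "42" appears in the output only if a shell evaluated $((6*7)).
# The literal text of the title never contains "42".
injection_succeeded() {
    out=$("$1" "$CRAFTED_TITLE" 2>&1) || true
    case "$out" in
        *42*) return 0 ;;
        *)    return 1 ;;
    esac
}

echo "== interpolated (vulnerable) =="
run_interpolated "$CRAFTED_TITLE" || echo "exit status: $?"
echo "== env (hardened), crafted title =="
run_via_env "$CRAFTED_TITLE" || echo "exit status: $?"
echo "== env (hardened), title that violates the pattern =="
run_via_env 'Fix typo' || echo "exit status: $?"
```

In the interpolated run the payload executes twice (once from the `echo` line, once from inside the `if` condition) and the script still ends with `valid`, because the attacker's `echo "" | grep` has become the last command of the `if` list and the original `grep` no longer decides anything. In the `env:` run the same title is printed back verbatim, matches the pattern as plain data, and nothing inside it is executed.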
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]