The GitHub Actions job "link-check" on airflow-steward.git/feat-sandbox-lint has failed. Run started by GitHub user andreahlert (triggered by andreahlert).
Head commit for run:
5afb8a425ecf2857a1289e9cc926c17a3e3f040c / André Ahlert <[email protected]>
feat(security): implement M.29 sandbox-lint for `.claude/settings.json`

Mitigation M.29 in `docs/security/threat-model.md` (PR #91) committed to lint the agent-host sandbox configuration in CI on every PR that touches it. This is the implementation:

- `tools/sandbox-lint/` — new stdlib-only Python project. The CLI compares `.claude/settings.json` against the canonical baseline at `tools/sandbox-lint/expected.json` (set semantics on `denyRead`, `allowRead`, `allowWrite`, `allowedDomains`, `deny`, `ask`) and runs three layers of hard invariants — required `denyRead` entries, forbidden `allowRead` and `allowWrite` paths, required `permissions.deny` entries — against both the live settings and the baseline itself. The same invariants applied to the baseline catch the case where a future PR weakens both files in lockstep.
- `.github/workflows/sandbox-lint.yml` — runs the linter on every PR that touches `.claude/settings.json`, the baseline, or the linter code. Path-scoped so the rest of the matrix is unaffected.
- `.pre-commit-config.yaml` — adds `ruff check`, `ruff format --check`, `mypy`, and `pytest` hooks for the new project; the pytest hook also fires when `.claude/settings.json` changes because the test suite loads both files.
- `.github/workflows/tests.yml` — adds the new project to the per-project pytest matrix so the visible-signal lane reports pass/fail in the CI checks list.

Threat-model cross-references are in `tools/sandbox-lint/README.md`. The X3 residual (a maintainer editing the file locally outside a PR) remains accepted; the lint gates the shipped configuration, not local overrides during a single agent run.

Generated-by: Claude Opus 4.7

Report URL: https://github.com/apache/airflow-steward/actions/runs/25522009491

With regards,
GitHub Actions via GitBox
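
The two layers the commit message describes (set comparison against a baseline, plus hard invariants applied to both files) can be sketched as follows. This is an added example, not the code in `tools/sandbox-lint/`; the flat settings layout and every path, domain and rule value in it are constructed assumptions.

```python
# Added illustration; not the project's linter.
# Assumption: settings are flattened to one dict whose keys hold lists of strings.
SET_KEYS = ("denyRead", "allowRead", "allowWrite", "allowedDomains", "deny", "ask")

# Constructed invariants (hypothetical values, not the project's real lists).
REQUIRED = {"denyRead": {"~/.ssh", "~/.aws"}, "deny": {"Read(./.env)"}}
FORBIDDEN = {"allowRead": {"~", "/"}, "allowWrite": {"~", "/"}}


def drift(live, baseline):
    """Set comparison: order and duplicates are ignored, membership is not."""
    out = []
    for key in SET_KEYS:
        have, want = set(live.get(key, [])), set(baseline.get(key, []))
        out += [f"{key}: missing {e!r}" for e in sorted(want - have)]
        out += [f"{key}: unexpected {e!r}" for e in sorted(have - want)]
    return out


def invariants(cfg, label):
    """Hard rules that hold regardless of what the baseline says."""
    out = []
    for key, needed in REQUIRED.items():
        absent = needed - set(cfg.get(key, []))
        out += [f"{label}: {key} must contain {e!r}" for e in sorted(absent)]
    for key, banned in FORBIDDEN.items():
        present = banned & set(cfg.get(key, []))
        out += [f"{label}: {key} must not contain {e!r}" for e in sorted(present)]
    return out


def lint(live, baseline):
    """Drift check, then invariants on the live file and on the baseline."""
    return (drift(live, baseline) + invariants(live, "settings")
            + invariants(baseline, "baseline"))


# Constructed sample: a sound baseline, and a copy with two protections weakened.
GOOD = {"denyRead": ["~/.ssh", "~/.aws"], "allowRead": ["."], "allowWrite": ["."],
        "allowedDomains": ["github.com"], "deny": ["Read(./.env)"], "ask": []}
WEAK = {**GOOD, "denyRead": ["~/.aws"], "allowWrite": [".", "~"]}

if __name__ == "__main__":
    cases = {"clean": (GOOD, GOOD), "live only": (WEAK, GOOD), "lockstep": (WEAK, WEAK)}
    for name, (live, base) in cases.items():
        print(name, lint(live, base) or "OK")
```

In the "lockstep" case the drift check alone reports nothing, because both files were weakened identically; only the invariants run against the baseline surface the change.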
