add ci, auto-fix, and upgrade code review workflows #776
Prasanna721 wants to merge 4 commits into main from
Conversation
Add CI and upgrade Claude workflows No CI existed — type errors and lint issues only caught by Cloudflare builds. Added type check + biome lint CI on PRs, auto-fix workflow when CI fails, and upgraded code review with supermemory MCP + inline comments.
Deploying with

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | supermemory-app | 348a76f | Commit Preview URL / Branch Preview URL | Mar 10 2026, 02:28 AM |
```yaml
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
```
Bug: The workflow uses a mutable branch reference (head_branch) for checkout, creating a race condition vulnerability that allows executing untrusted code with write permissions on the base repository.
Severity: CRITICAL
Suggested Fix
Replace ref: ${{ github.event.workflow_run.head_branch }} with ref: ${{ github.event.workflow_run.head_sha }}. This pins the checkout to the immutable commit SHA that triggered the workflow, preventing an attacker from injecting malicious code after the run starts. Consider also adding a condition to only run this workflow on PRs from trusted contributors.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/claude-auto-fix-ci.yml#L26
Potential issue: The GitHub workflow `claude-auto-fix-ci.yml` is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. It triggers on pull requests from forks and uses `github.event.workflow_run.head_branch` to check out code. An attacker can push malicious code to their branch after the workflow is triggered but before the checkout step executes. The workflow then checks out and runs this malicious code with write permissions to the base repository, allowing for arbitrary code execution.
```text
After fixing, commit the changes and push directly to the branch `${{ github.event.workflow_run.head_branch }}`.
Do NOT create a new PR — the fixes should be pushed to the existing PR branch.
```
Bug: The workflow fails on pull requests from forks because the checkout step tries to find the fork's branch in the base repository, where it doesn't exist.
Severity: HIGH
Suggested Fix
Add a condition to the job to prevent it from running on pull requests from forks. Use if: github.event.workflow_run.head_repository.fork == false to ensure the workflow only executes for branches within the base repository.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/claude-auto-fix-ci.yml#L82-L84
Potential issue: The `claude-auto-fix-ci.yml` workflow will fail for any pull request originating from a fork. The workflow runs in the context of the base repository but attempts to check out the code using `head_branch`, which is a branch name that only exists in the fork. This causes the `actions/checkout` step to fail because it cannot find the specified branch in the base repository. The workflow lacks a condition to prevent it from running on PRs from forks, leading to consistent failures for all external contributions.
```yaml
  auto-fix:
    if: |
      github.event.workflow_run.conclusion == 'failure' &&
      github.event.workflow_run.pull_requests[0]
```
Bug: The auto-fix workflow is silently skipped for pull requests from forked repositories because the github.event.workflow_run.pull_requests array is empty, causing the job's if condition to fail.
Severity: HIGH
Suggested Fix
To fix this, avoid using the pull_requests array in the job's if condition. Instead, you can use github.event.workflow_run.head_branch, which is available for PRs from both forks and branches. Alternatively, use the GitHub API to find the PR associated with the workflow run's head SHA or branch name.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/claude-auto-fix-ci.yml#L20
Potential issue: The workflow job condition at line 20 checks `github.event.workflow_run.pull_requests[0]`. This expression evaluates to a falsy value for pull requests originating from forked repositories because the `pull_requests` array is empty in that context, which is a documented limitation of GitHub Actions. Consequently, the auto-fix workflow job is silently skipped for all external contributors using the standard fork-and-PR workflow. Since the project's contribution guidelines encourage fork-based contributions, this bug breaks a core feature for an expected and common use case.
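The three review comments above all stem from the same design choice: a `workflow_run` job that holds a write token, checks out a mutable branch reference, and gates on fields that are empty for fork PRs. The job below is an added example of how the `auto-fix` job can be written to address all three at once; it is not the workflow from this PR, and the CI workflow name (`CI`), the job name, the commit message and the step contents are assumptions, with the actual fixer step left as a comment.

```yaml
# Added example, not the PR's workflow. Assumed: the PR's CI workflow is named "CI".
name: auto-fix-ci

on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]

# Default-deny at the workflow level; the job below requests only what it needs.
permissions: {}

jobs:
  auto-fix:
    # Run only for failed CI runs of pull_request events whose head branch lives
    # in this repository. Comparing head_repository.full_name with github.repository
    # excludes forks explicitly: a fork's branch cannot be checked out by name from
    # here, and a fork's code must never run under the write token this job holds.
    # It also avoids the empty pull_requests array, so fork PRs are skipped on
    # purpose rather than failing at checkout or silently.
    if: >-
      github.event.workflow_run.conclusion == 'failure' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write        # needed to push the fix commit to the PR branch
      pull-requests: write   # only if the fixer also comments on the PR
    steps:
      - name: Checkout the exact commit that failed CI
        uses: actions/checkout@v5
        with:
          # Immutable SHA, not a branch name: a push to the branch between the CI
          # failure and this checkout cannot change what is checked out and run.
          ref: ${{ github.event.workflow_run.head_sha }}

      # ... run the type-check / lint fixer here; it operates on a detached HEAD ...

      - name: Push the fix back to the PR branch
        env:
          # Untrusted metadata goes through the environment, not into the script
          # body via ${{ }} interpolation.
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          set -euo pipefail
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          git diff --cached --quiet && { echo "nothing to fix"; exit 0; }
          git commit -m "ci: auto-fix lint and type errors"
          # Plain, non-forced push from the detached HEAD. If the author pushed
          # again after CI failed, this is a non-fast-forward update and is
          # rejected instead of overwriting their newer commits.
          git push origin "HEAD:refs/heads/${HEAD_BRANCH}"
```

Two properties of this shape are worth checking in review. First, the race the first comment describes is closed in both directions: the checkout is pinned to `head_sha`, and the push targets the branch without `--force`, so a branch that moved in the meantime causes a rejected push rather than either running newer untrusted code or clobbering it. Second, fork contributors lose auto-fix but keep CI; if the project wants to help them, that should be a separate workflow with a read-only token that reports the lint output as a comment, not a write-capable job that checks out fork code.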
@supermemory/tools has pre-existing type errors, so filter it out. Biome had 77 pre-existing errors across the codebase, so only lint files changed vs main. Removed biomejs/setup-biome action in favor of the lockfile version via bunx.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>