Conversation
- Use YAML.safe_load with permitted_classes to prevent arbitrary object deserialization
- Reject config paths containing '..' or starting with '/' to block path traversal
- Resolve config file to absolute path with File.expand_path(path, Dir.pwd)
- Use File.basename when copying the template to prevent traversal via filename
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
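The four checks in this commit, written out as an added example rather than the gem's own code. `SafeConfig` is a hypothetical module; `PERMITTED_CLASSES` is an assumed allowlist (the commit does not list the gem's). It adds one check the commit does not mention: `File.expand_path` expands a leading `~` to a home directory, so a path starting with `~` is rejected too.

```ruby
require 'yaml'
require 'date'
require 'fileutils'
require 'tmpdir'

# Hypothetical helper module (not the gem's code): YAML.safe_load with a class
# allowlist, rejection of traversal-style config paths, resolution against
# Dir.pwd, and File.basename when copying a template.
module SafeConfig
  class ConfigError < StandardError; end

  # Only these classes may be built from YAML tags or scalars (assumed list);
  # any other tag such as !ruby/object:SomeClass raises Psych::DisallowedClass.
  PERMITTED_CLASSES = [Date, Time, Symbol].freeze

  # Relative path only, no '..' anywhere, and no leading '~' (File.expand_path
  # would turn "~user/x" into an absolute path under that user's home).
  def self.path_allowed?(path)
    path = path.to_s
    !path.empty? && !path.start_with?('/', '~') && !path.include?('..')
  end

  # Resolve against the working directory, not the gem's install location, so
  # there is exactly one file the rest of the program can be reading.
  def self.resolve(path, base = Dir.pwd)
    raise ConfigError, "unsafe config path: #{path.inspect}" unless path_allowed?(path)
    File.expand_path(path, base)
  end

  # safe_load keeps aliases disabled by default; filename improves error messages.
  def self.parse(text, filename: nil)
    YAML.safe_load(text, permitted_classes: PERMITTED_CLASSES, filename: filename)
  end

  def self.load(path, base = Dir.pwd)
    file = resolve(path, base)
    parse(File.read(file), filename: file)
  end

  # true when the document loads under the allowlist, false when Psych refuses
  # to instantiate a class it names. DisallowedClass derives from Exception,
  # not StandardError, so it must be rescued by name.
  def self.loads_safely?(text)
    parse(text)
    true
  rescue Psych::DisallowedClass
    false
  end

  # Copy a template into dest_dir using only the basename of the requested
  # name, so a name like "../../.bashrc" cannot write outside dest_dir.
  def self.copy_template(template_src, dest_dir, requested_name)
    dest = File.join(dest_dir, File.basename(requested_name))
    FileUtils.cp(template_src, dest)
    dest
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed samples: a benign config, and a tag that YAML.load would turn
  # into an arbitrary object.
  puts SafeConfig.loads_safely?("base_branch: main\nsince: 2024-01-01\n") # true
  puts SafeConfig.loads_safely?("--- !ruby/object:Object {}\n")           # false
  puts SafeConfig.path_allowed?('../../etc/passwd')                        # false
end
```

`path_allowed?` is deliberately coarse: it rejects any `..` substring, so a legitimate filename such as `notes..yml` is refused as well, which is the safer failure for a config loader.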
- Warn at startup when running unauthenticated (rate limit: 60 req/hour)
- Add warn_if_insecure_netrc to flag world-readable ~/.netrc permissions
- Use File.expand_path('~/.netrc') instead of ENV['HOME'] for correctness in containerized environments
- Add require 'json' for GraphQL request serialization
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Read WHATSUP_GITHUB_ENTERPRISE_HOSTNAME from environment; default to github.com (GHEC) when unset, so .whatsup.yml is safe to commit to git
- Validate hostname against allowlist regex; block private/internal ranges
- Remove enterprise: key from config_reader and the host= assignment in pulls.rb — hostname is no longer sourced from the config file
- Override graphql_path in EnterpriseClient: relative /graphql for github.com (GHEC), full https://hostname/api/graphql for GHE Server
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
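An added example (not the gem's code) covering the two startup checks described in these commits: the hostname allowlist and private-range block for `WHATSUP_GITHUB_ENTERPRISE_HOSTNAME`, and the `warn_if_insecure_netrc` permission check. `StartupChecks`, its regex and the blocked-range list are assumptions of this example; the `graphql_path` split follows the commit text.

```ruby
require 'ipaddr'
require 'stringio'
require 'tmpdir'

# Hypothetical helper module (not the gem's EnterpriseClient) for two startup
# checks: validating the enterprise hostname before it is used to build API
# URLs, and flagging a ~/.netrc that other local accounts can read.
module StartupChecks
  DEFAULT_HOST = 'github.com'
  ENV_VAR = 'WHATSUP_GITHUB_ENTERPRISE_HOSTNAME'

  # Allowlist shape: dotted DNS labels only; no scheme, port, path or userinfo.
  HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/

  # Loopback, RFC 1918, link-local (incl. cloud metadata), CGNAT, IPv6 ULA and
  # link-local. Assumed list; extend to match your network.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    169.254.0.0/16 100.64.0.0/10 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Name suffixes that only ever mean "something on this network".
  BLOCKED_SUFFIXES = %w[.local .localhost .internal .localdomain .home.arpa].freeze

  # true for an IP literal outside every blocked range or a well-formed
  # hostname without an internal suffix. This validates the string only: a
  # public name can still resolve to an internal address, so the HTTP client
  # should stay on HTTPS and, where the risk matters, re-check resolved IPs.
  def self.hostname_allowed?(value)
    host = value.to_s.strip.downcase
    return false if host.empty? || host == 'localhost'
    return false if BLOCKED_SUFFIXES.any? { |s| host.end_with?(s) }
    ip = begin
      IPAddr.new(host)
    rescue IPAddr::InvalidAddressError
      nil
    end
    return BLOCKED_RANGES.none? { |r| r.include?(ip) } if ip
    HOSTNAME_RE.match?(host)
  end

  # Unset or empty means github.com (GHEC), so the committed .whatsup.yml never
  # needs to carry a hostname. Anything else must pass the allowlist.
  def self.enterprise_hostname(env = ENV)
    raw = env[ENV_VAR].to_s.strip
    return DEFAULT_HOST if raw.empty?
    raise ArgumentError, "#{ENV_VAR} rejected: #{raw.inspect}" unless hostname_allowed?(raw)
    raw.downcase
  end

  # github.com: relative path against the API root; GHE Server: full URL under
  # the instance's /api prefix.
  def self.graphql_path(host)
    host == DEFAULT_HOST ? '/graphql' : "https://#{host}/api/graphql"
  end

  # ~/.netrc holds the token in clear text; any group or other read bit means
  # another local account can take it. Uses expand_path so HOME-less
  # containers still resolve the home directory through the passwd entry.
  def self.netrc_insecure?(path = File.expand_path('~/.netrc'))
    return false unless File.file?(path)
    (File.stat(path).mode & 0o044) != 0
  end

  def self.warn_if_insecure_netrc(path = File.expand_path('~/.netrc'), io: $stderr)
    insecure = netrc_insecure?(path)
    io.puts "WARNING: #{path} is readable by other users; run: chmod 600 #{path}" if insecure
    insecure
  end
end

if $PROGRAM_NAME == __FILE__
  puts StartupChecks.hostname_allowed?('ghe.example.com')  # true
  puts StartupChecks.hostname_allowed?('169.254.169.254')  # false
  puts StartupChecks.graphql_path('ghe.example.com')       # https://ghe.example.com/api/graphql
end
```

The check is stricter than "world-readable" in that it also flags the group read bit; a token file has no reason to be readable by anyone but its owner.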
Add PULL_REQUEST_GRAPHQL query and pull_requests_by_node_ids method to Client. EnterpriseClient inherits the method and overrides graphql_path. In Pulls#data, replace per-PR REST pull_request calls with a single GraphQL nodes(ids: [...]) call using node IDs from the search results. Use snake_case field aliases in the query (merged_at, merge_commit, is_private) so Sawyer response attributes match expected names. Update RowCollector#collect_rows_for_a for the new GraphQL response shape and add the pr_url helper to mask the enterprise hostname in PR links. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
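The batch pattern this commit describes, as an added example that is not the gem's `Client` or `RowCollector`: one `nodes(ids: [...])` query for many PR node IDs, snake_case aliases on the fields, and a `pr_url` helper that masks the enterprise hostname. `PullBatch`, the exact field selection, `BATCH_SIZE` and the sample response are assumptions of this example; the response is handled as plain JSON hashes rather than Sawyer resources.

```ruby
require 'json'

# Hypothetical helper (not the gem's code). Field names are GitHub GraphQL
# schema fields; the gem's own query may select a different set.
module PullBatch
  PULL_REQUEST_GRAPHQL = <<~GRAPHQL
    query($ids: [ID!]!) {
      nodes(ids: $ids) {
        ... on PullRequest {
          number
          title
          url
          merged_at: mergedAt
          merge_commit: mergeCommit { oid }
          author { login }
          repository { name_with_owner: nameWithOwner is_private: isPrivate }
        }
      }
    }
  GRAPHQL

  # Assumed per-request cap on ids; keeps each request bounded. This is a
  # choice for the example, not a limit quoted from GitHub's documentation.
  BATCH_SIZE = 100

  def self.batches(node_ids, size: BATCH_SIZE)
    node_ids.each_slice(size).to_a
  end

  # JSON body for POST /graphql: query plus variables, so ids travel as data
  # and are never interpolated into the query text.
  def self.build_request(node_ids)
    { query: PULL_REQUEST_GRAPHQL, variables: { ids: node_ids } }.to_json
  end

  # Replace "https://<enterprise host>/" with "enterprise:" so the internal
  # hostname never lands in the generated YAML; github.com links pass through.
  def self.pr_url(url, enterprise_host)
    return url if enterprise_host.nil? || enterprise_host == 'github.com'
    prefix = "https://#{enterprise_host}/"
    url.start_with?(prefix) ? "enterprise:#{url.delete_prefix(prefix)}" : url
  end

  # nodes returns null for ids the token cannot see or that no longer exist,
  # so compact first rather than failing on a nil entry.
  def self.collect_rows(response, enterprise_host: nil)
    response.fetch('data').fetch('nodes').compact.map do |pr|
      {
        number: pr['number'],
        title: pr['title'],
        link: pr_url(pr['url'], enterprise_host),
        author: pr.dig('author', 'login'),
        merged_at: pr['merged_at'],
        merge_commit: pr.dig('merge_commit', 'oid'),
        private: pr.dig('repository', 'is_private')
      }
    end
  end

  # Constructed sample response: one merged PR plus one unresolvable id.
  SAMPLE_RESPONSE = {
    'data' => {
      'nodes' => [
        {
          'number' => 42, 'title' => 'Fix checkout race',
          'url' => 'https://ghe.example.com/acme/shop/pull/42',
          'merged_at' => '2024-05-01T12:00:00Z',
          'merge_commit' => { 'oid' => 'abc123' },
          'author' => { 'login' => 'octocat' },
          'repository' => { 'name_with_owner' => 'acme/shop', 'is_private' => true }
        },
        nil
      ]
    }
  }.freeze
end

if $PROGRAM_NAME == __FILE__
  puts PullBatch.build_request(%w[PR_a PR_b])
  p PullBatch.collect_rows(PullBatch::SAMPLE_RESPONSE, enterprise_host: 'ghe.example.com')
end
```

The aliases matter because the row builder reads `merged_at` and `merge_commit` by those names; without them the response carries `mergedAt` and `mergeCommit` and the lookups silently return nil.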
Remove the org-membership check entirely: drop @membership, @repo, @repo_url, and @is_private from Row; remove membership: from the yaml_formatter output hash. The feature required a separate API call per contributor and is no longer needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Require dotenv/load in the executable so .env is loaded before any class constants (like access tokens) are evaluated
- Update template .whatsup.yml: use base_branch: main, replace real repo with placeholder my-org/my-repo, remove membership section, fix enterprise comment to note the env var default
- Add .env.example and .netrc.example as credential reference files
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The template .whatsup.yml now uses a placeholder repo (my-org/my-repo) which causes a 422 from the GitHub API during the Basic scenario. Add a 'Given a file named' step to create a real config using octokit/octokit.rb and assert 'Done!' instead of the removed 'Searching on' log line. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Document WHATSUP_GITHUB_ENTERPRISE_HOSTNAME env var (replaces enterprise: config key); note github.com default for GHEC
- Document DEBUG=1 for opt-in query logging
- Remove membership field from 'What's generated' section
- Update enterprise link format description (enterprise:org/repo/pull/N)
- Add Local testing section with credential and DEBUG usage
- Add .markdownlint.json to relax MD013 line-length rule for tables and code blocks
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace credentials.yml with .env in .gitignore; add .cursor/
- Bump .ruby-version from 3.3.0 to 3.4.8
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Bump version to 2.0.0 (breaking changes: membership field removed, enterprise hostname moved to env var, enterprise link format changed). Update repo URLs to commerce-docs organization. Update CHANGELOG. Update all dependencies to latest compatible versions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Added `faraday-retry` as a runtime dependency in the gemspec to resolve missing-gem warnings for consumers.
- Updated CHANGELOG to reflect this bug fix.
Purpose

Ship v2.0.0 of whatsup_github: security hardening, GitHub Enterprise hostname handling via environment variables, faster PR metadata loading via GraphQL, and documentation/example updates for safe configuration.

Summary

This release replaces per-PR REST lookups with a single GraphQL batch query (`nodes(ids: [...])`) to cut API traffic and speed up runs. YAML config loading is hardened (`safe_load`, path traversal checks, resolved `.netrc` path) and the enterprise hostname moves to `WHATSUP_GITHUB_ENTERPRISE_HOSTNAME` with allowlist-style validation and blocking of private/internal hosts to reduce SSRF risk. Startup warns when running unauthenticated and when `.netrc` is world-readable.

Breaking: the `membership` field is removed from output and config (org membership checks are gone). Enterprise PR links in output use the `enterprise:org/repo/pull/N` form instead of embedding the internal hostname. The `enterprise` key in `.whatsup.yml` is no longer used for the hostname.

Other updates: Ruby 3.4.8, dependency refresh (`Gemfile.lock`), dotenv loading from the executable, expanded README (security, enterprise, `DEBUG=1`), `.env.example`/`.netrc.example`, markdownlint config, Cucumber scenario adjusted for a real public repo, and CHANGELOG entries for 2.0.0.

Migration notes

- `WHATSUP_GITHUB_ENTERPRISE_HOSTNAME` for GitHub Enterprise (defaults to `github.com` for GHEC when unset); remove the hostname from the committed `.whatsup.yml` if it was there.
- `membership` usage from config or downstream consumers of the YAML.
- `enterprise:...` form if you parse links.

How to test

- `bundle install` and run the existing test/lint workflows locally (e.g. `bundle exec rake` / cucumber as documented in the README).
- `DEBUG=1`: confirm query logging only when intended.

Related documentation