✅ Deploy Preview for viteplus-preview canceled.
Socket for GitHub: No dependency changes detected in pull request. 👍
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 57d0ad7782
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| name: Security Analysis | ||
| runs-on: ubuntu-slim | ||
| steps: | ||
| - uses: oxc-project/security-action@4211cd3f56ba742507263ea4a999f3be4165a53c # v1.0.1 |
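Review bot: no `permissions:` block appears in this hunk for the Security Analysis job, so unless the workflow declares one at the top level the job runs with the repository's default GITHUB_TOKEN scope; add `permissions: contents: read` on the job (widening only if the action needs to write results) so a third-party action runs with the least privilege the check needs. The SHA pin with the `# v1.0.1` comment is the right shape; a dependency-update rule that bumps the SHA and the version comment together keeps the two from drifting apart.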
Restore rolldown checkout before running cargo-deny
This replacement removes the explicit rolldown/rolldown checkout that deny.yml performed before running cargo deny check, but the workspace still defines many path dependencies under ./rolldown/crates/* in Cargo.toml. The pinned oxc-project/security-action only checks out the current repo and then runs cargo deny check when Cargo.lock changes, so lockfile-update PRs can hit missing local path dependencies and fail the security job for infrastructure reasons rather than real advisories.
| name: Security Analysis | ||
| runs-on: ubuntu-slim | ||
| steps: | ||
| - uses: oxc-project/security-action@4211cd3f56ba742507263ea4a999f3be4165a53c # v1.0.1 |
Keep cargo-deny coverage for deny.toml-only edits
The new workflow delegates to security-action, whose cargo-deny step is gated on steps.cargo_lock.outputs.changed == 'true' and that flag is computed by diffing only Cargo.lock; therefore PRs that change deny.toml but not the lockfile skip cargo-deny entirely. The removed deny.yml explicitly ran on deny.toml changes, so this commit introduces a regression where policy/config updates can merge without any deny validation.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8b4bb59869
| paths: | ||
| - ".github/workflows/**" |
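Review bot: the push path filter at `- ".github/workflows/**"` should also list the files the security job evaluates; add `- "Cargo.lock"` and `- "deny.toml"` under `paths:` so dependency and deny-policy changes pushed directly to the default branch still trigger the workflow rather than only edits to the workflow files themselves.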
Run security analysis on main lockfile/security policy pushes
The new push trigger only matches .github/workflows/**, so direct pushes to main that change Cargo.lock or deny.toml will skip this workflow entirely. The removed deny.yml explicitly ran on those files for push events, so this introduces a coverage gap where dependency or deny-policy changes can land on main without any security check.
| name: Security Analysis | ||
| runs-on: ubuntu-slim | ||
| steps: | ||
| - uses: oxc-project/security-action@4211cd3f56ba742507263ea4a999f3be4165a53c # v1.0.1 |
Enforce this repo's deny.toml when running cargo-deny
This step delegates entirely to oxc-project/security-action, whose pinned action.yml runs cargo deny with the action’s bundled config (${{ github.action_path }}/deny.toml) instead of this repository’s root deny.toml. That means the project-specific advisory ignores and policy rules are no longer what the CI check enforces, which is a regression from the previous workflow’s cargo deny check behavior.