Merged
62 changes: 62 additions & 0 deletions .github/workflows/claude-doc-pr.yml
@@ -268,3 +268,65 @@
prompt: |
/doc-pr-fix ${{ steps.pr-info.outputs.number }} $COMMENT_BODY
claude_args: '--allowedTools "Bash(vale:*),Bash(gh:*),Bash(git:*),Read,Write,Edit,Glob,Grep,Skill(doc-pr-fix),Skill(dale)"'

- name: Re-run Vale and update inline comments
if: steps.pr-info.outputs.is_fork == 'false' && steps.pr-info.outputs.targets_dev == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PR_NUMBER=${{ steps.pr-info.outputs.number }}
REPO=${{ github.repository }}

# Dismiss all previous Vale reviews
REVIEW_IDS=$(gh api repos/${REPO}/pulls/${PR_NUMBER}/reviews \
--jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | contains("Vale found"))) | .id] | .[]' 2>/dev/null || true)
for ID in $REVIEW_IDS; do
gh api repos/${REPO}/pulls/${PR_NUMBER}/reviews/${ID}/dismissals \
-f message="Superseded after fixes applied" -f event="DISMISS" 2>/dev/null || true
done

# Pull latest changes from Claude's push
git pull origin ${{ steps.pr-info.outputs.branch }} 2>/dev/null || true

Check failure: Code scanning / CodeQL: Code injection

Potential code injection in [${{ steps.pr-info.outputs.branch }}](1), which may be controlled by an external user ([issue_comment](2)).

Copilot Autofix (AI, 9 days ago):
To fix this, we must stop interpolating the untrusted branch name directly into the run: script via ${{ ... }} and instead pass it as an environment variable, then reference it using standard shell variable syntax. This prevents arbitrary code injection because the shell receives only the resolved environment variable value, and proper quoting can be applied.

Concretely, in the step that currently contains:

run: |
  ...
  git pull origin ${{ steps.pr-info.outputs.branch }} 2>/dev/null || true

we should:

  1. Add an env: section to this step that sets a safe environment variable, e.g. PR_BRANCH: ${{ steps.pr-info.outputs.branch }}.
  2. Change the git pull invocation to use the shell variable, properly quoted: git pull origin "$PR_BRANCH" 2>/dev/null || true.

All other logic remains the same; we do not change how branch is computed or stored, only how it is consumed in the shell. No new imports or external libraries are required; only YAML changes within .github/workflows/claude-doc-pr.yml in the shown snippet.

Suggested changeset 1: .github/workflows/claude-doc-pr.yml

Autofix patch (run the following command in your local git repository to apply it):
cat << 'EOF' | git apply
diff --git a/.github/workflows/claude-doc-pr.yml b/.github/workflows/claude-doc-pr.yml
--- a/.github/workflows/claude-doc-pr.yml
+++ b/.github/workflows/claude-doc-pr.yml
@@ -273,6 +273,7 @@
         if: steps.pr-info.outputs.is_fork == 'false' && steps.pr-info.outputs.targets_dev == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_BRANCH: ${{ steps.pr-info.outputs.branch }}
         run: |
           PR_NUMBER=${{ steps.pr-info.outputs.number }}
           REPO=${{ github.repository }}
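Review bot: the same expression-in-`run:` pattern survives two lines below the new `env:` entry, at `PR_NUMBER=${{ steps.pr-info.outputs.number }}` and `REPO=${{ github.repository }}`. Both values are produced by the same `pr-info` step as `branch`, so move them into `env:` next to `PR_BRANCH` (and reference them as `"$PR_NUMBER"` / `"$REPO"`) rather than fixing only the line CodeQL flagged; otherwise the next scan, or the next edit to that step, reopens the same class of finding.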
@@ -286,7 +287,7 @@
           done
 
           # Pull latest changes from Claude's push
-          git pull origin ${{ steps.pr-info.outputs.branch }} 2>/dev/null || true
+          git pull origin "$PR_BRANCH" 2>/dev/null || true
 
           # Get changed files
           CHANGED_MD_FILES=$(gh pr diff "$PR_NUMBER" --name-only | grep -E '^docs/.*\.md$' | grep -v '/CLAUDE\.md$' | grep -v '/SKILL\.md$' || true)
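Review bot: quoting `"$PR_BRANCH"` stops the shell from splitting the name, but git still parses a branch name that starts with `-` as an option, so pass a fully qualified refspec, e.g. `git pull origin "refs/heads/$PR_BRANCH"`, or reject names matching `-*` before the pull. Separately, `2>/dev/null || true` on that line hides a failed pull, after which the Vale re-run on the following lines checks stale files; let the pull fail the step, or at least echo the error so the "All Vale issues resolved" message cannot be produced from an old checkout.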
EOF
Unable to commit as this autofix suggestion is now outdated
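The autofix text above explains the fix but not the mechanism. The script below is an added example, not code from the workflow or from Copilot: it reproduces offline what the Actions runner does, namely substituting the value of a `${{ }}` expression into the script source before the shell parses it, and contrasts that with an `env:` variable expanded at run time. The hostile branch name, the `git` stand-in function and the `safe_branch_ref` guard are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the workflow on this page. It reproduces, offline,
# why `${{ steps.pr-info.outputs.branch }}` inside `run:` is a shell-injection
# sink while the same value passed through `env:` is not: the Actions runner
# substitutes expression values into the script text before the shell parses it.
# The hostile branch name below is constructed for the demo.

HOSTILE_BRANCH='main; echo INJECTED'
MARKER='${{ steps.pr-info.outputs.branch }}'

# Stand-in for git so nothing touches a real repository; it reports its
# arguments, one line per invocation, so we can count how many commands ran.
git() { printf 'git:%s\n' "$*"; }

# Textual substitution of the expression, which is what the runner does.
render_template() {
  template=$1; value=$2
  prefix=${template%%"$MARKER"*}
  [ "$prefix" = "$template" ] && { printf '%s' "$template"; return; }
  printf '%s%s%s' "$prefix" "$value" "${template#*"$MARKER"}"
}

# Vulnerable form: the branch name becomes script source, so the ';' it
# carries ends the git command and starts a second one.
pull_interpolated() {
  script=$(render_template "git pull origin $MARKER" "$1")
  eval "$script"
}

# Hardened form (what the autofix proposes): the script text is fixed and the
# value is expanded, quoted, at run time, so it stays a single argument.
pull_via_env() {
  PR_BRANCH=$1 eval 'git pull origin "$PR_BRANCH"'
}

# Extra guard worth adding on top of quoting (constructed for this demo):
# reject names git would parse as an option (leading '-'), empty names and
# whitespace, and pin the refspec namespace.
safe_branch_ref() {
  case $1 in
    ''|-*|*[[:space:]]*) return 1 ;;
  esac
  printf 'refs/heads/%s' "$1"
}

echo '--- interpolated (vulnerable): two commands run ---'
pull_interpolated "$HOSTILE_BRANCH"
echo '--- env var (hardened): one command, one argument ---'
pull_via_env "$HOSTILE_BRANCH"
```

Run it and the vulnerable path prints `git:pull origin main` followed by `INJECTED`, i.e. the attacker-supplied text executed as a second command; the `env:` path prints a single `git:pull origin main; echo INJECTED` line, the whole name delivered as one argument. The `is_fork == 'false'` gate on the step narrows who can reach this sink to people who can push branches to the repository, but it does not change the mechanism, so the `env:` form is still the right one.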

# Get changed files
CHANGED_MD_FILES=$(gh pr diff "$PR_NUMBER" --name-only | grep -E '^docs/.*\.md$' | grep -v '/CLAUDE\.md$' | grep -v '/SKILL\.md$' || true)
if [ -z "$CHANGED_MD_FILES" ]; then
echo "No docs markdown files to re-check"
exit 0
fi

# Re-run Vale and collect results
VALE_COUNT=0
COMMENTS_JSON="[]"
while IFS= read -r FILE; do
if [ -f "$FILE" ]; then
RESULT=$(vale --output=line "$FILE" 2>&1 || true)
if [ -n "$RESULT" ]; then
while IFS= read -r LINE; do
LINE_NUM=$(echo "$LINE" | cut -d: -f2)
RULE=$(echo "$LINE" | cut -d: -f4)
MESSAGE=$(echo "$LINE" | cut -d: -f5-)
if [ -n "$LINE_NUM" ] && [ -n "$MESSAGE" ]; then
BODY="**Vale** (\`${RULE}\`): ${MESSAGE}"
COMMENTS_JSON=$(echo "$COMMENTS_JSON" | jq \
--arg path "$FILE" \
--argjson line "$LINE_NUM" \
--arg body "$BODY" \
'. += [{"path": $path, "line": $line, "body": $body}]')
VALE_COUNT=$((VALE_COUNT + 1))
fi
done <<< "$RESULT"
fi
fi
done <<< "$CHANGED_MD_FILES"

if [ "$VALE_COUNT" -gt 0 ]; then
echo "Vale still found $VALE_COUNT issue(s) after fixes"
jq -n \
--arg body "**Vale found ${VALE_COUNT} remaining issue(s) after fixes.** See inline comments below." \
--argjson comments "$COMMENTS_JSON" \
'{"body": $body, "event": "COMMENT", "comments": $comments}' \
| gh api repos/${REPO}/pulls/${PR_NUMBER}/reviews --input - 2>&1
else
echo "All Vale issues resolved"
fi
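Review bot: the "Dismiss all previous Vale reviews" loop never dismisses anything, and the `2>/dev/null || true` wrapper makes sure nobody finds out. `gh api` defaults to POST whenever `-f` fields are supplied, but the dismissals endpoint (`/repos/{owner}/{repo}/pulls/{pull_number}/reviews/{review_id}/dismissals`) is a PUT, so add `-X PUT` and drop the silent `|| true`; also confirm the API will dismiss a review that was posted with `event: COMMENT`, which is what the `jq -n ... '{"body": $body, "event": "COMMENT", ...}'` call at the bottom of this step creates, otherwise superseded "Vale found" reviews accumulate on the PR. Two further points in the same step: the `git pull origin ${{ steps.pr-info.outputs.branch }}` line is the CodeQL finding above and should be fixed by moving `branch`, `number` and `github.repository` into `env:` together; and `--argjson line "$LINE_NUM"` aborts jq as soon as a non-numeric field reaches it, which can happen because `2>&1` merges Vale's stderr into `$RESULT`, leaving `COMMENTS_JSON` empty and making the final `--argjson comments "$COMMENTS_JSON"` call fail, so validate first, e.g. `case "$LINE_NUM" in ''|*[!0-9]*) continue ;; esac`. Finally, the review API rejects a `line` that is not part of the PR diff, so one Vale hit outside the changed hunks will fail the whole review call and, with the runner's default `bash -eo pipefail`, the step.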