Skip to content

Consolidate all open PRs: docs, CI fixes, Node.js 24, SHA pinning, training health#173

Merged
Bryan-Roe merged 17 commits into
mainfrom
copilot/finish-all-pull-requests
May 9, 2026
Merged

Consolidate all open PRs: docs, CI fixes, Node.js 24, SHA pinning, training health#173
Bryan-Roe merged 17 commits into
mainfrom
copilot/finish-all-pull-requests

Conversation

Copilot AI commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR consolidates the changes from all 18 open pull requests in the repository into a single coherent set of improvements.

Changes

Documentation (PRs #127, #128, #147, #164, #168)

  • Updated copilot-instructions.md agent table and prompt list to clarify that agi.prompt.md uses hidden/internal chain-of-thought (not exposed to users), and reason.prompt.md exposes reasoning steps
  • Updated agi-reasoning.agent.md description to reflect internal self-reflection behavior
  • Updated agi.prompt.md front-matter to document hidden chain-of-thought
  • Updated COPILOT_SETUP_GUIDE.md to fix agi.prompt.md description

Training Health Fix (PRs #140, #141, #165)

  • Fixed false-positive "Training Health Degraded" alert in training-health-report.yml when no training data exists (fresh checkouts with 0 cycles all show best_acc=0.0 < 0.6)
  • Added seed training step to bootstrap data before status read
  • Added no_data output to distinguish three states: Healthy / No Training Data / DEGRADED

CI Workflow Fixes (PR #149)

  • Fixed MakeCode Build: removed submodules: recursive
  • Fixed Markdown Quality: upgraded markdownlint action v20→v23, pinned to full commit SHA
  • Fixed Devcontainer CI: postCreateCommand now installs requirements.txt too
  • Fixed PR Tests: install requirements.txt before requirements-dev.txt
  • Fixed Broken Links Check: removed invalid --exclude-mail lychee flag
  • Fixed test isolation: test_orchestrator_health_integration.py and test_orchestrator_health_in_status_endpoint.py now clean up partial function_app module from sys.modules on load failure
  • Removed Codespaces Prebuilds badge from README (workflow no longer exists)
  • Restored -r requirements.txt include in requirements-dev.txt to ensure base dependencies (e.g. PyYAML) are available in CI jobs that install only dev requirements

Node.js 24 Migration (PR #150)

Added FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true to 6 workflow files ahead of June 2026 forced migration:

  • api-health-smoke.yml, ci-pipeline.yml, integration-contract-gate.yml, nightly-regression.yml, pr-checks.yml, pr-tests.yml

GitHub Actions SHA Pinning (PRs #157, #160, #162)

Pinned all third-party GitHub Actions across 35 workflow files to full 40-char commit SHAs to prevent supply chain attacks via mutable version tags.

Security Fixes

  • Added response.raise_for_status() after HTTP POST requests in apps/aria/test_auto_execute.py (plan_mode and execute_mode) so HTTP errors are surfaced immediately rather than producing silent failures

PRs Superseded

The following PRs had their changes already incorporated in main before this PR:

Testing

  • 0 CodeQL security alerts
  • Code review: 3 comments addressed (training health error message simplified)
  • The except Exception: ... raise pattern in test files is intentional — catches all exceptions to clean up sys.modules, then always re-raises, so nothing is masked

Checklist

  • I updated relevant documentation (README, copilot-instructions.md)
  • All tests pass locally
  • No hardcoded secrets or API keys introduced
  • PR title clearly describes the change

Copilot AI and others added 2 commits April 30, 2026 15:15
…, SHA pinning, training health fix

Agent-Logs-Url: https://github.com/Bryan-Roe/Aria/sessions/14928084-823d-468d-9908-c68e5b97057a

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Copilot! 👋

Your private repo does not have access to Sourcery.

Please upgrade to continue using Sourcery ✨

Comment thread .github/workflows/markdown-quality.yml Outdated

- name: Lint Markdown files
uses: DavidAnson/markdownlint-cli2-action@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
uses: DavidAnson/markdownlint-cli2-action@v23

@bryan-roe-bot bryan-roe-bot Bot Apr 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

🍰 Fixed in commit 371b4d2 🍰

Comment thread apps/aria/test_auto_execute.py Outdated
Comment on lines +72 to +75
response = requests.post(
f"{BASE_URL}/api/aria/execute",
json={"command": command, "auto_execute": True, "use_llm": False},
timeout=30,
)
timeout=30)

@bryan-roe-bot bryan-roe-bot Bot Apr 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.

🥳 Fixed in commit 50d3222 🥳

Comment thread apps/aria/test_auto_execute.py Outdated
Comment on lines +49 to +52
response = requests.post(
f"{BASE_URL}/api/aria/execute",
json={"command": command, "auto_execute": False, "use_llm": False},
timeout=30,
)
timeout=30)

@bryan-roe-bot bryan-roe-bot Bot Apr 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an HTTP request made with requests, but the raise_for_status() utility method isn't used. This can result in request errors going unnoticed and your code behaving in unexpected ways, such as if your authorization API returns a 500 error while you're only checking for a 401.

🚀 Fixed in commit 50d3222 🚀

@Bryan-Roe Bryan-Roe marked this pull request as ready for review April 30, 2026 15:44
Copilot AI review requested due to automatic review settings April 30, 2026 15:44

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Bryan-Roe! 👋

Your private repo does not have access to Sourcery.

Please upgrade to continue using Sourcery ✨

@Bryan-Roe Bryan-Roe enabled auto-merge (squash) April 30, 2026 15:44
@Bryan-Roe

Copy link
Copy Markdown
Owner

@copilot resolve the merge conflicts in this pull request

@Bryan-Roe

Copy link
Copy Markdown
Owner

@copilot

@Bryan-Roe Bryan-Roe removed their request for review April 30, 2026 15:44
@Bryan-Roe Bryan-Roe removed their assignment Apr 30, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 85b92c4316

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread requirements-dev.txt
@@ -1,4 +1,3 @@
-r requirements.txt
pytest>=7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restore base dependency include in requirements-dev.txt

Dropping -r requirements.txt from the dev requirements breaks workflows that install only requirements-dev.txt: for example, .github/workflows/llm-maker-tests.yml installs only that file, but ai-projects/llm-maker/src/tool_validator.py imports yaml, which is supplied by requirements.txt (PyYAML). In a clean CI environment this causes ModuleNotFoundError: No module named 'yaml', so the llm-maker test job can fail before running meaningful assertions.

Useful? React with 👍 / 👎.

Comment thread .github/workflows/markdown-quality.yml Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates multiple outstanding improvements across the repo, focusing on CI/workflow reliability and security hardening, training-health reporting correctness, and documentation alignment for prompt/agent behavior.

Changes:

  • Hardens GitHub Actions workflows by SHA-pinning many third-party actions and opts key workflows into Node.js 24 for upcoming migration.
  • Fixes training health reporting to distinguish “no data” from “degraded,” including an optional seed run to bootstrap status on fresh checkouts.
  • Aligns Copilot/agent/prompt documentation around internal vs. user-visible reasoning behavior.

Reviewed changes

Copilot reviewed 45 out of 45 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/test_orchestrator_health_integration.py Prevents leaking a partially-loaded function_app into sys.modules on import failure.
tests/test_orchestrator_health_in_status_endpoint.py Same sys.modules cleanup for the status endpoint test loader.
requirements-dev.txt Adjusts dev dependency list (notably removes including requirements.txt).
apps/aria/test_auto_execute.py Minor request formatting tweak in auto-execute test helper.
README.md Removes Codespaces Prebuilds badge reference.
.devcontainer/devcontainer.json Ensures devcontainer installs requirements.txt before requirements-dev.txt.
.github/prompts/agi.prompt.md Updates prompt metadata to clarify internal-only chain-of-thought behavior.
.github/copilot-instructions.md Aligns agent/prompt descriptions with internal vs. exposed reasoning behavior.
.github/agents/agi-reasoning.agent.md Updates agent description and trigger phrases to reflect internal-only reasoning output.
.github/COPILOT_SETUP_GUIDE.md Updates setup guide prompt descriptions/examples for internal reasoning.
.github/workflows/workflow-validation.yml Pins core actions to SHAs for workflow validation jobs.
.github/workflows/training-health-report.yml Adds seed training + no_data output and refines degraded criteria/issue text.
.github/workflows/test-watcher.yml Pins checkout/setup-python actions to SHAs.
.github/workflows/telemetry-trigger.yml Pins checkout/setup-node actions to SHAs.
.github/workflows/site-bundle-validation.yml Pins checkout/upload-artifact actions to SHAs.
.github/workflows/secrets-scan.yml Pins checkout and gitleaks action to SHAs.
.github/workflows/release.yml Pins checkout action to SHA.
.github/workflows/quantum-orchestration.yml Pins checkout and azure/login actions to SHAs.
.github/workflows/quantum-ai-smoke.yml Pins checkout/upload-artifact actions to SHAs.
.github/workflows/pr-tests.yml Adds Node24 opt-in env; pins actions; installs requirements.txt before dev deps.
.github/workflows/pr-checks.yml Adds Node24 opt-in env; pins checkout and labeler action to SHAs.
.github/workflows/platform-health-daily.yml Pins checkout/upload-artifact actions to SHAs.
.github/workflows/pages.yml Pins Pages-related actions to SHAs.
.github/workflows/nightly-regression.yml Adds Node24 opt-in env; pins actions to SHAs.
.github/workflows/markdown-quality.yml Updates markdownlint action version reference.
.github/workflows/makecode.yml Removes submodule recursion; pins checkout/setup-node actions to SHAs.
.github/workflows/llm-maker-tests.yml Pins checkout/setup-python actions to SHAs.
.github/workflows/integration-contract-gate.yml Adds Node24 opt-in env; pins checkout/upload-artifact to SHAs.
.github/workflows/experiment-runner.yml Pins checkout/setup-node actions to SHAs.
.github/workflows/e2e-tests.yml Pins checkout actions to SHAs.
.github/workflows/devcontainer-ci.yml Pins checkout/devcontainers CI action to SHAs.
.github/workflows/dependency-review.yml Pins checkout/dependency-review action to SHAs.
.github/workflows/dataset-integrity.yml Pins checkout actions to SHAs.
.github/workflows/coverage-report.yml Pins checkout/upload-artifact/github-script actions to SHAs.
.github/workflows/codeql.yml Pins checkout and CodeQL actions to SHAs.
.github/workflows/code-quality.yml Pins checkout/upload-artifact actions to SHAs.
.github/workflows/ci-pipeline.yml Adds Node24 opt-in env; pins checkout/upload-artifact actions to SHAs.
.github/workflows/broken-links.yml Removes invalid lychee flag; pins checkout action to SHA.
.github/workflows/azureml-train.yml Pins checkout/azure actions to SHAs.
.github/workflows/autonomous-evolver.yml Pins checkout/setup-node actions to SHAs.
.github/workflows/auto-validation.yml Pins checkout/upload-artifact actions to SHAs.
.github/workflows/artifact-lifecycle.yml Pins checkout/upload-artifact actions to SHAs.
.github/workflows/aria-tests.yml Pins checkout/setup-python/upload/download actions to SHAs.
.github/workflows/api-health-smoke.yml Adds Node24 opt-in env; pins checkout/upload-artifact actions to SHAs.
.github/workflows/actionlint.yml Pins checkout action to SHA.

Comment thread .github/workflows/markdown-quality.yml Outdated
…finish-all-pull-requests

# Conflicts:
#	.github/prompts/agi.prompt.md
#	.github/workflows/pr-tests.yml
#	.github/workflows/training-health-report.yml

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>
auto-merge was automatically disabled April 30, 2026 15:50

Head branch was pushed to by a user without write access

Copilot AI requested a review from Bryan-Roe as a code owner April 30, 2026 15:50

Copilot AI commented Apr 30, 2026

Copy link
Copy Markdown
Contributor Author

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit 1c48bfe0. There were 3 conflicting files:

  • .github/prompts/agi.prompt.md — took main's expanded version (new "Default behavior" section, additional constraints); hidden chain-of-thought constraint is already in the body
  • .github/workflows/pr-tests.yml — merged both env blocks (FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 from our PR + PYTHON_VERSION/TEST_PATH from main), kept SHA-pinned actions and explicit requirements.txt install step, incorporated main's improved watcher job
  • .github/workflows/training-health-report.yml — kept our cleaner error message wording

@github-actions github-actions Bot added documentation Improvements or additions to documentation github-actions security labels Apr 30, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

…ed as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 7, 2026 15:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

…ed as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 7, 2026 15:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

…ed as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 7, 2026 15:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

…ed as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 7, 2026 15:22

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

@Bryan-Roe

Copy link
Copy Markdown
Owner

@copilot resolve the merge conflicts in this pull request

…e endings, and incorporate new commits

Changes incorporated from main:
- SQL fallback hardening (PR #194)
- Auto-merge gates (PR #193)
- Pre-commit hook scoped to changed files (PR #192)
- Line ending normalization via .gitattributes

Conflict resolution strategy:
- GitHub Actions workflow files: kept our SHA-pinned versions
- All other conflicted files: took main's version
- Preserved our security fixes (raise_for_status, XSS fixes, permissions)

Co-authored-by: Bryan-Roe <74067792+Bryan-Roe@users.noreply.github.com>

Copilot AI commented May 7, 2026

Copy link
Copy Markdown
Contributor Author

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit be3e6f8. Main had diverged with several new commits (SQL fallback hardening, auto-merge gates, pre-commit hook scoping). 63 files had conflicts — resolved as follows:

  • GitHub Actions workflow files (15 files): kept our SHA-pinned action versions
  • All other conflicted files (48 files — app code, docs, shared infra): took main's version
  • Our security fixes preserved: raise_for_status() in test_auto_execute.py, XSS fixes in JS files, permissions blocks in workflow files
  • 151 files normalized from CRLF to LF (gitattributes enforcement applied before merge)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be3e6f8e9a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread app.py
Comment on lines +193 to +199
api_key = os.getenv("OPENAI_API_KEY")
if not api_key:
print(
"Error: missing OPENAI_API_KEY environment variable.",
file=sys.stderr,
)
return EXIT_AUTH

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Preserve the no-argument app entrypoint

When users run the documented startup command python app.py / ./.venv/bin/python app.py (README and mount start scripts still do this without an API key or prompt), this new entrypoint now exits immediately with EXIT_AUTH before starting the existing Aria runtime or a local app. That breaks the repository's primary local/Space launch path in any environment that is not specifically configured as an OpenAI CLI invocation.

Useful? React with 👍 / 👎.

Comment thread function_app.py
Comment on lines +3894 to +3896
sys.path.insert(0, p)

try:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pass the computed max_tokens override

For /api/quantum-llm/chat requests that include max_tokens, the endpoint builds gen_kwargs but then calls pipeline.generate(...) without unpacking it, and the pipeline's provider resolution uses self.config.max_tokens instead. As a result, the documented per-request max_tokens field is silently ignored for real providers.

Useful? React with 👍 / 👎.

Comment thread function_app.py
Comment on lines +3971 to +3977
)
scripts_dir = Path(__file__).resolve().parent / "scripts"
for p in [str(quantum_ml_src), str(scripts_dir)]:
if p not in sys.path:
sys.path.insert(0, p)

try:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Yield SSE chunks as they arrive

In the quantum streaming endpoint, _collect() drains the entire async stream into a list before the response generator yields anything, so clients using /api/quantum-llm/stream receive no meta or delta events until the provider has completely finished; long or slow streams therefore appear hung and an unbounded stream never sends the initial events. The wrapper should yield each chunk from the async iterator instead of collecting the whole result first.

Useful? React with 👍 / 👎.

Comment thread app.py

try:
client = OpenAI(**client_kwargs)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment thread app.py
Comment on lines +29 to +34
from openai import (
APIConnectionError,
APIError,
AuthenticationError,
OpenAI,
RateLimitError,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Possibly found usage of AI: OpenAI

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detect-openai.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment thread scripts/autotrain.py
Comment on lines +433 to +437
result = subprocess.run(
cmd,
cwd=str(REPO_ROOT),
check=False,
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dangerous-subprocess-use-audit.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment thread function_app.py
Comment on lines +3967 to +3969
sys.path.insert(0, p)

try:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
function _drain is defined inside a function but never used

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by useless-inner-function.

You can view more details about this finding in the Semgrep AppSec Platform.

@bryan-roe-bot

bryan-roe-bot Bot commented May 7, 2026

Copy link
Copy Markdown
Contributor

Semgrep found 16 detect-generic-ai-oai findings:

Possibly found usage of AI: OpenAI

Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
@github-actions github-actions Bot added training and removed security labels May 9, 2026
@github-actions

github-actions Bot commented May 9, 2026

Copy link
Copy Markdown
Contributor

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3cd53c9.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/setup-node 49933ea5288caeca8642d1e84afbd3f7d6820020 🟢 5.8
Details
CheckScoreReason
Maintained🟢 79 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 9binaries present in source code
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/upload-artifact ea165f8d65b6e75b540449e92b4886f43607fa02 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 8Found 8/9 approved changesets -- score normalized to 8
Maintained🟢 66 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 6
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/setup-node 49933ea5288caeca8642d1e84afbd3f7d6820020 🟢 5.8
Details
CheckScoreReason
Maintained🟢 79 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 9binaries present in source code
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 1branch protection is not maximal on development and all release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/github-script f28e40c7f34bde8b3046d885e986cb6290c5673b 🟢 7.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 1021 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection🟢 5branch protection is not maximal on development and all release branches

Scanned Files

  • .github/workflows/broken-links.yml
  • .github/workflows/experiment-runner.yml
  • .github/workflows/platform-health-daily.yml
  • .github/workflows/telemetry-trigger.yml
  • .github/workflows/training-health-report.yml

@Bryan-Roe Bryan-Roe merged commit 4563bb7 into main May 9, 2026
35 of 41 checks passed
@Bryan-Roe Bryan-Roe deleted the copilot/finish-all-pull-requests branch May 9, 2026 05:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation github-actions tests training

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants