fix(shims,docs): resolve CodeQL and AI code quality findings #388
Merged
Address all open findings from GitHub Security > Code Quality:

Standard findings (CodeQL):
- C# shim: replace generic catch clauses with specific exception types
- C# shim: use Path.Join instead of Path.Combine to avoid silent arg drops
- C# shim: replace foreach loop with LINQ FirstOrDefault
- C# shim: make checksum fetch failure a hard error (security hardening)
- Java shim: catch NumberFormatException from Long.parseLong in tar parsing
- Python shim: remove unused `import os`
- Python test: consolidate duplicate unittest import styles

AI findings (validated and fixed):
- Go shim: make missing checksum a hard failure instead of silent warning
- Docs: fix GrepMatch.file description from "Absolute" to "Project-relative"
- Docs: remove duplicate RuleSet sections in en/nb/pt-br rule-api pages
- Docs: correct init.mdx generated filenames (GEN-001, not ARCH-001)
- Docs: correct init.mdx lint dir file (README.md, not archgate.config.ts)

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Add toolchain pins so contributors can run shim tests locally via proto:
- Go 1.21 (built-in proto plugin)
- .NET 8.0 (community proto-dotnet-plugin)
- Java 11 (Eclipse Adoptium via openjdk-adoptium-proto-plugin)

Maven still requires manual install — no proto plugin exists.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Deploying archgate-cli

| Latest commit: | 67081c3 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://aa8c5421.archgate-cli.pages.dev |
| Branch Preview URL: | https://fix-security-quality-finding.archgate-cli.pages.dev |
The C# and Java shim source code constants were stuck at 0.39.0 while package.json is 0.41.1. The release script (.simple-release.js) updated package manifests (.csproj, pom.xml) but missed the hardcoded Version constants used to construct download URLs.

Fixes:
- Update Program.cs and Shim.java version constants to 0.41.1
- Add both source files to .simple-release.js bump targets
- Extend ARCH-013/shim-version-sync rule to check source constants
- Sync nb/pt-br init.mdx translations (GEN-001, README.md filenames)

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Code Coverage

Full HTML report available in workflow artifacts. Per-directory breakdown
The Java proto plugin (openjdk-adoptium-proto-plugin) doesn't have a compatible WASM asset for proto 0.57.x used in CI, causing the Windows smoke test to fail on `proto install`. This cascaded into coverage failure (no Windows coverage merged → 88.3% < 90% threshold).

Shim toolchains (Go, .NET, Java) should be managed separately — CI already handles them via actions/setup-* in the shim-tests matrix.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Merged

rhuanbarreto pushed a commit that referenced this pull request on May 30, 2026
# archgate

## [0.42.0](v0.41.1...v0.42.0) (2026-05-30)

### Features

* **engine:** add inline suppression via archgate-ignore comments ([#383](#383)) ([1240860](1240860))

### Bug Fixes

* **deps:** resolve dependency dashboard deprecation and lookup warnings ([#387](#387)) ([18eae44](18eae44)), closes [#107](#107)
* **docs:** restore Norwegian Bokmål diacritical marks across nb/ locale ([#384](#384)) ([ef98b39](ef98b39))
* **shims,docs:** resolve CodeQL and AI code quality findings ([#388](#388)) ([63ec93f](63ec93f))

---

This PR was generated with [simple-release](https://github.com/TrigenSoftware/simple-release).

<details>
<summary>📄 Cheatsheet</summary>
<br>

You can configure the bot's behavior through a pull request comment using the `!simple-release/set-options` command.

### Command Format

````md
!simple-release/set-options
```json
{
  "bump": {},
  "publish": {}
}
```
````

### Useful Parameters

#### Bump

| Parameter | Type | Description |
|-----------|------|-------------|
| `version` | `string` | Force set specific version |
| `as` | `'major' \| 'minor' \| 'patch' \| 'prerelease'` | Release type |
| `prerelease` | `string` | Pre-release identifier (e.g., "alpha", "beta") |
| `firstRelease` | `boolean` | Whether this is the first release |
| `skip` | `boolean` | Skip version bump |
| `byProject` | `Record<string, object>` | Per-project bump options for monorepos |

#### Publish

| Parameter | Type | Description |
|-----------|------|-------------|
| `skip` | `boolean` | Skip publishing |
| `access` | `'public' \| 'restricted'` | Package access level |
| `tag` | `string` | Tag for npm publication |

### Usage Examples

#### Force specific version

````md
!simple-release/set-options
```json
{
  "bump": {
    "version": "2.0.0"
  }
}
```
````

#### Force major bump

````md
!simple-release/set-options
```json
{
  "bump": {
    "as": "major"
  }
}
```
````

#### Create alpha pre-release

````md
!simple-release/set-options
```json
{
  "bump": {
    "prerelease": "alpha"
  }
}
```
````

#### Publish with specific access and tag

````md
!simple-release/set-options
```json
{
  "bump": {
    "prerelease": "beta"
  },
  "publish": {
    "access": "public",
    "tag": "beta"
  }
}
```
````

### Access Restrictions

The command can only be used by users with permissions:

- repository owner
- organization member
- collaborator

### Notes

- The last comment with `!simple-release/set-options` command takes priority
- JSON must be valid, otherwise the command will be ignored
- Parameters apply only to the current release execution
- The command can be updated by editing the comment or adding a new one

</details>

<!-- Please do not edit this comment. simple-release-pull-request: true simple-release-branch-from: release simple-release-branch-to: main -->

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Summary
Resolves all open findings from GitHub Security > Code Quality (both standard CodeQL and AI-powered findings).
Standard findings (CodeQL) — 10 findings across 4 shims
C# shim (shims/nuget/Archgate.Tool/Program.cs):
- Replace `catch (Exception)` / bare `catch` with specific exception types (`HttpRequestException`, `IOException`, etc.)
- Use `Path.Join` instead of `Path.Combine` to avoid silent argument dropping when a later arg is absolute
- Replace `foreach` + `break` with LINQ `FirstOrDefault`

Java shim (shims/maven/.../Shim.java):
- Wrap `Long.parseLong(sizeStr, 8)` in try-catch to handle corrupt tar headers with non-octal size fields

Python shim (shims/pypi/archgate/_shim.py, shims/pypi/tests/test_shim.py):
- Remove unused `import os`
- Consolidate `import unittest` / `from unittest import mock` into a single import

AI findings (validated) — 7 findings across 5 files

Go shim (shims/go/internal/shim/shim.go):
- Make a missing checksum a hard failure instead of a silent warning

Docs (docs/src/content/docs/reference/):
- Fix `GrepMatch.file` description from "Absolute path" to "Project-relative path" (en, nb, pt-br) — verified against the `runner.ts` implementation
- Remove duplicate `## RuleSet` sections at the bottom of rule-api pages (en, nb, pt-br)
- Correct `init.mdx` generated filenames: `ARCH-001-example` → `GEN-001-example`, `archgate.config.ts` → `README.md` — verified against `init-project.ts`

Toolchain
- Add `.prototools` so shim tests can run locally via proto

Test plan
- `bun run validate` passes (lint, typecheck, format, test, ADR check, knip, build)
- `pytest shims/pypi/tests/ -v` — 15/15
- `go test ./...` — 7/7
- `dotnet test` — 7/7
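The Go shim change above (a missing checksum becomes a hard failure rather than a logged warning) is the supply-chain-relevant fix in this PR. The following is an added illustration, not the archgate shim's own code: it verifies a downloaded asset against a checksum manifest and rejects the download when the entry is absent, malformed or wrong. The manifest format (`<sha256 hex>  <filename>` per line, sha256sum style) and the asset names are assumptions.

```go
// Added example, not the archgate shim's own code. Assumed manifest format:
// one "<sha256 hex>  <filename>" per line, as produced by sha256sum.
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var ErrChecksumMissing = errors.New("no checksum entry for asset")
var ErrChecksumMismatch = errors.New("checksum mismatch")

// parseManifest maps filename to expected digest; a malformed line rejects
// the whole manifest rather than silently dropping the entry.
func parseManifest(manifest string) (map[string][]byte, error) {
	out := map[string][]byte{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue // blank line
		}
		digest, err := hex.DecodeString(fields[0])
		if len(fields) != 2 || err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("malformed manifest line: %q", sc.Text())
		}
		out[fields[1]] = digest
	}
	return out, nil
}

// VerifyAsset: a missing entry is an error, never a warning to skip past.
func VerifyAsset(manifest, name string, data []byte) error {
	entries, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return fmt.Errorf("%w: %s", ErrChecksumMissing, name)
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("%w: %s", ErrChecksumMismatch, name)
	}
	return nil
}
```

Callers should only write the downloaded binary to disk (or mark it executable) after `VerifyAsset` returns nil; `errors.Is` against the two sentinel errors distinguishes "no checksum published" from "checksum did not match" for logging.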