docs: correct misleading comments in mirror-to-freenet workflow#4041
Merged
## Problem

Two comment-accuracy issues flagged by the code-first reviewer on freenet-stdlib#71 (the sibling caller of the same reusable workflow). Same misleading comments shipped here in #4040 before the review pass:

1. The cron offset comment claimed "11:42 UTC = mid-morning US" without explaining the relationship to freenet-stdlib's 12:53. The actual reusable workflow's `concurrency:` group keys on `inputs.freenet_repo`, so freenet-core and freenet-stdlib are in separate groups and cannot contend with each other regardless of timing. The stagger is purely for log readability.
2. The SHA-pin comment implied the pin closed the entire supply chain. It does not -- the reusable workflow's `cargo install freenet-git --locked` step still pulls `latest` from crates.io, so a malicious freenet-git release would still execute under this caller's secrets. The pin closes the workflow-definition vector, not the binary-install vector.

## Solution

Reword the cron comment to call out what the concurrency group actually protects against. Add a "Note:" paragraph to the SHA-pin comment acknowledging the binary-install gap and the conditions under which it'd be worth tightening (override `freenet_git_version` if we lose control of crates.io publishing for that crate).

Behavior is unchanged. Same fix landed in freenet-stdlib#71 already.

## Testing

- `python3 -c 'import yaml; yaml.safe_load(open(...))'` parses.
- No behavioral change, so no regression test surface.

[AI-assisted - Claude]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
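A check for the two vectors the description separates, as an added example that is not the freenet project's own code: it flags `uses:` references that are not pinned to a full commit SHA and `cargo install` steps that pin nothing beyond `--locked`. It is a line-oriented regex pass rather than a YAML parser, and the org/repo path and SHA in the constructed inputs are placeholders.

```python
"""Added example (not the freenet project's code): lint a workflow file for the two
vectors the PR separates. `uses:` must be pinned to a full 40-hex commit SHA (the
workflow-definition vector); `cargo install <crate>` from crates.io must pin a version,
since `--locked` only fixes the dependency graph, not which crate version is fetched."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
CARGO_RE = re.compile(r"cargo\s+install\s+([^#]+)")

def check_uses(ref):
    """None if `ref` is SHA-pinned (or not a git ref), else a finding string."""
    ref = ref.strip("\"'")
    if ref.startswith(("./", "docker://")):
        return None  # same-repo workflow or container image: not a git ref
    target, _, version = ref.rpartition("@")
    if not target:
        return f"{ref}: no ref at all, resolves to the default branch"
    return None if SHA_RE.match(version) else \
        f"{target}: pinned to mutable ref '{version}', not a commit SHA"

def check_cargo_install(argstr):
    """None if the crates.io install pins a version, else a finding string."""
    args = argstr.split()
    if "--git" in args or "--path" in args:
        return None  # not a crates.io install; out of scope here
    if any(a == "--version" or a.startswith("--version=") for a in args):
        return None
    unpinned = [a for a in args if not a.startswith("-") and "@" not in a]
    if not unpinned:
        return None
    return f"{' '.join(unpinned)}: no --version, crates.io resolves latest"

def lint_workflow(text):
    """Return one finding per offending line of a workflow file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and (f := check_uses(m.group(1))):
            findings.append(f"line {n}: {f}")
        m = CARGO_RE.search(line)
        if m and (f := check_cargo_install(m.group(1))):
            findings.append(f"line {n}: {f}")
    return findings

# Constructed inputs: the org/repo path and the SHA are placeholders, not freenet's values.
REUSABLE_WEAK = "steps:\n  - run: cargo install freenet-git --locked\n"
REUSABLE_FIXED = ("steps:\n  - run: cargo install freenet-git --locked"
                  " --version ${{ inputs.freenet_git_version }}\n")
CALLER_WEAK = "jobs:\n  mirror:\n    uses: example-org/mirror/.github/workflows/mirror.yml@main\n"
CALLER_FIXED = CALLER_WEAK.replace("@main", "@" + "0123456789abcdef" * 2 + "01234567")
```

Running `lint_workflow` over the weak caller and the weak reusable workflow yields one finding each; the fixed variants yield none, which is the state the PR's reworded comments describe.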
Rule Review: No issues found
Rules checked: The PR is a
No rule violations detected. Rule review against |
## Fixes
Code-first reviewer's findings #3 and #4/#7 from freenet-stdlib#71's review thread.