4 changes: 4 additions & 0 deletions .github/workflows/tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -726,6 +726,10 @@ jobs:

- name: Prepare Complement's Prerequisites
run: synapse/.ci/scripts/setup_complement_prerequisites.sh
env:
# Beep: older version of complement since we have not
# upgraded synapse in a while
GITHUB_HEAD_REF: "1de64122c351539624c943d0ad7433e7b75e1ae0"
Comment on lines +729 to +732

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Pin set in workflow:"
nl -ba .github/workflows/tests.yml | sed -n '724,736p'

echo
echo "Fallback order in Complement checkout script:"
nl -ba .ci/scripts/checkout_complement.sh | sed -n '14,30p'

Repository: beeper/synapse

Length of output: 138


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking workflow file (lines 724-736) ==="
if [ -f .github/workflows/tests.yml ]; then
  sed -n '724,736p' .github/workflows/tests.yml | cat -n
else
  echo "File not found: .github/workflows/tests.yml"
fi

echo
echo "=== Checking checkout_complement.sh (lines 1-50) ==="
if [ -f .ci/scripts/checkout_complement.sh ]; then
  sed -n '1,50p' .ci/scripts/checkout_complement.sh | cat -n
else
  echo "File not found: .ci/scripts/checkout_complement.sh"
fi

Repository: beeper/synapse

Length of output: 1959


Make the Complement pin fail-closed instead of silently falling back.

Line 732 pins GITHUB_HEAD_REF to 1de64122c351539624c943d0ad7433e7b75e1ae0, but synapse/.ci/scripts/checkout_complement.sh (line 18) iterates through multiple fallback branches (GITHUB_HEAD_REF → GITHUB_BASE_REF → GITHUB_REF → HEAD). If the SHA fetch fails—due to typo, availability issues, or network problems—the script silently continues to the next fallback without error, potentially pinning to an unintended Complement version.

Add a strict pin mode in checkout_complement.sh that rejects fallbacks when a pin is explicitly provided, or add a verification step that exits if the requested SHA was not successfully fetched.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 729 - 732, The workflow pins
Complement via GITHUB_HEAD_REF but checkout_complement.sh currently falls back
silently (iterating GITHUB_HEAD_REF → GITHUB_BASE_REF → GITHUB_REF → HEAD);
update checkout_complement.sh to implement a strict-pin mode: when
GITHUB_HEAD_REF (or an explicit PIN_SHA env var) is set, attempt to
fetch/checkout that SHA only and exit non-zero with an error if that exact SHA
cannot be resolved, or alternatively add a verification step after checkout that
compares the resolved commit against GITHUB_HEAD_REF and fails if they differ;
modify the script's logic around the current branch-resolution loop (the code
that reads GITHUB_HEAD_REF/GITHUB_BASE_REF/GITHUB_REF/HEAD) to enforce this
behavior and return a non-zero exit code on mismatch.
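A fail-closed variant of the pin check the comment above asks for, as an added bash example; it is not the repository's checkout_complement.sh, and the function name strict_checkout and its REPO_DIR/PIN_SHA arguments are assumptions. It fetches only the requested SHA and then verifies HEAD, returning non-zero on any failure or mismatch instead of trying another ref.

```shell
#!/usr/bin/env bash
# Added example, not code from beeper/synapse: a fail-closed checkout for a
# pinned Complement commit. strict_checkout and its arguments are assumptions.

# strict_checkout REPO_DIR PIN_SHA
# Returns 0 only when the working tree in REPO_DIR ends up at exactly PIN_SHA.
# A failed fetch or checkout, or a HEAD that differs from the requested SHA,
# returns non-zero instead of falling through to GITHUB_BASE_REF/GITHUB_REF/HEAD.
strict_checkout() {
  local repo_dir="$1" pin="$2" resolved

  # Accept only a full 40-character lowercase SHA: branch names and short
  # SHAs can move or be ambiguous, so they are not a pin.
  case "$pin" in
    '' | *[!0-9a-f]*)
      echo "strict_checkout: pin must be a lowercase hex SHA, got '$pin'" >&2
      return 2 ;;
  esac
  if [ "${#pin}" -ne 40 ]; then
    echo "strict_checkout: pin must be 40 hex chars, got ${#pin}" >&2
    return 2
  fi

  # Fetch exactly that object from origin; there is deliberately no fallback list.
  if ! git -C "$repo_dir" fetch origin "$pin"; then
    echo "strict_checkout: could not fetch $pin from origin" >&2
    return 1
  fi
  if ! git -C "$repo_dir" checkout --detach "$pin"; then
    echo "strict_checkout: could not check out $pin" >&2
    return 1
  fi

  # Post-condition check: HEAD must resolve to the SHA we asked for.
  resolved="$(git -C "$repo_dir" rev-parse HEAD)" || return 1
  if [ "$resolved" != "$pin" ]; then
    echo "strict_checkout: expected $pin but HEAD is $resolved" >&2
    return 1
  fi
  echo "strict_checkout: Complement pinned to $resolved"
}
```

In the workflow this would replace the fallback loop for the step that sets the pin, e.g. `strict_checkout complement "$GITHUB_HEAD_REF"`.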


- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
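Review bot: the `# Beep:` comment above GITHUB_HEAD_REF records why Complement is pinned (synapse has not been upgraded in a while) but not what the SHA 1de64122c351539624c943d0ad7433e7b75e1ae0 corresponds to or what breaks with a newer Complement, so nobody can tell when the pin is safe to drop; consider noting the Complement version or date and the incompatibility in that comment. Setting GITHUB_HEAD_REF at step level also overrides a variable GitHub itself populates on pull_request runs (the PR head branch), so a short note that the Complement checkout script reads it as the ref to check out would make the repurposing explicit to the next reader.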