Skip to content

[jsweep] Clean harness_retry_config.cjs#45378

Merged
pelikhan merged 3 commits into
mainfrom
signed/jsweep/harness-retry-config-c98f57685f1a4e05
Jul 14, 2026
Merged

[jsweep] Clean harness_retry_config.cjs#45378
pelikhan merged 3 commits into
mainfrom
signed/jsweep/harness-retry-config-c98f57685f1a4e05

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

Cleaned actions/setup/js/harness_retry_config.cjs as part of the JavaScript unbloat initiative.

Changes

harness_retry_config.cjs

  • Added // @ts-check`` to enable TypeScript type checking on the file
  • Exported parseRetryConfigNumber to make it directly testable
  • No logic changes — behavior is fully preserved

Context type: Node.js

harness_retry_config.test.cjs (new file)

Created a comprehensive test file with 18 test cases covering:

parseRetryConfigNumber:

  • Returns default when env var is unset or empty
  • Parses valid integers correctly
  • Rejects exponential notation (1e3) and hex (0x10)
  • Returns default when value is below minimum
  • Accepts floats when allowFloat: true
  • Rejects floats when allowFloat is false (default)
  • Calls logger callback on invalid values
  • Trims whitespace from values

resolveRetryConfig:

  • Returns correct defaults when no env vars are set
  • Reads maxRetries, initialDelayMs, backoffMultiplier, maxDelayMs from env
  • Clamps maxRetries to cap of 100 and logs warning
  • Clamps maxDelayMs to initialDelayMs when lower and logs warning
  • Works with no arguments (uses process.env)

Validation ✅

All checks passed:

  • Formatting: npm run format:cjs
  • Linting: npm run lint:cjs
  • Type checking: npm run typecheck
  • Tests: npm run test:js ✓ (18/18 tests pass)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • traces.example.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "traces.example.com"

See Network Configuration for more information.

Generated by 🧹 jsweep - JavaScript Unbloater · 70.8 AIC · ⌖ 8.93 AIC · ⊞ 7.7K ·

  • expires on Jul 15, 2026, 8:49 PM UTC-08:00

- Add // @ts-check to enable type checking
- Export parseRetryConfigNumber for testability
- Create harness_retry_config.test.cjs with 18 test cases covering:
  - parseRetryConfigNumber: empty/missing env vars, valid integers, floats,
    exponential/hex rejection, minimum enforcement, whitespace trimming, logger callback
  - resolveRetryConfig: defaults, env var overrides, maxRetries capping,
    maxDelayMs clamping, process.env fallback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review July 14, 2026 07:01
Copilot AI review requested due to automatic review settings July 14, 2026 07:01
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #45378 does not have the 'implementation' label and has 0 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ PR Code Quality Reviewer failed to deliver outputs during code quality review.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the JavaScript retry-config parsing harness used by actions/setup/js by enabling TypeScript checking and adding unit tests, while keeping runtime behavior unchanged.

Changes:

  • Enabled // @ts-check on harness_retry_config.cjs for stronger static validation.
  • Exported parseRetryConfigNumber so it can be directly unit-tested.
  • Added a new Vitest suite covering parseRetryConfigNumber and resolveRetryConfig behaviors and edge cases.
Show a summary per file
File Description
actions/setup/js/harness_retry_config.cjs Enables @ts-check and exports parseRetryConfigNumber for direct testing without changing logic.
actions/setup/js/harness_retry_config.test.cjs Adds a focused Vitest suite validating numeric parsing rules and retry-config resolution/clamping behavior.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions github-actions Bot mentioned this pull request Jul 14, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: [jsweep] Clean harness_retry_config.cjs

One blocking issue found in the new test file.

Blocking: harness_retry_config.test.cjs uses ES module import syntax (lines 3-4), but .cjs files are treated as CommonJS by Node.js -- static import is a syntax error in CJS modules. This would cause tests to fail at runtime despite the PR description claiming all 18 tests pass.

The fix is to use require() calls instead of import, or rename the file to .mjs/.js with appropriate Vitest config.

The source file changes (// @ts-check`` and exporting parseRetryConfigNumber) are clean and correct.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 14.8 AIC · ⌖ 5.46 AIC · ⊞ 4.8K

@@ -0,0 +1,115 @@
// @ts-check

import { describe, it, expect } from "vitest";

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: ES module import in a .cjs file

import { describe, it, expect } from "vitest";
import { resolveRetryConfig, parseRetryConfigNumber } from "./harness_retry_config.cjs";

.cjs files are treated as CommonJS by Node.js (and bundlers), which does not support static import declarations. This will throw a SyntaxError at runtime/test-time.

Fix — replace the imports with require:

const { describe, it, expect } = require("vitest");
const { resolveRetryConfig, parseRetryConfigNumber } = require("./harness_retry_config.cjs");

Or rename the file to harness_retry_config.test.mjs / harness_retry_config.test.js (if the project allows ESM tests) and update the test runner config accordingly.

@copilot please address this.

@github-actions

Copy link
Copy Markdown
Contributor Author

🧪 Test Quality Sentinel Report

🔶 Test Quality Score: 53/100 — Needs improvement

Analyzed 18 test(s): 14 design, 4 implementation, 0 violation(s).

📊 Metrics (18 tests)
Metric Value
Analyzed 18 (Go: 0, JS: 18)
✅ Design 14 (78%)
⚠️ Implementation 4 (22%)
Edge/error coverage 7 (39%)
Duplicate clusters 0
Inflation Yes (115 test lines added : 2 prod lines changed)
🚨 Violations 0
Test File Classification Issues
returns defaultValue when env var is not set harness_retry_config.test.cjs design_test
returns defaultValue when env var is empty string harness_retry_config.test.cjs design_test
parses a valid integer harness_retry_config.test.cjs design_test
rejects exponential notation integers harness_retry_config.test.cjs design_test ✅ edge
rejects hex notation harness_retry_config.test.cjs design_test ✅ edge
returns defaultValue when value is below minimum harness_retry_config.test.cjs design_test ✅ edge
accepts float when allowFloat is true harness_retry_config.test.cjs design_test
rejects float when allowFloat is false (default) harness_retry_config.test.cjs design_test ✅ edge
calls logger on invalid value harness_retry_config.test.cjs design_test ✅ edge
trims whitespace from value harness_retry_config.test.cjs design_test ✅ edge
returns defaults when no env vars are set harness_retry_config.test.cjs design_test
reads maxRetries from env harness_retry_config.test.cjs implementation_test Verifies env var mapping only
clamps maxRetries to MAX_RETRIES_CAP (100) harness_retry_config.test.cjs design_test ✅ edge
reads initialDelayMs from env harness_retry_config.test.cjs implementation_test Verifies env var mapping only
reads backoffMultiplier as float from env harness_retry_config.test.cjs implementation_test Verifies env var mapping only
clamps maxDelayMs to initialDelayMs when lower harness_retry_config.test.cjs design_test ✅ edge
reads maxDelayMs from env harness_retry_config.test.cjs implementation_test Verifies env var mapping only
uses process.env when no env argument provided harness_retry_config.test.cjs design_test
⚠️ Flagged Tests (4 — implementation detail)

reads maxRetries from env, reads initialDelayMs from env, reads backoffMultiplier as float from env, reads maxDelayMs from env — These tests assert that a specific env var name is wired to the corresponding config field, which is an implementation detail (env var mapping). They would not catch a behavioral regression where the correct value is computed incorrectly after parsing. Consider supplementing with tests that exercise downstream behavior (e.g., actual backoff sequence). No action required — ratio is 22%, below the 30% threshold.

Inflation note: The new test file adds 115 lines while only 2 prod lines were changed in this PR. Since the test file is entirely new and covers pre-existing production code, this ratio is expected and acceptable.

Verdict

Passed. 22% implementation tests (threshold: 30%). No guideline violations. Score of 53/100 reflects test inflation ratio (new test file, 115 lines, vs. 2 prod lines changed in this PR).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 28.4 AIC · ⌖ 8.22 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 53/100. 22% implementation tests (threshold: 30%). No guideline violations.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /tdd — one minor finding, otherwise a solid PR.

📋 Key Themes & Highlights

Finding

  • Import style inconsistency (line 4 of test file): the module under test is loaded via ES import rather than require(), which is the established pattern in every other .test.cjs in this directory.

Positive Highlights

  • ✅ Comprehensive coverage: 18 test cases covering defaults, clamping, invalid formats, floats, whitespace trimming, and logger callbacks
  • ✅ Exporting parseRetryConfigNumber is the right seam to enable direct unit testing
  • ✅ All CI checks passed; no logic changes in production code
  • ✅ Good use of inline JSDoc @type annotations in test bodies

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 27 AIC · ⌖ 4.43 AIC · ⊞ 6.6K
Comment /matt to run again

// @ts-check

import { describe, it, expect } from "vitest";
import { resolveRetryConfig, parseRetryConfigNumber } from "./harness_retry_config.cjs";

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] Uses ES named import to load the CJS module under test, inconsistent with every other .test.cjs in this directory which uses require().

💡 Suggested fix

All sibling test files follow this pattern:

import { describe, it, expect } from "vitest";
const { resolveRetryConfig, parseRetryConfigNumber } = require("./harness_retry_config.cjs");

Using import from a .cjs file works today via vitest's CJS interop, but it silently diverges from the established convention and could behave unexpectedly if the interop rules change. Keeping the pattern consistent also makes it easier for contributors to follow.

@copilot please address this.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

@github-actions

Copy link
Copy Markdown
Contributor Author

Sighthound Security Scan — PR #45378

126 findings from automated scan (run 29319221906). After triage, most are false positives or low-risk in this codebase context.

Summary by severity

Severity Count
Critical 47
High 18
Medium 61

Findings requiring attention

1. Path Traversal — actions/setup/src/index.js:30 (High)

path.join(destination, filename)

If filename can be attacker-controlled (e.g., via a crafted archive entry), this could escape the destination directory. Validate filename does not contain .. segments before joining.

2. Path Traversal — pkg/cli/download_workflow.go:105 (High)

os.WriteFile(sparseCheckoutFile, []byte(path+"\n"), constants.FilePermSensitive)

Ensure path is validated/sanitized before writing to sparseCheckoutFile.

3. Command Injection — exec.Command calls (High)

Multiple calls in dependabot.go, pip_validation.go, gitutil.go, runner_guard.go pass externally-derived values. While exec.Command avoids shell injection, argument values should be validated.

4. Insecure Randomness — pr_helpers.go, add_workflow_pr.go (Medium)

math/rand.Intn for PR branch name suffixes — low risk but worth noting.


Confirmed false positives

Finding type Count Reason
Unsafe Deserialization 54 yaml.Unmarshal on internal content — not a Java-style risk
Code Injection 17 eval in bundled test framework, not app code
SSRF in testdata 6 Intentional linter test fixtures
ReDoS, DOM XSS, postMessage 5 Low-risk docs/editor UI

Scan performed by Sighthound. Triage by agent.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by 🛡️ Sighthound Security Scan for #45378 · 21.5 AIC · ⌖ 7.84 AIC · ⊞ 4.1K ·

….cjs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot run pr-finisher skill

Done. Changed line 4 to use require() for the CJS module under test, consistent with the pattern in all other .test.cjs files (e.g., add_labels.test.cjs, dispatch_repository.test.cjs). The import for vitest on line 3 is intentionally kept — that's the established convention across the codebase. All 18 tests still pass.

Copilot AI requested a review from pelikhan July 14, 2026 09:05
@pelikhan pelikhan merged commit 923bc0c into main Jul 14, 2026
27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants