Skip to content

Commit bf6c2ac

Browse files
committed
Merge remote-tracking branch 'base/main' into sdcg-poc
# Conflicts: # be/src/exec/file_scanner/json_scanner.cpp
2 parents 63abcea + bed4395 commit bf6c2ac

761 files changed

Lines changed: 24382 additions & 5720 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/ai-sr-skills.yml

Lines changed: 77 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -230,15 +230,35 @@ jobs:
230230
# the GitHub REST API (GITHUB_TOKEN injected). --comment applies a strict confidence gate and emits
231231
# either a sticky-marked briefing or the sentinel "MODULE-RISK: none" (then we post nothing).
232232
#
233-
# SECURITY (pull_request_target): this job injects secrets (GITHUB_TOKEN, CLAUDE_CODE_OAUTH_TOKEN)
234-
# into `claude --dangerously-skip-permissions`, which reads attacker-influenceable PR body/diff and
235-
# whose output is posted back to the PR. An untrusted author could prompt-inject the model to run
236-
# bash / emit secrets (e.g. after the marker) and have them published. So it is GATED to TRUSTED
237-
# authors only (author_association OWNER/MEMBER/COLLABORATOR = write access); external / first-time
238-
# contributors never reach the model. (assign-reviewer tolerates all authors because its host step
239-
# extracts only login-shaped tokens — a strict whitelist; module-risk's output is free-form, so it
240-
# needs the author gate. The marker-bounded extraction below is defense-in-depth, not the control.)
241-
# For an external PR a maintainer can still run /github-pr-module-risk:review manually.
233+
# TRIGGER: every human-authored PR event (opened/reopened/synchronize/ready_for_review), minus
234+
# mergify/ and *-sync-pr-* automation branches and Bot-typed authors. It intentionally does NOT
235+
# restrict to org members / collaborators — external contributors are briefed too (deliberate; see
236+
# the SECURITY note below for the accepted risk).
237+
#
238+
# Why no trusted-author gate: the prior `author_association in [OWNER,MEMBER,COLLABORATOR]` check
239+
# silently skipped EVERY PR. In the pull_request_target payload `author_association` reflects only
240+
# PUBLICLY-visible org membership, and StarRocks committers keep membership private, so they arrive
241+
# as CONTRIBUTOR and the gate matched nobody (module-risk never ran once since it was added). The
242+
# replacement `github.event.pull_request.user.type != 'Bot'` keeps automation (mergify[bot],
243+
# dependabot, ...) out while briefing all human PRs.
244+
#
245+
# SECURITY (pull_request_target): the briefing runs attacker-influenceable PR body/diff through
246+
# `claude --dangerously-skip-permissions` with secrets in env, so a malicious PR can prompt-inject
247+
# the model to run bash and try to exfiltrate whatever the container holds. To bound the blast
248+
# radius the work is SPLIT into two jobs:
249+
# * module-risk (runs the model): its GITHUB_TOKEN is scoped READ-only (job `permissions:` below),
250+
# so an injected run cannot write to the repo or steal a write-capable token. It never posts —
251+
# it only hands the briefing text to the next job via a job output.
252+
# * module-risk-comment (posts the comment): holds the pull-requests:write token, never runs the
253+
# model, and receives the untrusted body through env (never spliced into a command via ${{ }}),
254+
# so an injected body cannot inject shell. The body crosses the job boundary base64-encoded, so
255+
# it also cannot forge the job-output framing.
256+
# Residual risk: CLAUDE_CODE_OAUTH_TOKEN still lives in the model container and a determined
257+
# injection could exfiltrate it — that is a Claude billing/abuse exposure (rotatable), NOT repo
258+
# write or supply-chain. Closing it fully needs container network-egress allowlisting
259+
# (anthropic / github / context-base only); tracked separately. (assign-reviewer stays safe for any
260+
# author because its host step extracts only login-shaped tokens — a strict whitelist; module-risk's
261+
# output is free-form.)
242262
module-risk:
243263
runs-on: [self-hosted, normal]
244264
# Dedup rapid pushes for THIS job only (a new event cancels the in-flight briefing run).
@@ -248,57 +268,85 @@ jobs:
248268
group: ai-sr-skills-module-risk-${{ github.event.number }}
249269
cancel-in-progress: true
250270
continue-on-error: true
271+
# READ-only token: this job runs the model on untrusted PR content, so it must NOT hold a
272+
# write-capable token (see SECURITY above). The sibling module-risk-comment job does the posting.
273+
permissions:
274+
contents: read
275+
pull-requests: read
251276
if: >
252277
(github.event.action == 'opened' || github.event.action == 'reopened' ||
253278
github.event.action == 'synchronize' || github.event.action == 'ready_for_review') &&
254279
!startsWith(github.head_ref, 'mergify/') &&
255280
!contains(github.head_ref, '-sync-pr-') &&
256-
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)
281+
github.event.pull_request.user.type != 'Bot'
282+
outputs:
283+
# base64 of the marker-to-EOF briefing (empty when there is nothing to post). base64 keeps the
284+
# untrusted body to a single [A-Za-z0-9+/=] line so it can neither forge the job-output framing
285+
# nor inject anything when the comment job consumes it.
286+
body: ${{ steps.brief.outputs.body }}
257287
env:
258288
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
259289
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
260290
PR_URL: ${{ github.event.pull_request.html_url }}
261-
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
262291
steps:
263292
- name: Module-risk briefing (AI, read-only)
293+
id: brief
264294
run: |
265295
# Namespaced plugin command (a bare /review would NOT resolve in headless -p — it would be
266-
# treated as prompt text and silently no-op). tee captures stdout for the upsert step.
296+
# treated as prompt text and silently no-op). tee captures stdout for extraction below.
267297
docker exec -i -u claudeuser \
268298
-e GITHUB_TOKEN="${GITHUB_TOKEN}" \
269299
-e CLAUDE_CODE_OAUTH_TOKEN="${CLAUDE_CODE_OAUTH_TOKEN}" \
270300
claude-cli claude --dangerously-skip-permissions \
271301
-p "/github-pr-module-risk:review ${PR_URL} --comment" 2>&1 | tee "${RUNNER_TEMP}/module_risk.txt" || true
302+
# The skill emits the briefing starting at the marker line, or "MODULE-RISK: none" (no
303+
# marker) when nothing clears the confidence gate. Take from the marker to EOF as the body
304+
# (empty for no marker / sentinel / error => the comment job posts nothing); sed from the
305+
# marker also strips any claude preamble before it. Hand it to the comment job base64-encoded
306+
# on a single line (see the `outputs:` note above).
307+
out="${RUNNER_TEMP}/module_risk.txt"
308+
marker="<!-- module-risk-briefing -->"
309+
b64=""
310+
[ -f "$out" ] && b64="$(sed -n "/$marker/,\$p" "$out" 2>/dev/null | base64 -w0 || true)"
311+
echo "body=${b64}" >> "$GITHUB_OUTPUT"
272312
313+
module-risk-comment:
314+
needs: module-risk
315+
runs-on: [self-hosted, normal]
316+
continue-on-error: true
317+
# Holds the write token and does the posting; it never runs the model, so untrusted PR content
318+
# never meets a write-capable token. Skipped when the brief produced no briefing (empty output),
319+
# and (via `needs`) when the brief job itself was gated out.
320+
permissions:
321+
pull-requests: write
322+
if: ${{ needs.module-risk.outputs.body != '' }}
323+
env:
324+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
325+
PR: ${{ github.event.number }}
326+
REPO: ${{ github.repository }}
327+
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
328+
# Untrusted (model-produced) body, base64. Passed via env, never spliced into a command via
329+
# ${{ }}, so a prompt-injected body cannot inject shell.
330+
BODY_B64: ${{ needs.module-risk.outputs.body }}
331+
steps:
273332
- name: Upsert sticky comment
274-
env:
275-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
276-
PR: ${{ github.event.number }}
277-
REPO: ${{ github.repository }}
278333
run: |
279-
out="${RUNNER_TEMP}/module_risk.txt"
280334
marker="<!-- module-risk-briefing -->"
281-
[ -f "$out" ] || { echo "no skill output, skip"; exit 0; }
282-
# The skill emits the briefing starting at the marker line, or "MODULE-RISK: none" (no
283-
# marker) when nothing clears the confidence gate. Take from the marker to EOF as the body;
284-
# empty (no marker / sentinel / error) => post nothing. sed from the marker also strips any
285-
# claude preamble before it.
286-
body="$(sed -n "/$marker/,\$p" "$out" 2>/dev/null || true)"
335+
body="$(printf '%s' "$BODY_B64" | base64 -d 2>/dev/null || true)"
287336
if [ -z "$body" ]; then
288337
echo "no high-confidence, diff-aligned module risk — not commenting"
289338
exit 0
290339
fi
291-
# Stamp the PR head SHA as line 2 (right after the marker, which sed guaranteed is line 1)
292-
# so reviewers can detect a briefing that predates the latest push. awk avoids sed escaping
293-
# pitfalls; the SHA is hex so it is injection-safe. Applies to both the real briefing and the
294-
# incomplete-coverage caveat (both carry the marker as line 1).
340+
# Stamp the PR head SHA as line 2 (right after the marker, which the brief job's sed
341+
# guaranteed is line 1) so reviewers can detect a briefing that predates the latest push.
342+
# awk avoids sed escaping pitfalls; the SHA is hex so it is injection-safe.
295343
sha_line="<!-- module-risk-head-sha: ${PR_HEAD_SHA} -->"
296344
printf '%s\n' "$body" \
297345
| awk -v s="$sha_line" 'NR==1{print; print s; next} {print}' \
298346
> "${RUNNER_TEMP}/mr_body.md"
299347
# Sticky: edit our existing marked comment if present, else create one. Idempotent across
300-
# reopen / workflow rerun (the marker identifies our comment; gh is host-side, not in the
301-
# container). PATCH body is JSON-built with jq so markdown is escaped correctly.
348+
# reopen / workflow rerun (the marker identifies our comment). PATCH body is JSON-built with
349+
# jq so markdown is escaped correctly.
302350
existing="$(gh api --paginate "repos/$REPO/issues/$PR/comments" \
303351
--jq ".[] | select(.body | contains(\"$marker\")) | .id" 2>/dev/null | head -1 || true)"
304352
if [ -n "$existing" ]; then

.github/workflows/inspection-pipeline.yml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,13 @@
11
name: INSPECTION PIPELINE
22

33
on:
4-
schedule:
5-
- cron: "0 0 * * 1-5"
6-
- cron: "30 4 * * 1-5"
7-
- cron: "0 11 * * 1,3,5"
8-
- cron: "0 11 * * 2,4"
4+
# Scheduled inspection runs disabled 2026-07-08: the runs are not currently
5+
# meaningful. Kept here (commented) for easy re-enable. Manual dispatch stays.
6+
# schedule:
7+
# - cron: "0 0 * * 1-5"
8+
# - cron: "30 4 * * 1-5"
9+
# - cron: "0 11 * * 1,3,5"
10+
# - cron: "0 11 * * 2,4"
911
workflow_dispatch:
1012
inputs:
1113
BRANCH:

be/AGENTS.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -199,15 +199,15 @@ Format module for core format primitives and concrete CSV, JSON, Avro, ORC, and
199199
- Remediation: Keep format code inside the Format module; move connector orchestration and higher execution policy upward.
200200

201201
### StoragePrimitive (`storageprimitive`)
202-
Shared storage-access primitives, predicate contracts, predicate trees, iterator contracts, and value/schema types used by Storage, Exec, Connector, Format, and ComputeEnv without concrete Storage engine, tablet, rowset, lake, service, or full Exec coupling.
202+
Shared storage-access primitives, predicate contracts, predicate trees, iterator/merge/aggregation helpers, and value/schema types used by Storage, Exec, Connector, Format, and ComputeEnv without concrete Storage engine, tablet, rowset, lake, service, or full Exec coupling.
203203
- Targets: `StoragePrimitive`
204204
- Allowed internal include prefixes: `storage_primitive/`, `exprs/`, `runtime/`, `column/`, `types/`, `common/`, `base/`, `gutil/`, `gen_cpp/`
205-
- Allowed target deps: `Expr`, `Runtime`, `ChunkCore`, `ColumnCore`, `Types`, `Common`, `Base`, `Gutil`, `StarRocksGen`
205+
- Allowed target deps: `Expr`, `Runtime`, `ColumnSortCore`, `ChunkCore`, `ColumnCore`, `Types`, `Common`, `Base`, `Gutil`, `StarRocksGen`
206206
- Core tests: `storage_primitive_test`
207-
- Remediation: Keep StoragePrimitive limited to reusable storage-access contracts, predicate contracts, predicate trees, iterator contracts, and value/schema types; move concrete storage engine, tablet, rowset, lake, service, concrete connector, and full Exec integration upward.
207+
- Remediation: Keep StoragePrimitive limited to reusable storage-access contracts, predicate contracts, predicate trees, iterator/merge/aggregation helpers, and value/schema types; move concrete storage engine, tablet, rowset, lake, service, concrete connector, and full Exec integration upward.
208208

209209
### StorageBase (`storagebase`)
210-
Base storage algorithms and mask-buffer helpers above StoragePrimitive and ComputeEnv without concrete Storage engine, tablet, rowset, lake, service, or full Exec coupling.
210+
Base storage algorithms above StoragePrimitive and ComputeEnv without concrete Storage engine, tablet, rowset, lake, service, or full Exec coupling.
211211
- Targets: `StorageBase`
212212
- Allowed internal include prefixes: `storage/base/`, `storage_primitive/`, `column/`, `types/`, `common/`, `base/`, `gutil/`, `gen_cpp/`
213213
- Allowed target deps: `ComputeEnv`, `StoragePrimitive`, `Runtime`, `ColumnSortCore`, `ChunkCore`, `ColumnCore`, `Types`, `Common`, `Base`, `Gutil`, `StarRocksGen`
@@ -269,12 +269,12 @@ Operator-tree execution framework for query and fragment contexts, driver lifecy
269269
- Remediation: Keep ExecRuntime limited to the operator-tree execution framework and runtime behavior that can be expressed through ComputeEnv and ExecPrimitive contracts; move concrete operators, storage, service, connector, cache, HTTP, and broad Exec integration upward.
270270

271271
### ConnectorPrimitive (`connectorprimitive`)
272-
Read-side connector contracts, DataSource, and DataSourceProvider default mechanics without concrete connectors, sinks, registry composition, storage, service, or full Exec coupling.
272+
Connector contracts, DataSource, DataSourceProvider default mechanics, and primitive connector sink commit/profile types without concrete connectors, sinks, registry composition, storage, service, or full Exec coupling.
273273
- Targets: `ConnectorPrimitive`
274-
- Allowed internal include prefixes: `connector_primitive/`, `exec_primitive/`, `exprs/`, `runtime/`, `column/`, `types/`, `common/`, `base/`, `gutil/`, `gen_cpp/`
275-
- Allowed target deps: `ExecPrimitive`, `Expr`, `Runtime`, `ChunkCore`, `ColumnCore`, `Types`, `Common`, `Base`, `Gutil`, `StarRocksGen`
274+
- Allowed internal include prefixes: `connector_primitive/`, `exec_primitive/`, `exprs/`, `runtime/`, `formats/`, `column/`, `types/`, `common/`, `base/`, `gutil/`, `gen_cpp/`
275+
- Allowed target deps: `FormatCore`, `ExecPrimitive`, `Expr`, `Runtime`, `ChunkCore`, `ColumnCore`, `Types`, `Common`, `Base`, `Gutil`, `StarRocksGen`
276276
- Core tests: `connector_primitive_test`
277-
- Remediation: Keep ConnectorPrimitive limited to read-side connector contracts and default scan-range-to-morsel mechanics; move concrete connectors, sinks, registry wiring, storage, service, and full Exec integration upward.
277+
- Remediation: Keep ConnectorPrimitive limited to connector contracts, default scan-range-to-morsel mechanics, and primitive sink commit/profile types; move concrete connectors, concrete sinks, registry wiring, storage, service, and full Exec integration upward.
278278

279279
### ConnectorBuiltinRegistry (`connectorbuiltinregistry`)
280280
Top-level built-in connector registration composition above connector contracts and concrete connector libraries.

be/CMakeLists.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -649,6 +649,7 @@ set(STARROCKS_DEPENDENCIES
649649
zstd
650650
streamvbyte
651651
arrow
652+
arrow_testing
652653
arrow_flight
653654
arrow_flight_sql
654655
gRPC::grpc

0 commit comments

Comments
 (0)