
Commit a826b56

ci: separate stderr from stdout in gh run list and validate numeric run IDs
Co-authored-by: levalleux-ludo <7184124+levalleux-ludo@users.noreply.github.com>
1 parent bebaf6b commit a826b56

1 file changed

Lines changed: 14 additions & 4 deletions


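--- a/.github/hooks/session_end.sh
+++ b/.github/hooks/session_end.sh
@@ -69,23 +69,33 @@ while [ "$POLL_ELAPSED" -lt "$POLL_MAX" ]; do
 # Find workflow runs that require manual approval for this branch.
 # Only consider allowlisted CI workflows, safe event types, and runs
 # triggered by the Copilot bot to avoid auto-approving untrusted code.
+# Capture stdout and stderr separately so gh warnings don't appear as run IDs.
+_gh_stderr=$(mktemp 2>/dev/null || echo "/tmp/gh_run_list_stderr.$$")
 RUN_LIST_OUTPUT=$(gh run list \
 --branch "$BRANCH" \
 --status "action_required" \
 --json "databaseId,workflowName,event,actor" \
---jq ".[] | select((.event == \"pull_request\" or .event == \"push\") and (.workflowName == \"CI\" or .workflowName == \"Lint PR\") and .actor.login == \"${COPILOT_BOT_ACTOR}\") | .databaseId" 2>&1)
+--jq ".[] | select((.event == \"pull_request\" or .event == \"push\") and (.workflowName == \"CI\" or .workflowName == \"Lint PR\") and .actor.login == \"${COPILOT_BOT_ACTOR}\") | .databaseId" 2>"$_gh_stderr")
 GH_RUN_LIST_STATUS=$?
 
 if [ "$GH_RUN_LIST_STATUS" -ne 0 ]; then
 echo "Error querying workflow runs for branch '$BRANCH':"
-echo "$RUN_LIST_OUTPUT"
+[ -f "$_gh_stderr" ] && cat "$_gh_stderr"
+rm -f "$_gh_stderr"
 echo "Skipping workflow auto-approval for branch '$BRANCH' due to GitHub CLI/API error"
 exit 0
 fi
+[ -s "$_gh_stderr" ] && echo "gh run list warnings: $(cat "$_gh_stderr")"
+rm -f "$_gh_stderr"
 
-# Approve any newly found runs (skip ones we already approved)
+# Approve any newly found runs (skip ones we already approved).
+# Validate each RUN_ID is numeric to guard against any unexpected non-numeric output.
 while IFS= read -r RUN_ID; do
-if [ -n "$RUN_ID" ] && ! echo "$APPROVED_IDS" | grep -qx "$RUN_ID"; then
+if [[ ! "$RUN_ID" =~ ^[0-9]+$ ]]; then
+[ -n "$RUN_ID" ] && echo "Skipping unexpected non-numeric run ID: $RUN_ID"
+continue
+fi
+if ! echo "$APPROVED_IDS" | grep -qx "$RUN_ID"; then
 echo "Approving workflow run: $RUN_ID"
 if gh run approve "$RUN_ID"; then
 echo "Successfully approved run: $RUN_ID"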
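Review bot: The fallback in `_gh_stderr=$(mktemp 2>/dev/null || echo "/tmp/gh_run_list_stderr.$$")` sends gh's stderr to a predictable path in /tmp whenever mktemp fails, so on a shared host another local user could pre-create that path (for example as a symlink) and the `2>"$_gh_stderr"` redirect would follow it. The hook already skips approval on a gh error, so failing closed fits the same pattern: `_gh_stderr=$(mktemp) || { echo "mktemp failed; skipping workflow auto-approval"; exit 0; }`. Separately, `[[ ... =~ ... ]]` is a Bash construct while the surrounding code uses `[ ]`; if the script runs under /bin/sh (the shebang is outside this hunk), `case "$RUN_ID" in ''|*[!0-9]*) continue ;; esac` is the portable form of the numeric check. The polling `while` loop starts before the hunk, and both it and the `read` loop continue past the hunk's end.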
