From 3272450ec557b5f61ecb01347ca46fb3a5c87f45 Mon Sep 17 00:00:00 2001
From: Matteo Cherubini
Date: Fri, 5 Jun 2026 09:59:18 +0200
Subject: [PATCH] fix(ingest): Scope git operations and add curl timeouts in open-pr.sh

---
 skills/ingest/scripts/open-pr.sh | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/skills/ingest/scripts/open-pr.sh b/skills/ingest/scripts/open-pr.sh
index 9ea4a9b..8f8f23b 100644
--- a/skills/ingest/scripts/open-pr.sh
+++ b/skills/ingest/scripts/open-pr.sh
@@ -39,11 +39,13 @@ repo="$(basename -s .git "$(git config --get remote.origin.url)")"
 # 1. Branch + commit + push (AGENTS.md rule 5: never commit to main)
 git switch -c "$branch" 2>/dev/null || git switch "$branch"
 git add wiki/
-if git diff --cached --quiet; then
+# Scope BOTH the emptiness check and the commit to wiki/ — never commit anything that
+# happened to be staged outside wiki/ (a stray hook, an aborted prior run, etc.).
+if git diff --cached --quiet -- wiki/; then
   echo "open-pr: nothing staged under wiki/ — aborting" >&2
   exit 1
 fi
-git commit -m "$title"
+git commit -m "$title" -- wiki/
 git push -u origin "$branch"
 
 # DRY_RUN: local git work done; skip the Forgejo API (offline tests).
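Review bot: `git commit -m "$title" -- wiki/` snapshots the working-tree content of tracked files under wiki/ (git's pathspec/`--only` mode), not the index that `git diff --cached --quiet -- wiki/` just inspected; the two agree here only because `git add wiki/` runs immediately before, and the new comment should say so, e.g. `# NB: a pathspec commit records the working tree, not the index — safe only because git add wiki/ precedes it.` The stray staged changes the comment worries about are left sitting in the index after this commit and will silently ride along with the next unscoped commit on this branch; one line after the commit makes that visible to the operator: `git diff --cached --quiet || echo "open-pr: warning: staged changes outside wiki/ left in the index" >&2`. The script's `set` options and the branch/title validation are outside this hunk, so whether a failed `git commit` aborts the run cannot be confirmed from here.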
@@ -53,19 +55,23 @@ if [[ -n "${DRY_RUN:-}" ]]; then
 fi
 
 # 2. Open the PR via Forgejo API (jq builds the JSON safely)
+# TODO: Forgejo-only. When registry.sh/globals.env sets PROVIDER=github, branch on
+# $PROVIDER here and delegate to providers/github.sh (same token + http_code contract).
 body="$(cat "$body_file")"
 payload="$(jq -n --arg head "$branch" --arg base "$base" \
   --arg title "$title" --arg body "$body" \
   '{head:$head, base:$base, title:$title, body:$body}')"
 
-resp="$(curl -s -w '\n%{http_code}' \
+resp="$(curl --max-time 30 -s -w '\n%{http_code}' \
   -H "Authorization: token ${FORGEJO_TOKEN}" \
   -H "Content-Type: application/json" \
   -X POST "${FORGEJO_URL}/api/v1/repos/${FORGEJO_USER}/${repo}/pulls" \
   -d "$payload")"
 
-code="$(printf '%s' "$resp" | tail -n1)"
-json="$(printf '%s' "$resp" | sed '$d')"
+# curl -w appends '\n' AFTER the body, so the code is always the final line and the
+# body is everything before it. Parameter expansion (no subshells), robust to multi-line JSON.
+code="${resp##*$'\n'}"
+json="${resp%$'\n'*}"
 
 case "$code" in
   201)
@@ -89,11 +95,11 @@ esac
 
 # 3. Optional label (e.g. CONFLICT). Best-effort; non-fatal.
 if [[ -n "$label" && -n "${number:-}" ]]; then
-  label_id="$(curl -s -H "Authorization: token ${FORGEJO_TOKEN}" \
+  label_id="$(curl --max-time 15 -s -H "Authorization: token ${FORGEJO_TOKEN}" \
     "${FORGEJO_URL}/api/v1/repos/${FORGEJO_USER}/${repo}/labels" \
     | jq -r --arg n "$label" '.[] | select(.name==$n) | .id' | head -n1)"
   if [[ -n "$label_id" && "$label_id" != "null" ]]; then
-    curl -s -o /dev/null \
+    curl --max-time 15 -s -o /dev/null \
       -H "Authorization: token ${FORGEJO_TOKEN}" -H "Content-Type: application/json" \
       -X POST "${FORGEJO_URL}/api/v1/repos/${FORGEJO_USER}/${repo}/issues/${number}/labels" \
       -d "{\"labels\":[${label_id}]}" \
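Review bot: The new `--max-time 30` together with the existing `-s` makes a timeout or connection failure completely silent: curl prints no error, `resp` is left as just `\n000` (or, if `set -e` is active earlier in the file, the `resp=` assignment aborts the script with nothing on stderr), and the only trace is whatever the `case` default does with code `000`. Change the flag to `-sS` on this call (`resp="$(curl --max-time 30 -sS -w '\n%{http_code}' \`) so the timeout/TLS/DNS error reaches stderr; the same `-s`-without-`-S` applies to both `--max-time 15` curls in the label hunk below. Worth a comment beside `case "$code" in`: a timeout on this POST is not proof the PR was not created, so a rerun after `000` may open a duplicate. The `${resp##*$'\n'}` / `${resp%$'\n'*}` extraction is sound because `-w '\n%{http_code}'` always terminates the output with exactly that suffix; the `case` arms continue outside the hunk.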