
Commit aefdcce

roli-lpci and claude committed
Fix CONTRIBUTING.md clone path and SECURITY.md validation claim
CONTRIBUTING.md: cd pygate → cd quick-gate-python (matches clone dir)
SECURITY.md: correct false claim that max-attempts is validated as positive integer — it passes through to argparse without positivity check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent a22a0aa commit aefdcce

2 files changed: 2 additions, 2 deletions


CONTRIBUTING.md

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ Thank you for your interest in contributing to PyGate! This guide will help you
1515

1616
```bash
1717
git clone https://github.com/roli-lpci/quick-gate-python.git
18-
cd pygate
18+
cd quick-gate-python
1919
python -m venv .venv
2020
source .venv/bin/activate
2121
pip install -e ".[dev]"
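Review bot: the repository name (`quick-gate-python`) and the project name used throughout the guide (PyGate, as in the line 15 heading context) still differ, which is exactly the mismatch that produced `cd pygate` in the first place; the corrected `cd quick-gate-python` is right, but suggest adding a one-line note directly after the `git clone` command saying that the checkout directory is `quick-gate-python` even though the package is called PyGate, so the next edit to these setup steps does not reintroduce the wrong path.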

SECURITY.md

Lines changed: 1 addition & 1 deletion
@@ -42,7 +42,7 @@ PyGate executes external tools (`ruff`, `pyright`, `pytest`) via subprocess. Sec
4242

4343
### GitHub Actions Composite Action
4444

45-
- **Input validation**: The composite action validates the `mode` input against an allowlist (`canary` or `full`) before passing it to the CLI. The `max-attempts` input is validated as a positive integer. All inputs are passed via environment variables rather than string interpolation to prevent injection.
45+
- **Input validation**: The composite action validates the `mode` input against an allowlist (`canary` or `full`) before passing it to the CLI. The `max-attempts` input is passed through to the CLI's argparse, which validates it as an integer; negative values are not rejected at the action layer. All inputs are passed via environment variables rather than string interpolation to prevent injection.
4646
- **Supply chain pinning**: All third-party actions in CI workflows and the composite action are pinned to SHA digests with version comments (e.g., `actions/checkout@<sha> # v4`). This prevents compromised upstream tags from injecting malicious code.
4747
- **Permissions**: The composite action requires only `contents: read` by default. The optional PR comment feature requires `pull-requests: write`. No other permissions are requested.
4848
- **Artifact trust**: Artifacts uploaded to `.pygate/` contain command output (stdout/stderr) from the target project. Downstream consumers should treat these as untrusted data and validate before rendering in security-sensitive contexts.
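Review bot: the corrected sentence on line 45 documents the weakness but leaves it open, and the better fix for `max-attempts` is in code rather than prose. The new wording also only says "negative values are not rejected"; if the CLI parser uses `type=int` (the diff shows the documentation, not the parser), zero is accepted as well and nothing bounds the value from above, so a caller can drive the retry loop to zero attempts or to an arbitrarily large count. Suggest a `type=` callable on the argparse option that raises `argparse.ArgumentTypeError` for values below 1 (and optionally above a sane ceiling), which would make the original "positive integer" claim true, and a matching guard in the composite action, e.g. `[[ "$MAX_ATTEMPTS" =~ ^[1-9][0-9]*$ ]]` before the CLI is invoked, consistent with the allowlist check already applied to `mode`. Until that lands, the SECURITY.md line should state plainly that zero and negative values are not rejected at either layer, since "validates it as an integer" reads as stronger than what the commit message describes.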
