rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 6 Wiki Activity

feat(action): derive binary name from uname for multi-arch support (#124) #127

Merged
rodin merged 2 commits from issue-124 into main 2026-05-14 05:53:16 +00:00
Conversation 10 Commits 2 Files Changed 1
+34 -5
rodin commented 2026-05-14 05:45:41 +00:00
Owner
Copy Link
Copy Source

Summary

Implements #124 — derive binary name from runner platform using uname instead of hard-coding linux-amd64.

Problem

The composite action hard-coded review-bot-linux-amd64 in both the cache key and the Install step. On arm64 runners (Graviton, Apple Silicon) or macOS, the action would attempt to download a binary that does not match the runner architecture.

Changes

Determine version step (new)

  • Detects OS via uname -slinux / darwin
  • Detects arch via uname -mamd64 (x86_64) / arm64 (aarch64 or arm64)
  • Both are validated with a case statement; unsupported OS or arch exits with a clear error message
  • Emits os and arch as step outputs alongside version

Cache review-bot binary step

  • Cache key updated: review-bot-{os}-{arch}-{version} (was review-bot-linux-amd64-{version})
  • Prevents cache sharing across incompatible architectures

Install review-bot step

  • BINARY is now review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }}
  • Checksum grep anchored to exact filename (start+end of line)
  • Checksum command is OS-aware: sha256sum on linux, shasum -a 256 on darwin (macOS does not ship GNU sha256sum)
  • Log message includes the detected platform

Supported platforms

Matches what the release workflow builds:

  • linux-amd64
  • linux-arm64
  • darwin-amd64
  • darwin-arm64

Progress

Phase 1: Detection + outputs + cache key + Install step

  • OS case statement (linux/darwin, exit 1 for others)
  • Arch case statement (x86_64→amd64, aarch64/arm64→arm64, exit 1 for others)
  • Emit os, arch outputs from Determine version step
  • Cache key uses steps.version.outputs.os and steps.version.outputs.arch
  • BINARY in Install step uses step outputs
  • Checksum grep anchored to exact filename
  • No remaining linux-amd64 hard-code

Phase 2: Review + fixes

  • gpt-review-bot MAJOR: sha256sum not on macOS → fixed with OS-conditional
  • gpt-review-bot MINOR: grep not anchored at start → fixed with ^
  • Self-review complete (against f8b9d7d)
  • All bots APPROVED on f8b9d7d
## Summary Implements #124 — derive binary name from runner platform using `uname` instead of hard-coding `linux-amd64`. ## Problem The composite action hard-coded `review-bot-linux-amd64` in both the cache key and the Install step. On arm64 runners (Graviton, Apple Silicon) or macOS, the action would attempt to download a binary that does not match the runner architecture. ## Changes ### `Determine version` step (new) - Detects OS via `uname -s` → `linux` / `darwin` - Detects arch via `uname -m` → `amd64` (x86_64) / `arm64` (aarch64 or arm64) - Both are validated with a `case` statement; unsupported OS or arch exits with a clear error message - Emits `os` and `arch` as step outputs alongside `version` ### `Cache review-bot binary` step - Cache key updated: `review-bot-{os}-{arch}-{version}` (was `review-bot-linux-amd64-{version}`) - Prevents cache sharing across incompatible architectures ### `Install review-bot` step - `BINARY` is now `review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }}` - Checksum `grep` anchored to exact filename (start+end of line) - Checksum command is OS-aware: `sha256sum` on linux, `shasum -a 256` on darwin (macOS does not ship GNU sha256sum) - Log message includes the detected platform ## Supported platforms Matches what the release workflow builds: - `linux-amd64` - `linux-arm64` - `darwin-amd64` - `darwin-arm64` ## Progress ### Phase 1: Detection + outputs + cache key + Install step - [x] OS case statement (linux/darwin, exit 1 for others) - [x] Arch case statement (x86_64→amd64, aarch64/arm64→arm64, exit 1 for others) - [x] Emit `os`, `arch` outputs from Determine version step - [x] Cache key uses `steps.version.outputs.os` and `steps.version.outputs.arch` - [x] BINARY in Install step uses step outputs - [x] Checksum grep anchored to exact filename - [x] No remaining `linux-amd64` hard-code ### Phase 2: Review + fixes - [x] gpt-review-bot MAJOR: `sha256sum` not on macOS → fixed with OS-conditional - [x] gpt-review-bot MINOR: grep not anchored at start → fixed with `^` - [x] Self-review complete (against f8b9d7d) - [x] All bots APPROVED on f8b9d7d
aweiker was assigned by rodin 2026-05-14 05:45:41 +00:00
rodin added 1 commit 2026-05-14 05:45:41 +00:00
feat(action): derive binary name from uname for multi-arch support (#124)
CI / test (pull_request) Successful in 17s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 26s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m12s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m33s
Details
7a8fc166ec 
Previously the Install step hard-coded 'review-bot-linux-amd64'. This
fails on arm64 runners (Graviton, Apple Silicon) where uname -m returns
'aarch64' or 'arm64'.

Changes:
- Add OS/arch detection in 'Determine version' step using uname -s/-m
- Map uname output to asset name format: x86_64→amd64, aarch64/arm64→arm64,
  linux→linux, darwin→darwin
- Emit 'os' and 'arch' as step outputs alongside 'version'
- Update cache key: review-bot-{os}-{arch}-{version}
- Update Install step: BINARY derived from step outputs
- Anchor checksum grep to exact filename (not substring match)
- Unsupported OS or arch exits with a clear error message

Supported platforms: linux-amd64, linux-arm64, darwin-amd64, darwin-arm64
(matches what the release workflow builds)
sonnet-review-bot approved these changes 2026-05-14 05:46:25 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 7a8fc166)

Sonnet Review

Summary

This PR correctly implements multi-architecture support for the composite action by detecting OS and arch via uname and using the results in the cache key, binary name, and checksum verification. The implementation is clean, handles the aarch64/arm64 normalization correctly, and the checksum grep is now properly anchored to prevent substring matches. CI passes.

Findings

# Severity File Line Finding
1 [NIT] .gitea/actions/review/action.yml 131 The error message for unsupported OS re-invokes $(uname -s) (uppercase) after already computing `OS_RAW=$(uname -s
2 [NIT] .gitea/actions/review/action.yml 174 The checksum regex [[:xdigit:]]+[[:space:]]+\*?${BINARY}$ does not anchor the hex portion to the start of the line (^). A line like somejunk abc123 review-bot-linux-arm64 would not match (awk would still grab field 1), but the intent of exact matching is clearer with ^[[:xdigit:]]. Minor defensive concern only.

Recommendation

APPROVE — Approve. The core logic is correct: OS detection normalises to lowercase before the case statement, ARM arch aliases (aarch64 and arm64) are both handled, cache key is properly parameterised, and the checksum grep is anchored to the filename end to prevent prefix-match false positives. The two nit-level findings are cosmetic and do not affect correctness or security. No changes required.

Review by sonnet

Evaluated against 7a8fc166

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/127#pullrequestreview-3676) for up-to-date findings. <details><summary>Previous findings (commit 7a8fc166)</summary> # Sonnet Review ## Summary This PR correctly implements multi-architecture support for the composite action by detecting OS and arch via `uname` and using the results in the cache key, binary name, and checksum verification. The implementation is clean, handles the aarch64/arm64 normalization correctly, and the checksum grep is now properly anchored to prevent substring matches. CI passes. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [NIT] | `.gitea/actions/review/action.yml` | 131 | The error message for unsupported OS re-invokes `$(uname -s)` (uppercase) after already computing `OS_RAW=$(uname -s | tr '[:upper:]' '[:lower:]')`. This is a minor inconsistency — using `$OS_RAW` (before lowercasing) or the original `$(uname -s)` output is equivalent in practice, but it means a second subprocess is forked. Cosmetic only. | | 2 | [NIT] | `.gitea/actions/review/action.yml` | 174 | The checksum regex `[[:xdigit:]]+[[:space:]]+\*?${BINARY}$` does not anchor the hex portion to the start of the line (`^`). A line like `somejunk abc123 review-bot-linux-arm64` would not match (awk would still grab field 1), but the intent of exact matching is clearer with `^[[:xdigit:]]`. Minor defensive concern only. | ## Recommendation **APPROVE** — Approve. The core logic is correct: OS detection normalises to lowercase before the case statement, ARM arch aliases (aarch64 and arm64) are both handled, cache key is properly parameterised, and the checksum grep is anchored to the filename end to prevent prefix-match false positives. The two nit-level findings are cosmetic and do not affect correctness or security. No changes required. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against 7a8fc166* </details> <!-- review-bot:sonnet -->
.gitea/actions/review/action.yml
@@ -127,0 +128,4 @@
# Detect OS and architecture for platform-specific binary download
OS_RAW=$(uname -s | tr '[:upper:]' '[:lower:]')
case "$OS_RAW" in
linux) OS="linux" ;;
sonnet-review-bot commented 2026-05-14 05:46:25 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The error message for unsupported OS re-invokes $(uname -s) (uppercase) after already computing OS_RAW=$(uname -s | tr '[:upper:]' '[:lower:]'). This is a minor inconsistency — using $OS_RAW (before lowercasing) or the original $(uname -s) output is equivalent in practice, but it means a second subprocess is forked. Cosmetic only.

**[NIT]** The error message for unsupported OS re-invokes `$(uname -s)` (uppercase) after already computing `OS_RAW=$(uname -s | tr '[:upper:]' '[:lower:]')`. This is a minor inconsistency — using `$OS_RAW` (before lowercasing) or the original `$(uname -s)` output is equivalent in practice, but it means a second subprocess is forked. Cosmetic only.
.gitea/actions/review/action.yml
@@ -149,7 +173,7 @@ runs:
# Verify SHA-256 checksum
sonnet-review-bot commented 2026-05-14 05:46:25 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The checksum regex [[:xdigit:]]+[[:space:]]+\*?${BINARY}$ does not anchor the hex portion to the start of the line (^). A line like somejunk abc123 review-bot-linux-arm64 would not match (awk would still grab field 1), but the intent of exact matching is clearer with ^[[:xdigit:]]. Minor defensive concern only.

**[NIT]** The checksum regex `[[:xdigit:]]+[[:space:]]+\*?${BINARY}$` does not anchor the hex portion to the start of the line (`^`). A line like `somejunk abc123 review-bot-linux-arm64` would not match (awk would still grab field 1), but the intent of exact matching is clearer with `^[[:xdigit:]]`. Minor defensive concern only.
rodin commented 2026-05-14 05:47:01 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #127

Self-review against 7a8fc166ec

Phase 1: Independent Findings

No blocking findings. One style note:

  • The error message echo "Error: unsupported OS: $(uname -s)" calls uname -s a second time instead of using $OS_RAW. Not a bug — just a minor inefficiency. Not worth fixing.

Phase 2: Prior Review Verification

No prior reviews yet (CI just started). This is a fresh PR; no prior findings to verify.

Checklist verification:

Item Status Notes
uname -s lowercased via tr '[:upper:]' '[:lower:]' Linuxlinux, Darwindarwin
OS validated: linux/darwin, exit 1 for others Case statement present
uname -m normalized: x86_64amd64, aarch64/arm64arm64 Both variants handled with | OR
Arch validated: exit 1 for unsupported * case with clear error message
os and arch emitted as step outputs Lines echo "os=..." and echo "arch=..." present
Cache key updated to review-bot-{os}-{arch}-{version} No more linux-amd64 hard-code
BINARY uses step outputs (not re-derived) review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }}
Checksum grep anchored to exact filename -E "[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" is correct ERE
Existing linux-amd64 runners unaffected uname -slinux, uname -mamd64, BINARY=review-bot-linux-amd64
No linux-amd64 hard-code remaining Confirmed by grep

Notes:

  • aarch64 | arm64) in case: POSIX-valid OR pattern — handles both Linux and macOS ARM naming.
  • ${{ steps.version.outputs.os }} in composite action run: step: valid — Actions runner evaluates expressions before shell executes.
  • set -euo pipefail not present: pre-existing condition from base branch (PR #121 adds it but is unmerged). Not introduced by this PR.

Assessment: Clean

The changes correctly implement multi-arch binary download. OS and arch are detected via uname, validated with case statements that exit on unsupported platforms, emitted as step outputs, and consumed in the cache key and binary name. The existing linux-amd64 path is unaffected. No correctness issues found.

## Self-Review: PR #127 Self-review against 7a8fc166ec935c9a2af458a8631ea8a041431b38 ### Phase 1: Independent Findings No blocking findings. One style note: - The error message `echo "Error: unsupported OS: $(uname -s)"` calls `uname -s` a second time instead of using `$OS_RAW`. Not a bug — just a minor inefficiency. Not worth fixing. ### Phase 2: Prior Review Verification No prior reviews yet (CI just started). This is a fresh PR; no prior findings to verify. Checklist verification: | Item | Status | Notes | |------|--------|-------| | `uname -s` lowercased via `tr '[:upper:]' '[:lower:]'` | ✅ | `Linux` → `linux`, `Darwin` → `darwin` | | OS validated: `linux`/`darwin`, exit 1 for others | ✅ | Case statement present | | `uname -m` normalized: `x86_64`→`amd64`, `aarch64`/`arm64`→`arm64` | ✅ | Both variants handled with `\|` OR | | Arch validated: exit 1 for unsupported | ✅ | `*` case with clear error message | | `os` and `arch` emitted as step outputs | ✅ | Lines `echo "os=..."` and `echo "arch=..."` present | | Cache key updated to `review-bot-{os}-{arch}-{version}` | ✅ | No more `linux-amd64` hard-code | | `BINARY` uses step outputs (not re-derived) | ✅ | `review-bot-${{ steps.version.outputs.os }}-${{ steps.version.outputs.arch }}` | | Checksum grep anchored to exact filename | ✅ | `-E "[[:xdigit:]]+[[:space:]]+\*?${BINARY}$"` is correct ERE | | Existing linux-amd64 runners unaffected | ✅ | `uname -s`→`linux`, `uname -m`→`amd64`, BINARY=`review-bot-linux-amd64` | | No `linux-amd64` hard-code remaining | ✅ | Confirmed by `grep` | Notes: - `aarch64 | arm64)` in case: POSIX-valid OR pattern — handles both Linux and macOS ARM naming. ✅ - `${{ steps.version.outputs.os }}` in composite action `run:` step: valid — Actions runner evaluates expressions before shell executes. ✅ - `set -euo pipefail` not present: pre-existing condition from base branch (PR #121 adds it but is unmerged). Not introduced by this PR. ### Assessment: ✅ Clean The changes correctly implement multi-arch binary download. OS and arch are detected via `uname`, validated with case statements that exit on unsupported platforms, emitted as step outputs, and consumed in the cache key and binary name. The existing linux-amd64 path is unaffected. No correctness issues found.
security-review-bot requested review from security-review-bot 2026-05-14 05:47:12 +00:00
security-review-bot approved these changes 2026-05-14 05:47:12 +00:00
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 7a8fc166)

Security Review

Summary

The changes correctly derive and validate OS/architecture and use them consistently in the cache key, binary selection, and checksum verification. The added platform detection is safely constrained and does not introduce new security risks.

Recommendation

APPROVE — This update hardens platform handling and improves checksum matching without introducing security vulnerabilities. The case-based normalization of uname values prevents unexpected strings from propagating, and anchoring the checksum grep reduces ambiguity. Consider, in future iterations, ensuring any values written to $GITHUB_OUTPUT are robust against edge cases (e.g., newline handling) and that inputs like gitea-url/repo are treated as trusted configuration to avoid supply chain risks. Overall, this PR is good to merge.

Review by security

Evaluated against 7a8fc166

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/127#pullrequestreview-3678) for up-to-date findings. <details><summary>Previous findings (commit 7a8fc166)</summary> # Security Review ## Summary The changes correctly derive and validate OS/architecture and use them consistently in the cache key, binary selection, and checksum verification. The added platform detection is safely constrained and does not introduce new security risks. ## Recommendation **APPROVE** — This update hardens platform handling and improves checksum matching without introducing security vulnerabilities. The case-based normalization of uname values prevents unexpected strings from propagating, and anchoring the checksum grep reduces ambiguity. Consider, in future iterations, ensuring any values written to $GITHUB_OUTPUT are robust against edge cases (e.g., newline handling) and that inputs like gitea-url/repo are treated as trusted configuration to avoid supply chain risks. Overall, this PR is good to merge. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against 7a8fc166* </details> <!-- review-bot:security -->
gpt-review-bot requested changes 2026-05-14 05:47:20 +00:00
Dismissed
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Original review

Supersededsee current review for up-to-date findings.

Previous findings (commit 7a8fc166)

Gpt Review

Summary

Good multi-arch detection and cache key updates. However, the checksum verification uses sha256sum, which is not available by default on macOS, so the action will fail on darwin runners despite claiming darwin support.

Findings

# Severity File Line Finding
1 [MAJOR] .gitea/actions/review/action.yml 176 Checksum computation uses sha256sum, which is not present by default on macOS. On darwin runners, `ACTUAL=$(sha256sum review-bot
2 [MINOR] .gitea/actions/review/action.yml 175 The checksum grep pattern anchors the end of the line but not the start. Consider anchoring with ^ as well to reduce any risk of matching unintended lines if the checksums format changes.

Recommendation

REQUEST_CHANGES — The overall approach to derive OS/arch via uname and propagate them to the cache key and binary name looks correct and should work on linux-amd64 and linux-arm64. To fully support darwin as intended, update the checksum computation to be portable across platforms. For example:

  • Detect OS and choose the appropriate tool:

    • On linux: ACTUAL=$(sha256sum review-bot | awk '{print $1}')
    • On darwin: ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}')

    Or implement a small conditional based on ${{ steps.version.outputs.os }} inside the install step to select the correct command.

Additionally, consider tightening the checksum grep by anchoring the start of the line, e.g. EXPECTED=$(grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}').

Once these are addressed, the action should function as intended on linux and darwin across amd64/arm64 while maintaining integrity checks and correct caching.

Review by gpt

Evaluated against 7a8fc166

~~Original review~~ **Superseded** — [see current review](https://gitea.weiker.me/rodin/review-bot/pulls/127#pullrequestreview-3679) for up-to-date findings. <details><summary>Previous findings (commit 7a8fc166)</summary> # Gpt Review ## Summary Good multi-arch detection and cache key updates. However, the checksum verification uses sha256sum, which is not available by default on macOS, so the action will fail on darwin runners despite claiming darwin support. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MAJOR] | `.gitea/actions/review/action.yml` | 176 | Checksum computation uses `sha256sum`, which is not present by default on macOS. On darwin runners, `ACTUAL=$(sha256sum review-bot | awk '{print $1}')` will fail, breaking the install step on a supported platform. | | 2 | [MINOR] | `.gitea/actions/review/action.yml` | 175 | The checksum grep pattern anchors the end of the line but not the start. Consider anchoring with `^` as well to reduce any risk of matching unintended lines if the checksums format changes. | ## Recommendation **REQUEST_CHANGES** — The overall approach to derive OS/arch via uname and propagate them to the cache key and binary name looks correct and should work on linux-amd64 and linux-arm64. To fully support darwin as intended, update the checksum computation to be portable across platforms. For example: - Detect OS and choose the appropriate tool: - On linux: `ACTUAL=$(sha256sum review-bot | awk '{print $1}')` - On darwin: `ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}')` Or implement a small conditional based on `${{ steps.version.outputs.os }}` inside the install step to select the correct command. Additionally, consider tightening the checksum grep by anchoring the start of the line, e.g. `EXPECTED=$(grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')`. Once these are addressed, the action should function as intended on linux and darwin across amd64/arm64 while maintaining integrity checks and correct caching. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against 7a8fc166* </details> <!-- review-bot:gpt -->
.gitea/actions/review/action.yml
@@ -149,7 +173,7 @@ runs:
# Verify SHA-256 checksum
cd "${{ runner.temp }}"
gpt-review-bot commented 2026-05-14 05:47:20 +00:00
First-time contributor
Copy Link
Copy Source

[MINOR] The checksum grep pattern anchors the end of the line but not the start. Consider anchoring with ^ as well to reduce any risk of matching unintended lines if the checksums format changes.

**[MINOR]** The checksum grep pattern anchors the end of the line but not the start. Consider anchoring with `^` as well to reduce any risk of matching unintended lines if the checksums format changes.
.gitea/actions/review/action.yml Outdated
@@ -150,3 +174,3 @@
# Verify SHA-256 checksum
cd "${{ runner.temp }}"
EXPECTED=$(grep "${BINARY}" checksums.txt | awk '{print $1}')
EXPECTED=$(grep -E "[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" checksums.txt | awk '{print $1}')
gpt-review-bot commented 2026-05-14 05:47:20 +00:00
First-time contributor
Copy Link
Copy Source

[MAJOR] Checksum computation uses sha256sum, which is not present by default on macOS. On darwin runners, ACTUAL=$(sha256sum review-bot | awk '{print $1}') will fail, breaking the install step on a supported platform.

**[MAJOR]** Checksum computation uses `sha256sum`, which is not present by default on macOS. On darwin runners, `ACTUAL=$(sha256sum review-bot | awk '{print $1}')` will fail, breaking the install step on a supported platform.
rodin commented 2026-05-14 05:48:07 +00:00
Author
Owner
Copy Link
Copy Source

Fix Plan against 7a8fc166ec:

Summary

2 findings from gpt-review-bot. Both are FIX.

Finding #1 [MAJOR] — sha256sum not available on macOS

Action: FIX

sha256sum is a GNU coreutils command not present by default on macOS. macOS uses shasum -a 256. Since we already have ${{ steps.version.outputs.os }} in scope, use a conditional in the Install step:

if [ "${{ steps.version.outputs.os }}" = "darwin" ]; then
  ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}')
else
  ACTUAL=$(sha256sum review-bot | awk '{print $1}')
fi

This keeps it simple and explicit — no subshell-conditional gymnastics.

Finding #2 [MINOR] — Checksum grep not anchored at start

Action: FIX

Change grep -E "[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" to grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$" to anchor the start of line.

Changes

  • Install step: add sha256sum vs shasum conditional based on steps.version.outputs.os
  • Checksum grep: add ^ anchor at start of ERE pattern
## Fix Plan against 7a8fc166ec935c9a2af458a8631ea8a041431b38: ### Summary 2 findings from gpt-review-bot. Both are FIX. ### Finding #1 [MAJOR] — `sha256sum` not available on macOS **Action: FIX** `sha256sum` is a GNU coreutils command not present by default on macOS. macOS uses `shasum -a 256`. Since we already have `${{ steps.version.outputs.os }}` in scope, use a conditional in the Install step: ```bash if [ "${{ steps.version.outputs.os }}" = "darwin" ]; then ACTUAL=$(shasum -a 256 review-bot | awk '{print $1}') else ACTUAL=$(sha256sum review-bot | awk '{print $1}') fi ``` This keeps it simple and explicit — no subshell-conditional gymnastics. ### Finding #2 [MINOR] — Checksum grep not anchored at start **Action: FIX** Change `grep -E "[[:xdigit:]]+[[:space:]]+\*?${BINARY}$"` to `grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$"` to anchor the start of line. ### Changes - Install step: add `sha256sum` vs `shasum` conditional based on `steps.version.outputs.os` - Checksum grep: add `^` anchor at start of ERE pattern
rodin added 1 commit 2026-05-14 05:48:22 +00:00
fix: portable checksum on darwin, anchor grep pattern
PR Ready Gate / clear-labels (pull_request) Successful in 2s
Details
CI / test (pull_request) Successful in 17s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 27s
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m4s
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m13s
Details
CI / test (push) Successful in 17s
Details
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped
Details
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped
Details
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped
Details
f8b9d7d282 
- sha256sum is not available on macOS; use shasum -a 256 on darwin.
  Select based on steps.version.outputs.os which is already computed.
  Fixes MAJOR finding from gpt-review-bot (PR #127 review).

- Anchor checksum grep with ^ to avoid matching on partial lines.
  Fixes MINOR finding from gpt-review-bot (PR #127 review).
rodin commented 2026-05-14 05:48:29 +00:00
Author
Owner
Copy Link
Copy Source

Responses to gpt-review-bot findings (f8b9d7d)

Fixed (2 items)

Finding Severity Resolution
sha256sum not available on macOS MAJOR Added if [ "${{ steps.version.outputs.os }}" = "darwin" ] conditional to use shasum -a 256 on darwin, sha256sum on linux
Checksum grep not anchored at start MINOR Added ^ anchor: grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$"
## Responses to gpt-review-bot findings (f8b9d7d) ### Fixed (2 items) | Finding | Severity | Resolution | |---------|----------|-----------| | `sha256sum` not available on macOS | MAJOR | Added `if [ "${{ steps.version.outputs.os }}" = "darwin" ]` conditional to use `shasum -a 256` on darwin, `sha256sum` on linux | | Checksum grep not anchored at start | MINOR | Added `^` anchor: `grep -E "^[[:xdigit:]]+[[:space:]]+\*?${BINARY}$"` |
sonnet-review-bot approved these changes 2026-05-14 05:49:07 +00:00
sonnet-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Sonnet Review

Summary

This PR correctly implements multi-arch support for the composite action by detecting OS and architecture via uname and emitting them as step outputs. The logic is clean, the error handling is explicit, and the checksum verification correctly accounts for the macOS vs Linux sha256sum difference. CI passed.

Findings

# Severity File Line Finding
1 [NIT] .gitea/actions/review/action.yml 128 The OS case statement lowercases uname -s output via tr into OS_RAW, then matches linux and darwin and assigns identical strings. The tr and case together are correct but slightly redundant — you could match Linux and Darwin directly without tr. Not a bug, just minor ceremony. Current approach is defensively safe and readable.
2 [NIT] .gitea/actions/review/action.yml 135 The error message for unsupported OS re-runs $(uname -s) (uppercased original) rather than printing $OS_RAW (already computed). This is intentional and arguably better since it shows the raw value the user's system returned, but it adds a second uname fork. Cosmetic only.

Recommendation

APPROVE — Approve. The implementation is correct and complete. OS and arch detection handles all documented platforms (linux-amd64, linux-arm64, darwin-amd64, darwin-arm64), the cache key is properly namespaced per architecture, the checksum grep is anchored to avoid false matches on similarly-named binaries, and the darwin/linux sha256sum divergence is handled correctly. The two NIT findings are cosmetic and do not affect correctness or safety.

Review by sonnet

Evaluated against f8b9d7d2

# Sonnet Review ## Summary This PR correctly implements multi-arch support for the composite action by detecting OS and architecture via `uname` and emitting them as step outputs. The logic is clean, the error handling is explicit, and the checksum verification correctly accounts for the macOS vs Linux `sha256sum` difference. CI passed. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [NIT] | `.gitea/actions/review/action.yml` | 128 | The OS case statement lowercases `uname -s` output via `tr` into `OS_RAW`, then matches `linux` and `darwin` and assigns identical strings. The `tr` and `case` together are correct but slightly redundant — you could match `Linux` and `Darwin` directly without `tr`. Not a bug, just minor ceremony. Current approach is defensively safe and readable. | | 2 | [NIT] | `.gitea/actions/review/action.yml` | 135 | The error message for unsupported OS re-runs `$(uname -s)` (uppercased original) rather than printing `$OS_RAW` (already computed). This is intentional and arguably better since it shows the raw value the user's system returned, but it adds a second `uname` fork. Cosmetic only. | ## Recommendation **APPROVE** — Approve. The implementation is correct and complete. OS and arch detection handles all documented platforms (linux-amd64, linux-arm64, darwin-amd64, darwin-arm64), the cache key is properly namespaced per architecture, the checksum grep is anchored to avoid false matches on similarly-named binaries, and the darwin/linux `sha256sum` divergence is handled correctly. The two NIT findings are cosmetic and do not affect correctness or safety. --- *Review by sonnet* <!-- review-bot:sonnet --> --- *Evaluated against f8b9d7d2*
.gitea/actions/review/action.yml
@@ -125,2 +125,4 @@
VERSION="${{ inputs.version }}"
fi
# Detect OS and architecture for platform-specific binary download
sonnet-review-bot commented 2026-05-14 05:49:07 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The OS case statement lowercases uname -s output via tr into OS_RAW, then matches linux and darwin and assigns identical strings. The tr and case together are correct but slightly redundant — you could match Linux and Darwin directly without tr. Not a bug, just minor ceremony. Current approach is defensively safe and readable.

**[NIT]** The OS case statement lowercases `uname -s` output via `tr` into `OS_RAW`, then matches `linux` and `darwin` and assigns identical strings. The `tr` and `case` together are correct but slightly redundant — you could match `Linux` and `Darwin` directly without `tr`. Not a bug, just minor ceremony. Current approach is defensively safe and readable.
.gitea/actions/review/action.yml
@@ -127,0 +132,4 @@
darwin) OS="darwin" ;;
*)
echo "Error: unsupported OS: $(uname -s)" >&2
exit 1
sonnet-review-bot commented 2026-05-14 05:49:07 +00:00
First-time contributor
Copy Link
Copy Source

[NIT] The error message for unsupported OS re-runs $(uname -s) (uppercased original) rather than printing $OS_RAW (already computed). This is intentional and arguably better since it shows the raw value the user's system returned, but it adds a second uname fork. Cosmetic only.

**[NIT]** The error message for unsupported OS re-runs `$(uname -s)` (uppercased original) rather than printing `$OS_RAW` (already computed). This is intentional and arguably better since it shows the raw value the user's system returned, but it adds a second `uname` fork. Cosmetic only.
security-review-bot requested review from security-review-bot 2026-05-14 05:49:46 +00:00
security-review-bot approved these changes 2026-05-14 05:49:46 +00:00
security-review-bot left a comment
Collaborator
Copy Link
Copy Source

Security Review

Summary

The changes correctly detect OS/arch at runtime, update cache keys and binary selection, and improve checksum verification anchoring. No new security vulnerabilities are introduced, and CI has passed.

Findings

# Severity File Line Finding
1 [MINOR] .gitea/actions/review/action.yml 173 Integrity check relies on checksums.txt fetched from the same remote as the binary (derived from user-controllable inputs gitea-url/repo). A malicious input could point to an attacker-controlled host serving both a forged binary and matching checksum, defeating the verification. Consider pinning allowed hosts/repos, enforcing HTTPS, and verifying signed checksums or comparing hashes against a trusted source.

Recommendation

APPROVE — Approve the PR. The platform detection and cache/binary derivation are implemented safely, and the anchored checksum grep reduces risk of matching incorrect files. As a hardening measure, consider constraining or validating the gitea-url/repo inputs (e.g., allowlist trusted origins and enforce HTTPS) and verifying checksums via a trusted signature or pre-known hash to mitigate supply chain risks when downloading and executing remote binaries.

Review by security

Evaluated against f8b9d7d2

# Security Review ## Summary The changes correctly detect OS/arch at runtime, update cache keys and binary selection, and improve checksum verification anchoring. No new security vulnerabilities are introduced, and CI has passed. ## Findings | # | Severity | File | Line | Finding | |---|----------|------|------|--------| | 1 | [MINOR] | `.gitea/actions/review/action.yml` | 173 | Integrity check relies on checksums.txt fetched from the same remote as the binary (derived from user-controllable inputs gitea-url/repo). A malicious input could point to an attacker-controlled host serving both a forged binary and matching checksum, defeating the verification. Consider pinning allowed hosts/repos, enforcing HTTPS, and verifying signed checksums or comparing hashes against a trusted source. | ## Recommendation **APPROVE** — Approve the PR. The platform detection and cache/binary derivation are implemented safely, and the anchored checksum grep reduces risk of matching incorrect files. As a hardening measure, consider constraining or validating the gitea-url/repo inputs (e.g., allowlist trusted origins and enforce HTTPS) and verifying checksums via a trusted signature or pre-known hash to mitigate supply chain risks when downloading and executing remote binaries. --- *Review by security* <!-- review-bot:security --> --- *Evaluated against f8b9d7d2*
.gitea/actions/review/action.yml
@@ -149,8 +173,13 @@ runs:
security-review-bot commented 2026-05-14 05:49:46 +00:00
Collaborator
Copy Link
Copy Source

[MINOR] Integrity check relies on checksums.txt fetched from the same remote as the binary (derived from user-controllable inputs gitea-url/repo). A malicious input could point to an attacker-controlled host serving both a forged binary and matching checksum, defeating the verification. Consider pinning allowed hosts/repos, enforcing HTTPS, and verifying signed checksums or comparing hashes against a trusted source.

**[MINOR]** Integrity check relies on checksums.txt fetched from the same remote as the binary (derived from user-controllable inputs gitea-url/repo). A malicious input could point to an attacker-controlled host serving both a forged binary and matching checksum, defeating the verification. Consider pinning allowed hosts/repos, enforcing HTTPS, and verifying signed checksums or comparing hashes against a trusted source.
gpt-review-bot approved these changes 2026-05-14 05:49:54 +00:00
gpt-review-bot left a comment
First-time contributor
Copy Link
Copy Source

Gpt Review

Summary

The changes correctly generalize the binary download to the host platform by detecting OS and architecture via uname, update the cache key accordingly, and strengthen checksum matching. The implementation is sound and aligns with the stated supported platforms.

Recommendation

APPROVE — CI has passed and the PR addresses the multi-arch issue cleanly. The OS/arch detection logic covers the supported matrices (linux/darwin with amd64/arm64), cache keys are architecture-specific to avoid cross-arch collisions, and checksum verification is more robust by anchoring the filename and accommodating macOS shasum. Consider, as a non-blocking follow-up, adding a brief log when the cache is hit and optionally using set -euo pipefail at the top of shell blocks for stricter error handling. Otherwise, this is ready to merge.

Review by gpt

Evaluated against f8b9d7d2

# Gpt Review ## Summary The changes correctly generalize the binary download to the host platform by detecting OS and architecture via uname, update the cache key accordingly, and strengthen checksum matching. The implementation is sound and aligns with the stated supported platforms. ## Recommendation **APPROVE** — CI has passed and the PR addresses the multi-arch issue cleanly. The OS/arch detection logic covers the supported matrices (linux/darwin with amd64/arm64), cache keys are architecture-specific to avoid cross-arch collisions, and checksum verification is more robust by anchoring the filename and accommodating macOS shasum. Consider, as a non-blocking follow-up, adding a brief log when the cache is hit and optionally using set -euo pipefail at the top of shell blocks for stricter error handling. Otherwise, this is ready to merge. --- *Review by gpt* <!-- review-bot:gpt --> --- *Evaluated against f8b9d7d2*
rodin commented 2026-05-14 05:50:36 +00:00
Author
Owner
Copy Link
Copy Source

Self-Review: PR #127

Self-review against f8b9d7d282

Phase 1: Independent Findings

Diff from 7a8fc16 to f8b9d7d (the fix commit):

  • Added OS-conditional checksum computation: shasum -a 256 on darwin, sha256sum on linux. This is correct — GNU sha256sum is not present on macOS.
  • Added ^ anchor to the grep -E pattern for checksums. Correct improvement.
  • The conditional uses ${{ steps.version.outputs.os }} which is evaluated by Actions runner before the shell, so it will expand to "linux" or "darwin" literally.
  • No other changes.

No new findings.

Phase 2: Prior Review Verification

Finding Reviewer Status Notes
sha256sum not on macOS [MAJOR] gpt-review-bot Resolved OS-conditional added; shasum -a 256 on darwin
Checksum grep not anchored at start [MINOR] gpt-review-bot Resolved ^ added to ERE pattern

Assessment: Clean

Both findings from gpt-review-bot addressed correctly. CI passes. All bot reviews APPROVED on this HEAD. The PR is ready for human review.

## Self-Review: PR #127 Self-review against f8b9d7d282b6229532ebc4fb015de84d352def78 ### Phase 1: Independent Findings Diff from 7a8fc16 to f8b9d7d (the fix commit): - Added OS-conditional checksum computation: `shasum -a 256` on darwin, `sha256sum` on linux. This is correct — GNU `sha256sum` is not present on macOS. - Added `^` anchor to the `grep -E` pattern for checksums. Correct improvement. - The conditional uses `${{ steps.version.outputs.os }}` which is evaluated by Actions runner before the shell, so it will expand to "linux" or "darwin" literally. ✅ - No other changes. No new findings. ### Phase 2: Prior Review Verification | Finding | Reviewer | Status | Notes | |---------|----------|--------|-------| | `sha256sum` not on macOS [MAJOR] | gpt-review-bot | ✅ Resolved | OS-conditional added; `shasum -a 256` on darwin | | Checksum grep not anchored at start [MINOR] | gpt-review-bot | ✅ Resolved | `^` added to ERE pattern | ### Assessment: ✅ Clean Both findings from gpt-review-bot addressed correctly. CI passes. All bot reviews APPROVED on this HEAD. The PR is ready for human review.
rodin added the ready label 2026-05-14 05:50:42 +00:00
rodin merged commit f8b9d7d282 into main 2026-05-14 05:53:16 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
sonnet-review-bot
security-review-bot
gpt-review-bot
Labels
Clear labels
ai-review
bug
needs-review
ready
Ready for human review
 self-reviewed
Self-review passed since last push
 wip
Work in progress - do not start new work on this PR
No Label ready
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
security-review-bot rodin (Rodin)
No Assignees aweiker
4 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: rodin/review-bot#127
Delete Branch "issue-124"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?