chore(codex): bootstrap tests and docs defaults#25
- Add a lean dev entrypoint that uses temporary cache paths and cleans up on exit
- Add targeted and full cleanup scripts for reproducible local artifacts
- Make Vite/Tauri dev port and Vite cache path configurable for safe local overrides
- Document normal vs lean dev flow and cleanup tradeoffs in README

Tests: npm run lint && npm run build
Summary of Changes

Hello @saagar210, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes foundational quality and developer experience standards for new repositories. It introduces automated enforcement for comprehensive testing and up-to-date documentation, ensuring that all code changes meet predefined criteria. Additionally, it enhances the development workflow by providing options for disk-space-efficient development and robust cleanup utilities, aiming to streamline local development and maintain a clean project environment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b1034d4b56
| version: 9 | ||
|
|
||
| - name: Install dependencies | ||
| run: pnpm install --frozen-lockfile |
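Review bot: `pnpm install --frozen-lockfile` at the Install dependencies step can only succeed if a pnpm-lock.yaml is committed, and the PR's own test line (`npm run lint && npm run build`) shows the repository is driven by npm; either generate and commit a pnpm-lock.yaml and keep this step, or replace it with `npm ci` (and drop the pnpm `version: 9` setup above it) so the install matches the lockfile that is actually in the tree. Whichever package manager is chosen here should also be the one the verify command list invokes, otherwise the gate fails at a different step for the same reason.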
Replace frozen pnpm install with lockfile-compatible install
The new workflow will fail on every run at dependency installation because it executes pnpm install --frozen-lockfile in a repo that ships package-lock.json and no pnpm-lock.yaml; pnpm errors with ERR_PNPM_NO_LOCKFILE (Cannot install with "frozen-lockfile" because pnpm-lock.yaml is absent). This blocks all subsequent quality gates from running.
| @@ -0,0 +1,7 @@ | |||
| pnpm lint | |||
| pnpm typecheck | |||
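Review bot: `pnpm lint` and `pnpm typecheck` assume both a pnpm-based install and a `typecheck` script, yet the PR description tests with `npm run lint && npm run build`, so the verify contract already diverges from how the author exercises the tree; before listing a script here, add it to package.json (a `typecheck` entry such as `tsc --noEmit` is the minimum for the second line to run) and execute the whole list locally once with the same package manager the workflow uses. Only 2 of this file's 7 lines are shown, so the same check applies to the remaining commands.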
Align verify command contract with defined npm scripts
The verify command list references scripts that are not defined in package.json (typecheck, test:coverage, test:integration, test:e2e:smoke, docs:generate, docs:check), so the run_verify_commands.sh step aborts immediately with ERR_PNPM_NO_SCRIPT (for example, Missing script: typecheck). As written, the quality workflow cannot pass even after dependencies install.
| .map((line) => line.trim()) | ||
| .filter(Boolean); | ||
|
|
||
| const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file); |
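Review bot: `isProdCode` anchors on `^(src|app|server|api)\/`, and because the alternation is followed by a literal `/`, a path such as `src-tauri/src/main.rs` does not match `src/` and is silently treated as non-production, so Rust changes never trigger the test requirement; add `src-tauri\/src` to the alternation, and exclude `src-tauri/tests/` as test code, since the `\.(test|spec)\.[cm]?[jt]sx?$` exclusion only recognises JS/TS test naming. Consider treating `__tests__/` directories as tests for the same reason.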
Include Tauri backend paths in production-change policy checks
The production-code detector only matches src|app|server|api, so changes under src-tauri/ are never treated as production changes and can merge without any test updates despite the repository policy requiring tests for production changes. This creates a policy enforcement gap for backend Rust code in this project.
Code Review
This pull request bootstraps the repository with default configurations for enforcing tests and documentation, introducing several scripts for lean development and cleanup, and CI checks. A critical issue identified is a high-severity command injection vulnerability in scripts/ci/require-tests-and-docs.mjs due to the unsafe use of execSync with an unsanitized environment variable. Please address this vulnerability. Furthermore, the .github/workflows/quality-gates.yml workflow file, which is central to the new quality gate process, is missing and needs to be included to complete the implementation. Also, be sure to review the comment regarding a hardcoded user path in a configuration file.
| })(); | ||
|
|
||
| const baseRef = process.env.GITHUB_BASE_REF ? `origin/${process.env.GITHUB_BASE_REF}` : defaultBaseRef; | ||
| const diff = execSync(`git diff --name-only ${baseRef}...HEAD`, { encoding: 'utf8' }) |
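Review bot: `execSync` with a template string hands `baseRef` to `/bin/sh`, and `GITHUB_BASE_REF` is simply the name of the PR's base branch, so that name is parsed as shell syntax before `git` ever sees it; replace the call with `execFileSync('git', ['diff', '--name-only', `${baseRef}...HEAD`], { encoding: 'utf8' })`, which passes the ref as one argv entry and needs no sanitising, and keep the `defaultBaseRef` fallback as it is. Character-stripping sanitisers are the weaker fix: they quietly rewrite legitimate ref names into ones that do not exist and only block what the pattern anticipated, so if one is kept it should reject and throw rather than strip.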
The script uses execSync with a template string that incorporates the baseRef variable, which is derived from the GITHUB_BASE_REF environment variable. GITHUB_BASE_REF is the name of the base branch in a pull request. If an attacker can influence the name of a branch in the repository (e.g., by creating a branch with a malicious name like main; touch /tmp/pwned), they could execute arbitrary commands on the CI runner when this script is executed. This could lead to the exfiltration of sensitive environment variables or secrets stored in the CI environment.
| const diff = execSync(`git diff --name-only ${baseRef}...HEAD`, { encoding: 'utf8' }) | |
| const diff = execSync(`git diff --name-only ${baseRef.replace(/[^\w./-]/g, '')}...HEAD`, { encoding: 'utf8' }) |
.codex/bootstrap/tests-docs.v1.json
| "generated_at": "2026-02-17T05:38:27.096Z", | ||
| "generated_by": "/Users/d/.codex/scripts/bootstrap/global_tests_docs_bootstrap.mjs", |
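Review bot: `generated_by` records an absolute path under `/Users/d/`, which leaks a local username and is wrong on every other machine, and `generated_at` commits a one-off timestamp that will be stale the moment anyone regenerates the file; rather than the empty strings proposed below, which keep keys that carry no information, either drop both fields from the committed JSON or record a repo-relative script path and let the generator fill `generated_at` at run time.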
The generated_at field contains a future timestamp, and generated_by contains a hardcoded absolute path to a user's local machine. This exposes private user information and makes the configuration brittle. These fields should be removed or replaced with generic, non-user-specific placeholders if they are needed for auditing.
| "generated_at": "2026-02-17T05:38:27.096Z", | |
| "generated_by": "/Users/d/.codex/scripts/bootstrap/global_tests_docs_bootstrap.mjs", | |
| "generated_at": "", | |
| "generated_by": "", |