[codex] Harden compatibility CI isolation #48

Merged: SegaraRai merged 8 commits into main from codex/harden-compatibility-ci on May 16, 2026

SegaraRai (Owner) commented May 15, 2026

Summary

  • run Compatibility CI with no job token permissions and no setup-vp dependency cache
  • verify the compatibility container cannot see host runner processes, effective capabilities, or the Docker socket before running untrusted compatibility commands
  • start vp run test:compat with a clean environment and make the compat runner fail if GitHub Actions runtime cache credentials are present
  • scrub token and Actions runtime credentials from child processes spawned by compatibility fixtures

Validation

  • vp run check
  • node ./examples/compat/compat-matrix.ts --list
  • confirmed the compat runner fails when ACTIONS_RUNTIME_TOKEN is present

Summary by CodeRabbit

  • Chores

    • Updated wasm-pack dev dependency to ^0.15.0
    • Pinned fflate to 0.8.2 via workspace overrides
    • Tightened CI workflow job permissions
  • Tests

    • Run compatibility tests inside an isolated sandboxed container for stronger environment isolation
    • Added pre-test validation to ensure no CI/runtime credentials are present
    • Sanitize spawned test process environments to remove forbidden runtime keys

coderabbitai Bot commented May 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 504d3a4c-4dd0-4ef0-85ac-9f24cf8f205c

📥 Commits

Reviewing files that changed from the base of the PR and between 2f1c530 and cf932bf.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml
✅ Files skipped from review due to trivial changes (1)
  • pnpm-workspace.yaml

📝 Walkthrough


Harden compatibility tests: detect and fail on GitHub Actions runtime credentials at test start, sanitize child-process environments, run tests inside a sandboxed action with job-level empty permissions, and update two dependency pins.

Changes

Security Hardening for Compatibility Tests

| Layer / File(s) | Summary |
| --- | --- |
| Runtime credential validation / examples/compat/scripts/security.ts | New module exports assertNoActionsRuntimeCredentials() which detects and rejects forbidden GitHub Actions runtime environment variables by throwing an error with the list of found keys. |
| Child process environment sanitization / examples/compat/scripts/command.ts | Adds BLOCKED_CHILD_ENV_KEYS set and sanitizedProcessEnv() helper that clones process.env, removes blocked keys (case-insensitive), and applies the sanitized environment to spawnSync calls. |
| Test runner security checkpoint / examples/compat/scripts/runner.ts | Imports and invokes assertNoActionsRuntimeCredentials() at the start of main() to enforce credential validation before running compatibility cases. |
| CI sandbox execution and permissions / .github/workflows/ci.yml | Tightens the compatibility job with permissions: {} at job level and replaces inline test steps with a SegaraRai/gha-sandbox-probes action that unpacks the build, installs Vite Plus, selects the runtime via vp env use, installs deps, and runs vp run test:compat --case "${{ matrix.case }}". |

Dependency Version Update

| Layer / File(s) | Summary |
| --- | --- |
| wasm-pack version update / package.json | Bumps wasm-pack devDependency from ^0.14.0 to ^0.15.0. |
| pnpm fflate override / pnpm-workspace.yaml | Pins fflate to 0.8.2 via overrides. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 In CI burrows tests now sleep,

Tokens scrubbed, no secrets creep.
Runner checks and children clean,
Sandbox hops, a safer scene.
🌱

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title '[codex] Harden compatibility CI isolation' directly reflects the main objective of the PR: hardening CI isolation for compatibility tests by preventing credential leakage. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@SegaraRai SegaraRai force-pushed the codex/harden-compatibility-ci branch 2 times, most recently from d2f4747 to e6351da Compare May 15, 2026 14:06
@SegaraRai SegaraRai force-pushed the codex/harden-compatibility-ci branch from e6351da to 3c29867 Compare May 15, 2026 14:15
@SegaraRai SegaraRai marked this pull request as ready for review May 15, 2026 16:40

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
examples/compat/scripts/command.ts (1)

10-22: ⚡ Quick win

Share the Actions runtime-key list with security.ts.

This re-declares the same ACTIONS_* keys the startup guard uses. If those lists drift, the parent process and child-process scrubber will enforce different credential policies. Export the runtime-key constant from security.ts and extend it here with the extra package-manager tokens.

Possible direction
+import { FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS } from "./security.ts";
+
 const BLOCKED_CHILD_ENV_KEYS = new Set([
-  "ACTIONS_CACHE_SERVICE_V2",
-  "ACTIONS_CACHE_URL",
-  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
-  "ACTIONS_ID_TOKEN_REQUEST_URL",
-  "ACTIONS_RESULTS_URL",
-  "ACTIONS_RUNTIME_TOKEN",
-  "ACTIONS_RUNTIME_URL",
+  ...FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS,
   "GH_TOKEN",
   "GITHUB_TOKEN",
   "NODE_AUTH_TOKEN",
   "NPM_TOKEN",
 ]);
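Review bot: In the `BLOCKED_CHILD_ENV_KEYS` literal, the four entries kept after `...FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS` (`GH_TOKEN`, `GITHUB_TOKEN`, `NODE_AUTH_TOKEN`, `NPM_TOKEN`) become the only keys that are scrubbed from children without being checked by the startup guard, and nothing in the hunk says that split is deliberate. Add a short comment above them stating it, and keep every entry in upper case so that the case-insensitive removal described for `sanitizedProcessEnv()` can normalise a key once before the `Set` lookup.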
// examples/compat/scripts/security.ts
export const FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS = [
  // ...
] as const;
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/compat/scripts/command.ts` around lines 10 - 22, Replace the
duplicated ACTIONS_* list by importing the canonical array from security.ts and
extending it with the package-manager tokens: import
FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS from security.ts, then build
BLOCKED_CHILD_ENV_KEYS as new Set([...FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS,
"GH_TOKEN", "GITHUB_TOKEN", "NODE_AUTH_TOKEN", "NPM_TOKEN"]). Ensure you
reference the existing symbol BLOCKED_CHILD_ENV_KEYS in this file and the
exported FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS symbol in security.ts so both parent
and child scrubbing use the same runtime-key source.
.github/workflows/ci.yml (1)

225-228: ⚡ Quick win

Use the official setup-vp GitHub Action instead of piping the install script.

curl ... | bash makes this job depend on whatever viteplus.dev/install.sh serves at runtime, weakening reproducibility. Vite+ provides an official GitHub Action, voidzero-dev/setup-vp, designed for CI environments that supports version pinning:

- uses: voidzero-dev/setup-vp@v1
  with:
    version: "1.2.3"  # Pin to a specific version

This is the documented best practice for CI installations and avoids the security and reproducibility concerns of piping scripts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 225 - 228, Replace the insecure
curl|bash installer with the official GitHub Action by removing the lines that
call the remote install script and source "$HOME/.vite-plus/env" and instead use
the voidzero-dev/setup-vp action in the workflow; ensure you call the action
(voidzero-dev/setup-vp@v1) and pass a pinned version (e.g., version: "1.2.3") so
subsequent steps like invoking vp env use "$(cat .node-version)" continue to
work against a reproducible, pinned Vite+ installation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@examples/compat/scripts/security.ts`:
- Around line 12-14: The filter for presentKeys currently treats only truthy
values as present, so empty strings are missed; update the predicate used with
FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS (where presentKeys is computed) to check for
presence using process.env[key] !== undefined (or similar explicit undefined
check) instead of relying on truthiness, so variables like
ACTIONS_RUNTIME_TOKEN="" are considered present by the guard.

In `@package.json`:
- Line 33: Replace the unpublished version spec for the wasm-pack dependency in
package.json by changing the "wasm-pack" entry (currently "^0.15.0") to the
official stable release "0.14.0" (or "^0.14.0" if you want caret semantics) so
the project uses the published stable wasm-pack version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad8e20f6-a309-4e46-9ad7-551be32ecc7c

📥 Commits

Reviewing files that changed from the base of the PR and between ff52946 and 712c43e.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • .github/workflows/ci.yml
  • examples/compat/scripts/command.ts
  • examples/compat/scripts/runner.ts
  • examples/compat/scripts/security.ts
  • package.json

Comment thread examples/compat/scripts/security.ts
Comment thread package.json

coderabbitai Bot left a comment

♻️ Duplicate comments (1)
examples/compat/scripts/security.ts (1)

12-14: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Check env key presence by definition, not truthiness.

Line 13 treats only truthy values as present, so ACTIONS_RUNTIME_TOKEN="" bypasses the guard. Use an explicit undefined check to enforce the intended fail-fast behavior.

Proposed fix
 export function assertNoActionsRuntimeCredentials(): void {
   const presentKeys = FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS.filter((key) => {
-    return process.env[key];
+    return process.env[key] !== undefined;
   });
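Review bot: `assertNoActionsRuntimeCredentials()` has no doc comment, and at the `return process.env[key] !== undefined;` line its contract becomes subtle: a variable set to the empty string now counts as present. State that in a short JSDoc on the function (the pre-merge check reports docstring coverage of 0.00%), and add a test case with `ACTIONS_RUNTIME_TOKEN=""`, since the validation listed in the PR description only covers the token being present.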
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/compat/scripts/security.ts` around lines 12 - 14, The presentKeys
calculation is checking truthiness which allows empty-string env values to pass;
change the filter in the FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS check to test for
undefined explicitly (e.g., using process.env[key] !== undefined or typeof
process.env[key] !== 'undefined') so that keys set to an empty string are
treated as present and trigger the guard; update the expression that defines
presentKeys accordingly (referencing FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS and the
presentKeys variable).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cc1facce-2cf7-4a42-bb0d-12c64cdf43e6

📥 Commits

Reviewing files that changed from the base of the PR and between 712c43e and 2f1c530.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/compat/scripts/command.ts
  • examples/compat/scripts/security.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/compat/scripts/command.ts
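
The startup guard and child-environment scrubber discussed in the reviews above, as an added example that is not the project's code. It shows the empty-string bypass next to the corrected check and a case-insensitive scrub over one shared key list. The env-as-parameter signatures, the `presentKeysBy*` helper names, the error wording and `SAMPLE_ENV` are assumptions made for illustration.

```typescript
// Added example, not the project's code; functions take the env as a parameter (assumption).
type Env = Record<string, string | undefined>;

// One shared list of Actions runtime keys, used by both the guard and the scrubber.
const FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS: readonly string[] = [
  "ACTIONS_CACHE_SERVICE_V2", "ACTIONS_CACHE_URL",
  "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_URL",
  "ACTIONS_RESULTS_URL", "ACTIONS_RUNTIME_TOKEN", "ACTIONS_RUNTIME_URL",
];

// Child processes additionally lose GitHub and package-manager tokens.
const BLOCKED_CHILD_ENV_KEYS = new Set<string>([
  ...FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS,
  "GH_TOKEN", "GITHUB_TOKEN", "NODE_AUTH_TOKEN", "NPM_TOKEN",
]);

// The check as first written: an empty-string value is falsy and slips through.
function presentKeysByTruthiness(env: Env): string[] {
  return FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS.filter((key) => Boolean(env[key]));
}

// The corrected check: any defined value, including "", counts as present.
function presentKeysByDefinition(env: Env): string[] {
  return FORBIDDEN_ACTIONS_RUNTIME_ENV_KEYS.filter((key) => env[key] !== undefined);
}

// Startup guard: fail fast and name every offending key.
function assertNoActionsRuntimeCredentials(env: Env): void {
  const presentKeys = presentKeysByDefinition(env);
  if (presentKeys.length > 0) {
    throw new Error(`Forbidden Actions runtime env keys present: ${presentKeys.join(", ")}`);
  }
}

// Scrubber: copy the env, dropping blocked keys regardless of letter case.
function sanitizedProcessEnv(env: Env): Env {
  const clean: Env = {};
  for (const key of Object.keys(env)) {
    if (!BLOCKED_CHILD_ENV_KEYS.has(key.toUpperCase())) clean[key] = env[key];
  }
  return clean;
}

// Constructed sample environment: an empty runtime token and a mixed-case GitHub token.
const SAMPLE_ENV: Env = { PATH: "/usr/bin", ACTIONS_RUNTIME_TOKEN: "", Github_Token: "constructed-value", CI: "true" };
```

In real use the guard would receive `process.env` and the scrubbed copy would be passed as the `env` option of `spawnSync`.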

@SegaraRai SegaraRai merged commit 7579f58 into main May 16, 2026
76 of 80 checks passed
@SegaraRai SegaraRai deleted the codex/harden-compatibility-ci branch May 16, 2026 11:23