From 287fcc23324ef3c7cf33f2e553d71d0ff891c350 Mon Sep 17 00:00:00 2001
From: Carlos Polop
Date: Sun, 8 Mar 2026 16:04:29 +0100
Subject: [PATCH] f
---
 .../ci-master-failure-chack-agent-pr.yml | 19 +++++++++++++++++++
 .../pr-failure-chack-agent-dispatch.yml | 10 ++++++++++
 2 files changed, 29 insertions(+)
diff --git a/.github/workflows/ci-master-failure-chack-agent-pr.yml b/.github/workflows/ci-master-failure-chack-agent-pr.yml
index c86e24e..4b8ea8a 100644
--- a/.github/workflows/ci-master-failure-chack-agent-pr.yml
+++ b/.github/workflows/ci-master-failure-chack-agent-pr.yml
@@ -195,6 +195,11 @@ jobs:
 git reset -- chack_failure_summary.txt chack_failure_evidence.txt chack_prompt.txt chack_failed_steps_logs.txt
 # Never include generated regex list updates in automated fixer commits.
 git reset -- build_lists/regexes.yaml || true
+ # Never allow the agent to commit generated linpeas artifacts.
+ git reset -- linpeas.sh linpeas_fat.sh || true
+ while IFS= read -r forbidden_file; do
+ git reset -- "$forbidden_file" || true
+ done < <(git diff --name-only --cached | grep -E '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)
 while IFS= read -r file; do
 case "$file" in
 *.txt|*.md)
@@ -207,6 +212,11 @@ jobs:
 echo "pushed=false" >> "$GITHUB_OUTPUT"
 exit 0
 fi
+ if git diff --cached --name-only | grep -Eq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then
+ echo "Forbidden generated linpeas files are still staged; skipping push."
+ echo "pushed=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
 if ! git diff --cached --quiet; then
 git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
 fi
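Review bot: The forbidden-file loop and the later guard consume `git diff --name-only --cached` as plain lines, so a staged copy under a path that git prints C-quoted (with core.quotePath at its default, any non-ASCII, control or `"` byte in a directory component) ends in a closing `"`, matches neither the `$`-anchored regex nor the `git reset -- "$forbidden_file"` call, and slips past both checks. Reading the list NUL-delimited removes the quoting: `while IFS= read -r -d '' forbidden_file; do` with `done < <(git diff --name-only --cached -z | grep -zE '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)` for the loop, and `if git diff --cached --name-only -z | grep -zEq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then` for the guard (`grep -z` is GNU grep, which the hosted runners presumably provide). The same loop and guard recur in the @@ -207 and @@ -256 hunks of this file and in the @@ -217 and @@ -224 hunks of pr-failure-chack-agent-dispatch.yml. The `run:` block that contains this loop starts and ends outside the hunk.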
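Review bot: The literal `'(^|/)(linpeas\.sh|linpeas_fat\.sh)$'` is spelled out a second time in this step, in the new `if git diff --cached --name-only | grep -Eq ...` guard, after the reset loop earlier in the same `run:` block; keeping one copy in a variable, e.g. `forbidden_re='(^|/)(linpeas\.sh|linpeas_fat\.sh)$'` set before the loop and `grep -Eq "$forbidden_re"` here, prevents the two from drifting apart when the list of generated artifacts changes. The same pair of literals recurs in the @@ -256 hunk of this file and in both hunks of pr-failure-chack-agent-dispatch.yml. The enclosing `run:` block starts outside the hunk.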
@@ -256,6 +266,15 @@ jobs:
 git apply --index /tmp/chack_sanitized.patch
 rm -f chack_failure_summary.txt chack_failure_evidence.txt chack_prompt.txt chack_failed_steps_logs.txt
 git reset -- chack_failure_summary.txt chack_failure_evidence.txt chack_prompt.txt chack_failed_steps_logs.txt || true
+ git reset -- linpeas.sh linpeas_fat.sh || true
+ while IFS= read -r forbidden_file; do
+ git reset -- "$forbidden_file" || true
+ done < <(git diff --name-only --cached | grep -E '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)
+ if git diff --cached --name-only | grep -Eq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then
+ echo "Forbidden generated linpeas files remain after sanitizing; skipping push."
+ echo "pushed=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
 if git diff --cached --quiet; then
 echo "No sanitized changes left after filtering."
 echo "pushed=false" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/pr-failure-chack-agent-dispatch.yml b/.github/workflows/pr-failure-chack-agent-dispatch.yml
index 87f7442..26ce631 100644
--- a/.github/workflows/pr-failure-chack-agent-dispatch.yml
+++ b/.github/workflows/pr-failure-chack-agent-dispatch.yml
@@ -217,6 +217,11 @@ jobs:
 git reset -- chack_failure_summary.txt chack_prompt.txt
 # Never commit generated or regenerated regex list files from this workflow.
 git reset -- build_lists/regexes.yaml || true
+ # Never allow the agent to commit generated linpeas artifacts.
+ git reset -- linpeas.sh linpeas_fat.sh || true
+ while IFS= read -r forbidden_file; do
+ git reset -- "$forbidden_file" || true
+ done < <(git diff --name-only --cached | grep -E '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)
 while IFS= read -r file; do
 case "$file" in
 *.txt|*.md)
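Review bot: The new reset of `linpeas.sh`/`linpeas_fat.sh` right after `git apply --index /tmp/chack_sanitized.patch` carries no comment, unlike the matching block in the @@ -195 hunk, which explains it with `# Never allow the agent to commit generated linpeas artifacts.`; add that same line above `git reset -- linpeas.sh linpeas_fat.sh || true` so the sanitizing path documents why those paths are dropped. It is also worth stating in that comment that `git reset` only unstages them: the worktree copies written by `git apply --index` stay modified, which is harmless as long as later steps commit only what is staged, but a reader of this step cannot tell that from the code. The enclosing `run:` block continues outside the hunk.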
@@ -224,6 +229,11 @@ jobs:
 ;;
 esac
 done < <(git diff --name-only --cached)
+ if git diff --cached --name-only | grep -Eq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then
+ echo "Forbidden generated linpeas files are still staged; skipping push."
+ echo "pushed=false" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
 if ! git diff --cached --quiet; then
 git commit -m "Fix CI failures for PR #${PR_NUMBER}"
 fi