f

2026-03-12 21:23:13 -07:00 · 2026-03-08 16:04:29 +01:00
parent aaaa178974
commit 287fcc2332
2 changed files with 29 additions and 0 deletions
--- a/.github/workflows/ci-master-failure-chack-agent-pr.yml
+++ b/.github/workflows/ci-master-failure-chack-agent-pr.yml
@@ -195,6 +195,11 @@ jobs:
            git reset -- chack_failure_summary.txt chack_failure_evidence.txt chack_prompt.txt chack_failed_steps_logs.txt
            # Never include generated regex list updates in automated fixer commits.
            git reset -- build_lists/regexes.yaml || true
+            # Never allow the agent to commit generated linpeas artifacts.
+            git reset -- linpeas.sh linpeas_fat.sh || true
+            while IFS= read -r forbidden_file; do
+              git reset -- "$forbidden_file" || true
+            done < <(git diff --name-only --cached | grep -E '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)
            while IFS= read -r file; do
              case "$file" in
                *.txt|*.md)
@@ -207,6 +212,11 @@ jobs:
              echo "pushed=false" >> "$GITHUB_OUTPUT"
              exit 0
            fi
+            if git diff --cached --name-only | grep -Eq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then
+              echo "Forbidden generated linpeas files are still staged; skipping push."
+              echo "pushed=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
            if ! git diff --cached --quiet; then
              git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
            fi
@@ -256,6 +266,15 @@ jobs:
          git apply --index /tmp/chack_sanitized.patch
          rm -f chack_failure_summary.txt chack_failure_evidence.txt chack_prompt.txt chack_failed_steps_logs.txt
          git reset -- chack_failure_summary.txt chack_failure_evidence.txt chack_prompt.txt chack_failed_steps_logs.txt || true
+          git reset -- linpeas.sh linpeas_fat.sh || true
+          while IFS= read -r forbidden_file; do
+            git reset -- "$forbidden_file" || true
+          done < <(git diff --name-only --cached | grep -E '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)
+          if git diff --cached --name-only | grep -Eq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then
+            echo "Forbidden generated linpeas files remain after sanitizing; skipping push."
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
          if git diff --cached --quiet; then
            echo "No sanitized changes left after filtering."
            echo "pushed=false" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/pr-failure-chack-agent-dispatch.yml
+++ b/.github/workflows/pr-failure-chack-agent-dispatch.yml
@@ -217,6 +217,11 @@ jobs:
            git reset -- chack_failure_summary.txt chack_prompt.txt
            # Never commit generated or regenerated regex list files from this workflow.
            git reset -- build_lists/regexes.yaml || true
+            # Never allow the agent to commit generated linpeas artifacts.
+            git reset -- linpeas.sh linpeas_fat.sh || true
+            while IFS= read -r forbidden_file; do
+              git reset -- "$forbidden_file" || true
+            done < <(git diff --name-only --cached | grep -E '(^|/)(linpeas\.sh|linpeas_fat\.sh)$' || true)
            while IFS= read -r file; do
              case "$file" in
                *.txt|*.md)
@@ -224,6 +229,11 @@ jobs:
                  ;;
              esac
            done < <(git diff --name-only --cached)
+            if git diff --cached --name-only | grep -Eq '(^|/)(linpeas\.sh|linpeas_fat\.sh)$'; then
+              echo "Forbidden generated linpeas files are still staged; skipping push."
+              echo "pushed=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
            if ! git diff --cached --quiet; then
              git commit -m "Fix CI failures for PR #${PR_NUMBER}"
            fi