https://github.com/lilithhafner/bisect.jl
- Host: GitHub
- URL: https://github.com/lilithhafner/bisect.jl
- Owner: LilithHafner
- License: gpl-3.0
- Created: 2023-11-28T17:03:33.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-02-02T16:08:01.000Z (over 1 year ago)
- Last Synced: 2025-01-21T04:41:49.300Z (4 months ago)
- Language: Julia
- Size: 208 KB
- Stars: 6
- Watchers: 2
- Forks: 0
- Open Issues: 10
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Bisect
[CI](https://github.com/LilithHafner/Bisect.jl/actions/workflows/CI.yml?query=branch%3Amain)
[Coverage](https://codecov.io/gh/LilithHafner/Bisect.jl)
[Aqua QA](https://github.com/JuliaTesting/Aqua.jl)

## Development status: stable
As far as I can tell, this tool is fully functional, tested, and ready for widespread use.
I will attempt to avoid making any breaking changes going forward.

# Usage
If you have a snippet of Julia code that you suspect behaves differently on different
versions of a repo, you can post that code in a comment on github and ask
@LilithHafnerBot to figure out exactly which commit changed its behavior. The robot will run
a bisection and respond with its results.

## Who can use this tool
Everyone with a github account who is interested in open source software! You do not
need any permissions to invoke a bisection. You may execute arbitrary bisection code
on any public repository, whether or not you have any permissions in that repository.
See [Security](#security) for how we make this possible.

## Installation
None required. @LilithHafnerBot is already watching all github repositories. Open an
issue if you would like to opt out.

## Invocation syntax
An invocation is a github comment with a trigger and a code block. For example,
````
Let's try to bisect this.

@LilithHafnerBot bisect(new=main, old=v1.0.0)

```julia
using Statistics
mean([1, 2, 3]) == 2
```
````

The trigger must take the form `@LilithHafnerBot bisect(<args>)` where `<args>` is
a (possibly empty) comma separated list of arguments. Each argument must be of the form
`<key>=<value>`. Supported keys are

- `new`: the new end of the bisection
- `old`: the old end of the bisection

Any value that can be interpreted as a revision by `git checkout <revision>` can be used
as the value for `new` and `old`. For example, commit hashes, branch names, and tags
are all valid values.

Line breaks and `)` characters are not permitted in the argument list.
The code block must be a Julia code block, beginning with
```` ```julia ```` and ending with ```` ``` ````. The trigger and code block must be in
the same comment.

### Default values for `old` and `new`
The default value for `new` is "HEAD", which for issues points to the head of the default
branch and for pull requests points to the head of the pull request branch (even if that
pull request is from a fork!).

The default value for `old` is more complicated. We attempt to find the oldest release on
the current breaking version (e.g. "v1.0.0"). The exact details are subject to change, but the current
implementation is

- Filter down to tags that can be parsed by `VersionString`
- If possible, filter out any tags that have a prerelease component
- If there's any tag with a nonzero major version, keep only tags with the highest major version,
  and otherwise keep only tags with the highest minor version (prefer v1.0.0 over both 0.7.4 and
  1.1.2)
- Of the remaining tags, take the earliest according to symbolic version comparison, breaking
  ties lexicographically (e.g. if your repo has both a 1.0.0 tag and a v1.0.0 tag, this will
  prefer 1.0.0)

If no tags are found, the default value for `old` is the oldest commit with no parents.
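The invocation rules and the default `old` selection above, worked through in code. This is an added illustration in Python, not the bot's own Julia code: `parse_invocation` applies the trigger, argument and code-block rules, and `default_old` applies the tag-selection steps. The version regex is a loose stand-in for Julia's version parser and is an assumption.

```python
import re

TRIGGER_RE = re.compile(r"@LilithHafnerBot bisect\(([^)\n]*)\)")   # no ')' or newline inside
CODE_RE = re.compile(r"^```julia\n(.*?)^```[ \t]*$", re.S | re.M)  # fence must be ```julia
# Assumed stand-in for Julia's version parsing: optional "v", major[.minor[.patch]][-pre][+build]
VERSION_RE = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

def parse_invocation(comment):
    """Trigger args plus the Julia block, or None if the comment is not a valid invocation."""
    m = TRIGGER_RE.search(comment)
    code = CODE_RE.search(comment)
    if m is None or code is None:
        return None
    args = {}
    for item in filter(None, (s.strip() for s in m.group(1).split(","))):
        key, sep, value = (p.strip() for p in item.partition("="))
        if not sep or key not in ("new", "old") or not value or key in args:
            return None          # unknown key, malformed pair, or duplicate key
        args[key] = value
    # "HEAD" is the documented default for new; old is resolved later from tags
    return {"new": args.get("new", "HEAD"), "old": args.get("old"), "code": code.group(1)}

def parse_version(tag):
    """(major, minor, patch, prerelease) for version-like tags, else None."""
    m = VERSION_RE.match(tag)
    if m is None:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor or 0), int(patch or 0), pre

def default_old(tags, root_commit):
    """Pick the default `old` from the repo's tags; fall back to the parentless commit."""
    vers = {t: v for t in tags if (v := parse_version(t)) is not None}
    if not vers:
        return root_commit
    stable = {t: v for t, v in vers.items() if v[3] is None}
    vers = stable or vers                     # drop prereleases only "if possible"
    if any(v[0] != 0 for v in vers.values()):
        top = max(v[0] for v in vers.values())
        vers = {t: v for t, v in vers.items() if v[0] == top}
    else:
        top = max(v[1] for v in vers.values())
        vers = {t: v for t, v in vers.items() if v[1] == top}
    # earliest by version (a prerelease sorts before its release); ties broken by the raw tag text
    return min(vers, key=lambda t: (vers[t][:3], vers[t][3] is None, vers[t][3] or "", t))
```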
## Security Model
The @LilithHafnerBot GitHub account sends its notifications to `@proxiedmail.com`.
proxiedmail.com forwards those emails to [email protected] and sends an HTTP post request to
https://lilithhafner.com/lilithhafnerbot/trigger_1.php containing their content.

The servers at lilithhafner.com check that the post request's recipient address matches the regex
`(\w{60})@proxiedmail.com` and then verify that the hash
of the remaining 60 digits is equal to a known hash. After verifying authentication, those servers
check to see if the body of the message includes the string `@LilithHafnerBot bisect`. If so, they
use the `gh` command line tool and an authentication token for the `@LilithHafnerBot` github account
to trigger a workflow run at https://github.com/LilithHafnerBot/bisect. They send that workflow a
freshly generated, single use `<key>` and the URL of the comment that triggered the notification,
and save that url and key and a timestamp locally. Then the servers add an :eyes: reaction to the
triggering comment.

GitHub actions automatically and publicly logs all arguments to the workflow trigger, including `<key>`,
with no way to disable that logging. The workflow itself downloads the triggering comment's content,
parses it, runs a bisection if able, and produces a comment in response. It then posts back to
https://lilithhafner.com/lilithhafnerbot/trigger_2.php a request containing the key, comment URL,
and response message.

The servers at lilithhafner.com verify that the url and key exist in their local logs with a
timestamp from the last 4 hours, verify that the message format looks plausible (notably including
a check that the length is not too long), check that that comment url has not been responded to
before, check that the comment contains the string `@LilithHafnerBot bisect`, log that comment
url as having been responded to, and post the message to github.

### Security claims
- lilithhafner.com is not vulnerable to remote code execution
- The @LilithHafnerBot github account is secure
- @LilithHafnerBot cannot be sock-puppetted except for when someone invoked `@LilithHafnerBot bisect` in the last 4 hours

### Attack models
TODO
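The two server-side gates in the security model above (the proxiedmail address check behind trigger_1 and the key, URL, timestamp, format and replay checks behind trigger_2), as an added Python illustration that is not the project's PHP code. SHA-256 as the hash, the 4000-character message bound and the in-memory log are assumptions; the 4-hour window and the check order follow the README.

```python
import hashlib
import hmac
import re
import secrets

ADDRESS_RE = re.compile(r"(\w{60})@proxiedmail\.com")
KEY_TTL_SECONDS = 4 * 60 * 60          # README: the logged key must be from the last 4 hours
MAX_MESSAGE_LEN = 4000                 # assumed bound; the README only says "not too long"
TRIGGER = "@LilithHafnerBot bisect"

def local_part_hash(local_part: str) -> str:
    """Hash of the 60-character local part (SHA-256 is an assumption; README says 'a known hash')."""
    return hashlib.sha256(local_part.encode()).hexdigest()

def address_is_authentic(recipient: str, known_hash_hex: str) -> bool:
    """trigger_1 gate: recipient must match the regex and its local part must hash to the stored value."""
    m = ADDRESS_RE.search(recipient)
    return m is not None and hmac.compare_digest(local_part_hash(m.group(1)), known_hash_hex)

class TriggerLog:
    """In-memory stand-in for the server's local log of (url, key, timestamp) entries."""
    def __init__(self):
        self.pending = {}        # key -> (comment_url, issued_at)
        self.responded = set()   # comment URLs that already received a reply

    def issue_key(self, comment_url: str, now: float) -> str:
        key = secrets.token_hex(30)          # fresh single-use key handed to the workflow
        self.pending[key] = (comment_url, now)
        return key

    def accept_response(self, key: str, comment_url: str, message: str,
                        comment_body: str, now: float) -> str:
        """trigger_2 gate in the README's order; returns 'ok' or the reason for rejection."""
        entry = self.pending.get(key)
        if entry is None or entry[0] != comment_url:
            return "unknown key or url"
        if now - entry[1] > KEY_TTL_SECONDS:
            return "key older than 4 hours"
        if not message or len(message) > MAX_MESSAGE_LEN:
            return "implausible message"
        if comment_url in self.responded:
            return "already responded"     # a second post for the same comment is dropped
        if TRIGGER not in comment_body:
            return "comment lacks trigger"
        self.responded.add(comment_url)    # record the url as answered before posting
        del self.pending[key]              # the key is single use
        return "ok"
```

Because the key is visible in the public workflow log, the replay and 4-hour checks are what limit a forged trigger_2 post to the window the README's third security claim describes.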
### DOS attacks
This service runs on free github action runners. It's trivial to DOS this service;
please don't do that intentionally.

### Reporting vulnerabilities
Please report security vulnerabilities to [email protected]