Bug Description
The coder gate only verifies Go (fmt/vet/build/lint/test), so a coder GO whose diff is entirely non-Go (GitHub Actions workflow YAML, shell scripts, Homebrew/Ruby formulae, docs) reaches GATE-PASS without any meaningful verification of the actual change. The gate is structurally blind to the very content that changed.
Evidence (M2/M3 batch run-20260711-182721)
Proposed Fix
Extend the gate (or add a reviewer stage) to lint/validate non-Go artifacts based on the changed file types:
Environment
- LLMKube version: 0.9.4
- Component: Foreman coder gate
Additional Context
Surfaced by scrutinizing every GO in an M2/M3 batch. Companion to the anti-confab-on-prose finding filed alongside this.
Bug Description
The coder gate only verifies Go (fmt/vet/build/lint/test), so a coder GO whose diff is entirely non-Go (GitHub Actions workflow YAML, shell scripts, Homebrew/Ruby formulae, docs) reaches
GATE-PASSwithout any meaningful verification of the actual change. The gate is structurally blind to the very content that changed.Evidence (M2/M3 batch run-20260711-182721)
uses: slsa-framework/.../generator_container_slsa3.yml@v1.9.0understeps:— a reusable workflow can only be called at job level, so the workflow is invalid.cosign sign --yes(keyless OIDC) added without granting the jobid-token: write, so it fails at runtime.LlmkubeForemanAgentformula definesdef installtwice (dead code /brew audit+ RuboCopLint/DuplicateMethodssmell) — invisible to the Go gate.Proposed Fix
Extend the gate (or add a reviewer stage) to lint/validate non-Go artifacts based on the changed file types:
actionlintfor.github/workflows/*.ymlshellcheckfor shell scriptsbrew style/rubocopfor Homebrew formulaeEnvironment
Additional Context
Surfaced by scrutinizing every GO in an M2/M3 batch. Companion to the anti-confab-on-prose finding filed alongside this.