Create Awal README truth checker #1
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8c42bd5ea6
| ) | ||
| findings.extend(cd_findings(surface, text, command.line)) | ||
| script = package_script_from_command(text) | ||
| if script is not None and surface.package_scripts: |
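Review bot: the guard `if script is not None and surface.package_scripts:` on the last line treats a package.json that declares no scripts the same as one that is absent or unreadable, because an empty scripts mapping is falsy too; give the absent/unreadable case a distinct sentinel (None rather than an empty dict), emit a finding for it, and only consult the mapping when the manifest was actually parsed.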
Flag npm/pnpm scripts even when package.json is missing
The surface.package_scripts guard suppresses missing_package_script checks whenever package.json is absent or unreadable, so a README command like npm run dev can incorrectly produce a full pass. In a fresh clone, this is a hard setup failure, and the scanner should still emit a high-severity finding instead of silently skipping script validation.
| match = re.search(r"\byarn\s+([A-Za-z0-9:_-]+)\b", command) | ||
| if match and match.group(1) not in {"add", "install", "global", "dlx"}: | ||
| return match.group(1), match.group(0) |
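Review bot: the built-in allowlist `{"add", "install", "global", "dlx"}` on the second line is short of the Yarn sub-commands that commonly appear in READMEs (remove, upgrade, init, workspace, exec, and run itself), so `yarn upgrade` or `yarn init` would be reported as a missing script named upgrade or init; keep the list as a named module-level constant so it can be extended in one place, and note that the character class `[A-Za-z0-9:_-]` stops at `.`, so a script such as build.prod would be looked up as build.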
Parse yarn run <script> as script invocation
The current Yarn regex captures only the first token after yarn, so yarn run dev is parsed as script run and incorrectly triggers missing_package_script even when dev exists. This creates false blocking results for standard Yarn usage in READMEs and can break CI gating on valid repositories.
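As an added example (not code from the Awal PR), the following Python puts the two Codex suggestions above together: it parses npm/pnpm/yarn commands so that `yarn run <script>` yields the script name rather than `run`, and it reports a high-severity finding when package.json is absent or unreadable instead of skipping the check. The names `YARN_BUILTINS`, `Finding`, `load_package_scripts` and `check_package_script` are assumptions for this example, not the project's API; the README commands and package.json in the demo are constructed.

```python
import json
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple

# Yarn sub-commands that are not package.json scripts. Hypothetical allowlist
# for this example; extend it for the Yarn versions you target.
YARN_BUILTINS = {
    "add", "install", "global", "dlx", "remove", "upgrade", "init",
    "run", "workspace", "workspaces", "exec", "cache", "link", "why",
}

_NPM_RUN = re.compile(r"\b(?:npm|pnpm)\s+run\s+([A-Za-z0-9:_.-]+)")
# `npm start` / `npm test` invoke scripts without the `run` keyword.
_NPM_LIFECYCLE = re.compile(r"\b(?:npm|pnpm)\s+(start|test)\b")
# Explicit `yarn run <script>` is tried before the bare `yarn <script>` form,
# so the script name is captured rather than the word "run".
_YARN_RUN = re.compile(r"\byarn\s+run\s+([A-Za-z0-9:_.-]+)")
_YARN_BARE = re.compile(r"\byarn\s+([A-Za-z0-9:_.-]+)")


def package_script_from_command(command: str) -> Optional[Tuple[str, str]]:
    """Return (script_name, matched_text) when `command` invokes a package.json script."""
    for pattern in (_NPM_RUN, _NPM_LIFECYCLE, _YARN_RUN):
        m = pattern.search(command)
        if m:
            return m.group(1), m.group(0)
    m = _YARN_BARE.search(command)
    if m and m.group(1) not in YARN_BUILTINS:
        return m.group(1), m.group(0)
    return None


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    command: str
    detail: str


def load_package_scripts(repo_dir: Path) -> Optional[Dict[str, str]]:
    """Scripts declared in package.json, or None when the manifest is absent or unreadable.

    None is deliberately distinct from {} (manifest present, no scripts) so the
    caller can report the missing-manifest case instead of skipping the check.
    """
    manifest = repo_dir / "package.json"
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    scripts = data.get("scripts") if isinstance(data, dict) else None
    return scripts if isinstance(scripts, dict) else {}


def check_package_script(scripts: Optional[Dict[str, str]], command: str) -> Optional[Finding]:
    """Verify one README command against the scripts actually declared."""
    parsed = package_script_from_command(command)
    if parsed is None:
        return None  # not a script invocation; nothing to verify
    script, matched = parsed
    if scripts is None:
        return Finding("missing_package_json", "high", command,
                       f"{matched!r} needs package.json, which is absent or unreadable")
    if script not in scripts:
        return Finding("missing_package_script", "high", command,
                       f"script {script!r} is not declared in package.json")
    return None


if __name__ == "__main__":
    import tempfile
    # Constructed README commands and a constructed package.json for the demo.
    commands = ["npm install", "npm run dev", "yarn run dev", "yarn upgrade", "pnpm run lint"]
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for cmd in commands:  # fresh clone, no package.json yet
            print("no manifest:", cmd, "->", check_package_script(load_package_scripts(repo), cmd))
        (repo / "package.json").write_text(json.dumps({"scripts": {"dev": "vite"}}))
        scripts = load_package_scripts(repo)
        for cmd in commands:
            print("with manifest:", cmd, "->", check_package_script(scripts, cmd))
```

Keeping `None` and `{}` apart in `load_package_scripts` is what lets the caller distinguish "nothing to check against" from "checked and not found"; both cases are reported, but with different check names so CI output says which one the README author has to fix.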
| re.compile(r"\bprocess\.env\[['\"]([A-Z][A-Z0-9_]{2,})['\"]\]"), | ||
| re.compile(r"\bimport\.meta\.env\.([A-Z][A-Z0-9_]{2,})"), | ||
| re.compile(r"\bDeno\.env\.get\(['\"]([A-Z][A-Z0-9_]{2,})['\"]\)"), | ||
| re.compile(r"\bos\.environ(?:\.get)?\(['\"]([A-Z][A-Z0-9_]{2,})['\"]\)"), |
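Review bot: the os.environ pattern on the last line requires `)` immediately after the closing quote, so the common call with a default, `os.environ.get("PORT", "8000")`, is never matched; drop the trailing `\)` (the Deno pattern can keep it, since Deno.env.get takes a single argument). The same alternation also accepts `os.environ("KEY")`, which is not valid Python, and none of the visible patterns covers `os.getenv(...)`. Separately, `{2,}` after `[A-Z]` means one- and two-character names such as CI or TZ are skipped by every pattern here.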
Detect Python os.environ[...] env variable reads
Environment usage scanning misses the common Python subscript form os.environ["KEY"], so undocumented env vars in Python code are not reported. That causes false passes for repos that do require undeclared secrets/config, weakening one of the scanner’s core checks.
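As an added example (again not code from the Awal PR), this Python covers the env-read forms in the Codex comment above plus the Python subscript and `os.getenv` forms, and diffs what the code reads against what the README mentions. `ENV_READ_PATTERNS`, `PLATFORM_PROVIDED`, `env_vars_in_source`, `env_vars_in_readme` and `undocumented_env_vars` are names chosen for this example, the README-side check is a deliberately simple UPPER_SNAKE heuristic, and the sample source files and README are constructed inputs.

```python
import re
from typing import Dict, List, Set

# Identifier shape shared by every pattern: UPPER_SNAKE, at least three characters.
_NAME = r"([A-Z][A-Z0-9_]{2,})"
_Q = r"['\"]"

# One pattern per read form. The call-style patterns stop after the quoted
# name so that a default argument (`.get("PORT", "8000")`) still matches.
ENV_READ_PATTERNS = [
    re.compile(r"\bprocess\.env\." + _NAME + r"\b"),              # process.env.KEY
    re.compile(r"\bprocess\.env\[" + _Q + _NAME + _Q + r"\]"),    # process.env["KEY"]
    re.compile(r"\bimport\.meta\.env\." + _NAME + r"\b"),         # import.meta.env.KEY
    re.compile(r"\bDeno\.env\.get\(" + _Q + _NAME + _Q),          # Deno.env.get("KEY")
    re.compile(r"\bos\.environ\[" + _Q + _NAME + _Q + r"\]"),     # os.environ["KEY"]
    re.compile(r"\bos\.environ\.get\(" + _Q + _NAME + _Q),        # os.environ.get("KEY", default)
    re.compile(r"\bos\.getenv\(" + _Q + _NAME + _Q),              # os.getenv("KEY", default)
]

# Variables supplied by the runtime or bundler that a README need not document.
# Assumption for this example; adjust to your stack.
PLATFORM_PROVIDED = {"NODE_ENV", "MODE", "DEV", "PROD", "SSR", "BASE_URL"}


def env_vars_in_source(text: str) -> Set[str]:
    """Environment variable names read anywhere in `text`."""
    found: Set[str] = set()
    for pattern in ENV_READ_PATTERNS:
        found.update(pattern.findall(text))
    return found


def env_vars_in_readme(readme: str) -> Set[str]:
    """Heuristic: any UPPER_SNAKE token mentioned in the README counts as documented."""
    return set(re.findall(r"\b" + _NAME + r"\b", readme))


def undocumented_env_vars(sources: Dict[str, str], readme: str) -> Dict[str, List[str]]:
    """Map each variable the code reads but the README never mentions to the files reading it."""
    documented = env_vars_in_readme(readme) | PLATFORM_PROVIDED
    result: Dict[str, List[str]] = {}
    for path, text in sources.items():
        for name in env_vars_in_source(text) - documented:
            result.setdefault(name, []).append(path)
    return {name: sorted(paths) for name, paths in sorted(result.items())}


# Constructed inputs for the demo: two source files and a README that documents
# only some of the variables they read.
SAMPLE_SOURCES = {
    "app/settings.py": (
        "import os\n"
        'DATABASE_URL = os.environ["DATABASE_URL"]\n'
        'SENTRY_DSN = os.getenv("SENTRY_DSN")\n'
        'PORT = int(os.environ.get("PORT", "8000"))\n'
    ),
    "web/client.js": (
        "const key = process.env.API_KEY;\n"
        "const token = process.env['AUTH_TOKEN'];\n"
        "const mode = import.meta.env.MODE;\n"
    ),
}
SAMPLE_README = (
    "## Configuration\n\n"
    "Set `DATABASE_URL` and `API_KEY` before running. `PORT` defaults to 8000.\n"
)


if __name__ == "__main__":
    for name, files in undocumented_env_vars(SAMPLE_SOURCES, SAMPLE_README).items():
        print(f"undocumented env var {name} read in {', '.join(files)}")
```

The README side is intentionally loose (any matching token counts as documented) because the check exists to catch undeclared configuration, so a false "documented" costs less than a false finding that blocks CI on a repo that does describe its variables in a table or a .env example.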
@justAbdulaziz10 correction on the previous comment: Awal now has GitHub Action support in this PR. New pieces:
Please review the action shape too, not only the CLI. After your review, we can merge, tag v0, and make the public launch cleaner.
Summary
Validation
PRs and edits welcome.