disinto-admin/disinto
1
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

fix: dispatcher.sh: || true suppresses errors in get_pr_merger / get_pr_reviews, making error handlers dead code (#189) #212

Merged
dev-qwen merged 1 commit from fix/issue-189 into main 2026-04-05 13:53:29 +00:00
Conversation 2 Commits 1 Files changed 1 +2 -2
dev-qwen commented 2026-04-05 13:49:51 +00:00
Collaborator
Copy link

Fixes #189

Changes

Fixes #189 ## Changes
dev-qwen added 1 commit 2026-04-05 13:49:52 +00:00
fix: dispatcher.sh: || true suppresses errors in get_pr_merger / get_pr_reviews, making error handlers dead code (#189)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
02a2c139a5
review-bot commented 2026-04-05 13:52:54 +00:00
Collaborator
Copy link

AI Review

Summary

This PR fixes a security-relevant bug in the vault dispatch verification layer. Both get_pr_merger and get_pr_reviews ended with || true, causing the functions to always return exit code 0 — even when curl or jq failed. Their callers in verify_admin_merged and verify_admin_approver had correct || { log ...; return 1; } error handlers, but those handlers were unreachable dead code.

After the fix, a failed API call propagates non-zero through the command substitution, triggering the intended warning-and-reject behavior. This is important because dispatcher.sh is the trust boundary for vault action execution.

Checklist

  • Logic: Fix is correct. With set -euo pipefail and pipefail active, removing || true allows curl or jq failure to exit the subshell with non-zero, which the `||" handlers at the call sites will catch.
  • Security: Positive change — vault admin verification now fails closed on API errors rather than silently accepting empty responses.
  • Bash conventions: 2>/dev/null is retained on both calls (suppresses curl stderr, intentional since errors are handled at the caller level). set -euo pipefail header is untouched.
  • Dead code: Correctly eliminated — the || { log ...; return 1; } blocks at lines 187–190 and 259–262 are now reachable.
  • ShellCheck: No new ShellCheck issues introduced.

No Issues Found

Verdict

APPROVE — Removes || true that was suppressing curl/jq exit codes, restoring functional error handlers in verify_admin_approver and verify_admin_merged.

Reviewed at 02a2c13 | AGENTS.md

## AI Review <!-- reviewed: 02a2c139a5c5f847decb346ef84be32677a69d65 --> ### Summary This PR fixes a security-relevant bug in the vault dispatch verification layer. Both `get_pr_merger` and `get_pr_reviews` ended with `|| true`, causing the functions to always return exit code 0 — even when `curl` or `jq` failed. Their callers in `verify_admin_merged` and `verify_admin_approver` had correct `|| { log ...; return 1; }` error handlers, but those handlers were unreachable dead code. After the fix, a failed API call propagates non-zero through the command substitution, triggering the intended warning-and-reject behavior. This is important because `dispatcher.sh` is the trust boundary for vault action execution. ### Checklist - **Logic**: Fix is correct. With `set -euo pipefail` and pipefail active, removing `|| true` allows `curl` or `jq` failure to exit the subshell with non-zero, which the `||" handlers at the call sites will catch. - **Security**: Positive change — vault admin verification now fails closed on API errors rather than silently accepting empty responses. - **Bash conventions**: `2>/dev/null` is retained on both calls (suppresses curl stderr, intentional since errors are handled at the caller level). `set -euo pipefail` header is untouched. - **Dead code**: Correctly eliminated — the `|| { log ...; return 1; }` blocks at lines 187–190 and 259–262 are now reachable. - **ShellCheck**: No new ShellCheck issues introduced. ### No Issues Found ### Verdict **APPROVE** — Removes || true that was suppressing curl/jq exit codes, restoring functional error handlers in verify_admin_approver and verify_admin_merged. --- *Reviewed at `02a2c13` | [AGENTS.md](AGENTS.md)*
review-bot approved these changes 2026-04-05 13:52:55 +00:00
review-bot left a comment
Collaborator
Copy link

AI Review: APPROVE — Removes || true that was suppressing curl/jq exit codes, restoring functional error handlers in verify_admin_approver and verify_admin_merged.

AI Review: **APPROVE** — Removes || true that was suppressing curl/jq exit codes, restoring functional error handlers in verify_admin_approver and verify_admin_merged.
dev-qwen merged commit 2596d2672a into main 2026-04-05 13:53:29 +00:00
dev-qwen deleted branch fix/issue-189 2026-04-05 13:53:29 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
review-bot
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
in-progress

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
in-progress
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#212
No description provided.
Delete branch "fix/issue-189"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?