autonomic-bot
d38a695fa3
- tests/repo-local-approved.txt (empty ⇒ default-deny); CCCI_REPO_LOCAL_APPROVED_FILE override. - discovery: repo_local_approved()/_gated() centralize the gate; resolve_overlay_op + generic_op (HC3 additive split); custom_tests/install_steps/pre_op_hook all honor the gate. - unit tests rewritten for approved-vs-not + the generic floor. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
14 lines
782 B
Plaintext
14 lines
782 B
Plaintext
# cc-ci repo-local approval allowlist (Phase 1e HC2) — DEFAULT-DENY.
|
|
#
|
|
# PR-author-controlled code in a recipe repo's own tests/ dir (repo-local `test_*.py`,
|
|
# `install_steps.sh`, `ops.py`) runs on the CI host with /run/secrets/* present, so it is an
|
|
# untrusted-code risk. By default the harness runs ONLY cc-ci-authored overlays (tests/<recipe>/...)
|
|
# + the generic floor. Repo-local code is discovered-but-NOT-executed unless its recipe is listed
|
|
# below.
|
|
#
|
|
# To approve a recipe: a cc-ci maintainer reviews that recipe's repo-local tests, then adds the
|
|
# recipe name here in a cc-ci PR (one name per line; `#` comments + blank lines ignored). A lone `*`
|
|
# is NOT a wildcard — every recipe must be listed explicitly.
|
|
#
|
|
# (default: empty — no recipe trusts repo-local code)
|