ci: integrate typos spell-checker into CI pipeline #7077
sirrodgepodge wants to merge 1 commit into projectdiscovery:dev from
- Add new GitHub Actions workflow (.github/workflows/typos.yaml) using the official crate-ci/typos action to catch typos in PRs and pushes
- Add _typos.toml configuration to suppress false positives from:
  - Non-English README translations (CN, ES, ID, JP, KR, PT-BR, TR)
  - Base64-encoded test data and security payloads
  - SQL injection test strings
  - Existing Go identifiers that cannot be renamed without breaking API
  - CLI flag names in help output
- Fix genuine typos found by typos:
  - server.go: PostReuestsHandlerRequest -> PostRequestsHandlerRequest
  - config.go: fiter -> filter
  - flow_executor_test.go: thant -> that

Closes projectdiscovery#6532
Neo Security Audit: Medium: 1

Medium (1): GitHub Action pinned to mutable branch reference (security impact, attack example, suggested fixes and hardening notes in the review comment below)
CodeRabbit: No actionable comments were generated in the recent review.

Walkthrough: This PR adds a typos tool configuration file with exclusion patterns and word mappings, and fixes four minor typos in code comments across three existing files. The changes support automated typo detection in the CI pipeline.

Estimated code review effort: 2 (Simple), ~10 minutes. Pre-merge checks: 4 passed, 1 warning.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: crate-ci/typos@master |
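Review bot: `actions/checkout@v4` on the step above `crate-ci/typos@master` is also a mutable reference, since a major-version tag such as `v4` is moved forward by the action's maintainers with each release; if this workflow pins `crate-ci/typos` to a full commit SHA, pin `actions/checkout` the same way (with the version noted in a trailing comment) so the job resolves to the same code on every run.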
🟡 GitHub Action pinned to mutable branch reference (CWE-829) — The crate-ci/typos action is pinned to @master, a mutable branch reference that can change without notice. An attacker who compromises the upstream repository could inject malicious code that would execute in this workflow.
Attack Example
1. Attacker compromises crate-ci/typos repository
2. Attacker pushes malicious code to master branch
3. Next workflow run pulls malicious code
4. Malicious code executes with workflow permissions
Suggested Fix
Pin to a specific commit SHA or immutable tag version:
- uses: crate-ci/typos@v1.28.3
or
- uses: crate-ci/typos@7ad296c10fa701265c8dbf73d4d2a450cd0e9fac
Pull request overview
Integrates the typos spell-checker into the GitHub Actions CI pipeline and adds repository-level configuration to reduce false positives, along with a few typo fixes in comments.
Changes:
- Added a new GitHub Actions workflow to run typos on pushes to dev, PRs, and manual dispatch.
- Added _typos.toml to exclude known-noisy paths and allow known/intentional words.
- Fixed a few comment typos in Go source/test files.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/typos.yaml | Adds CI job to run typos on pushes/PRs. |
| _typos.toml | Configures exclusions and allowed words to suppress false positives. |
| internal/server/server.go | Fixes a typo in a type comment. |
| lib/config.go | Fixes a typo in a struct field comment. |
| pkg/tmplexec/flow/flow_executor_test.go | Fixes a typo in a test comment. |
| if: ${{ !endsWith(github.actor, '[bot]') }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
actions/checkout is pinned to v4 here, but the rest of the repository’s workflows use actions/checkout@v6. Aligning on the same major version reduces drift and avoids subtle CI differences between workflows.
| - uses: actions/checkout@v4 | |
| - uses: actions/checkout@v6 |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: crate-ci/typos@master |
Using crate-ci/typos@master makes the workflow depend on a moving branch, which is a supply-chain risk and can cause unexpected CI breakages. Pin the action to a stable release tag (or, ideally, a commit SHA) instead.
| - uses: crate-ci/typos@master | |
| - uses: crate-ci/typos@v1.16.26 |
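Both review comments above ask for `crate-ci/typos` to be pinned to a release tag or, preferably, a commit SHA. As an added example (not code from this PR or from the projectdiscovery repository), the following Python checker scans a workflow for `uses:` references and reports any that resolve to a branch or a major-version alias, which is the class of problem the reviewers flagged. The sample workflow text is constructed inline from the steps quoted in the review; the 40-hex SHAs in the hardened variant are placeholders, not real commits.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not part of the PR under review. A regular expression is used
instead of a YAML library so the check runs with the standard library only.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo@ref` with optional leading dash; stop at whitespace or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str  # "sha", "version-tag" or "mutable"


def classify_ref(ref: str) -> str:
    """A full SHA is immutable; a full version tag is a release tag the owner
    could still move; anything else (branch name, major alias like v4, or no
    ref at all) follows a moving target."""
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "version-tag"
    return "mutable"


def scan_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and docker:// images are not GitHub refs.
        if target.startswith(("./", "docker://")):
            continue
        action, sep, ref = target.partition("@")
        if not sep:
            ref = ""  # no ref means the default branch is checked out
        findings.append(Finding(n, action, ref, classify_ref(ref)))
    return findings


def violations(text: str, allow_version_tags: bool = True) -> list[Finding]:
    """Findings that violate the pinning policy. With allow_version_tags=False
    only a full commit SHA is accepted."""
    rejected = {"mutable"} if allow_version_tags else {"mutable", "version-tag"}
    return [f for f in scan_workflow(text) if f.kind in rejected]


# Constructed sample: the job steps quoted in the review comments.
SAMPLE_BEFORE = """\
jobs:
  typos:
    if: ${{ !endsWith(github.actor, '[bot]') }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crate-ci/typos@master
"""

# Constructed hardened variant. The SHAs are PLACEHOLDERS, not real commits;
# a trailing comment records the human-readable version for reviewers.
SAMPLE_AFTER = """\
jobs:
  typos:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder)
      - uses: crate-ci/typos@fedcba9876543210fedcba9876543210fedcba98  # v1.28.3 (placeholder)
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        bad = violations(text)
        print(f"{label}: {len(bad)} unpinned reference(s)")
        for f in bad:
            print(f"  line {f.line_no}: {f.action}@{f.ref or '<none>'} ({f.kind})")
```

Run against the "before" sample the checker reports both steps, because `v4` and `master` both move; the "after" sample is clean. A CI gate would call `violations()` on every file under `.github/workflows/` and fail the job on a non-empty result, with `allow_version_tags=False` once the repository has settled on SHA pinning.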
Summary

Integrates the typos spell-checking tool into the CI pipeline to automatically catch typos in future PRs.

Changes

- .github/workflows/typos.yaml: Runs the official crate-ci/typos GitHub Action on pushes to dev, PRs, and manual dispatch
- _typos.toml: Suppresses false positives from:
- Typo fixes:
  - PostReuestsHandlerRequest → PostRequestsHandlerRequest (comment in server.go)
  - fiter → filter (comment in config.go)
  - thant → that (comment in flow_executor_test.go)

References