
vale-autofix-rework #570

Merged
jth-nw merged 15 commits into main from dev
Mar 19, 2026

Conversation

@jth-nw
Collaborator

@jth-nw jth-nw commented Mar 19, 2026

No description provided.

jth-nw and others added 15 commits March 19, 2026 16:19
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
8-task plan covering script creation, workflow, cleanup,
skill updates, and documentation updates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use awk instead of sed for line replacement (avoids | delimiter
  collision in markdown tables)
- Fix expected output typo (by_rule → by_category)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deterministic sed-based fixes for 18 mechanical Vale rules:
12 substitution rules and 6 removal rules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use temp file for awk line replacement to prevent backslash corruption
- Fix Please rule: skip please-note lines, remove all other please
- Add word boundaries to Checkbox pattern
- Fix stale CODE_BLOCK_LINES on skipped files
- Use mapfile for safe file path iteration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two-phase auto-fix: script fixes for mechanical rules, then
Claude for AI-judgment rules. Posts summary comment on PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaced by vale-autofix.yml which auto-fixes issues instead of
reporting them.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vale issues are now auto-fixed by the vale-autofix workflow.
This skill now handles only Dale and editorial fixes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vale issues are now auto-fixed by the vale-autofix workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vale is now handled by vale-autofix workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vale issues are now auto-fixed on PRs. Pre-push hook removed.
Inline comments removed. Updated CLAUDE.md, docs/CLAUDE.md,
CONTRIBUTING.md, and README.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comment on lines +25 to +32
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.PAT_TOKEN }}
          fetch-depth: 0

      - name: Configure git identity

Check warning

Code scanning / CodeQL

Checkout of untrusted code in trusted context Medium

Potential unsafe checkout of untrusted pull request on privileged workflow.

Copilot Autofix

AI about 14 hours ago

In general, the fix is to avoid performing privileged operations (using powerful tokens or broad write permissions) directly on untrusted PR code. For this workflow, we should remove the use of the personal access token (PAT) for checking out PR code and instead use the default GITHUB_TOKEN with the minimum required permissions. This keeps the PR checkout unprivileged while still letting the workflow commit and push changes when safe. If interaction with forks is undesired, we can also guard write operations with conditions that only allow them on same-repository PRs, but that change goes beyond what’s needed to address the flagged issue.

The minimal change that preserves existing functionality is to delete the token: ${{ secrets.PAT_TOKEN }} line in the checkout step, allowing actions/checkout@v4 to fall back to GITHUB_TOKEN. GITHUB_TOKEN is automatically provided and already governed by the permissions block (contents: write, pull-requests: write), so this should still allow the workflow to push auto-fix commits and update PRs, but removes the explicit use of a potentially over-scoped secret for untrusted code. All other logic (Vale download, file detection, auto-fix/commit steps) remains unchanged.

Concretely, in .github/workflows/vale-autofix.yml at the “Checkout PR branch” step, remove the token: line and keep ref: and fetch-depth: as-is. No additional imports, methods, or definitions are required.

Suggested changeset 1
.github/workflows/vale-autofix.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/vale-autofix.yml b/.github/workflows/vale-autofix.yml
--- a/.github/workflows/vale-autofix.yml
+++ b/.github/workflows/vale-autofix.yml
@@ -26,7 +26,6 @@
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-          token: ${{ secrets.PAT_TOKEN }}
           fetch-depth: 0
 
       - name: Configure git identity
EOF
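Review bot: deleting the token: line does not close the finding on its own. The step still checks out ref: ${{ github.event.pull_request.head.ref }}, a mutable branch name, into the job the alert describes as privileged, and the explanation above says GITHUB_TOKEN in that job is still granted contents: write and pull-requests: write by the permissions block, so untrusted PR content keeps running with push rights. Check out github.event.pull_request.head.sha instead, and gate the job (or at least the commit-and-push step) on github.event.pull_request.head.repo.full_name == github.repository so fork PRs never reach the write path. One functional caveat the patch does not mention: pushes made with GITHUB_TOKEN do not trigger further workflow runs, so an auto-fix commit pushed this way will not re-run the PR's other checks, which is likely why PAT_TOKEN was introduced; if that re-run matters, the PAT belongs on the push step only, not on the checkout of PR code.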
Unable to commit as this autofix suggestion is now outdated
        id: phase2
        if: steps.vale-remaining.outputs.remaining > 0
        continue-on-error: true
        uses: anthropics/claude-code-action@v1

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Vale Auto-Fix' step
Uses Step: phase2
uses 'anthropics/claude-code-action' with ref 'v1', not a pinned commit hash
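The two CodeQL alerts on this PR (privileged checkout of untrusted PR code, and an action referenced by a floating tag) are both detectable with a few line-oriented checks over the workflow file. The script below is an added example, not part of this repository's tooling: it audits a workflow for an unpinned uses: reference, a checkout of the mutable pull_request.head.ref, a repository secret passed as the checkout token, and a PR checkout under pull_request_target with no same-repository guard. Both workflow texts are constructed samples that mirror the flagged steps; the pull_request_target trigger, the job layout and the all-zero / all-one commit SHAs are assumptions, not the real .github/workflows/vale-autofix.yml.

```shell
#!/usr/bin/env bash
# Added example (not part of this repository): audit a GitHub Actions
# workflow for the two CodeQL findings raised on this PR. Both workflow
# texts are constructed samples; trigger, job layout and the placeholder
# commit SHAs are assumptions, not the real vale-autofix.yml.
set -eu

# Constructed "before" sample: privileged trigger, mutable PR branch ref,
# a PAT on the checkout, floating tags on both actions.
BEFORE_WORKFLOW='name: Vale Auto-Fix
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          token: ${{ secrets.PAT_TOKEN }}
          fetch-depth: 0
      - name: Vale Auto-Fix
        id: phase2
        uses: anthropics/claude-code-action@v1'

# Constructed "after" sample: job gated to same-repository PRs, immutable
# head SHA checked out with the default GITHUB_TOKEN, actions pinned to
# full commit SHAs. The all-zero / all-one SHAs are placeholders; resolve
# real ones with: git ls-remote https://github.com/actions/checkout v4
AFTER_WORKFLOW='name: Vale Auto-Fix
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  autofix:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
      - name: Vale Auto-Fix
        id: phase2
        uses: anthropics/claude-code-action@1111111111111111111111111111111111111111 # v1 (placeholder)'

# Print one finding per line as "<rule>: <offending text>". Evaluated per step:
#   unpinned-action           uses: owner/repo@ref where ref is not a 40-hex SHA
#   mutable-pr-ref            checkout of pull_request.head.ref (a branch name)
#   secret-token-on-checkout  a repository secret passed as the checkout token
#   unguarded-pr-checkout     checkout under pull_request_target with no
#                             same-repository guard on the job or the step
audit_workflow() {
  printf '%s\n' "$1" | awk '
    function reset() { uses = ""; mutable = ""; token = ""; step_guard = 0 }
    function flush(    ref) {
      if (uses == "") { reset(); return }
      ref = uses; sub(/.*@/, "", ref); sub(/[[:space:]].*/, "", ref)
      if (uses ~ /@/ && !(length(ref) == 40 && ref ~ /^[0-9a-f]+$/))
        print "unpinned-action: " uses
      if (uses ~ /actions\/checkout@/) {
        if (mutable != "") print "mutable-pr-ref: " mutable
        if (token != "")   print "secret-token-on-checkout: " token
        if (target && !(job_guard || step_guard))
          print "unguarded-pr-checkout: " uses
      }
      reset()
    }
    /pull_request_target/ { target = 1 }
    # a dashed "- key:" line opens a new step; evaluate the previous one first
    /^[[:space:]]*-[[:space:]]+[A-Za-z_-]+:/ { flush(); in_steps = 1 }
    /if:.*head\.repo\.full_name == github\.repository/ {
      if (in_steps) step_guard = 1; else job_guard = 1
    }
    /^[[:space:]]*(-[[:space:]]+)?uses:/ {
      uses = $0; sub(/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*/, "", uses)
    }
    /^[[:space:]]*ref:.*pull_request\.head\.ref/ {
      mutable = $0; sub(/^[[:space:]]*/, "", mutable)
    }
    /^[[:space:]]*token:.*secrets\./ {
      token = $0; sub(/^[[:space:]]*/, "", token)
    }
    END { flush() }
  '
}

# Number of findings, usable as a pass/fail gate in CI.
count_findings() {
  audit_workflow "$1" | wc -l | tr -d ' '
}

echo "== before =="; audit_workflow "$BEFORE_WORKFLOW"
echo "== after ==";  audit_workflow "$AFTER_WORKFLOW"
echo "before: $(count_findings "$BEFORE_WORKFLOW") findings, after: $(count_findings "$AFTER_WORKFLOW") findings"
```

The "before" sample yields five findings (two unpinned actions, the branch-name ref, the PAT on the checkout, and the unguarded checkout); the "after" sample yields none. The guard is tracked at job level as well as step level because a job-level if: protects every step, whereas an if: on one step protects only that step. Pinning to a commit SHA is what the second CodeQL alert asks for; a tag such as v1 can be moved to point at different code after review.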
@jth-nw jth-nw merged commit 48700d7 into main Mar 19, 2026
7 of 9 checks passed