38 changes: 38 additions & 0 deletions .github/renovate.json5
@@ -0,0 +1,38 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":disableDependencyDashboard",
],
"baseBranchPatterns": ["main"],
"schedule": ["on the 2nd day of the month"],
"timezone": "America/Sao_Paulo",
"prConcurrentLimit": 10,
"prHourlyLimit": 0,
"labels": ["dependencies"],
"separateMajorMinor": false,
"minimumReleaseAge": "14 days",
"internalChecksFilter": "strict",
"commitMessagePrefix": "[RENOVATE]",
"packageRules": [
{
"matchManagers": ["pep621"],
"groupName": "python-deps",
"commitMessagePrefix": "[RENOVATE] [PY]",
"matchUpdateTypes": ["minor", "patch"]
},
{
"matchManagers": ["pep621"],
"matchUpdateTypes": ["major"],
"groupName": "python-major",
"commitMessagePrefix": "[RENOVATE] [PY] [MAJOR]",
"automerge": false
},
{
"matchManagers": ["github-actions"],
"groupName": "github-actions",
"commitMessagePrefix": "[RENOVATE] [CI]",
"pinDigests": true
}
]
}
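Review bot: `"separateMajorMinor": false` works against the two `pep621` rules that split `major` from `minor`/`patch`. Per Renovate's docs, disabling it makes Renovate offer only the newest available version in a single PR instead of separate major and minor/patch PRs, so a package whose latest release is a major bump never reaches the `python-deps` group and the split becomes nominal; either drop the flag or accept that behaviour knowingly. `"automerge": false` on `python-major` is also a no-op, since nothing in this file enables automerge; if the intent is to automerge the `python-deps` group, set `"automerge": true` on that rule explicitly and keep `"minimumReleaseAge": "14 days"` with `"internalChecksFilter": "strict"` as they are, because those are what keep a freshly published (and possibly compromised) release out of an automerged PR.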
58 changes: 58 additions & 0 deletions .github/workflows/dupehound.yml
@@ -0,0 +1,58 @@
name: dupehound

on:
pull_request:
paths:
- 'src/**'
- 'tests/**'
push:
branches: [main]
paths:
- 'src/**'
- 'tests/**'

permissions:
contents: read

jobs:
check:
name: Block new duplicates
runs-on: ubuntu-latest
timeout-minutes: 5
continue-on-error: true
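Review bot: the `paths` filters on both triggers mean a PR that touches nothing under `src/` or `tests/` never starts this workflow, so if `Block new duplicates` is made a required status check those PRs sit with a permanently pending check. Either drop the `paths` filter and let `dupehound check` run on every PR (it is bounded by `timeout-minutes: 5` anyway), or add the companion "skipped paths report success" workflow that GitHub's required-checks docs describe. This only matters once the job actually gates, i.e. after `continue-on-error: true` is removed.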

P2: Remove the soft-fail from duplicate gate

GitHub's workflow syntax says job-level continue-on-error: true prevents a workflow run from failing when that job fails. Since this is set on the only job that runs dupehound check, a PR that introduces duplicates will still get a passing workflow instead of being blocked by the “Block new duplicates” check; drop this flag if the gate is meant to enforce the check.

steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: Install dupehound
run: |
curl -sL https://github.com/Rafaelpta/dupehound/releases/latest/download/dupehound-x86_64-unknown-linux-gnu.tar.gz | tar xz
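Review bot: `curl -sL ... | tar xz` has no `-f`/`--fail`, so a 404 or rate-limit response from the releases endpoint is piped as an HTML body into `tar`, which then dies with a misleading decompression error; use `curl -fsSL` so HTTP errors abort the step with their status code. Because a `run:` step without an explicit `shell:` executes under `bash -e` without `pipefail`, curl's own exit status is also discarded and only `tar`'s error surfaces; add `shell: bash` to the step to get `-o pipefail`. Both changes keep a transient download failure from looking like a corrupt archive, which becomes important once the download is pinned and checksummed.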

@cubic-dev-ai cubic-dev-ai Bot Jun 14, 2026


P2: Unpinned dupehound binary download without integrity verification introduces supply-chain and reproducibility risk

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/dupehound.yml, line 30:

<comment>Unpinned dupehound binary download without integrity verification introduces supply-chain and reproducibility risk</comment>

<file context>
@@ -0,0 +1,58 @@
+          fetch-depth: 0
+      - name: Install dupehound
+        run: |
+          curl -sL https://github.com/Rafaelpta/dupehound/releases/latest/download/dupehound-x86_64-unknown-linux-gnu.tar.gz | tar xz
+          sudo mv dupehound /usr/local/bin/
+      - name: Block new duplicates vs base
</file context>

sudo mv dupehound /usr/local/bin/
- name: Block new duplicates vs base
env:
PR_BASE: ${{ github.event.pull_request.base.ref }}
run: |
if [ -n "$PR_BASE" ]; then
dupehound check --diff "origin/$PR_BASE" .
else
dupehound check --diff HEAD~1 .
fi

scan:
name: Repo slop score
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Install dupehound
run: |
curl -sL https://github.com/Rafaelpta/dupehound/releases/latest/download/dupehound-x86_64-unknown-linux-gnu.tar.gz | tar xz
sudo mv dupehound /usr/local/bin/
- name: Scan
run: |
dupehound scan . | tee /tmp/dh-scan.txt
SCORE=$(grep -oE 'SLOP SCORE[[:space:]]+[0-9.]+%' /tmp/dh-scan.txt | head -1 | grep -oE '[0-9.]+%' || echo "n/a")
echo "## dupehound slop score" >> "$GITHUB_STEP_SUMMARY"
echo "**${SCORE}**" >> "$GITHUB_STEP_SUMMARY"
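Review bot: in the `Scan` step, `dupehound scan . | tee /tmp/dh-scan.txt` runs without `pipefail` (the default `run:` shell is `bash -e`, not `bash -eo pipefail`), so a crashing `dupehound scan` is hidden behind `tee`'s zero exit and the step passes with `n/a` written to the summary; add `shell: bash` to the step or `set -o pipefail` at the top of the script. In the `check` job, the `push` branch falls back to `--diff HEAD~1`, which on a multi-commit push compares only the last commit; `${{ github.event.before }}` holds the pre-push SHA and, combined with the existing `fetch-depth: 0`, would cover the whole push. Passing the base ref in through `env:` instead of interpolating `${{ }}` into the script is the right pattern and should stay. The `scan` job repeats the same unpinned `curl | tar xz` install, so whatever pinning and `--fail` fix lands on the first copy needs to land here too.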
20 changes: 20 additions & 0 deletions .github/workflows/renovate.yml
@@ -0,0 +1,20 @@
name: Renovate
on:
schedule:
- cron: '0 5 2 * *' # Monthly: 2nd at 05:00 UTC (02:00 BRT)
workflow_dispatch:

jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Self-hosted Renovate
uses: renovatebot/github-action@v41
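Review bot: this workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` grants, whereas `dupehound.yml` scopes itself to `contents: read`. Declare the minimum explicitly here as well; if Renovate ends up authenticating with a PAT or App token, `permissions: {}` is the right value, since the workflow's own token is then unused. `actions/checkout@v4` is also a mutable tag, unlike the SHA-pinned checkout in `dupehound.yml`; pin it to a commit SHA with the version in a trailing comment, the same way.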

@cubic-dev-ai cubic-dev-ai Bot Jun 14, 2026


P1: Third-party GitHub Action renovatebot/github-action is pinned to a mutable tag (@v41) instead of an immutable commit SHA, enabling supply-chain drift. The repo already pins actions to commit SHAs in dupehound.yml; this new workflow should follow the same pattern.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/renovate.yml, line 15:

<comment>Third-party GitHub Action `renovatebot/github-action` is pinned to a mutable tag (`@v41`) instead of an immutable commit SHA, enabling supply-chain drift. The repo already pins actions to commit SHAs in `dupehound.yml`; this new workflow should follow the same pattern.</comment>

<file context>
@@ -0,0 +1,20 @@
+        uses: actions/checkout@v4
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v41
+        with:
+          configurationFile: .github/renovate.json5
</file context>

with:
configurationFile: .github/renovate.json5
token: ${{ secrets.GITHUB_TOKEN }}

P2: Use a real Renovate token

I checked renovatebot/github-action's token docs; they state that GITHUB_TOKEN can't be used to authenticate Renovate because PRs it creates do not trigger PR/push CI. In this workflow that means scheduled dependency PRs, including the github-actions manager configured in .github/renovate.json5, can be opened without this repo's test workflows ever running, so use a PAT or GitHub App token secret such as RENOVATE_TOKEN instead.

env:
LOG_LEVEL: info
22 changes: 1 addition & 21 deletions src/browser_harness/admin.py
@@ -7,27 +7,7 @@
from pathlib import Path

from . import _ipc as ipc


def _load_env():
repo_root = Path(__file__).resolve().parents[2]
workspace = Path(os.environ.get("BH_AGENT_WORKSPACE", repo_root / "agent-workspace")).expanduser()
for p in (repo_root / ".env", workspace / ".env"):
if not p.exists():
continue
_load_env_file(p)


def _load_env_file(p):
for line in p.read_text().splitlines():
line = line.strip()
if not line or line.startswith("#") or "=" not in line:
continue
k, v = line.split("=", 1)
os.environ.setdefault(k.strip(), v.strip().strip('"').strip("'"))


_load_env()
from .helpers import _load_env, _load_env_file

NAME = os.environ.get("BU_NAME", "default")
BU_API = "https://api.browser-use.com/api/v3"
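Review bot: the module-level `_load_env()` call is deleted together with the definitions, but the replacement line only imports the functions. Unless `helpers.py` (not in this diff) calls `_load_env()` at import time, the `.env` files are no longer read before `NAME = os.environ.get("BU_NAME", "default")` is evaluated, and `BU_NAME` silently falls back to `"default"`. Either keep an explicit `_load_env()` call right after the import, or confirm that helpers does it on import and say so in a comment next to the import. `_load_env_file` is imported but no longer referenced in the shown lines, and `Path` looks unused now as well; drop the dead imports.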
23 changes: 2 additions & 21 deletions src/browser_harness/daemon.py
@@ -4,28 +4,9 @@
from pathlib import Path

from . import _ipc as ipc
from cdp_use.client import CDPClient


def _load_env():
repo_root = Path(__file__).resolve().parents[2]
workspace = Path(os.environ.get("BH_AGENT_WORKSPACE", repo_root / "agent-workspace")).expanduser()
for p in (repo_root / ".env", workspace / ".env"):
if not p.exists():
continue
_load_env_file(p)

from .helpers import _load_env, _load_env_file

def _load_env_file(p):
for line in p.read_text().splitlines():
line = line.strip()
if not line or line.startswith("#") or "=" not in line:
continue
k, v = line.split("=", 1)
os.environ.setdefault(k.strip(), v.strip().strip('"').strip("'"))


_load_env()
from cdp_use.client import CDPClient

NAME = os.environ.get("BU_NAME", "default")
SOCK = ipc.sock_addr(NAME)
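Review bot: same concern as in admin.py: the explicit `_load_env()` call is dropped and only the import of `_load_env` remains, so `NAME = os.environ.get("BU_NAME", "default")` reads the environment before any `.env` file is loaded unless `helpers` performs the loading at import time. Moving `from cdp_use.client import CDPClient` below the helpers import suggests that is the intent (so `cdp_use` sees the loaded variables), but it only achieves anything if helpers runs `_load_env()` on import; make that explicit with a call here or a comment pointing at where it happens. Also worth confirming that the relocated loader keeps the `os.environ.setdefault` semantics of the deleted code, so variables supplied by CI or the daemon's launcher still take precedence over values in a checked-out `.env`.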