Skip to content

feat: Add version logging to VM scripts for audit trail #951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
canihavesomecoffee merged 1 commit into from
Dec 23, 2025
Merged

feat: Add version logging to VM scripts for audit trail #951

canihavesomecoffee merged 1 commit into from
Dec 23, 2025

Conversation

@cfsmp3
Copy link
Contributor

@cfsmp3 cfsmp3 commented Dec 23, 2025
edited
Loading

Summary

Adds version logging to the CI VM scripts so that test logs include the ccextractor binary version (including Git commit SHA).

Changes:

  • Linux runCI: Logs ./ccextractor --version before running tests
  • Windows runCI.bat: Logs ccextractorwinfull.exe --version before running tests

This allows verification that the correct binary version was tested by checking the test logs.

Security note: This runs in the isolated GCP VMs, not on the platform server, so there's no security risk from executing the binary.

Test plan

  • Verify VM scripts have correct syntax
  • Deploy and verify version appears in test logs

🤖 Generated with Claude Code

@codecov
Copy link

codecov bot commented Dec 23, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 92.10526% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.93%. Comparing base (53b3d7f) to head (e89d17e).

Files with missing lines Patch % Lines
mod_ci/controllers.py 92.10% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #951      +/-   ##
==========================================
+ Coverage   86.88%   86.93%   +0.04%     
==========================================
  Files          35       35              
  Lines        3759     3796      +37     
  Branches      767      774       +7     
==========================================
+ Hits         3266     3300      +34     
- Misses        355      357       +2     
- Partials      138      139       +1
Flag Coverage Δ
unittests 86.93% <92.10%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cfsmp3 cfsmp3 force-pushed the fix/verify-binary-commit-sha branch from e89d17e to 423ae18 Compare December 23, 2025 17:50
@canihavesomecoffee canihavesomecoffee force-pushed the fix/verify-binary-commit-sha branch from 423ae18 to e59ebb2 Compare December 23, 2025 18:45
canihavesomecoffee
canihavesomecoffee requested changes Dec 23, 2025
View reviewed changes
@cfsmp3 cfsmp3 force-pushed the fix/verify-binary-commit-sha branch from e59ebb2 to 652c9a5 Compare December 23, 2025 19:13
@cfsmp3
Copy link
Contributor Author

cfsmp3 commented Dec 23, 2025

Thanks for the feedback @canihavesomecoffee! You're absolutely right about the security concern.

I've updated the PR to remove all server-side binary execution:

Removed:

  • _verify_binary_commit function that executed binaries on the server
  • subprocess import
  • os.chmod call to make binary executable
  • Related tests

Kept:

  • Version logging in runCI scripts (runs in isolated GCP VMs)
  • Logging of expected commit SHA for audit trail

The VM-based approach is secure because each test runs in a fresh, disposable VM that gets destroyed after the test completes. The runCI scripts already log ccextractor --version output for verification in the test logs.

@canihavesomecoffee
Copy link
Member

canihavesomecoffee commented Dec 23, 2025

@cfsmp3 it seems that this PR conflicts a little with the previous one I merged. Care to rebase and fix the merge conflict (if one arises)?

@cfsmp3 cfsmp3 force-pushed the fix/verify-binary-commit-sha branch from 652c9a5 to aef892c Compare December 23, 2025 19:29
@cfsmp3 cfsmp3 changed the title feat: Verify binary commit SHA before running tests feat: Add version logging to VM scripts for audit trail Dec 23, 2025
@cfsmp3 @claude @canihavesomecoffee
feat: Add version logging to VM scripts for audit trail
a90ade0 
- Update Linux runCI to log ccextractor --version before tests
- Update Windows runCI.bat to log ccextractorwinfull.exe --version

This ensures the binary version (including Git commit SHA) appears in
the test logs, allowing verification that the correct binary is being
tested. This runs safely in the isolated GCP VMs, not on the platform
server.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@canihavesomecoffee canihavesomecoffee force-pushed the fix/verify-binary-commit-sha branch from aef892c to a90ade0 Compare December 23, 2025 19:34
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 23, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@canihavesomecoffee canihavesomecoffee merged commit bec3f33 into master Dec 23, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@canihavesomecoffee canihavesomecoffee canihavesomecoffee approved these changes

@thealphadollar thealphadollar Awaiting requested review from thealphadollar thealphadollar is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cfsmp3 @canihavesomecoffee