Skip to content

[codex] Apply audit remediation #114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Pigbibi merged 1 commit into from
Jun 10, 2026
Merged

[codex] Apply audit remediation #114

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,13 @@ on:
branches: [ main ]
pull_request:

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -49,7 +53,7 @@ jobs:
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: "3.11"
python-version: "3.12"

- name: Install dependencies
run: |
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/dependabot_auto_merge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ jobs:
auto-merge:
if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'dependabot/')
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
pull-requests: write
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/execution-report-heartbeat.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,15 @@ env:
GCP_WORKLOAD_IDENTITY_PROVIDER: projects/401309731911/locations/global/workloadIdentityPools/github-actions/providers/github-main
GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: schwab-platform-deploy@charlesschwabquant.iam.gserviceaccount.com

concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: false

jobs:
heartbeat:
name: Check execution report heartbeat
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
id-token: write
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/runtime-guard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,15 @@ env:
GCP_WORKLOAD_IDENTITY_PROVIDER: projects/401309731911/locations/global/workloadIdentityPools/github-actions/providers/github-main
GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: schwab-platform-deploy@charlesschwabquant.iam.gserviceaccount.com

concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: false

jobs:
guard:
name: Check Cloud Run runtime
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
id-token: write
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/sync-cloud-run-env.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,15 @@ env:
GCP_RUNTIME_SERVICE_ACCOUNT: schwab-platform-runtime@charlesschwabquant.iam.gserviceaccount.com
GCP_ARTIFACT_REGISTRY_REPOSITORY: cloud-run-source-deploy

concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: false

jobs:
sync-cloud-run-env:
name: Deploy / Sync Cloud Run
runs-on: ubuntu-latest
timeout-minutes: 20

@chatgpt-codex-connector chatgpt-codex-connector Bot Jun 10, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Raise deploy job timeout above wait loop

When ENABLE_GITHUB_ENV_SYNC is true, this same job can enter the existing “Wait for Cloud Run deployment of current commit” step, which sets deadline=$((SECONDS + 1800)) and sleeps until another deployment lands the current SHA. The new 20-minute job timeout will kill the workflow before that 30-minute wait can complete, and it also has to cover checkout, dependency installation, auth, and any optional image build first, so legitimate env-sync runs can now fail before their own timeout/error handling is reached.

Useful? React with 👍 / 👎.

permissions:
contents: read
id-token: write
Expand Down
1 change: 1 addition & 0 deletions .python-version
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
3.12
13 changes: 13 additions & 0 deletions tests/test_request_handling.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,19 @@ def load_module(*, strategy_plugin_mounts_json=None, notify_lang="en"):


class RequestHandlingTests(unittest.TestCase):
def test_cloud_run_route_contracts_are_registered(self):
module = load_module()

self.assertIs(module.app._routes[("/", ("POST", "GET"))], module.handle_schwab)
self.assertIs(
module.app._routes[("/precheck", ("POST", "GET"))],
module.handle_schwab_precheck,
)
self.assertIs(
module.app._routes[("/probe", ("POST", "GET"))],
module.handle_schwab_probe,
)

def test_handle_schwab_returns_market_closed(self):
module = load_module()
module.get_client_from_secret = lambda *args, **kwargs: object()
Expand Down