docs(github): prefer gh CLI shallow clones over raw HTTPS#128
Merged
spashii added a commit that referenced this pull request on Jun 28, 2026:
…audit) (#130)

## What

Adds `CVE-2026-48818` and `CVE-2026-54283` (starlette HIGH) to `.trivyignore` with rationale.

## Why

A trivy DB update started flagging `starlette 0.52.1` with two HIGH CVEs, failing the **container scan** on **every open PR** — including docs-only PRs (#124, #125, #127, #128) and blocking the merge queue entirely.

`starlette` is a **transitive** dependency (via `google-adk`'s optional FastAPI dev-server). Sam imports no starlette and exposes **no ASGI/FastAPI app** — its only HTTP surface (`/healthz`, `/github/webhook`) runs on **aiohttp**, and the GitHub edge proxy is a separate Cloud Function. Both CVE paths (StaticFiles SSRF; starlette request handling) are unreachable.

A direct bump isn't clean: starlette is capped by `google-adk 1.34.0`'s fastapi pin. Ignored with rationale (same pattern as the existing `gh`/krb5 entries); to be dropped when `google-adk` bumps its floor.

## Unblocks

All 6 stuck PRs, and the next deploy of `main` to Cloud Run.

Co-authored-by: sam-dembrane <sam-dembrane@sam2ks-MacBook-Pro.local>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
spashii approved these changes on Jul 1, 2026.
**What is this change?**

Docs update to `src/capabilities/github.md` directing Sam to prefer `gh repo clone <repo> /tmp/<dest> -- --depth 1` over raw HTTPS `git clone`.

**What did Sam notice that led to this?**
Experienced multiple massive 300s timeouts on raw HTTPS `git clone` and `git config`/`fetch` in session `df7a48a40521`, and a 63s slow-down in `97d47ce0bbbb` during `git pull`. Clarified that `gh` CLI shallow clones succeed where raw HTTPS git clones repeatedly time out, and using `--head` on `gh pr create` bypasses the remote branch tracking setup, which also avoids slow `git fetch` issues.
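The clone-and-PR pattern this docs change recommends, as an added shell wrapper that is not part of the PR or of the project's own code. The `CLONE_TIMEOUT` value, the `/tmp/<owner>__<name>` destination layout and the function names are assumptions made here; `gh repo clone ... -- --depth 1` and `gh pr create --head` are the real `gh` invocations the PR describes.

```shell
#!/bin/sh
# Added example (not from the PR). Wall-clock limit for a clone, in seconds:
# an assumed value, chosen to stay well under the 300s hangs seen on raw HTTPS.
CLONE_TIMEOUT="${CLONE_TIMEOUT:-120}"

# Map "owner/name" to a deterministic scratch directory under /tmp
# (assumed layout; the PR only says "/tmp/<dest>").
clone_dest() {
    printf '/tmp/%s\n' "$(printf '%s' "$1" | sed 's#/#__#g')"
}

# Run a command under coreutils `timeout` when it is available, so a hanging
# transport fails fast instead of blocking a session for minutes.
with_timeout() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$CLONE_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# Shallow clone through the gh CLI (authenticated, depth 1) instead of a raw
# HTTPS `git clone`. Everything after `--` is passed straight to git.
gh_shallow_clone() {
    repo="$1"
    dest="${2:-$(clone_dest "$repo")}"
    with_timeout gh repo clone "$repo" "$dest" -- --depth 1
}

# Open a PR naming the head branch explicitly, so gh does not set up remote
# branch tracking (and does not wait on a slow `git fetch`) to discover it.
gh_pr_create_head() {
    branch="$1"; title="$2"; body="$3"
    gh pr create --head "$branch" --title "$title" --body "$body"
}

# Usage:
#   gh_shallow_clone OWNER/REPO            # clones into /tmp/OWNER__REPO
#   gh_pr_create_head my-branch "Title" "Body text"
```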