docs(github): prefer gh CLI shallow clones over raw HTTPS#128

Merged
dembrane-sam-bot merged 3 commits into main from sam/update-github-shallow-clone-pattern
Jul 1, 2026

@dembrane-sam-bot

What is this change?

Docs update to `src/capabilities/github.md` directing Sam to prefer `gh repo clone <repo> /tmp/<dest> -- --depth 1` over raw HTTPS `git clone`.

What did Sam notice that led to this?

Experienced multiple massive 300s timeouts on raw HTTPS `git clone` and `git config`/`fetch` in session df7a48a40521, and a 63s slow-down in 97d47ce0bbbb during `git pull`. Clarified that gh CLI shallow clones succeed where raw HTTPS git clones repeatedly time out, and using `--head` on `gh pr create` bypasses the remote branch tracking setup which also avoids slow `git fetch` issues.

  • Tier: 1 (prose capability)
  • Confidence: High

spashii added a commit that referenced this pull request Jun 28, 2026
…audit) (#130)

## What
Adds `CVE-2026-48818` and `CVE-2026-54283` (starlette HIGH) to
`.trivyignore` with rationale.

## Why
A trivy DB update started flagging `starlette 0.52.1` with two HIGH
CVEs, failing the **container scan** on **every open PR** — including
docs-only PRs (#124, #125, #127, #128) and blocking the merge queue
entirely.

`starlette` is a **transitive** dependency (via `google-adk`'s optional
FastAPI dev-server). Sam imports no starlette and exposes **no
ASGI/FastAPI app** — its only HTTP surface (`/healthz`,
`/github/webhook`) runs on **aiohttp**, and the GitHub edge proxy is a
separate Cloud Function. Both CVE paths (StaticFiles SSRF; starlette
request handling) are unreachable.

A direct bump isn't clean: starlette is capped by `google-adk 1.34.0`'s
fastapi pin. Ignored with rationale (same pattern as the existing
`gh`/krb5 entries); to be dropped when `google-adk` bumps its floor.

## Unblocks
All 6 stuck PRs, and the next deploy of `main` to Cloud Run.

Co-authored-by: sam-dembrane <sam-dembrane@sam2ks-MacBook-Pro.local>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
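
The practice the commit message above describes (suppress with a written rationale and a condition for dropping the entry) can be enforced in CI. This is an added example, not code from this repository: the sample file contents, the placeholder ID `CVE-0000-00001`, the dates and the block-comment policy are assumptions; `exp:` is Trivy's expiry syntax for `.trivyignore` entries.

```python
from datetime import date

# Constructed sample, not the project's real .trivyignore. The two starlette
# IDs come from the commit message; CVE-0000-00001 is a placeholder and all
# exp: dates are invented for the demonstration.
SAMPLE = """\
# starlette is transitive via google-adk; no ASGI/FastAPI app is exposed.
# Drop when google-adk raises its starlette floor.
CVE-2026-48818 exp:2026-12-31
CVE-2026-54283

CVE-0000-00001 exp:2026-01-01
"""
SAMPLE_TODAY = date(2026, 7, 1)  # fixed so the result is reproducible


def audit(text, today):
    """Return (line_no, vuln_id, problem) for entries that break the policy.

    Assumed policy: a comment in the same blank-line-delimited block, above
    the entry, is its rationale; every entry needs an unexpired exp: date.
    """
    findings = []
    commented = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:              # blank line ends the current block
            commented = False
            continue
        if line.startswith("#"):
            commented = True
            continue
        vuln_id, *fields = line.split()
        expiry = next((f[4:] for f in fields if f.startswith("exp:")), None)
        if not commented:
            findings.append((line_no, vuln_id, "no rationale comment"))
        if expiry is None:
            findings.append((line_no, vuln_id, "no expiry date"))
        elif date.fromisoformat(expiry) < today:
            findings.append((line_no, vuln_id, "suppression expired"))
    return findings


if __name__ == "__main__":
    for line_no, vuln_id, problem in audit(SAMPLE, SAMPLE_TODAY):
        print(f".trivyignore:{line_no}: {vuln_id}: {problem}")
```

An expiry date turns "to be dropped when the upstream pin moves" into a check that fails the build, so the suppression cannot outlive its rationale unnoticed.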
@dembrane-sam-bot dembrane-sam-bot added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit 5dadbdd Jul 1, 2026
2 checks passed
@dembrane-sam-bot dembrane-sam-bot deleted the sam/update-github-shallow-clone-pattern branch July 1, 2026 08:17