Merged
14 changes: 12 additions & 2 deletions .github/workflows/refresh-baselines.yml
Expand Up @@ -14,8 +14,18 @@ jobs:
ANON_KEY: ${{ secrets.SUPABASE_ANON_KEY }}
SECRET: ${{ secrets.REFRESH_SECRET }}
run: |
curl -s -f -X POST \
response=$(mktemp)

Copilot AI Apr 19, 2026

mktemp response file is never removed. Add a trap (e.g., on EXIT) to rm -f "$response" so repeated scheduled runs don’t accumulate temp files on the runner (and to keep logs/behavior consistent if the script exits early).

Suggested change
response=$(mktemp)
response=$(mktemp)
trap 'rm -f "$response"' EXIT

http_code=$(curl -sS -X POST \
-o "${response}" \
-w "%{http_code}" \
"${FUNCTION_URL}/refresh-baselines" \
-H "Authorization: Bearer ${ANON_KEY}" \
-H "x-refresh-secret: ${SECRET}" \
-H "Content-Type: application/json"
-H "Content-Type: application/json")

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/refresh-baselines.yml

Repository: mmmprod/claude-eta

Length of output: 1177


🌐 Web query:

curl timeouts best practices GitHub Actions workflow

💡 Result:

Best practices for handling curl timeouts in GitHub Actions workflows:

1. Use curl's built-in timeout flags:
   - --connect-timeout SECONDS: Limits connection time (e.g., 10s for connect, recommended 5-30s based on network).
   - --max-time SECONDS: Total operation timeout (e.g., 60s for APIs, longer for large downloads).
   Example:
       - name: Fetch data
         run: curl --connect-timeout 10 --max-time 60 --retry 3 --retry-delay 5 https://example.com/api/data
2. Add retries with exponential backoff using --retry and --retry-delay.
3. Set step-level timeouts with timeout-minutes:
       - name: Curl step
         timeout-minutes: 5
         run: curl ...
4. Set job-level timeouts:
       jobs:
         fetch:
           timeout-minutes: 30
           steps:
             - run: curl ...
5. For large downloads or slow networks, increase --max-time and use job timeouts. Default job timeout is 360 minutes.
6. Use dedicated curl actions like indiesdev/curl@v1 which support timeout and retries natively:
       - uses: indiesdev/curl@v1
         with:
           url: https://example.com
           timeout: 30000 # ms
           retries: 3

curl has no timeout by default, so always specify. Test values based on expected response times + network variability. Monitor logs for timeout error 28.

Add explicit timeouts to curl.

Without --connect-timeout and --max-time, this scheduled job can hang indefinitely in case of network latency or a slow function. According to curl best practices, it is essential to set time limits for external calls.

Proposed patch
-          http_code=$(curl -sS -X POST \
+          http_code=$(curl -sS -X POST \
+            --connect-timeout 10 \
+            --max-time 60 \
             -o "${response}" \
             -w "%{http_code}" \
             "${FUNCTION_URL}/refresh-baselines" \
             -H "Authorization: Bearer ${ANON_KEY}" \
             -H "x-refresh-secret: ${SECRET}" \
             -H "Content-Type: application/json")
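
Review bot: the `--max-time 60` added in this patch does not match the `--max-time 30` given in the agent prompt for the same finding, so settle on one value before committing. A step-level `timeout-minutes` on this `run` step, as listed in the query result above, would still bound the job if the curl flags are later edited out.
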
📝 Committable suggestion

Suggested change
http_code=$(curl -sS -X POST \
-o "${response}" \
-w "%{http_code}" \
"${FUNCTION_URL}/refresh-baselines" \
-H "Authorization: Bearer ${ANON_KEY}" \
-H "x-refresh-secret: ${SECRET}" \
-H "Content-Type: application/json"
-H "Content-Type: application/json")
http_code=$(curl -sS -X POST \
--connect-timeout 10 \
--max-time 60 \
-o "${response}" \
-w "%{http_code}" \
"${FUNCTION_URL}/refresh-baselines" \
-H "Authorization: Bearer ${ANON_KEY}" \
-H "x-refresh-secret: ${SECRET}" \
-H "Content-Type: application/json")
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/refresh-baselines.yml around lines 18 - 24, the curl
command used to populate the http_code variable (the substitution that POSTs to
"${FUNCTION_URL}/refresh-baselines") has no explicit timeouts; add options such
as --connect-timeout <seconds> and --max-time <seconds> to this curl call
(e.g. --connect-timeout 10 --max-time 30) so that the scheduled job does not
hang in case of network latency or a slow function.

echo "HTTP ${http_code}"
echo "Response body:"
cat "${response}"
echo
if [ "${http_code}" -ge 400 ]; then

Copilot AI Apr 19, 2026

The script always prints the full response body, even on success. Consider only dumping the body when http_code is >= 400 (or truncating it), to avoid noisy logs and potential accidental leakage if the endpoint ever returns verbose/internal error details on 2xx responses.

Suggested change
echo "Response body:"
cat "${response}"
echo
if [ "${http_code}" -ge 400 ]; then
if [ "${http_code}" -ge 400 ]; then
echo "Response body:"
cat "${response}"
echo

exit 1
Comment on lines +36 to +40

Copilot AI Apr 19, 2026

If curl fails before producing an HTTP code (e.g., DNS/TLS error), http_code may be empty/non-numeric and [ "${http_code}" -ge 400 ] will error with “integer expression expected”. Guard for a numeric code (or treat empty as failure) so the step fails with a clearer message.

fi
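
Review bot: the final check `if [ "${http_code}" -ge 400 ]` fails the step only on 4xx/5xx, so a 3xx redirect (curl is called without `-L`, so it is not followed) is logged and then treated as a successful refresh. Consider accepting only 2xx instead, for example `case "${http_code}" in 2??) ;; *) exit 1 ;; esac`, which also rejects an empty or non-numeric value without tripping the `[` integer error.
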
Comment on lines +17 to +41

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the workflow file
find . -name "refresh-baselines.yml" -type f

Repository: mmmprod/claude-eta

Length of output: 103


🏁 Script executed:

# Check the full context of the workflow file
if [ -f ".github/workflows/refresh-baselines.yml" ]; then
  cat -n ".github/workflows/refresh-baselines.yml"
fi

Repository: mmmprod/claude-eta

Length of output: 1177


🏁 Script executed:

# Verify the shell syntax of the proposed patch by checking if it's valid bash
python3 << 'EOF'
import subprocess
import tempfile

# Test the proposed patch logic
test_script = '''#!/bin/bash
set -e

response=$(mktemp)
trap 'rm -f "${response}"' EXIT
set +e
http_code=$(curl -sS -X POST \
  -o "${response}" \
  -w "%{http_code}" \
  "http://httpbin.org/status/200" \
  -H "Content-Type: application/json")
curl_exit=$?
set -e

echo "HTTP ${http_code}"
echo "Response body:"
cat "${response}"
echo

if [ "${curl_exit}" -ne 0 ]; then
  echo "curl transport error: exit ${curl_exit}"
  exit "${curl_exit}"
fi
if [ "${http_code}" -ge 400 ]; then
  exit 1
fi
'''

# Check if bash can parse it
result = subprocess.run(['bash', '-n'], input=test_script.encode(), capture_output=True)
if result.returncode == 0:
    print("✓ Proposed patch syntax is valid")
else:
    print("✗ Syntax error in proposed patch:")
    print(result.stderr.decode())
EOF

Repository: mmmprod/claude-eta

Length of output: 94


Handle curl transport errors explicitly to preserve diagnostics.

If curl hits a transport error (DNS, TLS, timeout), the script stops immediately before printing the logs. This eliminates the diagnostics this PR aims to expose.

Proposed patch
-          response=$(mktemp)
-          http_code=$(curl -sS -X POST \
+          response=$(mktemp)
+          trap 'rm -f "${response}"' EXIT
+          set +e
+          http_code=$(curl -sS -X POST \
             -o "${response}" \
             -w "%{http_code}" \
             "${FUNCTION_URL}/refresh-baselines" \
             -H "Authorization: Bearer ${ANON_KEY}" \
             -H "x-refresh-secret: ${SECRET}" \
             -H "Content-Type: application/json")
+          curl_exit=$?
+          set -e
           echo "HTTP ${http_code}"
           echo "Response body:"
           cat "${response}"
           echo
+          if [ "${curl_exit}" -ne 0 ]; then
+            echo "curl transport error: exit ${curl_exit}"
+            exit "${curl_exit}"
+          fi
           if [ "${http_code}" -ge 400 ]; then
             exit 1
           fi
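
Review bot: the curl call in this patch carries no `--connect-timeout` or `--max-time`, while the earlier suggestion on the same lines adds them; the two replace the same call and cannot both be applied as written, so merge them into one change. The `echo "HTTP ${http_code}"` and `cat "${response}"` lines also still run before the `curl_exit` check, so moving the `curl_exit` block above them would put the transport error first in the log.
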
📝 Committable suggestion

Suggested change
response=$(mktemp)
http_code=$(curl -sS -X POST \
-o "${response}" \
-w "%{http_code}" \
"${FUNCTION_URL}/refresh-baselines" \
-H "Authorization: Bearer ${ANON_KEY}" \
-H "x-refresh-secret: ${SECRET}" \
-H "Content-Type: application/json"
-H "Content-Type: application/json")
echo "HTTP ${http_code}"
echo "Response body:"
cat "${response}"
echo
if [ "${http_code}" -ge 400 ]; then
exit 1
fi
response=$(mktemp)
trap 'rm -f "${response}"' EXIT
set +e
http_code=$(curl -sS -X POST \
-o "${response}" \
-w "%{http_code}" \
"${FUNCTION_URL}/refresh-baselines" \
-H "Authorization: Bearer ${ANON_KEY}" \
-H "x-refresh-secret: ${SECRET}" \
-H "Content-Type: application/json")
curl_exit=$?
set -e
echo "HTTP ${http_code}"
echo "Response body:"
cat "${response}"
echo
if [ "${curl_exit}" -ne 0 ]; then
echo "curl transport error: exit ${curl_exit}"
exit "${curl_exit}"
fi
if [ "${http_code}" -ge 400 ]; then
exit 1
fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/refresh-baselines.yml around lines 17 - 31, the current
script calls curl into http_code=$(curl -sS -X POST -o "${response}" -w
"%{http_code}" ...) but does not expose transport errors (DNS/TLS/timeout)
if curl fails; modify the call to also capture curl's error output
(redirect stderr to a second temporary file), do not let the shell
abort prematurely, then check curl's exit code ($?) after
the call; if curl failed, print "Response body:" and the contents of
"${response}" as well as the stderr error file, then exit 1; keep
using "${FUNCTION_URL}", "${ANON_KEY}", "${SECRET}" and the
http_code variable for valid HTTP responses.
