Dismiss CodeQL #14 with documented rationale + guard test

CodeQL alert #14 (untrusted-checkout-toctou/critical) is the third
re-fire of the same rule family on this workflow (#11/#12 → #13 → #14).
PR #427's fork-skip gate was load-bearing for #11/#12 but the rule
re-classified as #14 at a shifted line range with escalated severity.

A structural fix (checkout BASE_SHA only; `git show` for PR-head reads)
would close the rule cleanly but degrade reviewer quality: pr_review.md
explicitly instructs Codex to `grep -n "pattern" diff_diff/*.py` for
pattern-consistency checks, and Codex's `sandbox: read-only` lets it
inspect workspace files. Under restructure, those operations would
search BASE content, missing patterns added in the PR.

Workarounds that materialize PR-head content via non-`actions/checkout`
mechanisms (git worktree, overlay) satisfy CodeQL's pattern matcher
without changing runtime risk — security theater dressed up.

The honest path: dismiss with documented rationale + guard test.

The actual threat model accepted by the dismissal:
- Codex runs with sandbox: read-only — can read PR-head files, cannot
  execute or write them
- head_sha is API-pinned in the resolve-pr step before checkout; TOCTOU
  window is sub-second and bounded by the is_fork gate
- Same-repo PR contributors who can push to PR head branches already
  have write access to push to main; the checkout doesn't expand
  attack surface
- Fork PRs are skipped entirely (PR #427 fork-skip gate)

The dismissal becomes invalid only if a future workflow edit adds a
step that EXECUTES PR-head content. Guard test
TestWorkflowDoesNotExecutePRHeadCode in tests/test_openai_review.py
fails CI on any of: pip install, pytest, npm install, cargo run/test,
make, ./configure, maturin develop/build, poetry install/run, pdm,
uv sync/run, tox, setup.py, etc. The maturin entries are load-bearing
for this repo (Rust build per CLAUDE.md is the most likely future
regression vector).

The dismissal API call (gh api PATCH .../code-scanning/alerts/14) will
be run post-merge, separately from this PR.

Author: igerber

.github/workflows/ai_pr_review.yml

@@ -55,6 +55,40 @@ jobs:
       )
 
     steps:
+      # ─────────────────────────────────────────────────────────────────
+      # CodeQL alert #14 (untrusted-checkout-toctou/critical) was
+      # dismissed on 2026-05-14 as "won't fix" with the rationale
+      # documented below. The dismissal is valid ONLY while ALL of
+      # the following hold:
+      #   1. The Codex action runs with sandbox: read-only (see the
+      #      Run Codex step below). No step EXECUTES PR-head FILE
+      #      BYTES — no `pip install -e .`, `pytest`, `npm install`,
+      #      `cargo run`, `make`, `./configure`, `maturin develop`,
+      #      or `python3 <pr-file>.py` against checked-out PR-head
+      #      files. Inline `python3 -c '...'` invocations operating
+      #      on sanitized environment variables (PR_TITLE, PR_BODY,
+      #      PREV_REVIEW) are SAFE — the script body comes from base,
+      #      not from PR head.
+      #   2. The fork-skip gate (`is_fork == 'false'`) gates every
+      #      post-resolve step, including both actions/checkout
+      #      invocations.
+      #   3. The author_association check on issue_comment /
+      #      review-comment events restricts triggers to
+      #      OWNER/MEMBER/COLLABORATOR.
+      #   4. head_sha is API-pinned in this resolve-pr step before
+      #      checkout.
+      #
+      # If you are adding a step that VIOLATES any of these
+      # invariants, this dismissal is invalid. Either remove the
+      # offending step OR restructure the workflow to checkout
+      # BASE_SHA only and use `git show` for PR-head reads (degrades
+      # reviewer quality — see plan archive).
+      #
+      # Guard test: tests/test_openai_review.py
+      #   ::TestWorkflowDoesNotExecutePRHeadCode
+      # CI fails closed if a forbidden execution pattern is
+      # introduced.
+      # ─────────────────────────────────────────────────────────────────
       - name: Resolve PR number + metadata
         id: pr
         uses: actions/github-script@v9

tests/test_openai_review.py

@@ -2665,6 +2665,103 @@ def test_workflow_post_resolve_steps_gated_on_is_fork(self, workflow_text):
         )
 
 
+class TestWorkflowDoesNotExecutePRHeadCode:
+    """Guards CodeQL #14 dismissal — see the workflow comment block above
+    the resolve-pr step in `.github/workflows/ai_pr_review.yml` for the
+    full rationale and invalidation conditions. The dismissal accepts
+    that the workflow CHECKS OUT PR-head content but is valid only
+    while the workflow does not EXECUTE that content."""
+
+    FORBIDDEN_EXECUTION_PATTERNS = (
+        "pip install",
+        "pytest",
+        "npm install",
+        "yarn install",
+        "cargo run",
+        "cargo test",
+        "make ",
+        "./configure",
+        "bundle exec",
+        "rake ",
+        "go test",
+        "go run",
+        "maturin develop",
+        "maturin build",
+        "poetry install",
+        "poetry run",
+        "pdm install",
+        "pdm run",
+        "uv sync",
+        "uv run",
+        "tox",
+        "setup.py",
+    )
+
+    @pytest.fixture
+    def workflow_text(self):
+        assert _SCRIPT_PATH is not None
+        repo_root = _SCRIPT_PATH.parent.parent.parent
+        wf = repo_root / ".github" / "workflows" / "ai_pr_review.yml"
+        if not wf.exists():
+            pytest.skip("workflow not found")
+        return wf.read_text()
+
+    def test_workflow_run_blocks_have_no_forbidden_execution_patterns(
+        self, workflow_text
+    ):
+        """If this fails, the CodeQL #14 dismissal is invalid. Either
+        remove the offending step or restructure per the dismissed plan
+        (checkout BASE_SHA only + git show for PR-head)."""
+        import re
+
+        # Match every `run: |` block's body. The body is the indented
+        # content following `run: |` until the next step (next `      - `
+        # at 6-space indent) or end of file. Body lines are at 10+ space
+        # indent (the `run: |` itself is at 8-space step-property indent;
+        # block scalars indent further).
+        run_block_re = re.compile(
+            r"^\s+run:\s*\|\s*\n((?:^(?:[ ]{8,}|\s*$).*\n?)*)",
+            re.MULTILINE,
+        )
+        run_blocks = run_block_re.findall(workflow_text)
+        assert run_blocks, "No `run:` blocks found — extraction regex broke"
+
+        violations = []
+        for i, block in enumerate(run_blocks):
+            for pattern in self.FORBIDDEN_EXECUTION_PATTERNS:
+                if pattern in block:
+                    snippet = next(
+                        (line for line in block.splitlines() if pattern in line),
+                        "",
+                    ).strip()
+                    violations.append(
+                        f"run-block #{i}: forbidden pattern {pattern!r} in: {snippet}"
+                    )
+        assert not violations, (
+            "CodeQL #14 dismissal invalidated by forbidden execution "
+            "patterns in workflow run blocks:\n" + "\n".join(violations)
+            + "\nSee `.github/workflows/ai_pr_review.yml` comment block "
+            "above the resolve-pr step for context."
+        )
+
+    def test_workflow_dismissal_comment_block_present(self, workflow_text):
+        """The comment block that documents the #14 dismissal must stay
+        attached to the workflow file. If a future edit removes it, the
+        rationale lives only in the GitHub Security UI's
+        dismissed_comment field — easy to lose track of."""
+        assert "CodeQL alert #14" in workflow_text, (
+            "Workflow must keep the #14 dismissal rationale comment "
+            "block above the resolve-pr step."
+        )
+        assert "won't fix" in workflow_text, (
+            "Comment block must cite the dismissal reason for grep-ability."
+        )
+        assert "TestWorkflowDoesNotExecutePRHeadCode" in workflow_text, (
+            "Workflow comment must reference this guard test by name so "
+            "future maintainers can find it."
+        )
+
+
 class TestExtractResponseText:
     def test_prefers_output_text_field(self, review_mod):
         result = {"output_text": "Direct text.", "output": []}