Merged
Conversation
Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>
Signed-off-by: Paulo Gomes <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds integrity validation for Git pack/idx handling by verifying checksums and cross-file consistency (pack hash ↔ idx pack checksum), with new regression tests covering corrupted pack/idx scenarios.
Changes:
- Validate pack trailer checksum during pack scanning and surface “malformed PACK” errors on corruption.
- Validate idx checksum during idx decoding and verify idx pack checksum matches the target pack hash in filesystem storage.
- Add new tests for checksum mismatches and pack/idx mismatch behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
storage/filesystem/object_test.go |
Adds test that an idx file belonging to a different pack triggers a malformed idx error. |
storage/filesystem/object.go |
Adds packfile/idx cross-check (idx’s recorded pack checksum must match target pack hash). |
plumbing/format/packfile/scanner.go |
Adds running hash computation and checksum verification for pack trailer. |
plumbing/format/packfile/parser_test.go |
Adds tests for pack checksum mismatch and truncated pack behavior. |
plumbing/format/packfile/parser.go |
Wraps EOF-related errors as malformed PACK errors. |
plumbing/format/idxfile/decoder_test.go |
Adds test for idx checksum mismatch. |
plumbing/format/idxfile/decoder.go |
Adds idx checksum verification during decode (via TeeReader hashing). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
hiddeco
approved these changes
Feb 9, 2026
arthurzam
pushed a commit
to gentoo-golang-dist/forgejo-runner
that referenced
this pull request
Feb 19, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.16.4` -> `v5.16.5` |  |  | --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.16.5`](https://github.com/go-git/go-git/releases/tag/v5.16.5) [Compare Source](go-git/go-git@v5.16.4...v5.16.5) #### What's Changed - build: Update module golang.org/x/crypto to v0.45.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#​1744](go-git/go-git#1744) - build: Bump Go test versions to 1.23-1.25 (v5) by [@​pjbgf](https://github.com/pjbgf) in [#​1746](go-git/go-git#1746) - \[v5] git: worktree, Don't delete local untracked files when resetting worktree by [@​Ch00k](https://github.com/Ch00k) in [#​1800](go-git/go-git#1800) - Expand packfile checks by [@​pjbgf](https://github.com/pjbgf) in [#​1836](go-git/go-git#1836) **Full Changelog**: <go-git/go-git@v5.16.4...v5.16.5> </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIktpbmQvRGVwZW5kZW5jeVVwZGF0ZSIsInJ1bi1lbmQtdG8tZW5kLXRlc3RzIl19--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1365 Reviewed-by: Mathieu Fenniak <[email protected]> Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduces additional checks across pack and idx files.