Description
Conformance Check Failure
Check ID: Script Infrastructure Bug
Severity: HIGH
Category: Implementation
Problem Description
The conformance checker script `scripts/check-safe-outputs-conformance.sh` uses `set -euo pipefail` alongside `((VAR++))` arithmetic expressions in its logging functions. In bash, the exit status of `((VAR++))` is derived from the expression's value, which for a post-increment is the old value of VAR: a non-zero value gives exit status 0, and a value of 0 gives exit status 1. When VAR is 0, `((VAR++))` therefore evaluates to 0 (falsy) and returns 1, causing `set -e` to terminate the entire script immediately after the first counter increment.
This means the script halts after the first failure is logged — before completing SEC-004, SEC-005, USE-001 through USE-003, REQ-001 through REQ-003, IMP-001 through IMP-003 — and exits with code 1 (indicating HIGH failures) even when no HIGH failures exist, purely due to the arithmetic exit code.
Secondary issues in the same script:
- The `IMP-002` check searches for `computePermissionsForSafeOutputs` (camelCase) but the actual exported Go function is `ComputePermissionsForSafeOutputs` (PascalCase), causing a permanent false positive.
- The `SEC-003` check applies the max-limit pattern to all `*.cjs` files (including fuzz harnesses, utility files, and test helpers) rather than scoping to safe-output handlers only. Additionally, the actual limit enforcement functions (`enforceArrayLimit`, `tryEnforceArrayLimit`) in `limit_enforcement_helpers.cjs` are not matched by the check pattern, creating false positives for any file that imports and delegates to that module.
Affected Components
- Files: `scripts/check-safe-outputs-conformance.sh` (lines 22–40: logging functions; line 92: `check_validation_ordering`; line 115: `check_max_limits`; line 344: `check_permission_computation`)
Current Behavior
```bash
# These logging functions exit the script when the counter is 0:
log_medium() {
    echo -e "${YELLOW}[MEDIUM]${NC} $1"
    ((MEDIUM_FAILURES++)) # exits 1 when MEDIUM_FAILURES was 0
}
```

When `log_medium` is first called, `((MEDIUM_FAILURES++))` returns exit code 1 (the old value 0 is falsy), and `set -e` terminates the script. All subsequent checks are skipped, and HIGH/CRITICAL failures go undetected.
Expected Behavior
All 13 conformance checks (SEC-001 through IMP-003) should run to completion. Counter increments should not cause early termination.
Remediation Steps
This task can be assigned to a Copilot coding agent with the following steps:
- Replace all `((VAR++))` arithmetic expressions in logging functions with `VAR=$((VAR+1))` (POSIX-safe increment that always returns exit 0):
  - `((CRITICAL_FAILURES++))` → `CRITICAL_FAILURES=$((CRITICAL_FAILURES+1))`
  - `((HIGH_FAILURES++))` → `HIGH_FAILURES=$((HIGH_FAILURES+1))`
  - `((MEDIUM_FAILURES++))` → `MEDIUM_FAILURES=$((MEDIUM_FAILURES+1))`
  - `((LOW_FAILURES++))` → `LOW_FAILURES=$((LOW_FAILURES+1))`
  - `((sections_found++))` → `sections_found=$((sections_found+1))`
- Fix the `IMP-002` check (line ~345) to use the correct PascalCase function name: change `computePermissionsForSafeOutputs` to `ComputePermissionsForSafeOutputs`.
- Fix the `SEC-003` check to exclude non-handler files. Add filter patterns for fuzz harnesses, test files, and utilities (e.g., `fuzz_`, `_helpers`, `constants`, `error_`, `messages`, `sanitize_`), or maintain an explicit allowlist of files that require max limit enforcement.
- Update the `SEC-003` check pattern to also recognize `enforceArrayLimit\|tryEnforceArrayLimit` (the actual functions exported from `limit_enforcement_helpers.cjs`).
Verification
After remediation, verify by running:
```bash
bash scripts/check-safe-outputs-conformance.sh
```

The script should run all 13 checks to completion, exit with the correct code, and not false-positive on `IMP-002` or the utility files in `SEC-003`.
References
- Conformance Checker: `scripts/check-safe-outputs-conformance.sh`
- Limit enforcement module: `actions/setup/js/limit_enforcement_helpers.cjs`
- Permission computation: `pkg/workflow/safe_outputs_permissions.go` (function: `ComputePermissionsForSafeOutputs`)
- Run ID: §22281286232
- Date: 2026-02-22
Generated by Daily Safe Outputs Conformance Checker
- expires on Feb 23, 2026, 5:01 PM UTC
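
A minimal reproduction of the early exit described under Current Behavior, next to the `VAR=$((VAR+1))` replacement from the remediation steps. This is an added example, not code from the repository: `run_checker`, the three-check loop and the findings it logs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: names, checks and counters below are constructed for illustration.

# Run a three-check miniature checker in a child bash under `set -euo pipefail`.
# $1 = increment style: "post" uses ((N++)), "assign" uses N=$((N+1)).
# Prints "ran=<checks executed> medium=<counter>"; returns the child's exit status.
run_checker() {
  bash -c '
    set -euo pipefail
    style=$1
    MEDIUM_FAILURES=0
    ran=0
    # Report progress even when errexit kills the script mid-loop.
    trap "echo ran=\$ran medium=\$MEDIUM_FAILURES" EXIT

    log_medium() {
      echo "[MEDIUM] $1" >&2
      if [ "$style" = post ]; then
        ((MEDIUM_FAILURES++))   # value 0 -> status 1 -> errexit fires
      else
        MEDIUM_FAILURES=$((MEDIUM_FAILURES+1))   # assignment: status 0
      fi
    }

    for check in SEC-003 SEC-004 SEC-005; do
      ran=$((ran+1))
      log_medium "$check failed (constructed finding)"
    done
  ' _ "$1"
}

# Stand-alone demo: show how far each variant gets and what it exits with.
for style in post assign; do
  status=0
  out=$(run_checker "$style") || status=$?
  echo "$style: $out exit=$status"
done
```

The `post` variant stops after the first check with exit status 1 even though the counter was incremented, which is why a run of the real script can report failure without having reached the later checks.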