workflow: exclude chack temp artifacts from sanitized master-fix patch

This reverts commit 1e6c83f43b.

.github/workflows/CI-master_tests.yml

@@ -371,8 +371,8 @@ jobs:
       # Build linpeas
       - name: Build macpeas
         run: |
-          python3 -m pip install PyYAML
+          python3 -m pip install PyYAML --break-system-packages
-          python3 -m pip install requests
+          python3 -m pip install requests --break-system-packages
           cd linPEAS
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
       

.github/workflows/PR-tests.yml

@@ -178,8 +178,8 @@ jobs:
       # Build linpeas (macpeas)
       - name: Build macpeas
         run: |
-          python3 -m pip install PyYAML
+          python3 -m pip install PyYAML --break-system-packages
-          python3 -m pip install requests
+          python3 -m pip install requests --break-system-packages
           cd linPEAS
           python3 -m builder.linpeas_builder --all --output linpeas_fat.sh
       

.github/workflows/chack-agent-pr-triage.yml

@@ -30,10 +30,15 @@ jobs:
       - name: Resolve PR context
         id: gate
         env:
+          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ github.token }}
         run: |
-          pr_number="${{ github.event.workflow_run.pull_requests[0].number }}"
+          pr_number="${PR_NUMBER}"
+          if [ -z "$pr_number" ] && [ -n "$HEAD_BRANCH" ]; then
+            pr_number="$(gh pr list --state open --head "$HEAD_BRANCH" --json number --jq '.[0].number')"
+          fi
           if [ -z "$pr_number" ]; then
             echo "No pull request found for this workflow_run; skipping."
             echo "should_run=false" >> "$GITHUB_OUTPUT"

.github/workflows/ci-master-failure-chack-agent-pr.yml

@@ -126,37 +126,72 @@ jobs:
 
       - name: Commit and push fix branch if changed
         id: push_fix
+        env:
+          ORIGINAL_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
         run: |
-          if git diff --quiet; then
+          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
-            echo "No changes to commit."
+
+          pushed=false
+
+          if ! git diff --quiet; then
+            git add -A
+            # Avoid workflow-file pushes with token scopes that cannot write workflows.
+            git reset -- .github/workflows || true
+            git checkout -- .github/workflows || true
+            git clean -fdx -- .github/workflows || true
+            git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+            if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+              echo "Workflow-file changes are still staged; skipping push without workflows permission."
+              echo "pushed=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            if ! git diff --cached --quiet; then
+              git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
+            fi
+          fi
+
+          after_head="$(git rev-parse HEAD)"
+          if [ "$after_head" = "$ORIGINAL_HEAD_SHA" ]; then
+            echo "No commit produced by Chack Agent."
             echo "pushed=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+          echo "Sanitizing Chack commit range to non-workflow changes only."
-          git add -A
+          git diff --binary "$ORIGINAL_HEAD_SHA"..HEAD -- \
-          # Avoid workflow-file pushes with token scopes that cannot write workflows.
+            . \
-          git reset -- .github/workflows || true
+            ':(exclude).github/workflows/**' \
-          git checkout -- .github/workflows || true
+            ':(exclude)chack_failure_summary.txt' \
-          git clean -fdx -- .github/workflows || true
+            ':(exclude)chack_prompt.txt' \
-          git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+            ':(exclude)chack_failed_steps_logs.txt' > /tmp/chack_nonworkflow.patch
-          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+          if [ ! -s /tmp/chack_nonworkflow.patch ]; then
-            echo "Workflow-file changes are still staged; skipping push without workflows permission."
+            echo "Only workflow-file changes were produced; skipping push."
             echo "pushed=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
+          git reset --hard "$ORIGINAL_HEAD_SHA"
+          git apply --index /tmp/chack_nonworkflow.patch
+          rm -f chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt
+          git reset -- chack_failure_summary.txt chack_prompt.txt chack_failed_steps_logs.txt || true
           if git diff --cached --quiet; then
-            echo "No committable changes left after filtering."
+            echo "No non-workflow changes left after sanitizing."
             echo "pushed=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
           git commit -m "Fix CI-master failures for run #${{ github.event.workflow_run.id }}"
+
           if ! git push origin HEAD:"$FIX_BRANCH"; then
             echo "Push failed (likely token workflow permission limits); skipping PR creation."
             echo "pushed=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
-          echo "pushed=true" >> "$GITHUB_OUTPUT"
+          pushed=true
+
+          if [ "$pushed" = "true" ]; then
+            echo "pushed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "pushed=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Create PR to master
         if: ${{ steps.push_fix.outputs.pushed == 'true' }}
@@ -165,15 +200,34 @@ jobs:
           GH_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN || github.token }}
           RUN_URL: ${{ github.event.workflow_run.html_url }}
         run: |
-          pr_url=$(gh pr create \
+          set +e
+          pr_output=$(gh pr create \
             --title "Fix CI-master_test failure (run #${{ github.event.workflow_run.id }})" \
             --body "Automated Chack Agent fix for failing CI-master_test run: ${RUN_URL}" \
             --base "$TARGET_BRANCH" \
-            --head "$FIX_BRANCH")
+            --head "$FIX_BRANCH" 2>&1)
-          echo "url=$pr_url" >> "$GITHUB_OUTPUT"
+          rc=$?
+          set -e
+
+          if [ $rc -eq 0 ]; then
+            echo "url=$pr_output" >> "$GITHUB_OUTPUT"
+            echo "created=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "$pr_output"
+          if echo "$pr_output" | grep -qi "not permitted to create or approve pull requests"; then
+            echo "PR creation blocked by repository Actions policy. Fix branch was pushed: $FIX_BRANCH"
+            echo "url=" >> "$GITHUB_OUTPUT"
+            echo "created=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Unexpected PR creation error."
+          exit $rc
 
       - name: Comment on created PR with Chack Agent result
-        if: ${{ steps.push_fix.outputs.pushed == 'true' && steps.run_chack.outputs.final-message != '' }}
+        if: ${{ steps.push_fix.outputs.pushed == 'true' && steps.create_pr.outputs.created == 'true' && steps.run_chack.outputs.final-message != '' }}
         uses: actions/github-script@v7
         env:
           PR_URL: ${{ steps.create_pr.outputs.url }}

.github/workflows/pr-failure-chack-agent-dispatch.yml

@@ -9,9 +9,7 @@ jobs:
   resolve_pr_context:
     if: >
       ${{ github.event.workflow_run.conclusion == 'failure' &&
-          github.event.workflow_run.pull_requests &&
+          !startsWith(github.event.workflow_run.head_commit.message || '', 'Fix CI failures for PR #') }}
-          github.event.workflow_run.pull_requests[0] &&
-          !startsWith(github.event.workflow_run.head_commit.message, 'Fix CI failures for PR #') }}
     runs-on: ubuntu-latest
     permissions:
       pull-requests: read
@@ -27,8 +25,23 @@ jobs:
         id: pr_context
         env:
           PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
           GH_TOKEN: ${{ github.token }}
         run: |
+          if [ -z "$PR_NUMBER" ] && [ -n "$HEAD_BRANCH" ]; then
+            PR_NUMBER="$(gh pr list --state open --head "$HEAD_BRANCH" --json number --jq '.[0].number')"
+          fi
+          if [ -z "$PR_NUMBER" ]; then
+            echo "No pull request found for workflow_run; skipping."
+            {
+              echo "number="
+              echo "author="
+              echo "head_repo="
+              echo "head_branch=${HEAD_BRANCH}"
+              echo "should_run=false"
+            } >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           pr_author=$(gh api -H "Accept: application/vnd.github+json" \
             /repos/${{ github.repository }}/pulls/${PR_NUMBER} \
             --jq '.user.login')
@@ -63,7 +76,7 @@ jobs:
       contents: write
       pull-requests: write
       issues: write
-      actions: read
+      actions: write
     env:
       CHACK_LOGS_HTTP_URL: ${{ secrets.CHACK_LOGS_HTTP_URL }}
     steps:
@@ -186,31 +199,44 @@ jobs:
         env:
           TARGET_BRANCH: ${{ needs.resolve_pr_context.outputs.head_branch }}
           PR_NUMBER: ${{ needs.resolve_pr_context.outputs.number }}
+          ORIGINAL_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          GH_TOKEN: ${{ github.token }}
         run: |
-          if git diff --quiet; then
-            echo "No changes to commit."
-            exit 0
-          fi
           rm -f chack_failure_summary.txt chack_prompt.txt
-          git add -A
+
-          # Avoid workflow-file pushes with token scopes that cannot write workflows.
+          pushed=false
-          git reset -- .github/workflows || true
+
-          git checkout -- .github/workflows || true
+          if ! git diff --quiet; then
-          git clean -fdx -- .github/workflows || true
+            git add -A
-          git reset -- chack_failure_summary.txt chack_prompt.txt
+            # Avoid workflow-file pushes with token scopes that cannot write workflows.
-          if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+            git reset -- .github/workflows || true
-            echo "Workflow-file changes are still staged; skipping push without workflows permission."
+            git checkout -- .github/workflows || true
+            git clean -fdx -- .github/workflows || true
+            git reset -- chack_failure_summary.txt chack_prompt.txt
+            if git diff --cached --name-only | grep -q '^.github/workflows/'; then
+              echo "Workflow-file changes are still staged; skipping push without workflows permission."
+              exit 0
+            fi
+            if ! git diff --cached --quiet; then
+              git commit -m "Fix CI failures for PR #${PR_NUMBER}"
+            fi
+          fi
+
+          after_head="$(git rev-parse HEAD)"
+          if [ "$after_head" = "$ORIGINAL_HEAD_SHA" ]; then
+            echo "No commit produced by Chack Agent for PR #${PR_NUMBER}."
             exit 0
           fi
-          if git diff --cached --quiet; then
+
-            echo "No committable changes left after filtering."
-            exit 0
-          fi
-          git commit -m "Fix CI failures for PR #${PR_NUMBER}"
           if ! git push origin HEAD:${TARGET_BRANCH}; then
             echo "Push failed (likely token workflow permission limits); leaving run successful without push."
             exit 0
           fi
+          pushed=true
+
+          if [ "$pushed" = "true" ]; then
+            gh workflow run PR-tests.yml --ref "${TARGET_BRANCH}"
+          fi
 
       - name: Comment with Chack Agent result
         if: ${{ steps.run_chack.outputs.final-message != '' }}

linPEAS/builder/src/linpeasBuilder.py

@@ -46,7 +46,7 @@ class LinpeasBuilder:
 
     def build(self):
         print("[+] Building variables...")
-        variables = self.__generate_variables()
+        variables = self.__generate_variabless()
         self.__replace_mark(PEAS_VARIABLES_MARKUP, variables, "")
         
         if len(re.findall(r"PSTORAGE_[a-zA-Z0-9_]+", self.linpeas_sh)) > 1: #Only add storages if there are storages (PSTORAGE_BACKUPS is always there so it doesn't count)