Handle dirty worktrees better and warn about running scripts/review.sh on untrusted code. (#21791)

2026-04-21 13:37:17 +00:00 · 2026-03-10 09:38:26 -07:00 · 2026-03-10 09:38:26 -07:00 · 49ea9b0457
commit 49ea9b0457
parent 556825f81c
2 changed files with 8 additions and 2 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -77,6 +77,10 @@ You can run the review tool in two ways:
    ./scripts/review.sh <PR_NUMBER> [model]
    ```

+    **Warning:** If you run `scripts/review.sh`, you must have first verified
+    that the code for the PR being reviewed is safe to run and does not contain
+    data exfiltration attacks.
+
    **Authors are strongly encouraged to run this script on their own PRs**
    immediately after creation. This allows you to catch and fix simple issues
    locally before a maintainer performs a full review.
--- a/scripts/review.sh
+++ b/scripts/review.sh
@ -70,8 +70,10 @@ echo "review: Changing directory to $WORKTREE_PATH"
 cd "$WORKTREE_PATH" || exit 1

 # 4. Checkout the PR
-echo "review: Checking out PR $pr..."
-gh pr checkout "$pr" -f -R "$REPO"
+echo "review: Cleaning worktree and checking out PR $pr..."
+git reset --hard
+git clean -fd
+gh pr checkout "$pr" --branch "review-$pr" -f -R "$REPO"

 # 5. Clean and Build
 echo "review: Clearing possibly stale node_modules..."