
dedup: import _load_env from helpers + add dupehound CI #448

Open

giattijunior wants to merge 3 commits into browser-use:main from giattijunior:dedup/dupehound-pass1

dedup: import _load_env from helpers + add dupehound CI#448
giattijunior wants to merge 3 commits into
browser-use:mainfrom
giattijunior:dedup/dupehound-pass1

Conversation

giattijunior commented Jun 14, 2026

Summary

First pass of dupehound integration: import _load_env from the existing canonical source in helpers.py, and add the CI workflow from upstream docs/ci.md.

Changes

Source

  • src/browser_harness/admin.py: remove local _load_env and _load_env_file definitions, import from helpers (was duplicated, identical 18-line body at admin.py:12-30).
  • src/browser_harness/daemon.py: same change (was duplicated at daemon.py:10-28).

helpers.py was already the canonical source — both _load_env and _load_env_file were defined there, and module-level _load_env() was called as a side effect on import.

CI

  • .github/workflows/dupehound.yml: scan (slop score) and check (--diff against base) jobs. check runs with continue-on-error: true — promote to gate after FP rate <10% over ~10 PRs.

Metrics

Metric           Before   After
Slop score       0.9%     0.0%
Clusters         4        0
Deletable lines  18       0

Validation

  • pytest tests/unit/: 40/40 pass
  • dupehound check --diff fork/main . on this branch: clean (no new duplicates introduced)

Summary by cubic

Deduplicated env loading by importing _load_env from helpers in the harness. Added dupehound CI to flag new duplicates and set up Renovate for monthly dependency updates.

  • Refactors

    • Removed local _load_env and _load_env_file from src/browser_harness/admin.py and src/browser_harness/daemon.py; import both from helpers to use the canonical implementation.
  • CI

    • Added .github/workflows/dupehound.yml with check (diff vs base, continue-on-error) and scan (slop score) jobs; actions/checkout pinned to a commit.
    • Added self-hosted Renovate via .github/workflows/renovate.yml and .github/renovate.json5 (monthly run, pep621 and github-actions managers, 14-day minimum age, dependencies label).

Written for commit f648fb3.

giatti added 3 commits May 27, 2026 11:52

- Monthly Renovate run (2nd of month, 02:00 BRT)
- minimumReleaseAge: 14 days (supply-chain protection)
- Python deps via pep621 manager
- Major bumps require manual review

admin.py and daemon.py each defined _load_env and _load_env_file
identically (admin.py: 12-30, daemon.py: 10-28). Both now import
from helpers.py, which is the canonical source (was already exporting
both via module-level _load_env() side effect).

CI:
- .github/workflows/dupehound.yml: scan (slop score) and check
  (--diff against base) jobs. check is continue-on-error for now;
  promote to gate after FP rate <10% over ~10 PRs.

Slop score: 0.9% -> 0.0% (4 -> 0 clusters, 18 lines eliminated).
40/40 unit tests pass.

cubic-dev-ai (bot) left a comment

2 issues found across 5 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/dupehound.yml">

<violation number="1" location=".github/workflows/dupehound.yml:30">
P2: Unpinned dupehound binary download without integrity verification introduces supply-chain and reproducibility risk</violation>
</file>

<file name=".github/workflows/renovate.yml">

<violation number="1" location=".github/workflows/renovate.yml:15">
P1: Third-party GitHub Action `renovatebot/github-action` is pinned to a mutable tag (`@v41`) instead of an immutable commit SHA, enabling supply-chain drift. The repo already pins actions to commit SHAs in `dupehound.yml`; this new workflow should follow the same pattern.</violation>
</file>


uses: actions/checkout@v4

- name: Self-hosted Renovate
uses: renovatebot/github-action@v41

cubic-dev-ai (bot) commented Jun 14, 2026

P1: Third-party GitHub Action renovatebot/github-action is pinned to a mutable tag (@v41) instead of an immutable commit SHA, enabling supply-chain drift. The repo already pins actions to commit SHAs in dupehound.yml; this new workflow should follow the same pattern.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/renovate.yml, line 15:

<comment>Third-party GitHub Action `renovatebot/github-action` is pinned to a mutable tag (`@v41`) instead of an immutable commit SHA, enabling supply-chain drift. The repo already pins actions to commit SHAs in `dupehound.yml`; this new workflow should follow the same pattern.</comment>

<file context>
@@ -0,0 +1,20 @@
+        uses: actions/checkout@v4
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v41
+        with:
+          configurationFile: .github/renovate.json5
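Review bot: `uses: actions/checkout@v4` in this hunk is a mutable tag as well, not only `renovatebot/github-action@v41`; the PR summary says checkout is SHA-pinned in dupehound.yml, so this file should use the same `owner/repo@<40-hex commit> # vN` form on both lines rather than pinning one and leaving the other floating. Pinning here costs no maintenance, because the github-actions manager this PR enables in Renovate can update SHA-pinned refs (the `helpers:pinGitHubActionDigests` preset pins and bumps digests), so the same bot that this workflow runs will keep the pins current.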
</file context>
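A check a maintainer can run locally or as a CI step to catch the drift cubic describes above. The script below is an added example, not code from this PR, from cubic or from Renovate: it scans a workflow file for `uses:` references whose ref after `@` is not a 40-character commit SHA, skipping local (`./...`) and `docker://` references. The sample workflow it runs against is constructed here, and the SHA on its first checkout line is a placeholder digest, not a real actions/checkout commit.

```shell
#!/bin/sh
# Added example, not part of the PR: flag `uses:` references in a GitHub
# Actions workflow whose ref after '@' is a tag or branch rather than a
# 40-character commit SHA. Local (./...) and docker:// references are skipped.
set -eu

find_unpinned_uses() {
    # $1: workflow file. Prints "file:line: ref" for each mutable pin and
    # returns 1 if any were found, 0 if every action is SHA-pinned.
    file=$1; lineno=0; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            *uses:*) ;;
            *) continue ;;
        esac
        ref=${line#*uses:}                          # text after 'uses:'
        ref=${ref%%#*}                              # drop a trailing '# v4' comment
        ref=$(printf '%s' "$ref" | tr -d "[:space:]\"'")
        case $ref in
            ./*|docker://*) continue ;;             # not a tag-pinned action
        esac
        sha=${ref##*@}
        if [ "$sha" = "$ref" ] || ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
            printf '%s:%d: %s\n' "$file" "$lineno" "$ref"
            found=1
        fi
    done < "$file"
    return "$found"
}

demo_unpinned_count() {
    # Constructed sample workflow (not from the PR). The SHA on the first
    # checkout line is a placeholder, not a real actions/checkout commit.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
name: renovate
on: [workflow_dispatch]
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/checkout@v4
      - name: Self-hosted Renovate
        uses: "renovatebot/github-action@v41"
      - uses: ./.github/actions/local-step
EOF
    count=$({ find_unpinned_uses "$tmp" || true; } | wc -l | tr -d ' ')
    rm -f "$tmp"
    printf '%s\n' "$count"     # two mutable pins: checkout@v4 and github-action@v41
}

# Usage against a real tree (non-zero exit from any file fails the step):
#   for f in .github/workflows/*.yml; do find_unpinned_uses "$f"; done
```

The check is deliberately textual rather than a YAML parse so it also catches `uses:` lines inside composite actions and reusable-workflow calls; quoting and trailing `# vN` comments are stripped before the ref is inspected, so the conventional `@<sha> # v4` form passes.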

fetch-depth: 0
- name: Install dupehound
run: |
curl -sL https://github.com/Rafaelpta/dupehound/releases/latest/download/dupehound-x86_64-unknown-linux-gnu.tar.gz | tar xz

cubic-dev-ai (bot) commented Jun 14, 2026

P2: Unpinned dupehound binary download without integrity verification introduces supply-chain and reproducibility risk

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/dupehound.yml, line 30:

<comment>Unpinned dupehound binary download without integrity verification introduces supply-chain and reproducibility risk</comment>

<file context>
@@ -0,0 +1,58 @@
+          fetch-depth: 0
+      - name: Install dupehound
+        run: |
+          curl -sL https://github.com/Rafaelpta/dupehound/releases/latest/download/dupehound-x86_64-unknown-linux-gnu.tar.gz | tar xz
+          sudo mv dupehound /usr/local/bin/
+      - name: Block new duplicates vs base
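Review bot: the `Install dupehound` step fetches `releases/latest`, so the binary under test changes whenever upstream cuts a release, and nothing inspects what was downloaded before `sudo mv dupehound /usr/local/bin/` puts it on PATH for the `dupehound check` that follows. Pin a release tag in the URL (`releases/download/<tag>/...`), record that release's SHA-256 beside the version in the workflow, and verify it with `sha256sum -c` before extracting; Renovate can then bump both together. Two smaller points on the same lines: `curl -sL` without `-f` pipes an HTML error body into `tar xz` on a 404 and relies on tar rejecting it rather than on curl's own status, and with no `shell: bash` on the step the script runs without `pipefail`, so use `curl -fsSL` and add `set -o pipefail`.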
</file context>
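One way to harden the install step cubic flags above, as an added example that is not from this PR or from the dupehound project: compute the tarball's SHA-256 and refuse to extract unless it equals a digest recorded in the workflow beside a pinned release version. The `dupehound` tarball here is a constructed stand-in (a one-line shell script), and its digest is derived from the fixture so the example runs offline; in CI the expected digest would be a literal checked in with the release version, taken from the release's checksum file if the project publishes one (an assumption, not something the PR shows).

```shell
#!/bin/sh
# Added example, not part of the PR or of dupehound: install a release
# tarball only after its SHA-256 matches a digest recorded beside the pinned
# version. Replaces `curl -sL .../releases/latest/... | tar xz`.
set -eu

sha256_of() {
    # Hex SHA-256 of a file: GNU coreutils sha256sum, else BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

install_verified_tarball() {
    # $1 tarball path, $2 expected SHA-256 (hex), $3 destination directory.
    # Extracts only on a digest match; returns 1 and extracts nothing otherwise.
    tarball=$1; expected=$2; dest=$3
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing %s: sha256 %s, expected %s\n' "$tarball" "$actual" "$expected" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

demo_verify() {
    # Constructed fixture: a fake 'dupehound' script packed as a tarball.
    # In CI the expected digest is a literal pinned with the release version;
    # here it is derived from the fixture so the example runs offline.
    work=$(mktemp -d)
    mkdir "$work/src"
    printf '#!/bin/sh\necho dupehound-fake\n' > "$work/src/dupehound"
    chmod +x "$work/src/dupehound"
    tar -czf "$work/dupehound.tar.gz" -C "$work/src" dupehound
    good=$(sha256_of "$work/dupehound.tar.gz")
    bad=0000000000000000000000000000000000000000000000000000000000000000

    # Matching digest: extracted, binary is executable.
    if install_verified_tarball "$work/dupehound.tar.gz" "$good" "$work/bin" \
       && [ -x "$work/bin/dupehound" ]; then
        result=good-ok
    else
        result=good-fail
    fi
    # Wrong digest: refused, nothing lands in the destination.
    if install_verified_tarball "$work/dupehound.tar.gz" "$bad" "$work/bin2" 2>/dev/null; then
        result="$result,bad-extracted"
    elif [ ! -e "$work/bin2/dupehound" ]; then
        result="$result,bad-refused"
    else
        result="$result,bad-partial"
    fi
    rm -rf "$work"
    printf '%s\n' "$result"     # good-ok,bad-refused
}
```

In the workflow this replaces the piped `curl | tar`: set `DUPEHOUND_VERSION` (a release tag) and `DUPEHOUND_SHA256` as step `env`, download with `curl -fsSLo dupehound.tar.gz "https://github.com/Rafaelpta/dupehound/releases/download/${DUPEHOUND_VERSION}/dupehound-x86_64-unknown-linux-gnu.tar.gz"`, then call `install_verified_tarball dupehound.tar.gz "$DUPEHOUND_SHA256" /usr/local/bin`; the release tag and digest are whatever the maintainer pins, not values shown on this page. Because the digest is compared before `tar` runs, a swapped or truncated asset never reaches PATH, and the failed step names the digest it saw, which is what you want in the log when upstream re-cuts a release.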

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f648fb3ffd


uses: renovatebot/github-action@v41
with:
configurationFile: .github/renovate.json5
token: ${{ secrets.GITHUB_TOKEN }}


P2: Use a real Renovate token

I checked renovatebot/github-action's token docs; they state that GITHUB_TOKEN can't be used to authenticate Renovate because PRs it creates do not trigger PR/push CI. In this workflow that means scheduled dependency PRs, including the github-actions manager configured in .github/renovate.json5, can be opened without this repo's test workflows ever running, so use a PAT or GitHub App token secret such as RENOVATE_TOKEN instead.


name: Block new duplicates
runs-on: ubuntu-latest
timeout-minutes: 5
continue-on-error: true


P2: Remove the soft-fail from the duplicate gate

GitHub's workflow syntax says job-level continue-on-error: true prevents a workflow run from failing when that job fails. Since this is set on the only job that runs dupehound check, a PR that introduces duplicates will still get a passing workflow instead of being blocked by the “Block new duplicates” check; drop this flag if the gate is meant to enforce the check.
