Conversation

@kkh725 (Owner) commented Jan 25, 2026

Summary by CodeRabbit

  • Chores

    • CI/CD pipeline improvements: full history fetch, improved change detection, and an automatic commit/push flow when changes are found
    • Some check steps commented out (disabled)
    • Permission settings update: entries added allowing build, report, and repository API access
    • Build configuration cleanup: an internal module dependency removed to simplify the structure
  • Documentation

    • Module dependency documentation update: a specific connection removed from the visualization
  • Style

    • New word added to the project dictionary word list


@coderabbitai coderabbitai bot commented Jan 25, 2026

Warning

Rate limit exceeded

@kkh725 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 59 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Five permission entries are added to .claude/settings.local.json; the checkout, dependency-graph comparison, and auto-commit flow in .github/workflows/android_ci.yml are changed; the :feature:auth dependency is removed from core/data/build.gradle.kts; and a graph edge is deleted from docs/module-deps.md.

Changes

Cohesion | File(s) | Change summary
AI tools and permission settings | .claude/settings.local.json | 5 entries added to permissions.allow: Bash(./gradlew clean build:*), Bash(gh run view:*), Bash(gh api:*), mcp__github__get_pull_request, mcp__github__get_pull_request_files
CI/CD workflow | .github/workflows/android_ci.yml | actions/checkout: fetch-depth: 0 added and ref bound to ${{ github.event.pull_request.head.sha }}; dependency-graph comparison logic changed to git diff --quiet; automatic commit/push flow added when the graph changes; some steps (e.g. KtlintCheck, Test) commented out
Gradle dependencies | core/data/build.gradle.kts | implementation(project(":feature:auth")) dependency removed; the implementation(project(":core:database")) //커밋이 달라졌을까? ("did the commit change?") comment is kept
Documentation and IDE settings | docs/module-deps.md, .idea/dictionaries/project.xml | _core_data_feature_auth edge removed from docs/module-deps.md; the word noreply added to .idea/dictionaries/project.xml

Sequence Diagram(s)

sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Checkout as actions/checkout
    participant Git as Git (local)
    participant Repo as Remote GitHub (PR branch)

    rect rgba(135,206,250,0.5)
        Runner->>Checkout: checkout PR head (fetch-depth: 0, ref=head_sha)
        Checkout->>Git: ensure full history fetched
    end

    rect rgba(144,238,144,0.5)
        Runner->>Git: generate dependency graph
        Git->>Git: git diff --quiet origin/target_branch -- docs/dependency-graph
        alt No changes
            Runner->>Runner: echo "No dependency graph changes"
        else Changes detected
            Runner->>Git: configure user, git add/commit updated graph
            Runner->>Repo: push commit to PR head
            Repo->>Runner: confirm push
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 min

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 inconclusive)
Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title does not clearly describe the main changes. 'ci 수정' ("ci fix") is too generic and does not convey what was actually changed. | Make the title more specific so it states the core of the CI/CD change, e.g. '[Chore] GitHub Actions 워크플로우 권한 설정 및 의존성 그래프 자동 커밋' ("[Chore] GitHub Actions workflow permission settings and automatic dependency-graph commit")
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/android_ci.yml:
- Around line 57-68: The "Check for changes" step currently assumes
github.base_ref (only set for pull_request) which breaks on push; update this
step to choose the comparison base based on github.event_name: when
github.event_name == 'pull_request' use origin/${{ github.base_ref }}, otherwise
(push) use a suitable push comparator such as origin/${{ github.event.before }}
or origin/${{ github.ref_name }}; implement the conditional logic around the git
fetch/git diff commands in the "Check for changes" step so it doesn't reference
github.base_ref on push and instead uses the fallback comparator depending on
event type.

Comment on lines 57 to 68
- name: Check for changes
run: |
git fetch origin ${{ github.base_ref }}

# master에 파일이 없으면 자동 통과하지 않도록
if git diff --exit-code origin/${{ github.base_ref }}...HEAD -- docs/module-deps.md; then
echo "✅ No changes in dependency graph"
if git diff --exit-code origin/${{ github.base_ref }} -- docs/module-deps.md; then
echo "No changes in dependency graph"
else
echo "Dependency graph has changed or is new"
echo "Dependency graph has changed. !! Update your module Graph !!"
echo ""
echo "Diff:"
git diff origin/${{ github.base_ref }}...HEAD -- docs/module-deps.md
git diff origin/${{ github.base_ref }} -- docs/module-deps.md
exit 1
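Review bot: the two `git diff` invocations in this hunk change from the three-dot form `origin/${{ github.base_ref }}...HEAD` to the two-dot form `origin/${{ github.base_ref }}`, which compares the base branch tip against the working tree rather than against the merge base; once master moves ahead with its own edits to docs/module-deps.md, a PR that never touched the file will fail this check. Keep the `...HEAD` form (or merge/rebase the base first), and consider keeping the dropped `# master에 파일이 없으면 자동 통과하지 않도록` comment, since it documents why an absent file on master must not auto-pass.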

⚠️ Potential issue | 🟠 Major

github.base_ref is undefined on push events

github.base_ref is only defined for pull_request events. Because this workflow is also triggered on push events (lines 4-5), this step can fail when pushing directly to master.

🔧 Recommended fix: conditional handling by event type
             -   name: Check for changes
+                if: github.event_name == 'pull_request'
                 run: |
                     git fetch origin ${{ github.base_ref }}

                     if git diff --exit-code origin/${{ github.base_ref }} -- docs/module-deps.md; then
                       echo "No changes in dependency graph"
                     else
                       echo "Dependency graph has changed. !! Update your module Graph !!"
                       echo ""
                       echo "Diff:"
                       git diff origin/${{ github.base_ref }} -- docs/module-deps.md
                       exit 1
                     fi

Alternatively, if the check is also needed on push events, consider using a different comparison target depending on github.event_name.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/android_ci.yml:
- Around line 69-76: Skip the auto-commit and git push when the workflow runs on
a forked PR by adding a conditional around the commit/push steps: detect whether
the PR head repo is the same as the base repo (e.g., compare
github.event.pull_request.head.repo.full_name to github.repository or
github.event.pull_request.head.repo.owner.login to github.repository_owner) and
only run the git add/git commit and git push commands when they match; ensure
the git commit and git push commands shown in the diff are wrapped with an if:
that prevents execution for forked pull_request events so the read-only
GITHUB_TOKEN on forks won’t be used.
- Around line 75-76: The workflow currently injects github.head_ref and
github.base_ref directly into the run script (used in the git push command and
earlier base ref usage), which risks command injection; instead pass these
values into the job as environment variables (e.g., HEAD_REF and BASE_REF) via
the workflow/env or env: mapping, then inside the shell step reference them as
quoted variables and validate them with a strict whitelist/regex (e.g., only
allow [A-Za-z0-9._/-] and non-empty) before use; finally update the git push
invocation to use the quoted, validated variable (git push origin
HEAD:"$HEAD_REF") and apply the same quoting+validation pattern to where
github.base_ref is used.
♻️ Duplicate comments (1)
.github/workflows/android_ci.yml (1)

62-66: may fail on push events because base_ref/head_ref are empty
Since this also runs on push triggers, github.base_ref/github.head_ref may be empty and the step may fail. Per-event branching is needed.

Comment on lines 69 to 76
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

git add docs/module-deps.md
git commit -m "[ci] update module dependency graph [ci skip]" || true

# PR 브랜치로 push
git push origin HEAD:${{ github.head_ref }}
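Review bot: `git commit -m "..." || true` masks every commit failure, not only the "nothing to commit" case, and the unconditional `git push` that follows then pushes whatever HEAD happens to be; guard the commit with a staged-change check instead, e.g. `git diff --cached --quiet || git commit -m "[ci] update module dependency graph [ci skip]"`, so a genuine commit error still fails the step. Also worth a comment: the `[ci skip]` marker means the pushed graph commit is never itself CI-validated, which is a deliberate loop-breaker but should be stated as such.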

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/android_ci.yml | sed -n '60,85p'

Repository: kkh725/Multi_Module_Template

Length of output: 1188


🏁 Script executed:

cat -n .github/workflows/android_ci.yml | head -50

Repository: kkh725/Multi_Module_Template

Length of output: 1945


🌐 Web query:

GitHub Actions GITHUB_TOKEN fork pull request write permissions limitations

💡 Result:

What happens with GITHUB_TOKEN on fork pull request workflows

Default limitation (the important bit)

  • For workflows triggered by pull_request from a fork, GITHUB_TOKEN is read-only for the base repo, and repo secrets are not provided. This prevents untrusted fork code from writing to your repository. [1]

“But I set permissions: contents: write…”

  • In fork PR workflows, you can usually reduce permissions, but you typically can’t grant write via permissions:. [1]

The main exception (repo/enterprise setting)

  • For private/internal repos, admins can enable “Send write tokens to workflows from pull requests”, which allows fork PR workflows to receive a write-enabled GITHUB_TOKEN. [1] [2] [3]

The common workaround: pull_request_target (use with care)

  • If you use pull_request_target, the workflow runs in the base repo context and GITHUB_TOKEN is granted read/write (and can access secrets), even if the PR comes from a fork. This is powerful but risky—don’t check out/run untrusted PR code in this context (“pwn request” risk). [1] [4]

Related special case: Dependabot PRs

  • Workflows triggered by Dependabot PR events are treated like forks: they get a read-only GITHUB_TOKEN and no secrets. [5]

Sources: GitHub Docs on GITHUB_TOKEN/fork behavior and the write-token exception setting [1][2][3], GitHub guidance on pull_request_target risk [4], GitHub changelog for Dependabot read-only behavior [5].

References: [1] (docs.github.com) [2] (docs.github.com) [3] (docs.github.com) [4] (wellarchitected.github.com) [5] (github.blog)



auto-commit and git push may fail on fork PRs

When the pull_request event originates from a fork, GITHUB_TOKEN is read-only by default, so git push will fail. The workflow's permissions: contents: write declaration does not bypass the token restriction on fork PRs. Add a condition so this step is skipped on fork PRs.

Proposed fix
            -   name: Check for changes
+                if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
                 run: |
                     git fetch origin ${{ github.base_ref }}
                     ...

Comment on lines 75 to 76
# PR 브랜치로 push
git push origin HEAD:${{ github.head_ref }}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/android_ci.yml | head -100

Repository: kkh725/Multi_Module_Template

Length of output: 2945


🌐 Web query:

GitHub Actions context variables security injection risk github.head_ref escaping

💡 Result:

github.head_ref (the PR’s source branch name) is attacker-controlled for PRs (including from forks) and should be treated as untrusted input. (docs.github.com)

What can go wrong (injection)

If you interpolate ${{ github.head_ref }} directly into an executable context (especially a run: script), GitHub Actions will macro-expand it into raw text before the shell runs. A malicious branch name can then become shell syntax (command substitution, quotes/newlines, etc.) and lead to command/script injection. (docs.github.com)

“Can I just escape it?”

Not reliably. The core problem is string concatenation into code (the generated script/command), which is fragile across shells/languages and edge cases. GitHub’s guidance is to avoid ${{ }} interpolation in run: for untrusted values, rather than trying to “escape correctly.” (github.blog)

Safer patterns

  1. Pass untrusted context via env: then use normal shell variable quoting (prevents expression-time script construction):
- name: Use head_ref safely
  env:
    HEAD_REF: ${{ github.head_ref }}
  run: |
    echo "$HEAD_REF"

(github.blog)

  2. Don't use head_ref as a security boundary for checkout/execution. If you use PR head refs to fetch/checkout code, prefer immutable identifiers (e.g., a SHA) and avoid patterns that can be swapped/updated unexpectedly (TOCTOU). (securitylab.github.com)

  3. Be extra cautious with pull_request_target: it runs with base-repo context and can access secrets; never check out/run untrusted PR code in that mode. (github.blog)



🏁 Script executed:

#!/bin/bash

# Test the suggested validation pattern
HEAD_REF="some-valid-branch"
case "$HEAD_REF" in
  (*[!A-Za-z0-9._/-]*|'') echo "Invalid head ref: $HEAD_REF"; exit 1;;
esac
echo "Valid branch: $HEAD_REF"

# Test with invalid characters
HEAD_REF='branch-with-$(echo hack)'
case "$HEAD_REF" in
  (*[!A-Za-z0-9._/-]*|'') echo "Invalid head ref: $HEAD_REF"; exit 1;;
esac
echo "Valid branch: $HEAD_REF"

Repository: kkh725/Multi_Module_Template

Length of output: 146


Substituting github.head_ref and github.base_ref directly into the script risks injection

PR branch names can be controlled by an attacker, so do not use GitHub Actions expressions directly in run: scripts. Pass them as environment variables, then quote them and validate them. This applies both to the github.base_ref usage on lines 57-58 and to the github.head_ref usage on line 76.

🔒 Proposed fix
-            -   name: Check for changes
-                run: |
-                    git fetch origin ${{ github.base_ref }}
+            -   name: Check for changes
+                env:
+                    BASE_REF: ${{ github.base_ref }}
+                    HEAD_REF: ${{ github.head_ref }}
+                run: |
+                    case "$HEAD_REF" in
+                      (*[!A-Za-z0-9._/-]*|'') echo "Invalid head ref: $HEAD_REF"; exit 1;;
+                    esac
+                    git fetch origin "$BASE_REF"
@@
-                    if git diff --quiet origin/${{ github.base_ref }} -- docs/module-deps.md; then
+                    if git diff --quiet "origin/$BASE_REF" -- docs/module-deps.md; then
@@
-                    git push origin HEAD:${{ github.head_ref }}
+                    git push origin "HEAD:$HEAD_REF"
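
As an added example (not code from the PR or from CodeRabbit's suggestion), the POSIX sh script below makes the difference between the two patterns concrete: it emulates expression interpolation into a run: script with sh -c, contrasts that with the env: pattern, and wraps the whitelist check from the proposed fix in a reusable function. The branch names are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the PR under review.

# Constructed sample branch names: one ordinary, one carrying shell syntax.
GOOD_REF='chore/cicd'
BAD_REF='chore/$(echo injected)'

# Whitelist check from the review suggestion as a function: returns 0 for a
# non-empty name made only of [A-Za-z0-9._/-], 1 otherwise.
validate_ref() {
  case "$1" in
    (*[!A-Za-z0-9._/-]*|'') return 1 ;;
  esac
  return 0
}

# Emulates ${{ github.head_ref }} written directly in run:. GitHub substitutes
# the value into the script text before the shell parses it, so we build the
# same text and hand it to sh -c: the branch name is parsed as code.
interpolated_target() {
  script="echo HEAD:$1"
  sh -c "$script"
}

# Emulates the env: pattern: the value reaches the shell as the contents of a
# variable, and the quoted expansion keeps it as data.
env_target() {
  HEAD_REF="$1" sh -c 'echo "HEAD:$HEAD_REF"'
}

# Demonstration on the constructed names (the second one is rejected).
for ref in "$GOOD_REF" "$BAD_REF"; do
  if validate_ref "$ref"; then echo "accepted: $ref"; else echo "rejected: $ref"; fi
done
```

Running interpolated_target on BAD_REF prints "HEAD:chore/injected", i.e. the command substitution executed, while env_target prints the branch name literally.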

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/android_ci.yml:
- Around line 65-80: The outer shell if starting with "if git diff --quiet
origin/${{ github.base_ref }} -- docs/module-deps.md; then" is missing its
terminating "fi"; add a closing "fi" after the inner if/else block that ends
with "exit 0" so both the inner "if git commit ..." and the outer "if git diff
..." are properly closed (keep indentation and placement consistent so the outer
block encloses the git config / add / commit / push logic).
- Around line 18-20: The checkout step currently uses github.head_ref which is
empty for push events; update the checkout action configuration (the step
referencing ref and fetch-depth) to choose the ref based on the event type: use
github.head_ref when github.event_name == 'pull_request' and fall back to
github.ref for push (or other events), keeping fetch-depth: 0; implement this
conditional selection so the checkout step uses the correct ref for both
pull_request and push events.
♻️ Duplicate comments (2)
.github/workflows/android_ci.yml (2)

63-75: The step may still fail on push events and fork PRs.

  • On push events github.base_ref is not defined.
  • On fork PRs GITHUB_TOKEN is read-only, so git push fails.
    Conditional branching by event type and fork status needs to be added.

63-75: Direct substitution of github.base_ref / github.head_ref carries a script injection risk.

Since these are untrusted inputs, passing them via env:, quoting them, and whitelist-validating them is recommended.

Comment on lines +18 to +20
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
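Review bot: `ref: ${{ github.head_ref }}` is resolved by actions/checkout against the base repository (its default `repository` input), not against the fork, so on a pull_request from a fork the branch named by head_ref usually does not exist there and the checkout fails. The Walkthrough above describes binding `ref` to `${{ github.event.pull_request.head.sha }}`; that commit is reachable through the PR refs of the base repository and is immutable, so it is the better value here, with `fetch-depth: 0` kept for the later diff.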

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/android_ci.yml | head -40

Repository: kkh725/Multi_Module_Template

Length of output: 1472


🌐 Web query:

github.head_ref empty string push event GitHub Actions

💡 Result:

github.head_ref is only set for pull_request / pull_request_target events (it’s the PR’s source branch). On a push-triggered workflow it’s not available, so you’ll see it as an empty string / null. [1] [2]

For push events, use instead:

  • Branch/tag ref: ${{ github.ref }} (e.g. refs/heads/main, refs/tags/v1.2.3) [1] [2]
  • Short branch/tag name: ${{ github.ref_name }} [2]

If you want one expression that works for both PRs and pushes:

- run: echo "branch=${{ github.head_ref || github.ref_name }}"

On push events github.head_ref is empty, which breaks the checkout.

The workflow is configured to run on both push and pull_request events, but github.head_ref is only available on pull_request events. On push events it is an empty string, so the checkout fails or uses an unintended ref. Branch the ref by event type.

🔧 Suggested fix
             -   uses: actions/checkout@v4
                 with:
-                    ref: ${{ github.head_ref }}
+                    ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
                     fetch-depth: 0

@kkh725 kkh725 merged commit a114874 into master Jan 25, 2026
2 of 3 checks passed
@kkh725 kkh725 deleted the chore/cicd branch January 25, 2026 14:13
@coderabbitai coderabbitai bot mentioned this pull request Jan 25, 2026