Repository relations

[ArneTR]

Greptile Summary

Adds repository relations feature allowing measurement runs to checkout and mount additional repositories into containers. This enables multi-repository testing scenarios.

Key Changes:

• Added relations jsonb column to runs table to store relation metadata
• New _checkout_relations() method clones related repositories to /tmp/relations/ and mounts them into containers at /tmp/relations/{relation_key}:ro
• Schema validation added for relations with support for URL, optional branch, and optional commit_hash
• Frontend displays relation information with clickable links to repository URLs
• Removed -it flags from docker run commands (now only uses -d)

Issues Found:

• Critical XSS vulnerability: commit_hash field not escaped in frontend HTML insertion (stats.js:162)
• Outdated comment about -it flag that was removed
• Missing URL protocol validation in schema checker - should restrict to git protocols only

[ArneTR]

@greptileai

[greptile-apps]

_{6 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[ribalba]

Why do you do this after the checkout runs?

[ArneTR]

The repository can contain symlinks. e.g. it possible to have a dangling symlink to /etc/passwd in the repo

[github-actions]

Eco CI Output [RUN-ID: 20748001570]:

🌳 CO2 Data:
City: CONSTANT, Lat: , Lon:
IP:
CO₂ from energy is: 1.516667460 g
CO₂ from manufacturing (embodied carbon) is: 0.437263383 g
Carbon Intensity for this location: 231 gCO₂eq/kWh
SCI: 1.953931 gCO₂eq / pipeline run emitted

---

Total cost of whole PR so far:

Label	🖥 avg. CPU utilization [%]	🔋 Total Energy [Joules]	🔌 avg. Power [Watts]	Duration [Seconds]
Measurement #1	31.033	6565.66	4.28	1532.57
Total Run	31.03	6565.66	4.28	1532.57
Additional overhead from Eco CI	N/A	16.06	4.31	3.73