Skip to content

chore: Cherry-picked changes from upstream #119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Raj-StepSecurity merged 17 commits into from
Dec 16, 2025
Merged

chore: Cherry-picked changes from upstream #119

Raj-StepSecurity merged 17 commits into from
Dec 16, 2025
+219 −299

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 2, 2025

Cherry-picked changes from upstream.

github-actions bot added 15 commits December 2, 2025 05:09
@github-actions
Fix missing extension in temporary tarball path
1a0b53d 
For some reason, this was breaking archive extraction on Windows only on
Forgejo Actions (not GitHub Actions).
@github-actions
Fix missing extension in temporary tarball path
8485036 
For some reason, this was breaking archive extraction on Windows only on
Forgejo Actions (not GitHub Actions).
@github-actions
Use correct file extension everywhere
04cbd5d 
Rather than trying to exhaustively list platforms, we can just specify
the singular special case (Windows using ZIP) and use tar.gz everywhere
else.
@github-actions
Update ARM architecture name
4488382
@github-actions
set Zig cache directories to the workspace-local .zig-cache
689ea9e 
This accomplishes two things:

* It prevents unbounded growth in disk space usage on self-hosted runners.
* It prevents races with other jobs when clearing the cache.
@github-actions
set Zig cache directories to the workspace-local .zig-cache
a8687c8 
This accomplishes two things:

* It prevents unbounded growth in disk space usage on self-hosted runners.
* It prevents races with other jobs when clearing the cache.
@github-actions
set Zig cache directories to the workspace-local .zig-cache
162e6ad 
This accomplishes two things:

* It prevents unbounded growth in disk space usage on self-hosted runners.
* It prevents races with other jobs when clearing the cache.
@github-actions
set Zig cache directories to the workspace-local .zig-cache
be6cfbe 
This accomplishes two things:

* It prevents unbounded growth in disk space usage on self-hosted runners.
* It prevents races with other jobs when clearing the cache.
@github-actions
remove aix tarball name handling
7481614 
Zig does not support AIX: ziglang/zig#25731
@github-actions
map sunos to illumos rather than solaris in tarball names
4d98473 
Zig will never support Solaris: ziglang/zig#25706
@github-actions
handle netbsd in tarball names
995ce77
@github-actions
fix: apply code build script
ac8b7c6
@github-actions
fix: apply code build script
fc17fca
@github-actions
fix: apply code build script
264e833
@github-actions
fix: apply code build script
64e73aa
@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 2, 2025
edited by Raj-StepSecurity
Loading

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v2.1.0
📋 Previous Release Version: v2.0.5

❗ Missing Files:

  • .forgejo/workflows/test.yml
  • .github/README.md

❌ Conflicting Files:

  • README.md from commit 9715a6f4ca78d7e8f4a834d00ab0bf37c76de7bc

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 2, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.5...v2.1.0

📋 File-by-File Analysis:

.forgejo/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 54 additions, 0 deletions)

.github/README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 21 additions, 0 deletions)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ Cherry-pick incomplete (+17 -9) | Missing 16 additions | Missing 8 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

common.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+48 -94)

main.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -5)

📊 Summary:

  • Total files changed upstream: 6
  • Files present in PR: 3/6
  • Files with matching changes: 3/6

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 2, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.5...v2.1.0

📋 File-by-File Analysis:

.forgejo/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 54 additions, 0 deletions)

.github/README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 21 additions, 0 deletions)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ Cherry-pick incomplete (+17 -9) | Missing 16 additions | Missing 8 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

common.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+48 -94)

main.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -5)

📊 Summary:

  • Total files changed upstream: 6
  • Files present in PR: 3/6
  • Files with matching changes: 3/6

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@claude
Copy link

claude bot commented Dec 2, 2025
edited
Loading

Claude finished @github-actions[bot]'s task —— View job

🔍 PR Review Complete

📋 Review Checklist:

  • Read and analyze all changed files
  • Verify cherry-pick completeness against verification reports
  • Check for security vulnerabilities in code changes
  • Review missing files and incomplete changes
  • Provide comprehensive feedback and recommendations

🚨 Critical Issues Found

1. Critical Bug in parseVersion Function

Location: common.js:186-189

return {
  major: parseInt(match[0]),  // ❌ Should be match[1]
  minor: parseInt(match[1]),  // ❌ Should be match[2] 
  patch: parseInt(match[2]),  // ❌ Should be match[3]
  dev: match[3] === null ? null : parseInt(match[3]),  // ❌ Should be match[4]
};

Impact: This will cause incorrect version parsing, potentially leading to wrong version comparisons and failures in version selection logic.

2. Incomplete Cherry-Pick

The verification report confirms missing changes:

  • Missing files:

    • .forgejo/workflows/test.yml (54 additions missing)
    • .github/README.md (21 additions missing)

  • Incomplete file:

    • README.md - Missing 16 additions and 8 deletions from upstream

3. Security Concerns

Subscription Validation Function (main.js:107-122):

  • Makes external API calls to https://agent.api.stepsecurity.io
  • Uses process.env.GITHUB_REPOSITORY in URL construction
  • Could expose repository information to external services
  • process.exit(1) on 403 errors may cause unexpected workflow termination

✅ Positive Changes

  1. Improved Code Structure: Significant refactoring with 142 lines removed from common.js
  2. Updated Action Version: Changed from node16 to node20 in action.yml
  3. Enhanced Test Coverage: New workflow file .github/workflows/test.yml with comprehensive version testing

📋 Recommendations

Immediate Actions Required:

  1. Fix the parseVersion bug - Critical for proper functionality
  2. Complete the cherry-pick by adding missing files and changes
  3. Review subscription validation security implications

Cherry-Pick Completion:

  • Add .forgejo/workflows/test.yml
  • Add .github/README.md
  • Apply remaining README.md changes (compare with upstream)

Security Review:

  • Validate the necessity of the validateSubscription function
  • Consider adding input validation for the API URL
  • Review error handling to prevent information disclosure

🔒 Security Assessment

Overall Risk: Medium

  • No malicious code detected
  • External API calls present security considerations
  • Critical parsing bug could cause unexpected behavior

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 2, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.5...v2.1.0

📋 File-by-File Analysis:

.forgejo/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 54 additions, 0 deletions)

.github/README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 21 additions, 0 deletions)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ Cherry-pick incomplete (+17 -9) | Missing 16 additions | Missing 8 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

common.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+48 -94)

main.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -5)

📊 Summary:

  • Total files changed upstream: 6
  • Files present in PR: 3/6
  • Files with matching changes: 3/6

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@claude
Copy link

claude bot commented Dec 16, 2025
edited
Loading

Claude finished @github-actions[bot]'s task —— View job

🔍 PR Review Complete

Comprehensive review of cherry-picked changes from upstream v2.0.5 → v2.1.0

📋 Review Checklist:

  • Read and analyze all changed files
  • Verify cherry-pick completeness against verification reports
  • Check if previously identified parseVersion bug is fixed
  • Review missing files status (.forgejo/workflows/test.yml, .github/README.md)
  • Scan for security vulnerabilities in all code changes
  • Review main.js subscription validation security implications
  • Verify README.md changes are complete
  • Provide comprehensive feedback and recommendations

🚨 CRITICAL ISSUES IDENTIFIED

1. CRITICAL BUG: parseVersion Function Still Broken

Location: common.js:185-190 and dist/index.js:191-196

return {
  major: parseInt(match[0]),  // ❌ WRONG: match[0] is full string, should be match[1]
  minor: parseInt(match[1]),  // ❌ WRONG: should be match[2]  
  patch: parseInt(match[2]),  // ❌ WRONG: should be match[3]
  dev: match[3] === null ? null : parseInt(match[3]),  // ❌ WRONG: should be match[4]
};

Impact: This bug causes ALL version parsing to fail with incorrect values:

  • major gets the entire version string (e.g., "1.2.3") → parseInt("1.2.3") = 1 (partial success but wrong)
  • minor gets major instead of minor
  • patch gets minor instead of patch
  • Only dev is correctly indexed (by coincidence)

Status:UNCHANGED FROM PREVIOUS REVIEW - This critical bug exists in both source AND compiled dist files.

2. SECURITY VULNERABILITIES: validateSubscription Function

Location: main.js:107-122

Multiple security issues identified:

Environment Variable Injection Risk

const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`;
  • Risk: GITHUB_REPOSITORY is used without validation in URL construction
  • Impact: Potential for URL manipulation attacks

Forced Process Termination

process.exit(1); // Line 117
  • Risk: Provides denial-of-service vector on 403 responses
  • Impact: Can terminate entire workflow execution

Insufficient Error Handling

  • Treats all non-403 errors as benign, potentially masking security issues
  • Could allow bypass of subscription validation

3. Cherry-Pick Still Incomplete

Missing Files (confirmed absent):

  • .forgejo/workflows/test.yml - Expected 54 additions
  • .github/README.md - Expected 21 additions

Files Present:

  • .github/workflows/test.yml - Now properly included (+54 lines)
  • README.md - Changes applied (+2/-2 lines)
  • action.yml - Updated from node16 to node20
  • common.js - Refactored with +48/-94 changes
  • main.js - Enhanced with subscription validation (+7/-5)

POSITIVE CHANGES REVIEWED

  1. Action Runtime Upgrade: Updated from node16 to node20 in action.yml
  2. Enhanced Testing: New comprehensive test workflow with multiple Zig versions
  3. Code Refactoring: Significant cleanup in common.js (-94 lines, +48 additions)
  4. Documentation Updates: README.md properly updated with current usage examples
  5. Distributed Files: All dist/ files properly updated with source changes

📋 RECOMMENDATIONS

🔥 IMMEDIATE CRITICAL FIXES REQUIRED:

  1. Fix parseVersion Bug (Critical Priority):
// CORRECT implementation:
return {
  major: parseInt(match[1]),  // ✅ First capture group
  minor: parseInt(match[2]),  // ✅ Second capture group  
  patch: parseInt(match[3]),  // ✅ Third capture group
  dev: match[4] === null ? null : parseInt(match[4]),  // ✅ Fourth capture group
};

  1. Complete Cherry-Pick:

    • Add missing .forgejo/workflows/test.yml file
    • Add missing .github/README.md file
    • Verify these match upstream content exactly

  2. Security Fixes for validateSubscription:

    • Add input validation for GITHUB_REPOSITORY
    • Replace process.exit(1) with core.setFailed()
    • Improve error handling granularity
    • Use proper URL encoding

📊 OVERALL ASSESSMENT

Status: 🔴 CRITICAL ISSUES PRESENT - DO NOT MERGE

  • Critical Bug: parseVersion function completely broken
  • Security Concerns: Multiple vulnerabilities in subscription validation
  • Incomplete Cherry-Pick: Missing upstream files

Priority:

  1. Fix parseVersion bug (blocks all version-dependent functionality)
  2. Address security vulnerabilities
  3. Complete missing files from cherry-pick
  4. Rebuild and test all dist files after fixes

Note: This PR has an approval but should not be merged until critical parseVersion bug is resolved, as it will cause version parsing failures in production.

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 16, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.5...v2.1.0

📋 File-by-File Analysis:

.forgejo/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 54 additions, 0 deletions)

.github/README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 21 additions, 0 deletions)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+17 -9) | Missing 16 additions | Missing 8 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

common.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+48 -94)

main.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -5)

📊 Summary:

  • Total files changed upstream: 6
  • Files present in PR: 4/6
  • Files with matching changes: 3/6

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@Raj-StepSecurity Raj-StepSecurity merged commit 506a2de into main Dec 16, 2025
12 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amanstep amanstep amanstep approved these changes

Assignees

No one assigned

Labels

review required review-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@amanstep @Raj-StepSecurity