refactor github action upload flow#340
PR Summary (Low Risk). Overview: The workflow now calls this action for each target CPU (
Reviewed by Cursor Bugbot for commit b20163c. Bugbot is set up for automated code reviews on this repo.
Codecov Report: All modified and coverable lines are covered by tests.
Coverage diff (main vs. #340):
  Coverage   53.16%   53.16%
  Files      35       35
  Lines      5295     5295
  Hits       2815     2815
  Misses     2480     2480
    run: |
      BINARY_NAME="${{ inputs.binary_name }}"
      BINARY_NAME="${BINARY_NAME//-/_}"
      mv "target/x86_64-unknown-linux-gnu/release/${{ inputs.binary_name }}" \
         "target/x86_64-unknown-linux-gnu/release/${BINARY_NAME}"
      echo "BINARY_NAME=${BINARY_NAME}" >> "$GITHUB_ENV"
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
🥳 Fixed in commit 4b9d4a7 🥳
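The fix the comment above describes, written out as a complete composite action. This is an added example, not the PR's own action file: input names, the binary path, the upload action and the BINARY_NAME_DEST/ARCH_NAME/SHORT_HASH names follow the snippets quoted in this thread, while the action name, description and the fail-fast check on SHORT_HASH are assumptions that go slightly beyond what the thread settled on.

```yaml
# Added example, not the PR's action.yml. Every ${{ }} expression is bound
# to env: (or a with: input) and never pasted into run: script text.
name: upload-release-binary
description: Rename a cargo-built binary and upload it to GCS (example)
inputs:
  binary_name:
    description: Cargo binary name; '-' is replaced by '_' in the uploaded name
    required: true
  arch:
    description: Target CPU name, used only in the bucket path
    required: true
runs:
  using: composite
  steps:
    # ${{ ... }} is expanded into the script before bash runs it, so a value
    # containing shell metacharacters would become code. Routing the inputs
    # through env: means bash only ever sees them as data inside a
    # double-quoted expansion.
    - name: Rename binary
      shell: bash
      env:
        BINARY_NAME_SRC: ${{ inputs.binary_name }}
        ARCH_NAME: ${{ inputs.arch }}
      run: |
        set -euo pipefail
        # Assumed addition: fail fast instead of uploading to a destination
        # with an empty path segment. SHORT_HASH is expected from the calling
        # workflow, as discussed in this thread.
        : "${SHORT_HASH:?SHORT_HASH must be set by the calling workflow}"
        BINARY_NAME_DEST="${BINARY_NAME_SRC//-/_}"
        mv "target/x86_64-unknown-linux-gnu/release/${BINARY_NAME_SRC}" \
           "target/x86_64-unknown-linux-gnu/release/${BINARY_NAME_DEST}"
        {
          echo "BINARY_NAME_DEST=${BINARY_NAME_DEST}"
          echo "ARCH_NAME=${ARCH_NAME}"
        } >> "$GITHUB_ENV"

    # Values exported above are read back through the env context; no run:
    # script is involved, so no shell parsing of the values happens here.
    - name: Upload to GCS
      uses: google-github-actions/upload-cloud-storage@v2
      with:
        path: "target/x86_64-unknown-linux-gnu/release/${{ env.BINARY_NAME_DEST }}"
        destination: "${{ env.BINARY_NAME_DEST }}_${{ env.ARCH_NAME }}_artifacts/${{ env.SHORT_HASH }}/release"
```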
Branch force-pushed: 85b3f0a to 023cacd, 023cacd to 4b9d4a7, 3e385a6 to b20163c.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit b20163c.
      uses: google-github-actions/upload-cloud-storage@v2
      with:
        path: "target/x86_64-unknown-linux-gnu/release/${{ env.BINARY_NAME_DEST }}"
        destination: "${{ env.BINARY_NAME_DEST }}_${{ env.ARCH_NAME }}_artifacts/${{ env.SHORT_HASH }}/release"
Composite action has undeclared dependency on SHORT_HASH (Medium Severity)
The composite action references ${{ env.SHORT_HASH }} in the upload destination but never declares it as an input parameter, unlike arch and binary_name. This creates a hidden contract with the calling workflow. If the action is reused in a context where SHORT_HASH isn't set, the destination path silently includes an empty segment, uploading artifacts to the wrong location with no error. Making SHORT_HASH (or a commit_hash equivalent) an explicit required input would make the action self-contained and safe to reuse.
We invoke via the upload script which defines the hash so I don't think this is an issue and passing the value seems redundant since it's already in scope at invoke time.
noam-starkware left a comment
@noam-starkware made 1 comment.
Reviewable status: 0 of 2 files reviewed, 2 unresolved discussions (waiting on YairVaknin-starkware).
YairVaknin-starkware left a comment
@YairVaknin-starkware reviewed 2 files and all commit messages, and made 1 comment.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on noam-starkware).
a discussion (no related file):
Have you created a dummy commit over this branch so the push binaries workflow runs for pushes to this branch, to test it works?
noam-starkware left a comment
@noam-starkware made 1 comment and resolved 1 discussion.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on YairVaknin-starkware).
a discussion (no related file):
Previously, YairVaknin-starkware wrote…
Have you created a dummy commit over this branch so the push binaries workflow runs for pushes to this branch, to test it works?
Yes, sorry, I thought I wrote this here. I compiled an example and made sure the resulting bins are equivalent to the one from the base on main.