41 changes: 41 additions & 0 deletions .github/actions/build-arch-binary/action.yml
@@ -0,0 +1,41 @@
name: Build and upload arch-specific binary
description: Builds a Rust binary for a specific CPU architecture and uploads it to GCS.

inputs:
arch:
description: CPU architecture target (e.g. znver5, sapphirerapids)
required: true
binary_name:
description: Binary crate name with hyphens (e.g. stwo-run-and-prove)
required: true

runs:
using: composite
steps:
- name: Setup environment variables
shell: bash
env:
BINARY_NAME_ORIGINAL: ${{ inputs.binary_name }}
ARCH_NAME: ${{ inputs.arch }}
run: |
echo "BINARY_NAME_ORIGINAL=${BINARY_NAME_ORIGINAL}" >> $GITHUB_ENV
echo "BINARY_NAME_DEST=${BINARY_NAME_ORIGINAL//-/_}" >> $GITHUB_ENV
echo "ARCH_NAME=${ARCH_NAME}" >> $GITHUB_ENV

- name: Build ${{ env.BINARY_NAME_ORIGINAL }} for ${{ env.ARCH_NAME }}
shell: bash
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=${{ env.ARCH_NAME }}" \
cargo build --release --target x86_64-unknown-linux-gnu --bin ${{ env.BINARY_NAME_ORIGINAL }}

- name: Rename ${{ env.BINARY_NAME_ORIGINAL }} to ${{ env.BINARY_NAME_DEST }} (${{ env.ARCH_NAME }})
shell: bash
run: |
mv "target/x86_64-unknown-linux-gnu/release/${{ env.BINARY_NAME_ORIGINAL }}" \
"target/x86_64-unknown-linux-gnu/release/${{ env.BINARY_NAME_DEST }}"

Comment on lines +33 to +36

@semgrep-code-starkware-libs (Bot), May 5, 2026:

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

🥳 Fixed in commit 4b9d4a7 🥳

- name: Upload ${{ env.BINARY_NAME_DEST }} (${{ env.ARCH_NAME }}) to GCP
uses: google-github-actions/upload-cloud-storage@v2
with:
path: "target/x86_64-unknown-linux-gnu/release/${{ env.BINARY_NAME_DEST }}"
destination: "${{ env.BINARY_NAME_DEST }}_${{ env.ARCH_NAME }}_artifacts/${{ env.SHORT_HASH }}/release"
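Review bot: the Build and Rename steps still splice `${{ env.ARCH_NAME }}`, `${{ env.BINARY_NAME_ORIGINAL }}` and `${{ env.BINARY_NAME_DEST }}` straight into their `run:` scripts, which is the same expression-in-script pattern the Setup step was just restructured to avoid; the Setup step already exports those values through `$GITHUB_ENV`, so the later scripts can read them as ordinary shell variables with no `${{ }}` at all, e.g. `CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=${ARCH_NAME}" cargo build --release --target x86_64-unknown-linux-gnu --bin "${BINARY_NAME_ORIGINAL}"` and `mv "target/x86_64-unknown-linux-gnu/release/${BINARY_NAME_ORIGINAL}" "target/x86_64-unknown-linux-gnu/release/${BINARY_NAME_DEST}"`. Two smaller points in the same hunk: the Setup step appends the raw inputs to an unquoted `$GITHUB_ENV`, so an input containing a newline would define additional variables for every later step, and an allowlist check such as `[[ "$ARCH_NAME" =~ ^[A-Za-z0-9_-]+$ ]]` before the `echo` lines would close that; and `google-github-actions/upload-cloud-storage@v2` is pinned to a mutable tag rather than a full commit SHA.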

Composite action has undeclared dependency on SHORT_HASH

Medium Severity

The composite action references ${{ env.SHORT_HASH }} in the upload destination but never declares it as an input parameter, unlike arch and binary_name. This creates a hidden contract with the calling workflow. If the action is reused in a context where SHORT_HASH isn't set, the destination path silently includes an empty segment, uploading artifacts to the wrong location with no error. Making SHORT_HASH (or a commit_hash equivalent) an explicit required input would make the action self-contained and safe to reuse.


Reviewed by Cursor Bugbot for commit b20163c.

Contributor (Author):

We invoke via the upload script, which defines the hash, so I don't think this is an issue, and passing the value seems redundant since it's already in scope at invoke time.
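The run:-interpolation issue the Semgrep comment above describes, shown as an added shell example; this is not code from the PR or from the project. It simulates how a `${{ ... }}` expression is pasted into a run: script before bash parses it, contrasts that with passing the value through env: and reading `"$VAR"`, and then runs a small awk check over a constructed YAML snippet (modelled on the composite action under review, not the file itself) that flags any `${{` left inside run: values. The PAYLOAD string, the sample YAML and the function names are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or the project.
#  1. Why ${{ ... }} inside run: is a code-injection sink: the runner substitutes the
#     expression into the script text before the shell parses it. A value passed via
#     env: and read as "$VAR" is only ever data.
#  2. A line-oriented check that flags ${{ ... }} left inside run: values of a
#     workflow or composite-action file.
set -u

# Constructed attacker-controlled value (think: a branch name or PR title reaching the
# github context). Not taken from the page.
PAYLOAD='znver5"; echo INJECTED; echo "'

# Vulnerable pattern, equivalent to:   run: echo "building for ${{ inputs.arch }}"
# The template is rendered by string concatenation, as the runner does it, so the
# quote in PAYLOAD closes the string and the rest becomes shell commands.
run_interpolated() {
  local script='echo "building for '"$1"'"'
  bash -c "$script" 2>&1
}

# Hardened pattern, equivalent to:
#   env:
#     ARCH: ${{ inputs.arch }}
#   run: echo "building for $ARCH"
# The value arrives as an environment variable; bash never parses it as code.
run_env() {
  ARCH="$1" bash -c 'echo "building for $ARCH"' 2>&1
}

# Flags ${{ ... }} inside run: values, both single-line "run: cmd" and "run: |" blocks.
# Prints "file:line: text" per hit; exit status 1 when at least one line is flagged.
lint_run_interpolation() {
  awk '
    function ind(s) { match(s, /^ */); return RLENGTH }
    # single-line run: flag it if it carries an expression, and leave any open block
    /^[ \t]*-?[ \t]*run:/ && !/run:[ \t]*[|>]/ {
      in_run = 0
      if ($0 ~ /\$[{][{]/) { print FILENAME ":" NR ": " $0; hits++ }
      next
    }
    # "run: |" or "run: >" opens a block scalar; every deeper-indented line belongs to it
    /^[ \t]*-?[ \t]*run:[ \t]*[|>]/ { in_run = 1; base = ind($0); next }
    in_run && NF > 0 && ind($0) <= base { in_run = 0 }
    in_run && /\$[{][{]/ { print FILENAME ":" NR ": " $0; hits++ }
    END { exit (hits > 0) }
  ' "$1"
}

# Number of flagged lines, as a plain integer.
count_run_interpolations() {
  lint_run_interpolation "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the composite action under review (not the page's
# file): the Setup step uses env:, the Build step still interpolates into run:.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
steps:
  - name: Setup environment variables
    shell: bash
    env:
      ARCH_NAME: ${{ inputs.arch }}
    run: |
      echo "ARCH_NAME=${ARCH_NAME}" >> "$GITHUB_ENV"
  - name: Build
    shell: bash
    run: |
      RUSTFLAGS="-C target-cpu=${{ env.ARCH_NAME }}" \
      cargo build --release --bin ${{ env.BINARY_NAME_ORIGINAL }}
  - name: Upload
    uses: google-github-actions/upload-cloud-storage@v2
    with:
      path: "target/release/${{ env.BINARY_NAME_DEST }}"
EOF

echo "--- interpolated into the script (vulnerable):"
run_interpolated "$PAYLOAD"
echo "--- passed through env: (hardened):"
run_env "$PAYLOAD"
echo "--- lint of the constructed sample (expect the two Build lines):"
lint_run_interpolation "$SAMPLE" || echo "(exit $?: unsafe interpolation found)"
```

The check only looks at run: values because those are the ones handed to a shell; `${{ }}` in `name:`, `env:` or `with:` is passed as data by the runner, which is exactly the route the Semgrep comment recommends. Note that `${{ env.X }}` inside run: is flagged too, since the env context is still substituted into the script text rather than read by the shell.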

96 changes: 24 additions & 72 deletions .github/workflows/upload_artifacts_workflow.yml
Expand Up @@ -53,86 +53,38 @@ jobs:
path: "target/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_artifacts/${{ env.SHORT_HASH }}/release"

- name: Build stwo_run_and_prove for znver5 architecture
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=znver5" cargo build --release --target x86_64-unknown-linux-gnu --bin stwo-run-and-prove

- name: Rename stwo-run-and-prove binary (znver5)
run: mv target/x86_64-unknown-linux-gnu/release/stwo-run-and-prove target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove

- name: Upload stwo_run_and_prove_znver5 binary to GCP
id: upload_stwo_run_and_prove_znver5
uses: "google-github-actions/upload-cloud-storage@v2"
- name: Build and upload stwo_run_and_prove for znver5
uses: ./.github/actions/build-arch-binary
with:
path: "target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_znver5_artifacts/${{ env.SHORT_HASH }}/release"

- name: Build stwo_run_and_prove for znver4 architecture
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=znver4" cargo build --release --target x86_64-unknown-linux-gnu --bin stwo-run-and-prove
arch: znver5
binary_name: stwo-run-and-prove

- name: Rename stwo-run-and-prove binary (znver4)
run: mv target/x86_64-unknown-linux-gnu/release/stwo-run-and-prove target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove

- name: Upload stwo_run_and_prove_znver4 binary to GCP
id: upload_stwo_run_and_prove_znver4
uses: "google-github-actions/upload-cloud-storage@v2"
- name: Build and upload stwo_run_and_prove for znver4
uses: ./.github/actions/build-arch-binary
with:
path: "target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_znver4_artifacts/${{ env.SHORT_HASH }}/release"

- name: Build stwo_run_and_prove for znver3 architecture
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=znver3" cargo build --release --target x86_64-unknown-linux-gnu --bin stwo-run-and-prove

- name: Rename stwo-run-and-prove binary (znver3)
run: mv target/x86_64-unknown-linux-gnu/release/stwo-run-and-prove target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove
arch: znver4
binary_name: stwo-run-and-prove

- name: Upload stwo_run_and_prove_znver3 binary to GCP
id: upload_stwo_run_and_prove_znver3
uses: "google-github-actions/upload-cloud-storage@v2"
- name: Build and upload stwo_run_and_prove for znver3
uses: ./.github/actions/build-arch-binary
with:
path: "target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_znver3_artifacts/${{ env.SHORT_HASH }}/release"
arch: znver3
binary_name: stwo-run-and-prove

- name: Build stwo_run_and_prove for emeraldrapids architecture
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=emeraldrapids" cargo build --release --target x86_64-unknown-linux-gnu --bin stwo-run-and-prove

- name: Rename stwo-run-and-prove binary (emeraldrapids)
run: mv target/x86_64-unknown-linux-gnu/release/stwo-run-and-prove target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove

- name: Upload stwo_run_and_prove_emeraldrapids binary to GCP
id: upload_stwo_run_and_prove_emeraldrapids
uses: "google-github-actions/upload-cloud-storage@v2"
- name: Build and upload stwo_run_and_prove for emeraldrapids
uses: ./.github/actions/build-arch-binary
with:
path: "target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_emeraldrapids_artifacts/${{ env.SHORT_HASH }}/release"

- name: Build stwo_run_and_prove for sapphirerapids architecture
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=sapphirerapids" cargo build --release --target x86_64-unknown-linux-gnu --bin stwo-run-and-prove
arch: emeraldrapids
binary_name: stwo-run-and-prove

- name: Rename stwo-run-and-prove binary (sapphirerapids)
run: mv target/x86_64-unknown-linux-gnu/release/stwo-run-and-prove target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove

- name: Upload stwo_run_and_prove_sapphirerapids binary to GCP
id: upload_stwo_run_and_prove_sapphirerapids
uses: "google-github-actions/upload-cloud-storage@v2"
- name: Build and upload stwo_run_and_prove for sapphirerapids
uses: ./.github/actions/build-arch-binary
with:
path: "target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_sapphirerapids_artifacts/${{ env.SHORT_HASH }}/release"

- name: Build stwo_run_and_prove for graniterapids architecture
run: |
CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS="-C target-cpu=graniterapids" cargo build --release --target x86_64-unknown-linux-gnu --bin stwo-run-and-prove

- name: Rename stwo-run-and-prove binary (graniterapids)
run: mv target/x86_64-unknown-linux-gnu/release/stwo-run-and-prove target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove
arch: sapphirerapids
binary_name: stwo-run-and-prove

- name: Upload stwo_run_and_prove_graniterapids binary to GCP
id: upload_stwo_run_and_prove_graniterapids
uses: "google-github-actions/upload-cloud-storage@v2"
- name: Build and upload stwo_run_and_prove for graniterapids
uses: ./.github/actions/build-arch-binary
with:
path: "target/x86_64-unknown-linux-gnu/release/stwo_run_and_prove"
destination: "stwo_run_and_prove_graniterapids_artifacts/${{ env.SHORT_HASH }}/release"
arch: graniterapids
binary_name: stwo-run-and-prove
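Review bot: each of the six removed upload steps carried an `id:` (`upload_stwo_run_and_prove_znver5` through `upload_stwo_run_and_prove_graniterapids`) and the composite-action steps that replace them declare none, so confirm that nothing later in this job reads `steps.upload_stwo_run_and_prove_<arch>.outputs`; if something does, the action would also need to declare an output, which it currently does not. Separately, the new steps depend on `SHORT_HASH` being in the job environment (it is, per the unchanged `destination:` context at the top of the hunk) instead of receiving it through `with:`; adding a `short_hash: ${{ env.SHORT_HASH }}` line to each call, with a matching required input in the action, would make that dependency visible to the next workflow that reuses it.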