From d39b4232b02261e85377ef8e8966c4f989e2f47a Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 31 Mar 2026 11:41:34 -0400 Subject: [PATCH 1/9] Add if:always to artifact uploads, fix cache restore-keys, fix test workflow --- .github/workflows/test.yml | 2 +- ruby/deps/action.yml | 2 +- ruby/lint/action.yml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bb7e052..ea8aff5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,4 +28,4 @@ jobs: - uses: actions/checkout@v6 - uses: ./ with: - milliseconds: 1000 + job_status: ${{ job.status }} diff --git a/ruby/deps/action.yml b/ruby/deps/action.yml index 8e90f35..72913a0 100644 --- a/ruby/deps/action.yml +++ b/ruby/deps/action.yml @@ -15,7 +15,7 @@ runs: with: path: vendor/bundle key: rails-${{ hashFiles('Gemfile.lock') }} - restore-keys: rails-${{ hashFiles('Gemfile.lock') }} + restore-keys: rails- - name: Bundle install if: steps.bundle-cache.outputs.cache-hit != 'true' shell: bash diff --git a/ruby/lint/action.yml b/ruby/lint/action.yml index be3966f..366d901 100644 --- a/ruby/lint/action.yml +++ b/ruby/lint/action.yml @@ -18,6 +18,7 @@ runs: env: BUNDLE_DEPLOYMENT: true - name: 'Upload rubocop results' + if: always() uses: actions/upload-artifact@v6 with: name: "${{ github.sha }}-lint-results.out" From 65476ea68c7457ff9e790c3776e34da3f48d2046 Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 31 Mar 2026 13:22:20 -0400 Subject: [PATCH 2/9] Replace eval with bash array in EKS deploy step --- deploy/eks/action.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/deploy/eks/action.yml b/deploy/eks/action.yml index 3893fbb..fc5d058 100644 --- a/deploy/eks/action.yml +++ b/deploy/eks/action.yml @@ -45,8 +45,12 @@ runs: uses: wishabi/github-actions/common/branch-info@v0 - name: Validate AWS credentials input shell: bash + env: + AWS_ROLE_ARN_INPUT: ${{ inputs.AWS_ROLE_ARN }} + AWS_ACCESS_KEY_ID_INPUT: ${{ inputs.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY_INPUT: ${{ inputs.AWS_SECRET_ACCESS_KEY }} run: | - if [ -z "${{ inputs.AWS_ROLE_ARN }}" ] && { [ -z "${{ inputs.AWS_ACCESS_KEY_ID }}" ] || [ -z "${{ inputs.AWS_SECRET_ACCESS_KEY }}" ]; }; then + if [ -z "$AWS_ROLE_ARN_INPUT" ] && { [ -z "$AWS_ACCESS_KEY_ID_INPUT" ] || [ -z "$AWS_SECRET_ACCESS_KEY_INPUT" ]; }; then echo "::error::Either AWS_ROLE_ARN (IAM auth) or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (static auth) must be provided." exit 1 fi @@ -67,26 +71,31 @@ runs: - name: Cleaning workspace if: ${{ inputs.CLEAN_WORKSPACE == 'true' }} shell: bash - run: shopt -s dotglob && rm -rf "${{ github.workspace }}"/* + run: shopt -s dotglob && rm -rf "$GITHUB_WORKSPACE"/* - name: Restoring workspace from cache uses: wishabi/github-actions/cache@v0 - name: Deploying to EKS via Helm release shell: bash + env: + DEPLOY_ENV: ${{ inputs.ENV }} + DEPLOY_TIMEOUT: ${{ inputs.TIMEOUT }} + DEPLOY_ATOMIC: ${{ inputs.ATOMIC }} run: | - cmd="chmod +x ./deploy/build.sh && ./deploy/build.sh service deploy_eks --env=${{ inputs.ENV }}" + chmod +x ./deploy/build.sh + cmd=(./deploy/build.sh service deploy_eks --env="$DEPLOY_ENV") # Check if TIMEOUT is set and provide it as a flag - if [ -n "${{ inputs.TIMEOUT }}" ]; then - cmd="${cmd} --timeout=${{ inputs.TIMEOUT }}" + if [ -n "$DEPLOY_TIMEOUT" ]; then + cmd+=(--timeout="$DEPLOY_TIMEOUT") fi - # Check if ATOMIC is set and provide it as a flag - if [ -n "${{ inputs.ATOMIC }}" ]; then - cmd="${cmd} --atomic=${{ inputs.ATOMIC }}" + # Check if ATOMIC is set and provide it as a flag + if [ -n "$DEPLOY_ATOMIC" ]; then + cmd+=(--atomic="$DEPLOY_ATOMIC") fi # Execute command - eval $cmd + "${cmd[@]}" - name: Notify slack channel on success if: success() && inputs.SLACK_SUCCESS_CHANNEL_ID != '' uses: slackapi/slack-github-action@v1.27.1 From 84edceec338bbe5b5a5c7890bf7ebc449a720deb Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 31 Mar 2026 13:31:23 -0400 Subject: [PATCH 3/9] Move expressions from run blocks to env vars for injection hardening --- .github/workflows/main-version-update.yml | 9 +++++++-- common/branch-info/action.yml | 10 +++++++--- deploy/lambda/go/action.yml | 9 ++++++--- go/configure/action.yml | 4 +++- go/deps/action.yml | 10 ++++++---- go/lint/action.yml | 10 +++++++--- go/smoke-test/action.yml | 4 +++- go/test/action.yml | 8 +++++++- go/test/test.sh | 6 +++--- ruby/test/action.yml | 4 +++- ruby/validation/schema/action.yml | 4 +++- ruby/validation/topic/action.yml | 7 +++++-- 12 files changed, 60 insertions(+), 25 deletions(-) diff --git a/.github/workflows/main-version-update.yml b/.github/workflows/main-version-update.yml index 5cf3699..b2263f2 100644 --- a/.github/workflows/main-version-update.yml +++ b/.github/workflows/main-version-update.yml @@ -25,6 +25,11 @@ jobs: git config user.name flipp-bot git config user.email flipp-bot@flipp.com - name: Tag new target - run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }} + env: + MAJOR_VERSION: ${{ github.event.inputs.major_version }} + TARGET_REF: ${{ github.event.inputs.target }} + run: git tag -f "$MAJOR_VERSION" "$TARGET_REF" - name: Push new tag - run: git push origin ${{ github.event.inputs.major_version }} --force + env: + MAJOR_VERSION: ${{ github.event.inputs.major_version }} + run: git push origin "$MAJOR_VERSION" --force diff --git a/common/branch-info/action.yml b/common/branch-info/action.yml index cff7832..9d6e9d2 100644 --- a/common/branch-info/action.yml +++ b/common/branch-info/action.yml @@ -15,11 +15,15 @@ runs: - name: Set branch variable id: set-branch shell: bash + env: + EVENT_NAME: ${{ github.event_name }} + PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} + GIT_REF: ${{ github.ref }} run: | - if [ "${{ github.event_name }}" == "pull_request" ]; then - branch="${{ github.event.pull_request.head.ref }}" + if [ "$EVENT_NAME" == "pull_request" ]; then + branch="$PR_HEAD_REF" else - branch="${{ github.ref }}" + branch="$GIT_REF" branch="${branch#refs/heads/}" fi echo "branch=${branch}" >> $GITHUB_OUTPUT diff --git a/deploy/lambda/go/action.yml b/deploy/lambda/go/action.yml index 8b2364c..6eab4d5 100644 --- a/deploy/lambda/go/action.yml +++ b/deploy/lambda/go/action.yml @@ -16,15 +16,18 @@ runs: - uses: actions/checkout@v6 - name: Cleaning workspace shell: bash - run: shopt -s dotglob && rm -rf "${{ github.workspace }}"/* + run: shopt -s dotglob && rm -rf "$GITHUB_WORKSPACE"/* - name: Restoring workspace from cache uses: wishabi/github-actions/cache@v0 - name: Building lambda function for deployment shell: bash + env: + LAMBDA_DIR: ${{ inputs.LAMBDA_FUNCTION_DIRECTORY }} run: | - go build -o ${{ inputs.LAMBDA_FUNCTION_DIRECTORY }}/main ${{ inputs.LAMBDA_FUNCTION_DIRECTORY }}/main.go + go build -o "$LAMBDA_DIR/main" "$LAMBDA_DIR/main.go" - name: Deploying to Lambda shell: bash + env: + DEPLOY_ENV: ${{ inputs.ENV }} run: | - export DEPLOY_ENV=${{ inputs.ENV }} chmod +x ./deploy/build.sh && ./deploy/build.sh service diff --git a/go/configure/action.yml b/go/configure/action.yml index 0c8594e..65f6e57 100644 --- a/go/configure/action.yml +++ b/go/configure/action.yml @@ -25,7 +25,9 @@ runs: fetch-depth: ${{ inputs.FETCH_DEPTH }} - name: Setting up private modules access shell: bash - run: git config --global url."https://${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }}:x-oauth-basic@github.com/wishabi".insteadOf "https://github.com/wishabi" + env: + REPO_TOKEN: ${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }} + run: git config --global url."https://$REPO_TOKEN:x-oauth-basic@github.com/wishabi".insteadOf "https://github.com/wishabi" - name: Grab buf version if: ${{ hashFiles('.tool-versions') != '' }} run: | diff --git a/go/deps/action.yml b/go/deps/action.yml index c37d2ea..d1da375 100644 --- a/go/deps/action.yml +++ b/go/deps/action.yml @@ -27,7 +27,7 @@ runs: with: path: vendor key: vendor-cache-${{ hashFiles('go.mod','go.sum') }} - restore-keys: vendor-cache-${{ hashFiles('go.mod','go.sum') }} + restore-keys: vendor-cache- - name: Generating protobuf code if: ${{ hashFiles('buf.gen.yaml') != '' }} run: buf generate @@ -47,7 +47,7 @@ runs: eval "$CODE_GEN_COMMANDS" env: CODE_GEN_COMMANDS: ${{ inputs.CODE_GEN_COMMANDS }} - - name: Setting up private modules access + - name: Tidy and vendor modules if: steps.vendor-cache.outputs.cache-hit != 'true' shell: bash run: | @@ -60,13 +60,15 @@ runs: run: go generate ./... shell: bash - name: Grab mockery version + env: + MOCKERY_VERSION: ${{ inputs.MOCKERY_INSTALL_VERSION }} run: | # Default to empty version and v1 config MOCKERY_INSTALL_VERSION="" # Check for MOCKERY_INSTALL_VERSION input - if [ -n "${{ inputs.MOCKERY_INSTALL_VERSION }}" ]; then - MOCKERY_INSTALL_VERSION="${{ inputs.MOCKERY_INSTALL_VERSION }}" + if [ -n "$MOCKERY_VERSION" ]; then + MOCKERY_INSTALL_VERSION="$MOCKERY_VERSION" echo "Using MOCKERY_INSTALL_VERSION=${MOCKERY_INSTALL_VERSION} from input" fi diff --git a/go/lint/action.yml b/go/lint/action.yml index 2b3aac6..d635c48 100644 --- a/go/lint/action.yml +++ b/go/lint/action.yml @@ -45,16 +45,20 @@ runs: FLIPPCIRCLECIPULLER_REPO_TOKEN: ${{ inputs.FLIPPCIRCLECIPULLER_REPO_TOKEN }} - name: Setup safe directory shell: bash - run: git config --global --add safe.directory ${{ inputs.WORKSPACE || github.workspace }} + env: + LINT_WORKSPACE: ${{ inputs.WORKSPACE || github.workspace }} + run: git config --global --add safe.directory "$LINT_WORKSPACE" - name: Determine golangci-lint and config version + env: + LINT_VERSION: ${{ inputs.GOLANG_CI_LINT_VERSION }} run: | # Default to empty version and v1 config GOLANGCI_LINT_VERSION="" IS_V2=false # Check for GOLANG_CI_LINT_VERSION input - if [ -n "${{ inputs.GOLANG_CI_LINT_VERSION }}" ]; then - GOLANGCI_LINT_VERSION="${{ inputs.GOLANG_CI_LINT_VERSION }}" + if [ -n "$LINT_VERSION" ]; then + GOLANGCI_LINT_VERSION="$LINT_VERSION" echo "Using GOLANG_CI_LINT_VERSION=${GOLANGCI_LINT_VERSION} from input" fi diff --git a/go/smoke-test/action.yml b/go/smoke-test/action.yml index 9be047b..b6cdd25 100644 --- a/go/smoke-test/action.yml +++ b/go/smoke-test/action.yml @@ -69,9 +69,11 @@ runs: fi - name: Rollback on failure if: failure() && inputs.ROLLBACK_ON_FAIL == 'true' + env: + DEPLOY_ENV: ${{ inputs.ENV }} run: | echo "WARNING: Rolling back service" - chmod +x ./deploy/build.sh && ./deploy/build.sh service rollback --env=${{ inputs.ENV }} + chmod +x ./deploy/build.sh && ./deploy/build.sh service rollback --env="$DEPLOY_ENV" shell: bash - name: Notify slack channel on failure if: failure() && inputs.SLACK_CHANNEL_ID != '' diff --git a/go/test/action.yml b/go/test/action.yml index d076c06..4ca10f7 100644 --- a/go/test/action.yml +++ b/go/test/action.yml @@ -23,7 +23,11 @@ runs: steps: - name: Running go tests shell: bash - run: ${GITHUB_ACTION_PATH}/test.sh "${{ inputs.TAGS }}" "${{ inputs.TIMEOUT }}" "${{ inputs.PARALLEL }}" + env: + TEST_TAGS: ${{ inputs.TAGS }} + TEST_TIMEOUT: ${{ inputs.TIMEOUT }} + TEST_PARALLEL: ${{ inputs.PARALLEL }} + run: ${GITHUB_ACTION_PATH}/test.sh - name: Write test summary if: always() shell: bash @@ -51,12 +55,14 @@ runs: echo "> **Warning:** No test report found" >> $GITHUB_STEP_SUMMARY fi - name: Uploading test report + if: always() uses: actions/upload-artifact@v6 with: name: "${{ github.sha }}-test-report.out" path: "./test-report.out" retention-days: ${{ inputs.ARTIFACT_RETENTION_DAYS }} - name: Uploading coverage report + if: always() uses: actions/upload-artifact@v6 with: name: "${{ github.sha }}-coverage.out" diff --git a/go/test/test.sh b/go/test/test.sh index cd0fde1..63e01cd 100755 --- a/go/test/test.sh +++ b/go/test/test.sh @@ -1,9 +1,9 @@ #! /bin/bash set -eu -TAGS=${1:-} -TIMEOUT=${2:-} -PARALLEL=${3:-} +TAGS=${TEST_TAGS:-} +TIMEOUT=${TEST_TIMEOUT:-} +PARALLEL=${TEST_PARALLEL:-true} cmd="go test -v ./... -coverprofile=coverage.out" diff --git a/ruby/test/action.yml b/ruby/test/action.yml index c203010..13f88b6 100644 --- a/ruby/test/action.yml +++ b/ruby/test/action.yml @@ -61,14 +61,16 @@ runs: working-directory: ./coverage shell: bash run: | - sed -i 's@${{ env.ROOT_PATH }}''@/github/workspace/@g' coverage.json + sed -i "s@${ROOT_PATH}@/github/workspace/@g" coverage.json - name: 'Upload coverage' + if: always() uses: actions/upload-artifact@v6 with: name: ${{ github.sha }}-coverage.out path: ./coverage/coverage.json retention-days: ${{ inputs.ARTIFACT_RETENTION_DAYS }} - name: 'Upload test results' + if: always() uses: actions/upload-artifact@v6 with: name: ${{ github.sha }}-test-report.out diff --git a/ruby/validation/schema/action.yml b/ruby/validation/schema/action.yml index 8f21714..fc48d1b 100644 --- a/ruby/validation/schema/action.yml +++ b/ruby/validation/schema/action.yml @@ -22,5 +22,7 @@ runs: BUNDLE_DEPLOYMENT: true - name: Schema validation shell: bash + env: + VALIDATION_ENV: ${{ inputs.ENV }} run: | - chmod +x ./deploy/build.sh && ./deploy/build.sh service schema_validation --env=${{ inputs.ENV }} + chmod +x ./deploy/build.sh && ./deploy/build.sh service schema_validation --env="$VALIDATION_ENV" diff --git a/ruby/validation/topic/action.yml b/ruby/validation/topic/action.yml index 45050d5..068e6b3 100644 --- a/ruby/validation/topic/action.yml +++ b/ruby/validation/topic/action.yml @@ -19,12 +19,15 @@ runs: - name: Topic validation shell: bash run: | - bundle exec rails g flipp_ruby_kafka:topic_config --producer_services=${{ inputs.PRODUCER_SERVICE }} --consumer_services=${{ inputs.CONSUMER_SERVICE }} + bundle exec rails g flipp_ruby_kafka:topic_config --producer_services="$PRODUCER_SERVICE" --consumer_services="$CONSUMER_SERVICE" # check if the circeci user exists and update permission. This is needed for non runner-fleet-v2 jobs if id "3434" >/dev/null 2>&1; then sudo chown circleci:circleci /var/run/docker.sock fi - chmod +x ./deploy/build.sh && ./deploy/build.sh service topic_validation --env=${{ inputs.ENV }} --config-file=./platform.yml --config-file=./topic_validation.yaml + chmod +x ./deploy/build.sh && ./deploy/build.sh service topic_validation --env="$VALIDATION_ENV" --config-file=./platform.yml --config-file=./topic_validation.yaml env: BUNDLE_DEPLOYMENT: true + PRODUCER_SERVICE: ${{ inputs.PRODUCER_SERVICE }} + CONSUMER_SERVICE: ${{ inputs.CONSUMER_SERVICE }} + VALIDATION_ENV: ${{ inputs.ENV }} From d4ef0f5316bf16d13f0edb49c45c97eb7c0ebb22 Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 7 Apr 2026 10:25:08 -0400 Subject: [PATCH 4/9] Address Copilot review: move remaining expressions out of run blocks --- go/lint/action.yml | 14 +++++++++----- go/smoke-test/action.yml | 18 +++++++++++++----- go/test/test.sh | 14 +++++++------- 3 files changed, 29 insertions(+), 17 deletions(-) diff --git a/go/lint/action.yml b/go/lint/action.yml index d635c48..105b5f1 100644 --- a/go/lint/action.yml +++ b/go/lint/action.yml @@ -82,7 +82,7 @@ runs: run: | echo "::group::Tool Versions" echo "Go: $(go version)" - if [ -n "${{ env.GOLANGCI_LINT_VERSION }}" ]; then echo "golangci-lint: ${{ env.GOLANGCI_LINT_VERSION }}"; fi + if [ -n "$GOLANGCI_LINT_VERSION" ]; then echo "golangci-lint: $GOLANGCI_LINT_VERSION"; fi echo "::endgroup::" - name: Run v1 Go linter if: ${{ env.IS_V2 == 'false' }} @@ -101,16 +101,20 @@ runs: - name: Write lint summary if: always() shell: bash + env: + JOB_STATUS: ${{ job.status }} run: | echo "## Go Lint Results" >> $GITHUB_STEP_SUMMARY echo "| Setting | Value |" >> $GITHUB_STEP_SUMMARY echo "|---------|-------|" >> $GITHUB_STEP_SUMMARY echo "| Go | $(go version | awk '{print $3}') |" >> $GITHUB_STEP_SUMMARY - if [ -n "${{ env.GOLANGCI_LINT_VERSION }}" ]; then - echo "| golangci-lint | ${{ env.GOLANGCI_LINT_VERSION }} |" >> $GITHUB_STEP_SUMMARY + if [ -n "$GOLANGCI_LINT_VERSION" ]; then + echo "| golangci-lint | $GOLANGCI_LINT_VERSION |" >> $GITHUB_STEP_SUMMARY fi - echo "| Config version | ${{ env.IS_V2 == 'true' && 'v2' || 'v1' }} |" >> $GITHUB_STEP_SUMMARY - if [ "${{ job.status }}" = "success" ]; then + CONFIG_VERSION="v1" + if [ "$IS_V2" = "true" ]; then CONFIG_VERSION="v2"; fi + echo "| Config version | $CONFIG_VERSION |" >> $GITHUB_STEP_SUMMARY + if [ "$JOB_STATUS" = "success" ]; then echo "" >> $GITHUB_STEP_SUMMARY echo "> Lint passed" >> $GITHUB_STEP_SUMMARY else diff --git a/go/smoke-test/action.yml b/go/smoke-test/action.yml index b6cdd25..0951956 100644 --- a/go/smoke-test/action.yml +++ b/go/smoke-test/action.yml @@ -52,15 +52,23 @@ runs: - name: Write smoke test summary if: always() shell: bash + env: + SMOKE_ENV: ${{ inputs.ENV }} + GO_SMOKE: ${{ inputs.GO_SMOKE }} + DD_SYNTHETIC_IDS: ${{ inputs.DD_SYNTHETIC_IDS }} + ROLLBACK_ON_FAIL: ${{ inputs.ROLLBACK_ON_FAIL }} + JOB_STATUS: ${{ job.status }} run: | + DD_ENABLED="no" + if [ -n "$DD_SYNTHETIC_IDS" ]; then DD_ENABLED="yes"; fi echo "## Smoke Test Results" >> $GITHUB_STEP_SUMMARY echo "| Setting | Value |" >> $GITHUB_STEP_SUMMARY echo "|---------|-------|" >> $GITHUB_STEP_SUMMARY - echo "| Environment | ${{ inputs.ENV }} |" >> $GITHUB_STEP_SUMMARY - echo "| Go Smoke | ${{ inputs.GO_SMOKE }} |" >> $GITHUB_STEP_SUMMARY - echo "| DataDog Synthetics | ${{ inputs.DD_SYNTHETIC_IDS != '' && 'yes' || 'no' }} |" >> $GITHUB_STEP_SUMMARY - echo "| Rollback on Fail | ${{ inputs.ROLLBACK_ON_FAIL }} |" >> $GITHUB_STEP_SUMMARY - if [ "${{ job.status }}" = "success" ]; then + echo "| Environment | $SMOKE_ENV |" >> $GITHUB_STEP_SUMMARY + echo "| Go Smoke | $GO_SMOKE |" >> $GITHUB_STEP_SUMMARY + echo "| DataDog Synthetics | $DD_ENABLED |" >> $GITHUB_STEP_SUMMARY + echo "| Rollback on Fail | $ROLLBACK_ON_FAIL |" >> $GITHUB_STEP_SUMMARY + if [ "$JOB_STATUS" = "success" ]; then echo "" >> $GITHUB_STEP_SUMMARY echo "> Smoke tests passed" >> $GITHUB_STEP_SUMMARY else diff --git a/go/test/test.sh b/go/test/test.sh index 63e01cd..5cf81ee 100755 --- a/go/test/test.sh +++ b/go/test/test.sh @@ -5,7 +5,7 @@ TAGS=${TEST_TAGS:-} TIMEOUT=${TEST_TIMEOUT:-} PARALLEL=${TEST_PARALLEL:-true} -cmd="go test -v ./... -coverprofile=coverage.out" +cmd=(go test -v ./... -coverprofile=coverage.out) # find non-ignored subdirectories file_list=() @@ -22,21 +22,21 @@ IFS=, package_list="${file_list[*]}" IFS=$old_ifs # put delimiter back to the original value -cmd="$cmd -coverpkg $package_list" +cmd+=(-coverpkg "$package_list") if [ -n "$TAGS" ]; then - cmd="$cmd --tags=${TAGS}" + cmd+=(--tags="${TAGS}") fi if [ -n "$TIMEOUT" ]; then - cmd="$cmd -timeout ${TIMEOUT}s" + cmd+=(-timeout "${TIMEOUT}s") fi if [ "$PARALLEL" = "false" ]; then - cmd="$cmd -p 1" + cmd+=(-p 1) fi -echo "$cmd | tee test-report.out" -bash -c "$cmd" 2>&1 | tee test-report.out +echo "${cmd[*]} | tee test-report.out" +"${cmd[@]}" 2>&1 | tee test-report.out exit ${PIPESTATUS[0]} From ab70e621f2098584cd4299cff13f22c0469d142b Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 7 Apr 2026 11:23:47 -0400 Subject: [PATCH 5/9] Escape sed regex metacharacters in coverage path rewrite --- ruby/test/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ruby/test/action.yml b/ruby/test/action.yml index 13f88b6..d060504 100644 --- a/ruby/test/action.yml +++ b/ruby/test/action.yml @@ -61,7 +61,8 @@ runs: working-directory: ./coverage shell: bash run: | - sed -i "s@${ROOT_PATH}@/github/workspace/@g" coverage.json + ESCAPED_ROOT=$(printf '%s\n' "$ROOT_PATH" | sed 's/[[\.*^$()+?{|\\]/\\&/g') + sed -i "s@${ESCAPED_ROOT}@/github/workspace/@g" coverage.json - name: 'Upload coverage' if: always() uses: actions/upload-artifact@v6 From 65cdc0b1ad680133c14c7e247819818d014388fd Mon Sep 17 00:00:00 2001 From: David Bickford Date: Fri, 17 Apr 2026 15:52:22 -0400 Subject: [PATCH 6/9] chore: trigger secret scan From 190680e76c59f26ee655e97daeaf23c6e8ce0f51 Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 21 Apr 2026 14:41:12 -0400 Subject: [PATCH 7/9] add secret-scan workflow to satisfy enterprise ruleset --- .github/workflows/secret-scan.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/workflows/secret-scan.yml diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml new file mode 100644 index 0000000..e4df9fc --- /dev/null +++ b/.github/workflows/secret-scan.yml @@ -0,0 +1,12 @@ +name: Secret Scan + +on: + pull_request: + types: [opened, synchronize, reopened] + push: + branches: [main] + +jobs: + secret-scan: + uses: wishabi/github-shared-actions/.github/workflows/secret-scan.yml@main + secrets: inherit From 17c4a4984fa628446b8685c2b5b39fcc7181f522 Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 21 Apr 2026 14:43:23 -0400 Subject: [PATCH 8/9] inline secret-scan workflow instead of reusable workflow_call --- .github/workflows/secret-scan.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index e4df9fc..18da183 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -6,7 +6,20 @@ on: push: branches: [main] +permissions: + contents: read + jobs: - secret-scan: - uses: wishabi/github-shared-actions/.github/workflows/secret-scan.yml@main - secrets: inherit + trufflehog: + name: TruffleHog Secret Scan + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: wishabi/github-shared-actions/actions/secret-scan@main + id: scan + with: + base-sha: ${{ github.event.pull_request.base.sha || github.event.before }} + head-sha: ${{ github.event.pull_request.head.sha || github.event.after }} From 754e7484d14902c5789ab9020b13a620b02a8c6c Mon Sep 17 00:00:00 2001 From: David Bickford Date: Tue, 21 Apr 2026 14:44:49 -0400 Subject: [PATCH 9/9] revert secret-scan workflow, enterprise ruleset should trigger it --- .github/workflows/secret-scan.yml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 .github/workflows/secret-scan.yml diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml deleted file mode 100644 index 18da183..0000000 --- a/.github/workflows/secret-scan.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: Secret Scan - -on: - pull_request: - types: [opened, synchronize, reopened] - push: - branches: [main] - -permissions: - contents: read - -jobs: - trufflehog: - name: TruffleHog Secret Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - uses: wishabi/github-shared-actions/actions/secret-scan@main - id: scan - with: - base-sha: ${{ github.event.pull_request.base.sha || github.event.before }} - head-sha: ${{ github.event.pull_request.head.sha || github.event.after }}