[v5.8] some more CI related backports#28885
Open
Luap99 wants to merge 5 commits into
Use https://api.github.com/repos/podman-container-tools/podman/releases.

That may eventually fix podman-container-tools#28850 based on https://docs.github.com/en/actions/concepts/security/github_token:

> The token's permissions are limited to the repository that contains your
> workflow.

Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
(cherry picked from commit ff9f192)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
sed scripts are capable of doing file I/O and executing arbitrary commands. The `--sandbox` option prevents this by rejecting sed commands with such capabilities; it's good practice to use this whenever the sed script is dynamically generated (e.g. if it involves a variable expansion).

Also fixed an error in one sed script where `.*` had been placed outside of the quoted string (and would therefore be subject to shell globbing), presumably due to single-quotes having been changed to double-quotes at some point in the past.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 3f4af37)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Template expansions are not aware of shell script syntax, and therefore can potentially result in code injection vulnerabilities when used in code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the values of the template expansions.

Also (in the process of doing the above) added double-quotes around some instances of variable expansions in shell scripts, which is necessary to avoid unintended shell splitting and globbing. (I didn't see any instances where this was actually likely to result in erroneous behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050b)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
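Added illustration, not code from this PR or from the podman repository: a minimal GitHub Actions job showing the pattern the two commits above describe, with a step that interpolates an expansion directly into the shell (the injectable form) beside the corrected step that passes the same values through environment variables, quotes them, and runs the dynamically built sed script under `--sandbox`. The workflow name, step names and the `PR_TITLE`/`BASE_REF` variable names are assumptions.

```yaml
name: example-ci   # assumed name, illustration only

on:
  pull_request:

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Injectable form: the runner substitutes the expansion into the script
      # text before the shell parses it, so the PR title is parsed as shell
      # syntax rather than treated as data.
      - name: unsafe-title-check
        run: |
          echo "Checking PR title: ${{ github.event.pull_request.title }}"

      # Safe form: expansions are placed in env vars, so the shell only ever
      # sees a quoted variable reference and the value stays data.
      - name: safe-title-check
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          # Double-quote every expansion: no word splitting, no globbing.
          echo "Checking PR title: $PR_TITLE"
          # The sed script is built from a variable, so run it with --sandbox:
          # GNU sed then rejects the e/r/w commands that could do I/O or
          # execute programs if the value were crafted to close the s/// and
          # append them.
          printf '%s\n' "$PR_TITLE" | sed --sandbox -e "s/^\[$BASE_REF\] *//"
```

Expansions inside `env:` are safe because the value is handed to the process environment rather than spliced into script source; only expansions inside `run:` (or other code contexts) are the injection risk.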
containers -> podman-container-tools

Signed-off-by: Ashley Cui <acui@redhat.com>
(cherry picked from commit c0f582d)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
When the validate-source job is re-run manually after adding a label, it uses stale labels (from the "pull_request" event that originally triggered it), and so the steps that check labels don't see new labels.

Fix by querying the labels live (similar to how it was done before commits 6e597af and 1da1541).

Note the logic differs slightly between hack/ci/make-and-check-size.sh and hack/ci/pr-should-include-tests. This is because pr-should-include-tests is also executed locally as well as on non-PRs, while make-and-check-size is run strictly in CI for PRs only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d05c113)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
@mheon PTAL