This is an archive of the discontinued LLVM Phabricator instance.

.github/workflows/issue-subscriber.yml
25–29	Consider single-quoting lines 22 and 24 as well, while you're at it. (Economist's $100 bill corollary: If this technique actually works, you'd expect everyone to be doing it.)

• Quuxplusone added inline comments.Jan 20 2022, 6:00 AM

.github/workflows/issue-subscriber.yml
25–29	The economist might be right in this case. Did you know it's legal to create a GitHub label containing `'`, e.g. `arthur's test`? Single-quotes-before-and-after is not the same thing as shell escaping. (Unless GitHub treats it the same because magic??) Perhaps all these command-line options should be env vars instead? I don't know what the right answer is (but I bet StackOverflow does). I'm pleased to report that https://github.com/llvm/llvm-project/runs/4876930402?check_suite_focus=true does helpfully blank out the secret API token with three asterisks `--token *** \` instead of showing it in plain text. That's nice. :)

Correctly handle apostrophes.

tstellar marked an inline comment as done.Jan 20 2022, 7:12 AM

tstellar added inline comments.

.github/workflows/issue-subscriber.yml
25–29	I've fixed this by ignoring labels with apostrophes. I think it's easier to have a policy to not have apostrophes in label names than to add a lot of complex code just to handle them.

• Quuxplusone accepted this revision.Jan 20 2022, 7:34 AM

• Quuxplusone added inline comments.

.github/workflows/issue-subscriber.yml
25–29	As long as only non-malicious people can create new labels and/or attach labels to issues, sure. I had a vague impression that any GitHub user could create or attach labels, but looking at some repos where I'm not a committer, I see that even attaching labels seems to be restricted. So that seems fine. It'd be nice to use a safe-list like `re.match(r'[a-zA-Z0-9_ :+-]+', ...)` instead of `contains(github.event.label.name, '''')`... but it looks like GitHub Actions Expressions doesn't support general expression syntax here, only `contains`, `startsWith`, and `endsWith`. Bah. (And maybe why pasting user input straight into the shell isn't a best practice and we ought to be looking at passing user input via env vars or files instead. GitHub Actions ought to have some safe way of getting user input into a program! (But I'm too cynical to say it "must" have a way.)

Harbormaster completed remote builds in B144578: Diff 401635.Jan 20 2022, 8:19 AM

Use environment variable for label name instead of disallowing apostrophes.

tstellar marked an inline comment as done.Jan 20 2022, 1:10 PM

tstellar marked an inline comment as done.

tstellar added inline comments.

.github/workflows/issue-subscriber.yml
25–29	The GitHub security hardening guide for actions recommends using environment variables, so I've made this change.

Harbormaster completed remote builds in B144668: Diff 401757.Jan 20 2022, 2:55 PM

tstellar mentioned this in D120206: Fix the "good first issue" type of failures.Feb 21 2022, 3:52 AM

Closed by commit rG90faaf811f38: issue-subscriber: Fix handling of labels with spaces (authored by tstellar). · Explain WhyFeb 21 2022, 4:05 AM

This revision was automatically updated to reflect the committed changes.

tstellar marked an inline comment as done.

tstellar added a commit: rG90faaf811f38: issue-subscriber: Fix handling of labels with spaces.

Revision Contents

Path

Size

.github/

workflows/

issue-subscriber.yml

9 lines

Diff 410267

.github/workflows/issue-subscriber.yml

Show All 12 Lines	auto-subscribe:
- name: Setup Automation Script		- name: Setup Automation Script
run: \|		run: \|
curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/$GITHUB_SHA/llvm/utils/git/github-automation.py		curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/$GITHUB_SHA/llvm/utils/git/github-automation.py
curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/$GITHUB_SHA/llvm/utils/git/requirements.txt		curl -O -L https://raw.githubusercontent.com/$GITHUB_REPOSITORY/$GITHUB_SHA/llvm/utils/git/requirements.txt
chmod a+x github-automation.py		chmod a+x github-automation.py
pip install -r requirements.txt		pip install -r requirements.txt

- name: Update watchers		- name: Update watchers
		# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
		env:
		LABEL_NAME: ${{ github.event.label.name }}
run: \|		run: \|
./github-automation.py \		./github-automation.py \
--token ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }} \		--token '${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}' \
issue-subscriber \		issue-subscriber \
--issue-number ${{ github.event.issue.number }} \		--issue-number '${{ github.event.issue.number }}' \
--label-name ${{ github.event.label.name }}		--label-name "$LABEL_NAME"
		QuuxplusoneUnsubmitted Done Reply Inline Actions Consider single-quoting lines 22 and 24 as well, while you're at it. (Economist's $100 bill corollary: If this technique actually works, you'd expect everyone to be doing it.) Quuxplusone: Consider single-quoting lines 22 and 24 as well, while you're at it. (Economist's $100 bill…
		QuuxplusoneUnsubmitted Done Reply Inline Actions The economist might be right in this case. Did you know it's legal to create a GitHub label containing `'`, e.g. `arthur's test`? Single-quotes-before-and-after is not the same thing as shell escaping. (Unless GitHub treats it the same because magic??) Perhaps all these command-line options should be env vars instead? I don't know what the right answer is (but I bet StackOverflow does). I'm pleased to report that https://github.com/llvm/llvm-project/runs/4876930402?check_suite_focus=true does helpfully blank out the secret API token with three asterisks `--token * \` instead of showing it in plain text. That's nice. :) Quuxplusone:** The economist might be right in this case. Did you know it's legal to create a GitHub label…
		tstellarAuthorUnsubmitted Done Reply Inline Actions I've fixed this by ignoring labels with apostrophes. I think it's easier to have a policy to not have apostrophes in label names than to add a lot of complex code just to handle them. tstellar: I've fixed this by ignoring labels with apostrophes. I think it's easier to have a policy to…
		QuuxplusoneUnsubmitted Done Reply Inline Actions As long as only non-malicious people can create new labels and/or attach labels to issues, sure. I had a vague impression that any GitHub user could create or attach labels, but looking at some repos where I'm not a committer, I see that even attaching labels seems to be restricted. So that seems fine. It'd be nice to use a safe-list like `re.match(r'[a-zA-Z0-9_ :+-]+', ...)` instead of `contains(github.event.label.name, '''')`... but it looks like GitHub Actions Expressions doesn't support general expression syntax here, only `contains`, `startsWith`, and `endsWith`. Bah. (And maybe why pasting user input straight into the shell isn't a best practice and we ought to be looking at passing user input via env vars or files instead. GitHub Actions ought to have some safe way of getting user input into a program! (But I'm too cynical to say it "must" have a way.) Quuxplusone: As long as only non-malicious people can create new labels and/or attach labels to issues, sure.
		tstellarAuthorUnsubmitted Done Reply Inline Actions The GitHub security hardening guide for actions recommends using environment variables, so I've made this change. tstellar: The GitHub security hardening guide for actions recommends using environment variables, so I've…

This is an archive of the discontinued LLVM Phabricator instance.

issue-subscriber: Fix handling of labels with spacesClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 410267

.github/workflows/issue-subscriber.yml

issue-subscriber: Fix handling of labels with spaces
ClosedPublic