ci: improve test comment #258

Merged

hfudev merged 1 commit into main from ci/improve-test-comment on Mar 18, 2026

Conversation

@hfudev
Member

@hfudev hfudev commented Mar 2, 2026

No description provided.

@hfudev hfudev requested a review from Copilot March 2, 2026 19:52
@hfudev hfudev self-assigned this Mar 2, 2026
Comment on lines +27 to +33
run: |
  if [ -f pr_number.txt ]; then
    echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
  else
    echo "pr_number.txt not found, skipping comment."
    exit 0
  fi

Check failure

Code scanning / CodeQL

Environment variable built from user-controlled sources (Critical)

Potential environment variable injection in the run block quoted above (lines 27 to 33), which may be controlled by an external user (workflow_run).

Copilot Autofix

AI about 1 month ago

In general, the fix is to prevent arbitrary content from pr_number.txt from being written directly into the GITHUB_ENV file. We should (1) strip newlines so the variable assignment cannot be split across multiple lines, and (2) optionally validate that the value is a numeric PR number before using it. This ensures an attacker cannot inject additional environment variables by crafting pr_number.txt with embedded newlines or KEY=VALUE lines.

The best minimal fix here, without changing the workflow’s overall behavior, is to read pr_number.txt into a shell variable, normalize it to a single line, validate that it looks like a PR number (digits only), and then write it to $GITHUB_ENV using the hardened echo pattern recommended by GitHub: echo "VAR=$(echo "$VAR" | tr -d '\n')" >> "$GITHUB_ENV". If validation fails, the step should fail early rather than proceeding with a malicious or malformed value.

Concretely, in .github/workflows/pr-test-summary.yml lines 27–33, replace the simple cat-and-echo sequence with a small shell script that:

  • Checks the file exists (as now).
  • Reads PR_NUMBER from the file.
  • Strips whitespace/newlines.
  • Verifies it matches ^[0-9]+$.
  • Writes PR_NUMBER=<sanitized_value> to $GITHUB_ENV using double quotes around $GITHUB_ENV.

No external dependencies are needed; we can use standard POSIX tools (tr, grep/shell pattern) available in ubuntu-latest.

Suggested changeset 1
.github/workflows/pr-test-summary.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-test-summary.yml b/.github/workflows/pr-test-summary.yml
--- a/.github/workflows/pr-test-summary.yml
+++ b/.github/workflows/pr-test-summary.yml
@@ -26,7 +26,13 @@
       - name: Read PR number
         run: |
           if [ -f pr_number.txt ]; then
-            echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+            PR_NUMBER=$(cat pr_number.txt | tr -d '\r\n')
+            # Ensure PR_NUMBER consists only of digits to avoid environment injection
+            if ! printf '%s\n' "$PR_NUMBER" | grep -Eq '^[0-9]+$'; then
+              echo "Invalid PR number in pr_number.txt: '$PR_NUMBER'"
+              exit 1
+            fi
+            echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
           else
             echo "pr_number.txt not found, skipping comment."
             exit 0
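Review bot: the new `PR_NUMBER=$(cat pr_number.txt | tr -d '\r\n')` line removes only CR and LF, so a value with a stray space or tab still reaches the `^[0-9]+$` check and makes the step `exit 1`. Failing closed is the right direction, but if only the digits are wanted, `PR_NUMBER=$(tr -d '[:space:]' < pr_number.txt)` strips all whitespace and drops the unnecessary `cat` at the same time. The rest of the hunk is in good shape: validation runs before anything is appended, and `"$GITHUB_ENV"` is now quoted.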
EOF
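The CodeQL finding and the Autofix explanation above describe one defect: whatever the untrusted pull_request run wrote into pr_number.txt is copied verbatim into the GITHUB_ENV file, so a second line of the form KEY=VALUE becomes an extra exported variable. The POSIX shell script below is an added example, not code from this PR or from the project, that puts the original pattern and the hardened pattern side by side on a constructed input and counts how many assignments each one writes. The function names, the scratch directory and the sample file contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): validate a PR number
# read from a file before appending it to a GITHUB_ENV-style file.
# Function names and the sample inputs below are constructed for the demo.

# read_pr_number FILE
# Prints the digit-only PR number from FILE, or returns 1 when the file is
# missing, empty, or contains anything other than digits after CR/LF removal.
read_pr_number() {
    file=$1
    [ -f "$file" ] || return 1
    value=$(tr -d '\r\n' < "$file")
    case $value in
        '' | *[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# export_pr_number FILE ENV_FILE
# Hardened form: validate first, then append exactly one assignment line.
export_pr_number() {
    pr=$(read_pr_number "$1") || return 1
    printf 'PR_NUMBER=%s\n' "$pr" >> "$2"
}

# unsafe_export_pr_number FILE ENV_FILE
# The original form: file content is copied into the env file verbatim, so an
# embedded newline followed by KEY=VALUE becomes a second exported variable.
unsafe_export_pr_number() {
    echo "PR_NUMBER=$(cat "$1")" >> "$2"
}

# assignment_count ENV_FILE
# Number of KEY=VALUE lines the env file defines (what the runner would parse).
assignment_count() {
    grep -c '^[A-Za-z_][A-Za-z0-9_]*=' "$1"
}

# demo: constructed inputs in a scratch directory
demo() {
    dir=$(mktemp -d)
    printf '258\n' > "$dir/good.txt"
    # constructed hostile content: a valid number plus an injected assignment
    printf '258\nINJECTED=1\n' > "$dir/bad.txt"

    unsafe_export_pr_number "$dir/bad.txt" "$dir/env_unsafe"
    echo "original pattern wrote $(assignment_count "$dir/env_unsafe") assignment(s)"

    if export_pr_number "$dir/bad.txt" "$dir/env_safe"; then
        echo "hardened pattern accepted the crafted file (unexpected)"
    else
        echo "hardened pattern rejected the crafted file"
    fi

    export_pr_number "$dir/good.txt" "$dir/env_safe"
    echo "hardened pattern wrote $(assignment_count "$dir/env_safe") assignment(s)"
    rm -rf "$dir"
}

demo
```

The check is deliberately an allow-list (digits only) rather than a deny-list of newline characters: anything the upstream job could smuggle into the file is rejected unless it is exactly the integer the downstream step expects, and the write happens only after that check has passed.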
@hfudev hfudev force-pushed the ci/improve-test-comment branch from e85f700 to 0956d5d Compare March 2, 2026 19:53

Copilot AI left a comment


Pull request overview

This PR refactors how pytest coverage gets reported back to pull requests by persisting test outputs as an artifact in the main test workflow and adding a separate workflow_run workflow to post the coverage comment after the run completes.

Changes:

  • Update test-build-idf-apps.yml to save the PR number and upload pytest outputs as a test-results artifact.
  • Add pr-test-summary.yml to download the artifact on workflow_run completion and post the coverage comment.
  • Minor YAML formatting tweaks (quote style and matrix formatting).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File                                       | Description
.github/workflows/test-build-idf-apps.yml  | Uploads PR-associated test outputs (coverage + junit xml + PR number) as an artifact instead of commenting inline.
.github/workflows/pr-test-summary.yml      | New workflow that runs on completed upstream workflows, downloads the artifact, and comments coverage back to the PR.


Comment on lines +3 to +8
on:
  workflow_run:
    workflows:
      - Test Build IDF Apps
    types:
      - completed

Copilot AI Mar 2, 2026


This workflow triggers on all completed runs of “Test Build IDF Apps”, including push runs on main. Since the artifact is only uploaded for pull_request runs, the download/comment steps will fail for push-triggered runs. Add a guard (e.g. job/step if: github.event.workflow_run.event == 'pull_request') or otherwise skip when the upstream run wasn’t a PR.

@hfudev hfudev force-pushed the ci/improve-test-comment branch 2 times, most recently from 1ca6e7e to be8d2a7 Compare March 7, 2026 10:08
@hfudev hfudev force-pushed the ci/improve-test-comment branch from be8d2a7 to 551bcf6 Compare March 18, 2026 09:15
@hfudev hfudev merged commit c6be26b into main Mar 18, 2026
7 of 8 checks passed
@hfudev hfudev deleted the ci/improve-test-comment branch March 18, 2026 09:19
@github-actions

Coverage

Coverage Report
File                        Stmts   Miss   Cover   Missing
idf_build_apps
   __main__.py                  3      3      0%   4–7
   app.py                     569     82     86%   183, 228, 237–239, 271, 283, 339–340, 342, 351–352, 363–364, 424, 439, 477, 533–541, 551–552, 562, 580–581, 583, 599–608, 626–630, 645–648, 663–664, 682–683, 687–688, 699–701, 707, 720–722, 867–875, 885–915, 919–929, 1024–1030, 1033, 1055, 1075–1079
   args.py                    377     30     92%   97, 174, 418–423, 433–438, 667, 670–671, 712, 735, 742–743, 755–757, 793–794, 941, 1020, 1022, 1107–1117, 1136
   autocompletions.py          29     24     17%   16–23, 31–54
   finder.py                   92      4     96%   146, 163–165
   log.py                      68     11     84%   35, 39, 50, 60–69, 114
   main.py                    239     72     70%   59, 64–68, 115, 120–124, 163, 187–189, 193–194, 200–213, 227–230, 241–270, 360–367, 376–377, 408–415, 418, 424–425, 431–433, 506–521
   session_args.py             53      7     87%   46–50, 56, 70
   utils.py                   182     21     88%   91, 108–109, 133, 181, 224, 251–257, 270–273, 287–293, 375
idf_build_apps/junit
   report.py                   94      9     90%   70, 80, 97–99, 125, 132–133, 158
   utils.py                    29     10     66%   18, 26–35
idf_build_apps/manifest
   manifest.py                252      8     97%   183, 240–245, 352, 382–383, 402, 454
   soc_header.py                2      2      0%   4–6
idf_build_apps/vendors
   pydantic_sources.py         58      4     93%   63, 66–69
TOTAL                       2163    287     87%

Tests: 166 | Skipped: 0 💤 | Failures: 0 ❌ | Errors: 0 🔥 | Time: 10m 18s ⏱️
