Backport/master to 2.x by hfudev · Pull Request #261 · espressif/idf-build-apps

hfudev · 2026-03-19T03:27:05Z

No description provided.

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v7...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

updates: - [github.com/astral-sh/ruff-pre-commit: v0.15.1 → v0.15.6](astral-sh/ruff-pre-commit@v0.15.1...v0.15.6)

+        run: |
+          if [ -f pr_number.txt ]; then
+            echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+          else
+            echo "pr_number.txt not found, skipping comment."
+            exit 0
+          fi


In general, to fix this class of issues you must ensure that data written to $GITHUB_ENV cannot contain untrusted newlines or here‑doc delimiters. For single-line variables, strip or reject newline characters from the source before writing; for multi-line variables, use a unique, hard‑to‑guess delimiter. Here, we only need a single-line numeric PR number, so the safest approach is to read pr_number.txt, strip any newlines, and optionally validate that it’s a simple integer, then write that sanitized value into $GITHUB_ENV.

Concretely, in .github/workflows/pr-test-summary.yml, modify the Read PR number step so that instead of echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV, we (1) read the file into a shell variable, (2) delete all newline characters and non‑digits (or reject if invalid), and (3) append a single, sanitized PR_NUMBER=... line to $GITHUB_ENV. For example:

PR_NUMBER_RAW=$(cat pr_number.txt) PR_NUMBER_SANITIZED=$(printf '%s' "$PR_NUMBER_RAW" | tr -d '\n\r' | tr -cd '0-9') if [ -z "$PR_NUMBER_SANITIZED" ]; then echo "Invalid PR number in pr_number.txt, skipping comment." exit 0 fi echo "PR_NUMBER=$PR_NUMBER_SANITIZED" >> "$GITHUB_ENV"

This keeps functionality (using the PR number from the artifact) while preventing injection via newlines or unexpected characters. No new imports or external dependencies are required; only standard POSIX utilities (cat, printf, tr, basic test) are used.

github-actions · 2026-03-19T03:39:51Z

Coverage Report

File	Stmts	Miss	Cover	Missing
idf_build_apps
__main__.py	3	3	0%	4–9
app.py	550	82	85%	197, 242, 251–253, 285, 297, 353–354, 356, 365–366, 377–378, 438, 453, 491, 547–555, 565–566, 576, 594–595, 597, 613–622, 640–644, 659–662, 677–678, 696–697, 701–702, 713–715, 721, 734–736, 881–889, 899–929, 933–943, 1038–1044, 1047, 1069, 1089–1093
args.py	376	31	92%	124, 188, 410–415, 425–430, 632, 635–636, 677, 700, 707–708, 720–722, 756–757, 885, 958, 960, 1020, 1049–1059, 1078
autocompletions.py	29	24	17%	16–23, 31–54
finder.py	89	4	96%	154, 171–173
log.py	66	11	83%	33, 37, 48, 58–67, 112
main.py	221	68	69%	72, 77–81, 128, 133–137, 176, 200–202, 206–207, 213–226, 240–243, 254–279, 369–376, 385–386, 413–420, 423, 429–430, 436–438, 511–526
session_args.py	53	7	87%	46–50, 56, 70
utils.py	188	23	88%	26, 35, 113, 130–131, 155, 203, 246, 273–279, 292–295, 309–315, 397
idf_build_apps/junit
report.py	93	9	90%	82, 92, 109–111, 137, 144–145, 170
utils.py	29	10	66%	18, 26–35
idf_build_apps/manifest
manifest.py	284	13	95%	121, 139, 147, 154, 159, 250, 307–312, 419, 449–450, 469, 521
soc_header.py	2	2	0%	4–6
idf_build_apps/vendors
pydantic_sources.py	68	5	93%	52, 75, 78–81
TOTAL	2158	292	86%

Tests	Skipped	Failures	Errors	Time
164	0 💤	0 ❌	0 🔥	10m 24s ⏱️

hfudev and others added 3 commits March 19, 2026 11:25

ci: improve test comment

28e4428

[pre-commit.ci] pre-commit autoupdate

d29a844

updates: - [github.com/astral-sh/ruff-pre-commit: v0.15.1 → v0.15.6](astral-sh/ruff-pre-commit@v0.15.1...v0.15.6)

hfudev self-assigned this Mar 19, 2026

github-advanced-security AI found potential problems Mar 19, 2026

View reviewed changes

hfudev merged commit 6951b6c into release/v2.x Mar 19, 2026
7 of 8 checks passed

hfudev deleted the backport/master-to-2.x branch March 19, 2026 03:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Backport/master to 2.x#261

Backport/master to 2.x#261
hfudev merged 3 commits intorelease/v2.xfrom
backport/master-to-2.x

hfudev commented Mar 19, 2026

Uh oh!

Check failure

Copilot Autofix

github-actions bot commented Mar 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

@@ -26,7 +26,13 @@
                   - name: Read PR number
                     run: |
                       if [ -f pr_number.txt ]; then
-                        echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+                        PR_NUMBER_RAW=$(cat pr_number.txt)
+                        PR_NUMBER_SANITIZED=$(printf '%s' "$PR_NUMBER_RAW" | tr -d '\n\r' | tr -cd '0-9')
+                        if [ -z "$PR_NUMBER_SANITIZED" ]; then
+                          echo "Invalid PR number in pr_number.txt, skipping comment."
+                          exit 0
+                        fi
+                        echo "PR_NUMBER=$PR_NUMBER_SANITIZED" >> "$GITHUB_ENV"
                       else
                         echo "pr_number.txt not found, skipping comment."
                         exit 0

Conversation

hfudev commented Mar 19, 2026

Uh oh!

Check failure

Uh oh!

Uh oh!

Copilot Autofix

github-actions bot commented Mar 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants