Merged
40 changes: 40 additions & 0 deletions .github/workflows/pr-test-summary.yml
@@ -0,0 +1,40 @@
name: PR Test Summary

on:
workflow_run:
workflows:
- Test Python Package
types:
- completed

permissions:
actions: read
checks: write
pull-requests: write

jobs:
report:
runs-on: ubuntu-latest
steps:
- name: Download test report
uses: dawidd6/action-download-artifact@v14
with:
name: test-results
workflow: ${{ github.event.workflow_run.workflow_id }}
run_id: ${{ github.event.workflow_run.id }}

- name: Read PR number
run: |
if [ -f pr_number.txt ]; then
echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
else
echo "pr_number.txt not found, skipping comment."
exit 0
fi
Comment on lines +27 to +33

Check failure: Code scanning / CodeQL

Environment variable built from user-controlled sources (Critical)

Potential environment variable injection in the following script, which may be controlled by an external user (workflow_run):

if [ -f pr_number.txt ]; then
  echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
else
  echo "pr_number.txt not found, skipping comment."
  exit 0
fi

Copilot Autofix (AI, 28 days ago):

In general, to fix this class of issues you must ensure that data written to $GITHUB_ENV cannot contain untrusted newlines or here-doc delimiters. For single-line variables, strip or reject newline characters from the source before writing; for multi-line variables, use a unique, hard-to-guess delimiter. Here, we only need a single-line numeric PR number, so the safest approach is to read pr_number.txt, strip any newlines, and optionally validate that it's a simple integer, then write that sanitized value into $GITHUB_ENV.

Concretely, in .github/workflows/pr-test-summary.yml, modify the Read PR number step so that instead of echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV, we (1) read the file into a shell variable, (2) delete all newline characters and non-digits (or reject if invalid), and (3) append a single, sanitized PR_NUMBER=... line to $GITHUB_ENV. For example:

PR_NUMBER_RAW=$(cat pr_number.txt)
PR_NUMBER_SANITIZED=$(printf '%s' "$PR_NUMBER_RAW" | tr -d '\n\r' | tr -cd '0-9')
if [ -z "$PR_NUMBER_SANITIZED" ]; then
  echo "Invalid PR number in pr_number.txt, skipping comment."
  exit 0
fi
echo "PR_NUMBER=$PR_NUMBER_SANITIZED" >> "$GITHUB_ENV"

This keeps functionality (using the PR number from the artifact) while preventing injection via newlines or unexpected characters. No new imports or external dependencies are required; only standard POSIX utilities (cat, printf, tr, basic test) are used.

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-test-summary.yml b/.github/workflows/pr-test-summary.yml
--- a/.github/workflows/pr-test-summary.yml
+++ b/.github/workflows/pr-test-summary.yml
@@ -26,7 +26,13 @@
       - name: Read PR number
         run: |
           if [ -f pr_number.txt ]; then
-            echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+            PR_NUMBER_RAW=$(cat pr_number.txt)
+            PR_NUMBER_SANITIZED=$(printf '%s' "$PR_NUMBER_RAW" | tr -d '\n\r' | tr -cd '0-9')
+            if [ -z "$PR_NUMBER_SANITIZED" ]; then
+              echo "Invalid PR number in pr_number.txt, skipping comment."
+              exit 0
+            fi
+            echo "PR_NUMBER=$PR_NUMBER_SANITIZED" >> "$GITHUB_ENV"
           else
             echo "pr_number.txt not found, skipping comment."
             exit 0
EOF
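Review bot: `tr -cd '0-9'` silently rewrites a malformed value instead of rejecting it (a pr_number.txt containing `12abc34` becomes `1234`), so the "sanitized" PR number can be a number that never appeared in the artifact and the comment can land on an unrelated PR; validate the whole value and bail out on anything that is not digits only, e.g. `case "$PR_NUMBER_RAW" in ''|*[!0-9]*) echo "Invalid PR number, skipping comment."; exit 0;; esac`, then write `$PR_NUMBER_RAW` unchanged. The leading `tr -d '\n\r'` is redundant, since `tr -cd '0-9'` already deletes those characters. The patch also keeps the `exit 0` paths, so on an invalid or missing file the Comment on PR step still runs with an empty PR_NUMBER; that step needs its own `if:` guard.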
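The autofix above cleans the value with `tr`. As an added example (not code from the PR or from Copilot's patch), the helpers below take the stricter route the comment describes: a single-line value containing a newline or carriage return is rejected rather than rewritten, and a multi-line value is written with a random heredoc delimiter. It goes beyond the single-line PR-number case to the multi-line form; `GITHUB_ENV` is assumed to name a writable file, as it does inside a runner step.

```shell
#!/bin/sh
# Added example, not part of the PR or Copilot's patch: helpers that write a
# value into $GITHUB_ENV without letting untrusted content add extra lines.
# Assumes GITHUB_ENV names a writable file (as it does inside a runner step).

# Literal newline and carriage return, kept in variables so they can be used
# in case patterns (command substitution would strip a trailing newline).
NL=$(printf '\nx'); NL=${NL%x}
CR=$(printf '\rx'); CR=${CR%x}

# True only for a non-empty, digits-only string, i.e. a plausible PR number.
is_pr_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append NAME=VALUE for a single-line value. A value containing a newline or
# carriage return is rejected outright rather than "cleaned", so a malformed
# artifact can never be turned into a different, accepted value.
set_env_single() {
    name=$1; value=$2
    case "$value" in
        *"$NL"*|*"$CR"*) return 1 ;;
    esac
    printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
}

# Append a multi-line value using the NAME<<DELIM heredoc form with a random,
# per-call delimiter so the value cannot terminate the block early.
set_env_multiline() {
    name=$1; value=$2
    delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    case "$value" in
        *"$delim"*) return 1 ;;   # practically impossible, but never append unchecked
    esac
    printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
}

# The PR's case: only a validated integer read from the artifact reaches the file.
set_pr_number_from_file() {
    file=$1
    [ -f "$file" ] || return 1
    raw=$(cat "$file")
    is_pr_number "$raw" || return 1
    set_env_single PR_NUMBER "$raw"
}
```

A step can source this and call `set_pr_number_from_file pr_number.txt || exit 0`, then guard the commenting step with `if: env.PR_NUMBER != ''`.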

- name: Comment on PR
uses: MishaKav/pytest-coverage-comment@v1
with:
pytest-coverage-path: ./pytest-coverage.txt
junitxml-path: ./pytest.xml
issue-number: ${{ env.PR_NUMBER }}
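Review bot: the `exit 0` in the Read PR number step only ends that step, so when pr_number.txt is absent the Comment on PR step still runs with `issue-number: ${{ env.PR_NUMBER }}` empty; give the Comment on PR step an `if: env.PR_NUMBER != ''` guard (or condition on a step output) so it is skipped. The test-results artifact is produced by the Test Python Package run, which executes the pull request's own code, so pr_number.txt is untrusted input: check that it is a plain integer before it is written to $GITHUB_ENV and before it selects which PR receives the comment, and cross-check it against `github.event.workflow_run.pull_requests` whenever that list is non-empty. Because this workflow holds `pull-requests: write`, the third-party actions `dawidd6/action-download-artifact@v14` and `MishaKav/pytest-coverage-comment@v1` should be pinned to full commit SHAs rather than moving tags.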
@@ -1,4 +1,4 @@
name: Test Build IDF Apps
name: Test Python Package

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.run_id }}
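Review bot: the new name is load-bearing: pr-test-summary.yml selects this workflow by name (`workflows: - Test Python Package`), so a later rename of either side silently stops the summary workflow from ever triggering; record that coupling in a comment next to `name:` here.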
Expand All @@ -7,8 +7,8 @@ concurrency:
on:
pull_request:
paths:
- 'idf_build_apps/**'
- '.github/workflows/test-build-idf-apps.yml'
- "idf_build_apps/**"
- ".github/workflows/test-build-idf-apps.yml"
push:
branches:
- main
Expand Down Expand Up @@ -43,13 +43,14 @@ jobs:
needs: build-python-packages
strategy:
matrix:
idf-branch: [ release-v5.1, release-v5.2, release-v5.3, release-v5.4, release-v5.5 ]
idf-branch:
[release-v5.2, release-v5.3, release-v5.4, release-v5.5]
runs-on: ubuntu-latest
container:
image: espressif/idf:${{ matrix.idf-branch }}
steps:
- name: Download wheel
uses: actions/download-artifact@v7
uses: actions/download-artifact@v8
with:
name: wheel
- name: Build the Apps
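Review bot: release-v5.1 is dropped from the idf-branch matrix with no mention in the diff or commit; if IDF v5.1 support is being removed, the PR description and release notes should say so, and if it is only a CI reduction a comment on the matrix should explain why, since a silent matrix cut is easy to mistake for an accidental deletion.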
Expand Down Expand Up @@ -82,54 +83,16 @@ jobs:
-p $IDF_PATH/examples/get-started/hello_world \
--size-file size_info.json
pytest --cov idf_build_apps --cov-report term-missing:skip-covered --junit-xml pytest.xml | tee pytest-coverage.txt
- name: Pytest coverage comment
- name: Save PR number
if: github.event_name == 'pull_request'
uses: MishaKav/pytest-coverage-comment@main
run: echo ${{ github.event.number }} > pr_number.txt
- name: Upload test results
uses: actions/upload-artifact@v6
if: always() && github.event_name == 'pull_request'
with:
pytest-coverage-path: pytest-coverage.txt
junitxml-path: pytest.xml

build-apps-on-idf-8266:
runs-on: ubuntu-latest
container:
image: python:3
env:
TOOLCHAIN_DIR: ${HOME}/.espressif/tools
FLIT_ROOT_INSTALL: 1
strategy:
matrix:
branch:
- release/v3.4
steps:
- uses: actions/checkout@v6
- name: Install dependencies
run: |
apt update \
&& apt install -y --no-install-recommends \
gcc \
git \
wget \
make \
libncurses-dev \
flex \
bison \
gperf
- name: Checkout the SDK
run: |
git clone --recursive --shallow-submodules \
--branch ${{ matrix.branch }} \
https://github.com/espressif/ESP8266_RTOS_SDK \
$IDF_PATH
- name: Install toolchain
run: |
${IDF_PATH}/install.sh
- name: Build Hello World
run: |
. ${IDF_PATH}/export.sh
pip install flit
flit install -s
idf-build-apps build -vv -t esp8266 \
--build-system make \
-p ${IDF_PATH}/examples/get-started/hello_world \
--build-dir build_@t \
--size-file size_info.json
name: test-results
path: |
pr_number.txt
pytest-coverage.txt
pytest.xml
retention-days: 7
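Review bot: this hunk deletes the entire build-apps-on-idf-8266 job (ESP8266 RTOS SDK release/v3.4, make-based build) with no explanation anywhere in the diff; the PR description or changelog should state that ESP8266 coverage is dropped. The Save PR number step has no `if: always()`, while Upload test results does, so when pytest fails the artifact is uploaded without pr_number.txt and the summary workflow never comments on exactly the PRs where the report matters most; use `if: always() && github.event_name == 'pull_request'` on Save PR number as well. Also, `echo ${{ github.event.number }} > pr_number.txt` expands the expression straight into the shell script; the value is an integer here so it is safe, but passing it through `env:` and using `$PR_NUMBER` in the script is the pattern that keeps run blocks free of template expansion and is simpler to audit.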
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -17,7 +17,7 @@ repos:
- --use-current-year
exclude: 'idf_build_apps/vendors/'
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: 'v0.15.1'
rev: 'v0.15.6'
hooks:
- id: ruff-check
args: ['--fix']