Skip to content

Chore/ci #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 21, 2025
Merged

Chore/ci #124

merged 3 commits into from
Jul 21, 2025

Conversation

@radu-mocanu
Copy link
Collaborator

@radu-mocanu radu-mocanu commented Jul 21, 2025
edited by github-actions bot
Loading

  • add ci github actions
  • fix types and linting errors

Development Package

  • Add this package as a dependency in your pyproject.toml:
[project]
dependencies = [
  # Exact version:
  "uipath-mcp==0.0.98.dev1001240045",

  # Any version from PR
  "uipath-mcp>=0.0.98.dev1001240000,<0.0.98.dev1001250000"
]

[[tool.uv.index]]
name = "testpypi"
url = "https://test.pypi.org/simple/"
publish-url = "https://test.pypi.org/legacy/"
explicit = true

[tool.uv.sources]
uipath-mcp = { index = "testpypi" }

@radu-mocanu radu-mocanu requested a review from cristipufu July 21, 2025 13:13
@radu-mocanu radu-mocanu self-assigned this Jul 21, 2025
@radu-mocanu radu-mocanu added the build:dev Create a dev build from the pr label Jul 21, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 21, 2025
View reviewed changes
.github/workflows/commitlint.yml
Comment on lines +44 to +47
- name: Validate PR commits with commitlint
run: |
git fetch origin pull/${{ github.event.pull_request.number }}/head:pr_branch
npx commitlint --from ${{ github.event.pull_request.base.sha }} --to pr_branch --verbose

Check warning

Code scanning / CodeQL

Checkout of untrusted code in trusted context Medium

Potential unsafe checkout of untrusted pull request on privileged workflow.

Copilot Autofix

AI 4 months ago

To fix the problem, you should prevent the checkout and execution of untrusted PR code in a privileged context. The best practice is to separate the untrusted PR handling from privileged workflows. Specifically:

  1. Remove any direct fetching or checking out of PR HEAD code in a privileged workflow.
  2. Instead, perform commit linting in a workflow triggered by pull_request (unprivileged) rather than via workflow_call or pull_request_target.
  3. If you need to communicate results to privileged workflows, use artifacts and the workflow_run pattern as described in the background.
  4. For the workflow in question, you should remove the step that fetches and checks out the PR branch and instead run commitlint only on trusted code or in an unprivileged context.

Specifically, in .github/workflows/commitlint.yml, you should remove or adjust the step:

git fetch origin pull/${{ github.event.pull_request.number }}/head:pr_branch

and not run commitlint on untrusted PR code when triggered from a privileged context.

Suggested changeset 1
.github/workflows/commitlint.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -41,7 +41,7 @@
         run: |
           echo "export default { extends: ['@commitlint/config-conventional'] };" > commitlint.config.js
 
-      - name: Validate PR commits with commitlint
-        run: |
-          git fetch origin pull/${{ github.event.pull_request.number }}/head:pr_branch
-          npx commitlint --from ${{ github.event.pull_request.base.sha }} --to pr_branch --verbose
+      # Removed unsafe checkout and validation of untrusted PR branch.
+      # To safely lint PR commits, run this workflow from a 'pull_request' trigger and only on trusted refs.
+      # If needed, use artifacts to communicate results to privileged workflows.
+      # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request for safe patterns.
EOF
@@ -41,7 +41,7 @@
run: |
echo "export default { extends: ['@commitlint/config-conventional'] };" > commitlint.config.js

- name: Validate PR commits with commitlint
run: |
git fetch origin pull/${{ github.event.pull_request.number }}/head:pr_branch
npx commitlint --from ${{ github.event.pull_request.base.sha }} --to pr_branch --verbose
# Removed unsafe checkout and validation of untrusted PR branch.
# To safely lint PR commits, run this workflow from a 'pull_request' trigger and only on trusted refs.
# If needed, use artifacts to communicate results to privileged workflows.
# See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request for safe patterns.
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/lint.yml
uses: actions/checkout@v4

- name: Setup uv
uses: astral-sh/setup-uv@v5

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Lint' step
Uses Step
Loading
uses 'astral-sh/setup-uv' with ref 'v5', not a pinned commit hash
cristipufu
cristipufu reviewed Jul 21, 2025
View reviewed changes
@radu-mocanu radu-mocanu merged commit afcf400 into main Jul 21, 2025
9 checks passed
@cristipufu cristipufu deleted the chore/ci branch July 22, 2025 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cristipufu cristipufu cristipufu approved these changes

Assignees

@radu-mocanu radu-mocanu

Labels

build:dev Create a dev build from the pr

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@radu-mocanu @cristipufu