Skip to content

[generate_manifest] let issue creation trigger the workflow #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 20, 2025
Merged

[generate_manifest] let issue creation trigger the workflow #245

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
00f1ade
[generate_manifest] let issue creation trigger the workflow
GabrielDrapor Aug 20, 2025
65462f4
Potential fix for code scanning alert no. 10: Code injection
GabrielDrapor Aug 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 22 additions & 4 deletions .github/workflows/generate-manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,13 @@
type: string
repository_dispatch:
types: [generate-manifest]
issues:
types: [opened, labeled]

jobs:
generate-manifest:
runs-on: ubuntu-latest
if: ${{ github.event_name != 'issues' || contains(github.event.issue.labels.*.name, 'server submission') }}
permissions:
contents: write
pull-requests: write
Expand Down Expand Up @@ -40,17 +43,32 @@
python -m pip install --upgrade pip
pip install requests
- name: Extract repository URL from issue
id: extract-url
if: github.event_name == 'issues'
run: |
# Extract the repository URL from the GitHub issue form
# The form renders the repository field as a URL line after the label
REPO_URL=$(echo '${{ github.event.issue.body }}' | grep -oP 'https://github\.com/[^\s]+' | head -1)
if [ -z "$REPO_URL" ]; then
echo "No GitHub repository URL found in issue body"
echo "Issue body: ${{ github.event.issue.body }}"
exit 1
fi
echo "Found repository URL: $REPO_URL"
echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT
- name: Generate manifest
env:
ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }}
run: |
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url }}"
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"

Check failure

Code scanning / CodeQL

Code injection Critical

Potential code injection in
${ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }
Loading
, which may be controlled by an external user (
issues
Loading
).

Copilot Autofix

AI 3 months ago

To fix this code injection vulnerability, we should avoid interpolating untrusted input directly into the shell command using ${{ ... }}. Instead, we should assign the untrusted value to an environment variable using the env: key, and then reference it in the shell command using native shell variable syntax ($REPO_URL). This prevents shell injection because the shell will treat the value as a single argument, not as code. Specifically, in the "Generate manifest" and "Extract repo name for branch" steps, move the expression for the repository URL into the env: block, and reference it as $REPO_URL in the run: block. No additional dependencies are required.

Suggested changeset 1
.github/workflows/generate-manifest.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/generate-manifest.yml b/.github/workflows/generate-manifest.yml
--- a/.github/workflows/generate-manifest.yml
+++ b/.github/workflows/generate-manifest.yml
@@ -63,14 +63,15 @@
       - name: Generate manifest
         env:
           ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }}
+          REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
         run: |
-          REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
           python scripts/get_manifest.py "$REPO_URL"
 
       - name: Extract repo name for branch
         id: repo-info
+        env:
+          REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
         run: |
-          REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
           REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-')
           echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
           echo "branch_name=add-manifest-$REPO_NAME" >> $GITHUB_OUTPUT
EOF
@@ -63,14 +63,15 @@
- name: Generate manifest
env:
ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }}
REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
run: |
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
python scripts/get_manifest.py "$REPO_URL"

- name: Extract repo name for branch
id: repo-info
env:
REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
run: |
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-')
echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
echo "branch_name=add-manifest-$REPO_NAME" >> $GITHUB_OUTPUT
Copilot is powered by AI and may make mistakes. Always verify output.
python scripts/get_manifest.py "$REPO_URL"
- name: Extract repo name for branch
id: repo-info
run: |
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url }}"
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"

Check failure

Code scanning / CodeQL

Code injection Critical

Potential code injection in
${ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }
Loading
, which may be controlled by an external user (
issues
Loading
).

Copilot Autofix

AI 3 months ago

To fix the code injection vulnerability, we should avoid using ${{ ... }} interpolation of untrusted input directly in the shell command. Instead, we should assign the untrusted input to an environment variable using the env: block, and then reference it using native shell syntax ("$REPO_URL") in the run: block. Specifically, in the steps "Generate manifest" and "Extract repo name for branch", move the assignment of REPO_URL to the env: block, and update the shell commands to use $REPO_URL directly. This change should be made in lines 64-68 and 72-74. No new methods or imports are needed, just a change in how the input is passed to the shell.

Suggested changeset 1
.github/workflows/generate-manifest.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/generate-manifest.yml b/.github/workflows/generate-manifest.yml
--- a/.github/workflows/generate-manifest.yml
+++ b/.github/workflows/generate-manifest.yml
@@ -63,14 +63,15 @@
       - name: Generate manifest
         env:
           ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }}
+          REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
         run: |
-          REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
           python scripts/get_manifest.py "$REPO_URL"
 
       - name: Extract repo name for branch
         id: repo-info
+        env:
+          REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
         run: |
-          REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
           REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-')
           echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
           echo "branch_name=add-manifest-$REPO_NAME" >> $GITHUB_OUTPUT
EOF
@@ -63,14 +63,15 @@
- name: Generate manifest
env:
ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }}
REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
run: |
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
python scripts/get_manifest.py "$REPO_URL"

- name: Extract repo name for branch
id: repo-info
env:
REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
run: |
REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-')
echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
echo "branch_name=add-manifest-$REPO_NAME" >> $GITHUB_OUTPUT
Copilot is powered by AI and may make mistakes. Always verify output.
REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-')
echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
echo "branch_name=add-manifest-$REPO_NAME" >> $GITHUB_OUTPUT
Expand All @@ -62,14 +80,14 @@
commit-message: |
feat: add manifest for ${{ steps.repo-info.outputs.repo_name }}
Generated manifest JSON for repository: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url }}
Generated manifest JSON for repository: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
Co-Authored-By: Lucien
title: "feat: Add MCP manifest for ${{ steps.repo-info.outputs.repo_name }}"
body: |
## Summary
This PR adds a new MCP server manifest generated from the repository: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url }}
This PR adds a new MCP server manifest generated from the repository: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
## Changes
Expand Down
Loading