
chore: Cherry-picked changes from upstream #19

Merged
Raj-StepSecurity merged 3 commits into main from auto-cherry-pick
Dec 29, 2025

Conversation

@github-actions Contributor

Cherry-picked changes from upstream.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@github-actions Contributor Author

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v3.12.0
📋 Previous Release Version: v3.11.1

⚠️ Completely Skipped Commits Due to only modifying files in: package.json, package-lock.json, yarn.lock, node_modules/, dist/, or .gitignore


❗ Missing Files:

  • .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs

🛑 Workflow Files (Cannot be auto-applied by GitHub Actions):

  • .github/workflows/ci.yml from commit 3c6ab92b04d9f3e63233e0e0168ba114c6b448bc
  • .github/workflows/ci.yml from commit 4dfc3d6c5d9e9534040f8d8b55bd4a98459b62b7
  • .github/workflows/publish.yml from commit 4dfc3d6c5d9e9534040f8d8b55bd4a98459b62b7
  • .github/workflows/test.yml from commit 4dfc3d6c5d9e9534040f8d8b55bd4a98459b62b7
  • .github/workflows/validate.yml from commit 4dfc3d6c5d9e9534040f8d8b55bd4a98459b62b7
  • .github/workflows/ci.yml from commit 000d75d273dec231f74115df50b6ee04c9b25e55
  • .github/workflows/publish.yml from commit 000d75d273dec231f74115df50b6ee04c9b25e55
  • .github/workflows/test.yml from commit 000d75d273dec231f74115df50b6ee04c9b25e55
  • .github/workflows/validate.yml from commit 000d75d273dec231f74115df50b6ee04c9b25e55
  • .github/workflows/ci.yml from commit e81846bcc4416a0bf18b8389e4f6fce279619ddc

❌ Conflicting Files:

  • .yarnrc.yml from commit 8c5c87276d8f1781413f1a05079641476eb645ee
  • .yarnrc.yml from commit 1051acaba6be4685e5d29fa185efab4e74f8ead9
  • README.md from commit ed158e796328af702db08c75bebb92f2fb10be88

@github-actions Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v3.11.1...v3.12.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+26 -41)

.github/workflows/publish.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 1 additions, 1 deletions)

.github/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

.github/workflows/validate.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

.yarnrc.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+8 -4)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+10 -2) | Missing 1 additions | Missing 1 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+6 -5)

📊 Summary:

  • Total files changed upstream: 7
  • Files present in PR: 2/7
  • Files with matching changes: 1/7

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@github-actions Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v3.11.1...v3.12.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+26 -41) | Missing 26 additions | Missing 26 deletions

.github/workflows/publish.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 1 additions, 1 deletions)

.github/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

.github/workflows/validate.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

.yarnrc.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+8 -4)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+10 -2) | Missing 1 additions | Missing 1 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+6 -5)

📊 Summary:

  • Total files changed upstream: 7
  • Files present in PR: 3/7
  • Files with matching changes: 1/7

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@claude claude bot commented Dec 29, 2025


PR Review: Cherry-picked Changes Analysis

Analyzing this auto-cherry-pick PR for completeness, consistency, and security issues.

Review Tasks:

  • Read and analyze changed files (.github/workflows/ci.yml, README.md, action.yml)
  • Verify cherry-pick completeness against verification reports
  • Scan for security vulnerabilities
  • Provide comprehensive feedback and recommendations

Critical Issues Found

1. Incomplete Cherry-Pick (BLOCKING)

The verification reports clearly show this cherry-pick is severely incomplete:

  • Expected changes: 7 files should have been updated
  • Actual changes: Only 3 files were modified
  • Success rate: 1/7 files (14%) fully applied correctly

Missing Files (4/7):

  • .github/workflows/publish.yml - Completely missing
  • .github/workflows/test.yml - Completely missing
  • .github/workflows/validate.yml - Completely missing
  • .yarnrc.yml - Completely missing

Partial Applications (2/7):

  • .github/workflows/ci.yml - Missing 26 additions and 26 deletions
  • README.md - Missing changes (specific count varies between reports)

Successfully Applied (1/7):

  • action.yml - ✅ Fully applied correctly

2. Security Analysis

Security Strengths Found:

  • Proper security hardening: All workflow jobs use step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 with audit egress policy
  • Pinned action versions: All external actions are pinned to specific SHA commits (security best practice)
  • No exposed secrets: No hardcoded credentials or tokens found
  • Proper permissions: No overly permissive workflow permissions detected

⚠️ Potential Security Considerations:

  • Missing workflow files could contain important security updates
  • Without seeing the complete upstream changes, we cannot verify if security patches were missed

3. Impact Assessment

This incomplete cherry-pick means:

  • Missing CI/CD capabilities - test, publish, and validate workflows are absent
  • Potential security gaps - missing security updates from upstream
  • Incomplete functionality - yarn configuration changes not applied
  • Technical debt - partial CI workflow application creates inconsistent state

📋 Recommendations

Immediate Actions Required:

  1. ❌ Do not merge this PR in its current state
  2. Investigate cherry-pick failures - determine why 6/7 files failed to apply
  3. Manual review required - compare upstream v3.11.1...v3.12.0 changes manually
  4. Re-attempt cherry-pick - fix conflicts and ensure all changes are applied

Process Improvements:

  1. Validation gates - Add checks to prevent incomplete cherry-picks from being approved
  2. Verification requirements - Require 100% application rate before approval
  3. Manual verification - When auto-cherry-pick fails, require manual review of all changes

🔍 Detailed File Analysis

.github/workflows/ci.yml (Partial)

  • Status: Partially applied - missing significant changes
  • Security: ✅ Good security practices maintained
  • Impact: CI workflow may be missing important updates

README.md (Partial)

  • Status: Partially applied - missing documentation updates
  • Impact: Users may not have complete/accurate documentation

action.yml (Complete)

  • Status: ✅ Fully applied correctly
  • Security: ✅ No security concerns
  • Changes: Successfully updated action metadata

📊 Verdict

❌ REJECT - This PR should not be merged due to:

  • Severely incomplete cherry-pick (only 14% success rate)
  • Missing critical workflow files
  • Potential security gaps from incomplete updates
  • Inconsistent codebase state

Despite the approval from @amanstep, the verification reports clearly indicate this cherry-pick failed to apply most upstream changes, creating a high risk of missing important updates and creating an inconsistent codebase state.
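The "validation gate" the review above recommends, as an added example that is not code from this repository or from any bot on the thread: it classifies each upstream-changed file the way the verification report does (Missing / Partial / Perfect) and only passes when every file is fully applied. The per-file counts are constructed from the (+add -del) figures in the reports, the PR-side counts are inferred, and using line counts as a proxy for patch equality is an assumption a production gate would replace with a real patch comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileStatus:
    path: str
    status: str        # "Perfect", "Partial" or "Missing", as in the report
    missing_add: int   # upstream additions the PR does not carry
    missing_del: int   # upstream deletions the PR does not carry

def classify(upstream, pr):
    """Compare per-file (additions, deletions) counts of the upstream
    range against the PR's counts. Line counts are a coarse proxy for
    patch identity (assumption); a real gate should diff the patches."""
    out = []
    for path, (u_add, u_del) in upstream.items():
        if path not in pr:
            out.append(FileStatus(path, "Missing", u_add, u_del))
            continue
        p_add, p_del = pr[path]
        miss_add, miss_del = max(u_add - p_add, 0), max(u_del - p_del, 0)
        status = "Perfect" if miss_add == miss_del == 0 else "Partial"
        out.append(FileStatus(path, status, miss_add, miss_del))
    return out

def summarize(statuses):
    """Totals in the report's shape; 'complete' is the approval gate."""
    total = len(statuses)
    present = sum(s.status != "Missing" for s in statuses)
    matching = sum(s.status == "Perfect" for s in statuses)
    return {"total": total, "present": present,
            "matching": matching, "complete": matching == total}

# Constructed sample counts taken from the (+add -del) figures in the
# verification reports on this PR; the PR-side counts are inferred.
UPSTREAM_NUMSTAT = {
    ".github/workflows/ci.yml": (26, 41),
    ".github/workflows/publish.yml": (1, 1),
    ".github/workflows/test.yml": (1, 1),
    ".github/workflows/validate.yml": (1, 1),
    ".yarnrc.yml": (8, 4),
    "README.md": (10, 2),
    "action.yml": (6, 5),
}
PR_NUMSTAT = {
    ".github/workflows/ci.yml": (0, 15),
    "README.md": (9, 1),
    "action.yml": (6, 5),
}
```

Running `summarize(classify(UPSTREAM_NUMSTAT, PR_NUMSTAT))` reproduces the report's 3/7 present and 1/7 matching, with `complete` False, which is the condition an approval check would fail on.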


@github-actions Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v3.11.1...v3.12.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+26 -41) | Missing 26 additions | Missing 26 deletions

.github/workflows/publish.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 1 additions, 1 deletions)

.github/workflows/test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

.github/workflows/validate.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

.yarnrc.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+8 -4)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+10 -2) | Missing 1 additions | Missing 1 deletions

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+6 -5)

📊 Summary:

  • Total files changed upstream: 7
  • Files present in PR: 3/7
  • Files with matching changes: 1/7

Overall Status: 🔴 INCOMPLETE - Missing files or changes

Raj-StepSecurity merged commit 4f61500 into main Dec 29, 2025
57 of 58 checks passed