From 849b602e2e6d9967ec7ba55869433e9a33faea24 Mon Sep 17 00:00:00 2001
From: Jan Wendling <7381150+jwndlng@users.noreply.github.com>
Date: Tue, 28 May 2024 08:45:23 +0200
Subject: [PATCH 1/2] fix: Sanitize PR title by using ENV variable

We need to sanitize the PR title by leveraging an environment variable as an intermediate step to prevent potential script injection attacks. This additional measure enhances the security of the workflow.
---
 .github/workflows/check-commits.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-commits.yaml b/.github/workflows/check-commits.yaml
index 0bec1d2..87da3df 100644
--- a/.github/workflows/check-commits.yaml
+++ b/.github/workflows/check-commits.yaml
@@ -18,6 +18,8 @@ jobs:
 if: ${{ github.event_name == 'pull_request' }}
 name: 'conventional-title:required'
 runs-on: ubuntu-latest
+ env:
+ TITLE: ${{ github.event.pull_request.title }}
 steps:
 # Conventional commit patterns:
 # verb: description
@@ -28,11 +30,10 @@ jobs:
 # scope: refers to the part of code being changed. E.g. " (accounts)" or " (accounts,canisters)"
 # !: Indicates that the PR contains a breaking change.
 - run: |
- if [[ "${{ github.event.pull_request.title }}" =~ ^(feat|fix|chore|build|ci|docs|style|refactor|perf|test)(\([-a-zA-Z0-9,]+\))?\!?\: ]]; then
+ if [[ "$TITLE" =~ ^(feat|fix|chore|build|ci|docs|style|refactor|perf|test)(\([-a-zA-Z0-9,]+\))?\!?\: ]]; then
 echo pass
 else
 echo "PR Title does not match conventions"
- echo "PR Title: ${{ github.event.pull_request.title }}"
 exit 1
 fi
 check_commits:
From 7c6ca93fe52f48d9e9e5af7104e6a73c2ecebd8d Mon Sep 17 00:00:00 2001
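Review bot: The new job-level `env:` block carries no comment explaining why the title is routed through `TITLE`, so a later edit could move the expression back into the `run:` script without anyone noticing the regression. Add a YAML comment above it, for example `# PR title is attacker-controlled: hand it to the shell via env, never expand it inside run:`. Declaring `env:` on the step that consumes the variable, rather than on the whole job, would also keep it next to its only visible use; that step is in the following hunk.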
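Review bot: The failure branch no longer reports which title was rejected, because the `echo "PR Title: …"` line was removed instead of being switched to the variable. With `TITLE` supplied through `env:`, the value reaches the shell as plain data and can be printed without being parsed as script, for example `printf 'PR Title: %s\n' "$TITLE"` just before `exit 1`. The `check_commits` job that follows lies outside this hunk, so it is worth checking whether it expands other `github.event` fields inside `run:` blocks and needs the same env indirection.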
From: Kepler Vital
Date: Tue, 28 May 2024 09:08:09 +0200
Subject: [PATCH 2/2] add rust-toolchain with stable rust version

---
 .github/actions/setup-rust/action.yaml | 20 -------------------
 .github/workflows/code-style.yaml | 1 -
 .github/workflows/tests.yaml | 1 -
 .../name-registry/src/repositories/zone.rs | 2 +-
 rust-toolchain.toml | 4 ++++
 5 files changed, 5 insertions(+), 23 deletions(-)
 delete mode 100644 .github/actions/setup-rust/action.yaml
 create mode 100644 rust-toolchain.toml

diff --git a/.github/actions/setup-rust/action.yaml b/.github/actions/setup-rust/action.yaml
deleted file mode 100644
index e9f9945..0000000
--- a/.github/actions/setup-rust/action.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: 'Setup Rust'
-description: 'Adds rust to the system'
-
-runs:
- using: 'composite'
- steps:
- - name: 'Setup Cargo Cache'
- uses: actions/cache@v3
- with:
- path: |
- ~/.cargo/bin/
- ~/.cargo/registry/index/
- ~/.cargo/registry/cache/
- ~/.cargo/git/db/
- target/
- key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- - name: 'Setup Rust'
- uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
diff --git a/.github/workflows/code-style.yaml b/.github/workflows/code-style.yaml
index fd2de3c..9cf8422 100644
--- a/.github/workflows/code-style.yaml
+++ b/.github/workflows/code-style.yaml
@@ -26,7 +26,6 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v3
- - uses: ./.github/actions/setup-rust
 - name: 'Format code'
 run: cargo fmt --all -- --check
 env:
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 056c8d8..c0a55d4 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -26,6 +26,5 @@ jobs:
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v3
- - uses: ./.github/actions/setup-rust
 - name: 'Test cargo crates'
 run: cargo test
diff --git a/canisters/name-registry/src/repositories/zone.rs b/canisters/name-registry/src/repositories/zone.rs
index ecd1e75..25c8c06 100644
--- a/canisters/name-registry/src/repositories/zone.rs
+++ b/canisters/name-registry/src/repositories/zone.rs
@@ -129,7 +129,7 @@ mod tests {
 },
 DomainRecord::default(),
 ),
- results.get(0).unwrap().to_owned()
+ results.first().unwrap().to_owned()
 );
 assert_eq!(
 DomainZoneEntry::new(
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 0000000..2847c44
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,4 @@
+[toolchain]
+channel = "1.77.2"
+targets = ["wasm32-unknown-unknown"]
+components = ["rustfmt", "clippy"]
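Review bot: `channel = "1.77.2"` pins an exact compiler release although the commit subject calls it the stable version, and nothing in the file records who bumps the pin or when. The removed `setup-rust` action installed `toolchain: stable`, so CI will now stay on 1.77.2 until this file is edited, even when later releases carry compiler or standard-library fixes. A comment above the key would record the intent, for example `# Pinned for reproducible builds; bump deliberately and re-run fmt, clippy and tests`. The workflows now appear to rely on rustup already being present on the runner to honour this file, which is worth stating in the same comment.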