eat your veggies / brush your teeth / bump npins versions after bump script fixes#1476
Merged
Contributor
Pull request overview
This PR updates various developer/CI maintenance assets: bumps pinned third-party tooling (Nix pins, KaTeX/Mermaid), introduces an opengrep CI lint workflow, and removes some older dev-env/dev-test scaffolding scripts/templates.
Changes:
- Bump KaTeX/Mermaid versions used by docs header generation and the generated custom header HTML.
- Update npins/sources.json pins (crane, nixpkgs channel, rust, rust-overlay, etc.).
- Add an opengrep CI workflow and clean up/remove legacy scripts/templates (dpdk-sys env templates, dev-tests Docker harness, direnv envrc, etc.).
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/update-doc-headers.sh | Bump KaTeX/Mermaid versions used for generating doc headers + SRI hashes. |
| scripts/doc/custom-header.html | Update KaTeX/Mermaid CDN URLs + integrity attributes in generated header. |
| scripts/bump.sh | Repurposed into an npins initialization/add script (previously gen-pins.sh). |
| scripts/gen-pins.sh | Removed (content effectively moved into scripts/bump.sh). |
| npins/sources.json | Update pinned revisions/hashes for several Nix inputs (crane, nixpkgs, rust, etc.). |
| .github/workflows/lint-opengrep.yml | New required lint workflow that builds/runs opengrep. |
| .semgrepignore | Ignore known false-positives for minimal passwd/group files in generated Nix config. |
| .github/workflows/dev.yml | Refactor “push container” step to pass values via env vars into nix-shell. |
| .github/workflows/version-bump.yml | Refactor to use an env var for NEW_VERSION during validation/bump. |
| deny.toml | Remove multiple bans.skip* exceptions from cargo-deny config. |
| Dockerfile | Explicitly set USER root (with justification and # nosem). |
| .config/nextest.toml | Change final-status-level from all to slow. |
| .gitignore | Stop ignoring dev-env-template/** (directory/files removed in this PR). |
| scripts/templates/dpdk-sys.env.template | Deleted. |
| scripts/dpdk-sys.env | Deleted. |
| scripts/dev-tests/test-dev-envs.sh | Deleted. |
| scripts/dev-tests/Dockerfile | Deleted. |
| dev-env-template/etc.template/passwd.template | Deleted. |
| dev-env-template/etc.template/group.template | Deleted. |
| .envrc | Deleted. |
Previously scripts/update-doc-headers.sh carried hardcoded MERMAID_VERSION and KATEX_VERSION constants which had to be edited by hand every time upstream shipped a release. Promote both to proper npins pins (KaTeX as GitRelease, mermaid as GitRelease with `mermaid@` prefix) and teach the script to read the version strings out of npins/sources.json via `jq`, stripping the tag prefixes so URLs match the jsdelivr form. That way `just bump pins` picks up katex and mermaid releases along with every other dep, and the regenerated custom-header.html lands in the same PR.
Fix the script's relative paths while here so it runs from the repo root rather than assuming a CWD of scripts/.
Versions moved to current upstream (katex 0.16.45, mermaid 11.14.0) as a side effect of introducing the pins.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Floating pin updates from `npins update`:
- rust: 1.94.1 -> 1.95.0
- crane: v0.23.2 -> v0.23.3
- frr (stable/10.5): d8971dfa -> 1e938d47
- perftest (master): a9f846ef -> c94e5386
- nixpkgs (unstable channel): 26.05pre978638 -> 26.05pre980800
- rust-overlay (master): 3c27f4c9 -> 8087ff1f
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Rust 1.95.0 adds several clippy::pedantic lints that fire on
existing code. Bringing the tree back to lint-clean:
- duration_suboptimal_units (config, flow-entry, nat, routing): switch
`Duration::from_millis(N_000)` / `Duration::from_secs(60)` to
`Duration::from_secs(N)` / `Duration::from_mins(1)` where applicable.
- collapsible_match (interface-manager): fold the inner `if` checks
into match guards, removing the redundant catch-all arms that
duplicated the existing `_ => {}` fall-through.
- unnecessary_trailing_comma (config, nat, routing): drop trailing
commas on single-argument `write!` / `assert!` / `writeln!` calls.
- useless_conversion (hardware): `elems.extend(child.into_iter())`
becomes `elems.extend(child)` since `extend` already consumes an
`IntoIterator`.
- manual_is_none_or (routing): `x.is_some_and(p) || x.is_none()`
collapses to `x.is_none_or(p)`.
No behavior changes; `just test` passes all 716 tests.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
The new_version workflow_dispatch input was interpolated directly into
the Validate and Bump steps' shell scripts via ${{ ... }}, which means a
crafted input could execute arbitrary shell before the semver regex
check ran (for Validate) or in the nix-shell bump (for Bump). Route the
value through an env var and reference it as ${NEW_VERSION} so bash
treats it as data rather than re-parsing it as source.
We have never accepted workflow runs from people without repo edit access
so this was always protected, albeit through spooky action at a distance.
Much better to just fix.
Flagged by opengrep rule yaml.github-actions.security.run-shell-injection.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
The build job's "push container" step interpolated matrix values and
needs.version.outputs directly into the nix-shell script via ${{ ... }}.
The values involved are all matrix literals or SHA-derived strings so
there is no live injection path, but the pattern invites regressions if
a future matrix entry picks up user-controlled input. Move every
interpolation into step-level env vars and reference them with
${VAR_NAME} inside the script.
Flagged by opengrep rule yaml.github-actions.security.run-shell-injection.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
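The two commits above (the version-bump Validate/Bump steps and the "push container" step) apply the same fix: a value from `${{ ... }}` is spliced into the `run:` script as source text, whereas a value exported as an env var and read as `${NAME}` is data the shell never re-parses. The script below is an added example, not code from the hedgehog dataplane repo or its workflows; it models that hardened step in plain POSIX sh. The semver regex and the function names are assumptions for illustration, and the repo's real Validate step may check something different.

```shell
#!/bin/sh
# Added example (not the repo's own workflow code). It models the hardened
# pattern: the untrusted input reaches the step script only through the
# NEW_VERSION environment variable, never by ${{ }} text interpolation.
# The semver regex is an assumption; the real Validate step may differ.

# Succeeds only when $1 is a plain MAJOR.MINOR.PATCH triple on a single line.
# Shell metacharacters, tag prefixes and embedded newlines are simply strings
# that fail to match; nothing in $1 is ever evaluated.
is_semver() {
    # Reject embedded newlines first: grep matches per line, so a value such
    # as "1.2.3<newline>garbage" would otherwise slip through.
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Models the fixed step: the script text handed to the child shell is a fixed
# single-quoted literal, and the candidate value travels in the environment.
# The child prints back exactly what it saw, so a caller can confirm the value
# arrived unchanged and uninterpreted (e.g. a "$(...)" inside it stays literal).
run_step_with_env() {
    NEW_VERSION="$1" sh -c 'printf "%s\n" "${NEW_VERSION}"'
}

# The complete Validate step: pass the value through the environment, then
# gate on the regex. Returns 0 for a well-formed version, 1 otherwise.
validate_step() {
    seen=$(run_step_with_env "$1")
    if is_semver "$seen"; then
        printf 'ok: %s\n' "$seen"
        return 0
    fi
    printf 'rejected: %s\n' "$seen" >&2
    return 1
}
```

The same split applies to the "push container" step: keep every `${{ matrix.* }}` and `${{ needs.*.outputs.* }}` reference in the step's `env:` map and use only `${VAR_NAME}` inside `run:`, so the script text stays constant no matter what the interpolated values contain.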
Introduce opengrep as a dev-shell tool and wire it into CI
as a required status check (pull_request + merge_group events).
Sadly building opengrep in nix is a trick (difficulties with ocaml
deps). Thus derivation at nix/pkgs/opengrep fetches opengrep's
upstream prebuilt manylinux binary and autoPatchelfs its interpreter.
The version is tracked via an npins pin on the opengrep/opengrep
GitHub repo; the binary content hash lives in
nix/pkgs/opengrep/binary.sri because npins has no pin type for raw
non-archive release assets. scripts/bump.sh refreshes that hash on
every `just bump pins`, so the weekly bump.yml cron keeps the hash
current without any manual edits.
Suppress two classes of false positives along the way:
- .semgrepignore excludes nix/pkgs/frr-config/config/etc/{passwd,group}
because those files intentionally minimize the user/group set inside
the FRR container; they are not leaked credentials.
- Dockerfile USER root gets a `# nosem` annotation because the
dataplane container is inherently privileged; running as a less
privileged user is not an option here.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Require a 7-day cooldown before dependabot opens a PR for any github-actions version bump (default, major, minor, and patch all set to 7 days).
This is actually a form of security: we don't accept potentially malicious action updates until they have been public for at least 7 days. This policy can and should be manually overridden if we find that a malicious update slipped through anyway.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
CodeQL alerts 1-6 on main flag six workflows for running without an
explicit `permissions:` block, which means GITHUB_TOKEN picks up the
repository default scope. Add a minimal block to each so the lint
workflows only grant themselves what they actually need.
- fossa.yml, lint-cargo-fmt.yml, lint-commitlint.yml,
lint-license-headers.yml, lint-validate-dependabot.yml: grant
`contents: read`, covering the actions/checkout fetch and any
read-only tooling the step runs.
- mergeability.yml: grant `{}`. The workflow only reads
`github.event.*.labels` off the webhook payload and runs `exit 0/1`;
it never touches repo contents, so it needs no token scopes at all
(matches CodeQL's own suggestion for alert 6).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
I don't think it is actually reading our development guide. Attempt to get it in focus by skipping the link and giving more explicit directions.
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
| name | old req | compatible | latest | new req |
|---|---|---|---|---|
| axum | 0.8.8 | 0.8.9 | 0.8.9 | 0.8.9 |
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
| name | old req | compatible | latest | new req |
|---|---|---|---|---|
| bitflags | 2.11.0 | 2.11.1 | 2.11.1 | 2.11.1 |
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
| name | old req | compatible | latest | new req |
|---|---|---|---|---|
| clap | 4.6.0 | 4.6.1 | 4.6.1 | 4.6.1 |
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
| name | old req | compatible | latest | new req |
|---|---|---|---|---|
| linkme | 0.3.35 | 0.3.36 | 0.3.36 | 0.3.36 |
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
| name | old req | compatible | latest | new req |
|---|---|---|---|---|
| tokio | 1.51.1 | 1.52.1 | 1.52.1 | 1.52.1 |
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
| name | old req | compatible | latest | new req |
|---|---|---|---|---|
| uuid | 1.23.0 | 1.23.1 | 1.23.1 | 1.23.1 |
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
mvachhar
approved these changes
Apr 18, 2026
Contributor
mvachhar
left a comment
I am approving this PR as it has a lot of needed cleanups and minor security fixes and there is no need to hold things up in a review and refactor cycle. However, in the future, the actual bump of the npins file should be its own bump PR.
Just keeping the place tidy.
The big things are