Conversation

@kylebrandt
Collaborator

Fork Branch where we make non-cgo the default.

@github-actions

😢 zizmor failed with exit code 14.

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:102:55
    |
102 |         run: GOOS=linux go get github.com/dolthub/${{ github.event.client_payload.dependency }}@${{ github.event.client_payload.hea...
    |         --- this run block                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:102:101
    |
102 | ...   run: GOOS=linux go get github.com/dolthub/${{ github.event.client_payload.dependency }}@${{ github.event.client_payload.head_commit_sha }}
    |       --- this run block                                                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:106:21
    |
105 |         run: |
    |         --- this run block
106 |           if [ "${{ github.event.client_payload.assignee }}" == "zachmu" ]
    |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:115:22
    |
114 |         run: |
    |         --- this run block
115 |           commit=${{ github.event.client_payload.head_commit_sha }}
    |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:120:52
    |
119 |         run: |
    |         --- this run block
120 |           git config --global --add user.name "${{ github.event.client_payload.assignee }}"
    |                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:121:53
    |
119 |         run: |
    |         --- this run block
120 |           git config --global --add user.name "${{ github.event.client_payload.assignee }}"
121 |           git config --global --add user.email "${{ github.event.client_payload.assignee_email }}"
    |                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:122:44
    |
119 |         run: |
    |         --- this run block
...
122 |           branchname=${{ format('{0}-{1}', github.event.client_payload.assignee, steps.short-sha.outputs.short) }}
    |                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/bump-dependency.yaml:125:84
    |
119 |         run: |
    |         --- this run block
...
125 |           git commit -m "${{ format('[ga-bump-dep] Bump dependency in GMS by {0}', github.event.client_payload.assignee) }}"
    |                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/bump-dependency.yaml:128:9
    |
128 |         uses: repo-sync/pull-request@v2
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/dependency-test.yml:21:9
   |
21 |         uses: fregante/setup-git-user@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/format.yml:42:9
   |
42 |       - uses: EndBug/add-and-commit@v9.1.1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/label-customer-issues.yaml:3:1
  |
3 | / on:
4 | |   issues:
5 | |     types: [opened]
6 | |   pull_request_target:
7 | |     branches: [main]
8 | |     types: [opened]
  | |___________________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/label-customer-issues.yaml:14:9
   |
14 |       - uses: dolthub/label-customer-issues@main
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test.yml:30:7
   |
30 |       uses: msys2/setup-msys2@v2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

64 findings (21 ignored, 29 suppressed, 6 fixable): 0 informational, 0 low, 0 medium, 14 high
