Bump actions/upload-artifact from 7.0.0 to 7.0.1#2
Open
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
hiboma added a commit that referenced this pull request on Apr 23, 2026
Subagent review of the branch found four small issues worth fixing before
merge:
1. Authorizer / SplunkClient / LoginResponse all derived Debug. Authorizer's
cached_session is a Splunk session key and LoginResponse carries the same
value from /services/auth/login. The derived Debug on
Arc<RwLock<Option<String>>> would expand the string verbatim, so any
future `eprintln!("{:?}", client)` / `dbg!(&auth)` would leak the session
key. Drop the derives and hand-write Authorizer's Debug so cached_session
only ever renders as "Some(***)" / "None" / "<locked>". SplunkClient
drops Debug entirely (the one `expect_err` callsite in the integration
test is rewritten to match on the result). LoginResponse drops the
derive outright.
2. resolve_secret treated an empty string as a real value. With
`SPLUNK_TOKEN=""` in the environment (a common mistake after e.g.
`source .envrc` without actually setting the var), the CLI would build
`BearerToken("")` and then 401. Filter empty strings out of all three
sources (env, store, toml) so missing and empty collapse to the same
"no credential set" state.
3. migrate computed its remove-list from the fields it actually wrote to
the store. A pre-existing `token = ""` line in config.toml was therefore
not cleaned up, even though after migrate the user expects the toml to
be entirely free of secret declarations. Flip the rule: always remove
the three secret keys from the toml regardless of whether the store was
updated. The value is already gone from effective resolution thanks to
#2, and leaving the dead declaration behind was just confusing.
4. `credentials set --stdin` used buf.trim(), which also strips leading and
trailing spaces. Token values with intentional surrounding whitespace
would be silently corrupted. Narrow the strip to `trim_end_matches(['\r',
'\n'])` so we still drop the terminator from `read_line` but respect
whatever the user actually piped in.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hiboma added a commit that referenced this pull request on Apr 23, 2026
…chain (#6)

* refactor(config): split config.rs into config/ module

Prepare for adding credential_store sibling by moving the single-file module into a directory. No behavioral change — this commit is a pure rename so downstream functional changes stay reviewable in isolation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(config): add macOS Keychain-backed credential store

Introduce a CredentialStore trait with a macOS KeychainStore implementation (keyring crate, apple-native feature) and a test-only MemoryStore. Wire resolve_credentials to consult the store between environment variables and the toml, so each of token / session_key / password can live in the OS credential store instead of plaintext config.

Why: plaintext secrets in ~/.config/splunk-cloud-cli/config.toml are the single most direct leak surface — Time Machine backups, accidental dotfile commits, malware reading the home directory under the same uid. Moving the secret into the Keychain closes that path.

Design decisions worth calling out:
- StoreError is split into Unavailable (no backend at all — non-macOS build, CI sandbox without a default keychain) vs Backend (a real access failure such as a denied prompt, daemon down, ACL mismatch). Only Unavailable falls through to the toml. A Backend failure does NOT fall through; silently picking up a stale plaintext value would defeat the point of moving the secret into the Keychain in the first place.
- Settings and AuthMethod get hand-written Debug impls that mask the three secret fields, so accidental {:?} / dbg! formatting cannot leak secrets into logs or error messages.
- resolve_credentials_with_store is exposed for tests so they can inject a MemoryStore without touching the real Keychain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(cli): add credentials subcommand (set/delete/status/migrate)

Add splunk-cloud-cli credentials as the user-facing way to put secrets into the Keychain and audit what is stored. The subcommand intentionally does not expose a get verb: the value never needs to leave the store for any legitimate workflow, and exposing one would invite leakage into shell history, terminal scrollback, and AI-agent transcripts.

set reads the value from an rpassword-hidden prompt, or from stdin for CI. status probes each known key and prints only "stored" / "not stored" — never the value. delete removes the entry.

migrate moves any token / session_key / password currently in config.toml into the Keychain in one step, ordered so the user is never left in an inconsistent half-migrated state:
1. Write to the credential store first. Any failure rolls back the entries already written in this run; the toml has not been touched yet.
2. Ask the user how to dispose of the plaintext copy (default: remove outright, with a loud warning if they opt for a 0600 backup).
3. Rewrite the toml via a 0600 tempfile + rename. If the rewrite fails, roll back the store entries so the next run of the CLI picks up the still-present plaintext secret rather than a missing one.

Unsupported TOML quoting forms (literal strings, multi-line basic/literal, escaped quotes) are refused rather than silently mishandled. We delete the line entirely instead of blanking the value, so a future reader cannot misread client_secret = "" as an intentional override.

main.rs routes credentials (and completion) before load_settings / resolve_credentials, since the whole point of `credentials set` is to configure the credentials themselves.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: add .gitallowed allowlist for git-secrets

Track the allowlist that silences git-secrets false positives on the Cargo checksum pattern and on a couple of crate names the hook's entropy scan flags. Previously lived in the parent checkout only, so commits from fresh worktrees would fail the pre-commit hook without any way to reproduce the configuration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs: document Keychain credential storage

Add a Credential storage section to README describing the env > Keychain > config.toml resolution order, the Backend-error-does-not-fall-through behavior, the set / status / delete / migrate workflow, and how to inspect the entries via Keychain Access or security(1). Mark the keyring item in TODO.md as done.

Also replace the pre-existing "eyJraWQi..." TOML example placeholder with the allowlist-friendly "eyJEXAMPLEHEADER00.eyJEXAMPLEPAYLOAD0.EXAMPLESIGN0" form so the pre-commit git-secrets hook stops false-positive-blocking unrelated commits that touch README.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(credentials): close Debug leak paths, empty-env UX, migrate contract

Subagent review of the branch found four small issues worth fixing before merge:
1. Authorizer / SplunkClient / LoginResponse all derived Debug. Authorizer's cached_session is a Splunk session key and LoginResponse carries the same value from /services/auth/login. The derived Debug on Arc<RwLock<Option<String>>> would expand the string verbatim, so any future `eprintln!("{:?}", client)` / `dbg!(&auth)` would leak the session key. Drop the derives and hand-write Authorizer's Debug so cached_session only ever renders as "Some(***)" / "None" / "<locked>". SplunkClient drops Debug entirely (the one `expect_err` callsite in the integration test is rewritten to match on the result). LoginResponse drops the derive outright.
2. resolve_secret treated an empty string as a real value. With `SPLUNK_TOKEN=""` in the environment (a common mistake after e.g. `source .envrc` without actually setting the var), the CLI would build `BearerToken("")` and then 401. Filter empty strings out of all three sources (env, store, toml) so missing and empty collapse to the same "no credential set" state.
3. migrate computed its remove-list from the fields it actually wrote to the store. A pre-existing `token = ""` line in config.toml was therefore not cleaned up, even though after migrate the user expects the toml to be entirely free of secret declarations. Flip the rule: always remove the three secret keys from the toml regardless of whether the store was updated. The value is already gone from effective resolution thanks to #2, and leaving the dead declaration behind was just confusing.
4. `credentials set --stdin` used buf.trim(), which also strips leading and trailing spaces. Token values with intentional surrounding whitespace would be silently corrupted. Narrow the strip to `trim_end_matches(['\r', '\n'])` so we still drop the terminator from `read_line` but respect whatever the user actually piped in.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(credentials): cover Backend/Unavailable fallback, empty env, TOML edges

Add tests for the contracts that the preceding fix commit just locked down, plus the TOML parsing edges the subagent review flagged as under-covered:
- FailingStore and UnavailableStore stubs in test_support so resolve tests can drive the StoreError::Backend vs Unavailable paths that the real KeychainStore cannot trigger deterministically.
- resolve_backend_error_refuses_toml_fallback exercises the load-bearing contract that a Keychain access denial does NOT silently pick up a stale plaintext from config.toml. Also asserts the toml value string does not appear in the error message.
- resolve_unavailable_store_falls_through_to_toml covers the dual case: when the store is simply not present, the toml IS read.
- resolve_empty_env_var_is_treated_as_unset pins the SPLUNK_TOKEN="" UX behavior so a future refactor cannot silently regress it.
- auth_method_debug_masks_session_key_and_basic_password extends the existing Debug-masks-BearerToken test to the other two variants, so the guarantee covers AuthMethod as a whole.
- TOML scanning edges: CRLF line endings, inline `#` comment, commented-out lines, tab as key/value separator, and the migrate contract that `token = ""` gets dropped by remove_fields even though extract_field reports it as Absent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
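The four mechanisms these commit messages describe (a hand-written Debug that masks a cached session key, env > store > toml resolution in which only StoreError::Unavailable falls through to the toml while a Backend failure is surfaced, empty-string credentials treated as unset, and a `--stdin` reader that strips only the line terminator), written out as an added Rust example. This is not the project's code: Authorizer, StoreError, CredentialStore, StubStore, resolve_secret and read_secret_from_stdin are hypothetical stand-ins assumed here for illustration, and the sample values are constructed.

```rust
use std::fmt;
use std::io::{self, BufRead};
use std::sync::{Arc, RwLock};

/// Hypothetical stand-in for the Authorizer named in the commit messages
/// (added example, not the project's code). cached_session is a session key.
pub struct Authorizer {
    pub base_url: String,
    cached_session: Arc<RwLock<Option<String>>>,
}

impl Authorizer {
    pub fn new(base_url: &str) -> Self {
        Authorizer { base_url: base_url.to_string(), cached_session: Arc::new(RwLock::new(None)) }
    }
    pub fn cache_session(&self, key: &str) {
        *self.cached_session.write().unwrap() = Some(key.to_string());
    }
}

/// Hand-written Debug: the key itself is never formatted. try_read() means a
/// concurrently held write lock renders as "<locked>" instead of blocking.
impl fmt::Debug for Authorizer {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let session = match self.cached_session.try_read() {
            Ok(guard) => if guard.is_some() { "Some(***)" } else { "None" },
            Err(_) => "<locked>",
        };
        f.debug_struct("Authorizer")
            .field("base_url", &self.base_url)
            .field("cached_session", &format_args!("{}", session))
            .finish()
    }
}

/// Unavailable = no backend at all; Backend = backend present but access failed.
#[derive(Clone, Debug, PartialEq)]
pub enum StoreError {
    Unavailable,
    Backend(String),
}

pub trait CredentialStore {
    fn get(&self, key: &str) -> Result<Option<String>, StoreError>;
}

/// Test double returning a canned result, standing in for the MemoryStore /
/// UnavailableStore / FailingStore stubs the test commit describes.
pub struct StubStore(pub Result<Option<String>, StoreError>);
impl CredentialStore for StubStore {
    fn get(&self, _key: &str) -> Result<Option<String>, StoreError> { self.0.clone() }
}

/// Empty strings collapse to "unset" so SPLUNK_TOKEN="" never becomes BearerToken("").
fn non_empty(v: Option<&str>) -> Option<String> {
    v.filter(|s| !s.is_empty()).map(String::from)
}

/// Resolution order env > store > toml. Only StoreError::Unavailable falls
/// through to the toml; a Backend failure is returned as-is so a stale
/// plaintext value in config.toml is never silently picked up.
pub fn resolve_secret(
    env: Option<&str>,
    store: &dyn CredentialStore,
    key: &str,
    toml: Option<&str>,
) -> Result<Option<String>, StoreError> {
    if let Some(v) = non_empty(env) {
        return Ok(Some(v));
    }
    match store.get(key) {
        Ok(found) => {
            if let Some(v) = non_empty(found.as_deref()) {
                return Ok(Some(v));
            }
        }
        Err(StoreError::Unavailable) => {} // no backend: fall through to the toml
        Err(e) => return Err(e),            // Backend error surfaces to the caller
    }
    Ok(non_empty(toml))
}

/// `credentials set --stdin`: drop only the read_line terminator, keep any
/// leading/trailing spaces the user deliberately piped in.
pub fn read_secret_from_stdin<R: BufRead>(mut reader: R) -> io::Result<String> {
    let mut buf = String::new();
    reader.read_line(&mut buf)?;
    Ok(buf.trim_end_matches(['\r', '\n']).to_string())
}

fn main() {
    let auth = Authorizer::new("https://splunk.example.invalid");
    auth.cache_session("constructed-session-key"); // constructed sample value
    println!("{:?}", auth); // cached_session renders as Some(***)
    let denied = StubStore(Err(StoreError::Backend("denied".into())));
    println!("{:?}", resolve_secret(None, &denied, "token", Some("stale-plaintext")));
}
```

The second `println!` is the load-bearing case: with a toml value present and the store reporting a Backend error, the call returns the error rather than the plaintext, which is the contract the resolve_backend_error_refuses_toml_fallback test in the message pins down.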
Bumps actions/upload-artifact from 7.0.0 to 7.0.1.

Release notes
Sourced from actions/upload-artifact's releases.

Commits
- 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
- 634250c Include changes in typespec/ts-http-runtime 0.3.5
- e454baa Readme: bump all the example versions to v7 (#796)
- 74fad66 Update the readme with direct upload details (#795)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)