chore: Cherry-picked changes from upstream #134

Merged: Raj-StepSecurity merged 10 commits into main from auto-cherry-pick on Dec 16, 2025

@github-actions
Contributor

Cherry-picked changes from upstream.

* add dual network support

* update dist

* update action yml

* bump build

* fix network

* bump

* bump

* we do not distribute windows binaries for tempo

* fix
@github-actions
Contributor Author

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v1.6.0
📋 Previous Release Version: v1.5.0

🛑 Workflow Files (Cannot be auto-applied by GitHub Actions):

  • .github/workflows/ci.yml from commit 29630be21d3f22fc09bd27b7da633571afc893cc
  • .github/workflows/ci.yml from commit 049c2418c6878b9f11599ca3f29c7b91eb18e427
  • .github/workflows/ci.yml from commit 46218fda365a4e77b923f603b6dde0ba695f7fc0
  • .github/workflows/ci.yml from commit d2ab9036cc4396ea2c0cd9f724d1ff118075e65e
  • .github/workflows/ci.yml from commit 8b0419c685ef46cb79ec93fbdc131174afceb730

❌ Conflicting Files:

  • src/index.js from commit 8b0419c685ef46cb79ec93fbdc131174afceb730

@github-actions
Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.0...v1.6.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+35 -16)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+3 -2)

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+16 -9)

src/index.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+4 -3)

src/utils.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+14 -2)

📊 Summary:

  • Total files changed upstream: 5
  • Files present in PR: 3/5
  • Files with matching changes: 3/5

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@github-actions
Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.0...v1.6.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+35 -16) | Missing 9 additions | Missing 9 deletions

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+3 -2)

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+16 -9)

src/index.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+4 -3)

src/utils.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+14 -2)

📊 Summary:

  • Total files changed upstream: 5
  • Files present in PR: 5/5
  • Files with matching changes: 4/5

⚠️ Overall Status: 🟡 PARTIAL - All files present but some changes missing

* fix: apply audit fixes

* fix: apply audit fixes

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions
Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.0...v1.6.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+35 -16) | Missing 9 additions | Missing 9 deletions

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+3 -2)

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+16 -9)

src/index.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+4 -3)

src/utils.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+14 -2)

📊 Summary:

  • Total files changed upstream: 5
  • Files present in PR: 5/5
  • Files with matching changes: 4/5

⚠️ Overall Status: 🟡 PARTIAL - All files present but some changes missing

@claude

claude Bot commented Dec 11, 2025

Claude finished @github-actions[bot]'s task


PR Review: Cherry-picked Changes from Upstream

Reviewing this automated cherry-pick PR for completeness and security.

Tasks:

  • Analyze the incomplete cherry-pick status from automated reports
  • Review the .github/workflows/ci.yml file (reported as missing 9 additions/9 deletions)
  • Review other changed files (README.md, action.yml, src/index.js, src/utils.js, dist files)
  • Scan all changes for security vulnerabilities
  • Provide comprehensive feedback on cherry-pick completeness
  • Submit final review

Analysis of Cherry-pick Completeness:

Cherry-pick Status: ⚠️ PARTIAL - Critical workflow changes missing

Based on the automated verification reports and my code review, here's the detailed analysis:

Files with Complete Cherry-picks ✅:

  • README.md - All changes applied correctly (+3 -2)
  • action.yml - All changes applied correctly (+16 -9)
  • src/index.js - All changes applied correctly (+4 -3)
  • src/utils.js - All changes applied correctly (+14 -2)
  • dist/index.js & dist/index.js.map - Appear to be properly updated

Files with Incomplete Cherry-picks ❌:

  • .github/workflows/ci.yml - Missing 9 additions and 9 deletions

Security Analysis:

Security Issues Found: 🔒 None identified in cherry-picked changes

I've reviewed all modified files for security vulnerabilities:

  1. src/index.js - ✅ Secure

    • Subscription validation endpoint uses HTTPS
    • Proper timeout handling (3000ms)
    • Error handling doesn't leak sensitive information
    • Process exits appropriately on authentication failure
  2. src/utils.js - ✅ Secure

    • Platform detection uses safe Node.js APIs
    • Version normalization with regex is safe
    • URL construction is predictable and safe
    • No dynamic code execution or injection risks
  3. action.yml - ✅ Secure

    • Input validation and defaults are appropriate
    • No sensitive information exposed in defaults
    • Node.js runtime version specified (node24)
  4. .github/workflows/ci.yml - ✅ Secure (what's present)

    • Uses step-security/harden-runner for security
    • Pinned action versions with SHA hashes
    • Proper permissions declarations
    • No credential persistence enabled
  5. README.md - ✅ Secure

    • Documentation updates only
    • No executable content or credentials

Recommendations:

🚨 CRITICAL: This PR should NOT be merged in its current state due to:

  1. Incomplete Cherry-pick: The CI workflow is missing essential changes (9 additions/9 deletions)
  2. Potential CI Failures: Missing workflow changes could break the build pipeline
  3. Inconsistent State: Having partial upstream changes could lead to unexpected behavior

Required Actions:

  1. Complete the cherry-pick for .github/workflows/ci.yml with the missing changes
  2. Re-run the verification process to ensure all upstream changes are properly applied
  3. Test the CI workflow to ensure it functions correctly with the new changes

Approval Status: ❌ Changes Requested

The code quality and security practices are excellent, but the incomplete cherry-pick must be resolved before merging to maintain repository stability and consistency.


@github-actions
Contributor Author

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.0...v1.6.0

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ❌ No
  • Status: 🟡 Partial - ❌ Cherry-pick incomplete (+35 -16) | Missing 9 additions | Missing 9 deletions

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+3 -2)

action.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+16 -9)

src/index.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+4 -3)

src/utils.js

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+14 -2)

📊 Summary:

  • Total files changed upstream: 5
  • Files present in PR: 5/5
  • Files with matching changes: 4/5

⚠️ Overall Status: 🟡 PARTIAL - All files present but some changes missing

Raj-StepSecurity merged commit c7f4c6a into main on Dec 16, 2025
27 of 28 checks passed