Skip to content

chore: Cherry-picked changes from upstream #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
github-actions wants to merge 6 commits into
base: main
Choose a base branch
from
Open

chore: Cherry-picked changes from upstream #39

github-actions wants to merge 6 commits into from
+32 −21

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 29, 2025

Cherry-picked changes from upstream.

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 29, 2025

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v2.0.2
📋 Previous Release Version: v2.0.1

⚠️ Completely Skipped Commits Due to only modifying files in: package.json, package-lock.json, yarn.lock, node_modules/, dist/, or .gitignore

  • 54899f6f3964ffb033e01c49fe843a76b45a0cd2
  • 31e75ec32486f8af8e5b9c3495efc61fad91c58e

@claude
Copy link

claude bot commented Dec 29, 2025
edited
Loading

Claude finished @github-actions[bot]'s task —— View job

Pull Request Review ✅

I've completed a comprehensive review of the cherry-picked changes. Here's my analysis:

Todo List:

  • Read repository setup instructions (CLAUDE.md) - No CLAUDE.md found
  • Analyze changed files for modifications
  • Verify cherry-pick completeness and consistency
  • Scan for security vulnerabilities
  • Provide comprehensive review feedback

🔍 Analysis Summary

This PR contains well-implemented security and reliability improvements to the workflow ID parsing logic. The changes are complete, consistent, and enhance the action's robustness.

📋 Changes Overview

Core Improvements in src/action/index.ts:

  • New function: getWorkflowIdFromValue() with proper regex validation (/^\d+$/)
  • Enhanced parsing: Only treats entirely numeric strings as workflow IDs
  • Prevention fix: Stops filenames like "1-release.yaml" from being parsed as workflow ID 1
  • Simplified logic: Removed unnecessary try-catch in getNumberFromValue()

Test Coverage in src/action/action.test.ts:

  • ✅ Added test: "Should treat workflow filename starting with a number as a string, not a workflow ID"
  • ✅ Validates the fix for edge case parsing

Distribution Files:

  • dist/index.js - Properly compiled with new logic
  • dist/index.js.map - Updated source mapping

🔒 Security Assessment

✅ SECURITY APPROVED - No vulnerabilities found. In fact, this PR improves security:

  • Enhanced Input Validation: More precise workflow ID parsing prevents misinterpretation
  • Reduced Attack Surface: Stricter regex validation (/^\d+$/) limits potential edge cases
  • No Malicious Code: All changes are defensive and improve robustness

🔄 Cherry-Pick Completeness

✅ CHERRY-PICK VERIFIED - All changes appear complete and consistent:

  • Source and compiled files are in sync
  • Test coverage matches the feature changes
  • No orphaned or partial implementations detected
  • Distribution files properly reflect source changes

🏗️ Code Quality Assessment

✅ HIGH QUALITY:

  • Clean Implementation: New getWorkflowIdFromValue() function is well-focused
  • Proper Testing: Edge case is covered with appropriate test
  • Good Practices: Used precise regex, clear function naming, proper error handling
  • No Breaking Changes: Maintains API compatibility

⚠️ Minor Observations

  1. Line Spacing: Could maintain consistent spacing around new function at src/action/index.ts:15-23
  2. Documentation: New function could benefit from JSDoc comment explaining the regex logic

🎯 Recommendation

✅ APPROVE - This PR should be merged. The changes:

  • Fix a legitimate edge case in workflow ID parsing
  • Improve security and reliability
  • Include proper test coverage
  • Maintain backward compatibility
  • Are well-implemented and complete

The cherry-pick appears to have been executed successfully with all upstream changes properly included.

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 29, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.1...v2.0.2

📋 File-by-File Analysis:

src/action/action.test.ts

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -0)

src/action/index.ts

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+11 -8)

📊 Summary:

  • Total files changed upstream: 2
  • Files present in PR: 2/2
  • Files with matching changes: 2/2

🎉 Overall Status:PERFECT - All upstream changes successfully applied!

1 similar comment
@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 29, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.1...v2.0.2

📋 File-by-File Analysis:

src/action/action.test.ts

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -0)

src/action/index.ts

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+11 -8)

📊 Summary:

  • Total files changed upstream: 2
  • Files present in PR: 2/2
  • Files with matching changes: 2/2

🎉 Overall Status:PERFECT - All upstream changes successfully applied!

@claude
Copy link

claude bot commented Dec 29, 2025
edited
Loading

Claude finished @github-actions[bot]'s task —— View job

Pull Request Review ✅

I've completed a comprehensive review of the cherry-picked changes. Here's my analysis:

Todo List:

  • Read repository setup instructions (CLAUDE.md) - No CLAUDE.md found
  • Analyze core source file changes (src/action/index.ts)
  • Review test changes (src/action/action.test.ts)
  • Verify distribution file consistency
  • Scan for security vulnerabilities
  • Provide comprehensive review feedback

🔍 Analysis Summary

This PR contains well-implemented security and reliability improvements to the workflow ID parsing logic. The changes are complete, consistent, and enhance the action's robustness.

📋 Changes Overview

Core Improvements in src/action/index.ts:

  • New function: getWorkflowIdFromValue() with proper regex validation (/^\d+$/)
  • Enhanced parsing: Only treats entirely numeric strings as workflow IDs
  • Prevention fix: Stops filenames like "1-release.yaml" from being parsed as workflow ID 1
  • Simplified logic: Removed unnecessary try-catch in getNumberFromValue()

Test Coverage in src/action/action.test.ts:

  • ✅ Added test: "Should treat workflow filename starting with a number as a string, not a workflow ID"
  • ✅ Validates the fix for edge case parsing

Distribution Files:

  • dist/index.js - Properly compiled with new logic
  • dist/index.js.map - Updated source mapping

🔒 Security Assessment

✅ SECURITY APPROVED - No vulnerabilities found. In fact, this PR improves security:

  • Enhanced Input Validation: More precise workflow ID parsing prevents misinterpretation
  • Reduced Attack Surface: Stricter regex validation (/^\d+$/) limits potential edge cases
  • No Malicious Code: All changes are defensive and improve robustness

🔄 Cherry-Pick Completeness

✅ CHERRY-PICK VERIFIED - All changes appear complete and consistent:

  • Source and compiled files are in sync
  • Test coverage matches the feature changes
  • No orphaned or partial implementations detected
  • Distribution files properly reflect source changes

🏗️ Code Quality Assessment

✅ HIGH QUALITY:

  • Clean Implementation: New getWorkflowIdFromValue() function is well-focused
  • Proper Testing: Edge case is covered with appropriate test
  • Good Practices: Used precise regex, clear function naming, proper error handling
  • No Breaking Changes: Maintains API compatibility

⚠️ Minor Observations

  1. Line Spacing: Could maintain consistent spacing around new function at src/action/index.ts:15-23
  2. Documentation: New function could benefit from JSDoc comment explaining the regex logic

🎯 Recommendation

✅ APPROVE - This PR should be merged. The changes:

  • Fix a legitimate edge case in workflow ID parsing
  • Improve security and reliability
  • Include proper test coverage
  • Maintain backward compatibility
  • Are well-implemented and complete

The cherry-pick appears to have been executed successfully with all upstream changes properly included.

@github-actions
Copy link
Contributor Author

github-actions bot commented Dec 29, 2025

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v2.0.1...v2.0.2

📋 File-by-File Analysis:

src/action/action.test.ts

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+7 -0)

src/action/index.ts

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+11 -8)

📊 Summary:

  • Total files changed upstream: 2
  • Files present in PR: 2/2
  • Files with matching changes: 2/2

🎉 Overall Status:PERFECT - All upstream changes successfully applied!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

review required review-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Raj-StepSecurity