From 0d017f725a34170078004558b9368b00029b1ae5 Mon Sep 17 00:00:00 2001
From: "c.lamboo"
Date: Fri, 17 May 2024 09:56:49 +0200
Subject: [PATCH 1/9] Change `value` to `resolve`
CURA-11912
---
 resources/definitions/fdmprinter.def.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/definitions/fdmprinter.def.json b/resources/definitions/fdmprinter.def.json
index 7591a30232..124ba37967 100644
--- a/resources/definitions/fdmprinter.def.json
+++ b/resources/definitions/fdmprinter.def.json
@@ -6845,7 +6845,7 @@
 "label": "Prime Tower Type",
 "description": "How to generate the prime tower:",
 "type": "enum",
- "value": "'interleaved' if (all(material_type_var == extruderValues('material_type')[0] for material_type_var in extruderValues('material_type')) and all(material_brand_var == extruderValues('material_brand')[0] for material_brand_var in extruderValues('material_brand'))) else 'normal'",
+ "resolve": "'interleaved' if (all(material_type_var == extruderValues('material_type')[0] for material_type_var in extruderValues('material_type')) and all(material_brand_var == extruderValues('material_brand')[0] for material_brand_var in extruderValues('material_brand'))) else 'normal'",
 "options": {
 "normal": "Normal",
From 170c5115682caba0f00f993d3b0401c451811ac4 Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Thu, 23 May 2024 11:49:35 +0200
Subject: [PATCH 2/9] Reduce permissions on printer-linter GitHub actions
Previously they had no permission set, so by default all write access. We now specify only the required permissions for each of them.
---
 .github/workflows/printer-linter-pr-diagnose.yml | 3 +++
 .github/workflows/printer-linter-pr-post.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/printer-linter-pr-diagnose.yml b/.github/workflows/printer-linter-pr-diagnose.yml
index 1be20c4548..67fbe7247f 100644
--- a/.github/workflows/printer-linter-pr-diagnose.yml
+++ b/.github/workflows/printer-linter-pr-diagnose.yml
@@ -5,6 +5,9 @@ on:
 path:
 - "resources/**"
+permissions:
+ contents: read
+
 jobs:
 printer-linter-diagnose:
 name: Printer linter PR diagnose
diff --git a/.github/workflows/printer-linter-pr-post.yml b/.github/workflows/printer-linter-pr-post.yml
index 8bb1aaf028..526fdcdbaa 100644
--- a/.github/workflows/printer-linter-pr-post.yml
+++ b/.github/workflows/printer-linter-pr-post.yml
@@ -5,6 +5,9 @@ on:
 workflows: ["printer-linter-pr-diagnose"]
 types: [completed]
+permissions:
+ issues: write
+
 jobs:
 clang-tidy-results:
 # Trigger the job only if the previous (insecure) workflow completed successfully
From 32cac847b470c7c20432fe6b75a315f95dd391bd Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Mon, 27 May 2024 09:00:40 +0200
Subject: [PATCH 3/9] Update the printer-linter post actions to use the last version of inner action
This is actually required to fix an issue where it was possible to inject malicious code into the environment variables when using a PR that changed the diagnose script. At the same time, it is also good practice to use the last version of the called clang-tidy-pr-comments action.
---
 .github/workflows/printer-linter-pr-post.yml | 117 +++++++++++--------
 1 file changed, 66 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/printer-linter-pr-post.yml b/.github/workflows/printer-linter-pr-post.yml
index 526fdcdbaa..f9da24345d 100644
--- a/.github/workflows/printer-linter-pr-post.yml
+++ b/.github/workflows/printer-linter-pr-post.yml
@@ -5,80 +5,95 @@ on:
 workflows: ["printer-linter-pr-diagnose"]
 types: [completed]
-permissions:
- issues: write
-
 jobs:
 clang-tidy-results:
 # Trigger the job only if the previous (insecure) workflow completed successfully
 if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - name: Download analysis results
- uses: actions/github-script@v3.1.0
+ uses: actions/github-script@v7
 with:
 script: |
- let artifacts = await github.actions.listWorkflowRunArtifacts({
+ const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
 owner: context.repo.owner,
 repo: context.repo.repo,
 run_id: ${{github.event.workflow_run.id }},
 });
- let matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
 return artifact.name == "printer-linter-result"
 })[0];
- let download = await github.actions.downloadArtifact({
+ const download = await github.rest.actions.downloadArtifact({
 owner: context.repo.owner,
 repo: context.repo.repo,
 artifact_id: matchArtifact.id,
 archive_format: "zip",
 });
- let fs = require("fs");
- fs.writeFileSync("${{github.workspace}}/printer-linter-result.zip", Buffer.from(download.data));
-
- - name: Set environment variables
- run: |
- mkdir printer-linter-result
- unzip printer-linter-result.zip -d printer-linter-result
- echo "pr_id=$(cat printer-linter-result/pr-id.txt)" >> $GITHUB_ENV
- echo "pr_head_repo=$(cat printer-linter-result/pr-head-repo.txt)" >> $GITHUB_ENV
- echo "pr_head_ref=$(cat printer-linter-result/pr-head-ref.txt)" >> $GITHUB_ENV
- if [[ -f "printer-linter-result/comment.md" ]]; then
- echo "commentFileExists=true" >> $GITHUB_ENV
- else
- echo "commentFileExists=false" >> $GITHUB_ENV
- fi
-
- - uses: actions/checkout@v3
- with:
- repository: ${{ env.pr_head_repo }}
- ref: ${{ env.pr_head_ref }}
- persist-credentials: false
-
- - name: 
Redownload analysis results
- uses: actions/github-script@v3.1.0
- with:
- script: |
- let artifacts = await github.actions.listWorkflowRunArtifacts({
- owner: context.repo.owner,
- repo: context.repo.repo,
- run_id: ${{github.event.workflow_run.id }},
- });
- let matchArtifact = artifacts.data.artifacts.filter((artifact) => {
- return artifact.name == "printer-linter-result"
- })[0];
- let download = await github.actions.downloadArtifact({
- owner: context.repo.owner,
- repo: context.repo.repo,
- artifact_id: matchArtifact.id,
- archive_format: "zip",
- });
- let fs = require("fs");
- fs.writeFileSync("${{github.workspace}}/printer-linter-result.zip", Buffer.from(download.data));
+ const fs = require("fs");
+ fs.writeFileSync("${{ github.workspace }}/printer-linter-result.zip", Buffer.from(download.data));
 - name: Extract analysis results
 run: |
 mkdir printer-linter-result
- unzip printer-linter-result.zip -d printer-linter-result
+ unzip -j printer-linter-result.zip -d printer-linter-result
+
+ - name: Set PR details environment variables
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const assert = require("node:assert").strict;
+ const fs = require("fs");
+ function exportVar(varName, fileName, regEx) {
+ const val = fs.readFileSync("${{ github.workspace }}/clang-tidy-result/" + fileName, {
+ encoding: "ascii"
+ }).trimEnd();
+ assert.ok(regEx.test(val), "Invalid value format for " + varName);
+ core.exportVariable(varName, val);
+ }
+ exportVar("PR_ID", "pr-id.txt", /^[0-9]+$/);
+ exportVar("PR_HEAD_REPO", "pr-head-repo.txt", /^[-./0-9A-Z_a-z]+$/);
+ exportVar("PR_HEAD_SHA", "pr-head-sha.txt", /^[0-9A-Fa-f]+$/);
+ fs.access("${{ github.workspace }}/printer-linter-result/comment.md", fs.constants.F_OK, (err) => {
+ if (err) {
+ core.exportVariable("commentFileExists", "false");
+ } else {
+ core.exportVariable("commentFileExists", "true");
+ }
+ });
+
+ - uses: actions/checkout@v4
+ with:
+ repository: ${{ env.PR_HEAD_REPO }}
+ ref: ${{ env.PR_HEAD_SHA 
}}
+ persist-credentials: false
+
+ - name: Redownload analysis results
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "printer-linter-result"
+ })[0];
+ const download = await github.rest.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: "zip",
+ });
+ const fs = require("fs");
+ fs.writeFileSync("${{ github.workspace }}/printer-linter-result.zip", Buffer.from(download.data));
+
+ - name: Extract analysis results
+ run: |
+ mkdir printer-linter-result
+ unzip -j printer-linter-result.zip -d printer-linter-result
 - name: Run PR Comments
 if: env.commentFileExists == 'true'
@@ -88,7 +103,7 @@ jobs:
 body-path: 'printer-linter-result/comment.md'
 - name: Run clang-tidy-pr-comments action
- uses: platisd/clang-tidy-pr-comments@bc0bb7da034a8317d54e7fe1e819159002f4cc40
+ uses: platisd/clang-tidy-pr-comments@v1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 clang_tidy_fixes: printer-linter-result/fixes.yml
From 811c859fc5bce0ff9a0427b1d8399ebe13ce30e0 Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Tue, 28 May 2024 08:43:48 +0200
Subject: [PATCH 4/9] Fix indentation
---
 .github/workflows/printer-linter-pr-post.yml | 40 ++++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/printer-linter-pr-post.yml b/.github/workflows/printer-linter-pr-post.yml
index f9da24345d..f96a418cad 100644
--- a/.github/workflows/printer-linter-pr-post.yml
+++ b/.github/workflows/printer-linter-pr-post.yml
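Review bot: The "Set PR details environment variables" step validates PR_ID, PR_HEAD_REPO and PR_HEAD_SHA only by shape, yet they are read from an artifact produced by the `pull_request`-triggered diagnose run, whose workflow file a PR author can edit, so a PR can still steer this privileged job (`pull-requests: write`) at another PR number or at an arbitrary repository/commit in the `actions/checkout@v4` step. The `workflow_run` payload carries the triggering run's head commit and repository, so cross-check the artifact values against it, e.g. `assert.strictEqual(val, context.payload.workflow_run.head_sha)` for the SHA and `context.payload.workflow_run.head_repository.full_name` for the repo, and compare PR_ID with `context.payload.workflow_run.pull_requests` where that list is populated (it is empty for fork PRs, so the SHA/repo checks are the ones to rely on). Separately, `fs.access` with a callback fires after the awaited script body has returned, so the `commentFileExists` export races the end of the step; `core.exportVariable("commentFileExists", fs.existsSync("${{ github.workspace }}/printer-linter-result/comment.md") ? "true" : "false");` is deterministic. The job-level `permissions:` lists only `pull-requests: write`, which sets every other scope to none; if `listWorkflowRunArtifacts`/`downloadArtifact` need `actions: read` for this token, add it and confirm on a test run. The job's remaining steps are in the next hunk.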
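Review bot: Replacing the pinned commit `bc0bb7da034a8317d54e7fe1e819159002f4cc40` with the floating tag `v1` on `platisd/clang-tidy-pr-comments` loosens supply-chain control in a step that receives `secrets.GITHUB_TOKEN` with `pull-requests: write`: whoever can move that tag (upstream maintainers, or anyone who compromises their account) runs code with this token. Pin to the full commit SHA of the release you want and record the tag in a trailing comment, `uses: platisd/clang-tidy-pr-comments@<full-sha> # v1.x`, and let Dependabot's github-actions ecosystem bump it; the same applies to `peter-evans/create-or-update-comment@v4` and `actions/checkout@v4` in this file. The commit message's "good practice to use the last version" conflates staying current with pinning; a SHA pin plus automated bumps gives both.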
@@ -42,26 +42,26 @@ jobs:
 - name: Set PR details environment variables
 uses: actions/github-script@v7
 with:
- script: |
- const assert = require("node:assert").strict;
- const fs = require("fs");
- function exportVar(varName, fileName, regEx) {
- const val = fs.readFileSync("${{ github.workspace }}/clang-tidy-result/" + fileName, {
- encoding: "ascii"
- }).trimEnd();
- assert.ok(regEx.test(val), "Invalid value format for " + varName);
- core.exportVariable(varName, val);
- }
- exportVar("PR_ID", "pr-id.txt", /^[0-9]+$/);
- exportVar("PR_HEAD_REPO", "pr-head-repo.txt", /^[-./0-9A-Z_a-z]+$/);
- exportVar("PR_HEAD_SHA", "pr-head-sha.txt", /^[0-9A-Fa-f]+$/);
- fs.access("${{ github.workspace }}/printer-linter-result/comment.md", fs.constants.F_OK, (err) => {
- if (err) {
- core.exportVariable("commentFileExists", "false");
- } else {
- core.exportVariable("commentFileExists", "true");
- }
- });
+ script: |
+ const assert = require("node:assert").strict;
+ const fs = require("fs");
+ function exportVar(varName, fileName, regEx) {
+ const val = fs.readFileSync("${{ github.workspace }}/clang-tidy-result/" + fileName, {
+ encoding: "ascii"
+ }).trimEnd();
+ assert.ok(regEx.test(val), "Invalid value format for " + varName);
+ core.exportVariable(varName, val);
+ }
+ exportVar("PR_ID", "pr-id.txt", /^[0-9]+$/);
+ exportVar("PR_HEAD_REPO", "pr-head-repo.txt", /^[-./0-9A-Z_a-z]+$/);
+ exportVar("PR_HEAD_SHA", "pr-head-sha.txt", /^[0-9A-Fa-f]+$/);
+ fs.access("${{ github.workspace }}/printer-linter-result/comment.md", fs.constants.F_OK, (err) => {
+ if (err) {
+ core.exportVariable("commentFileExists", "false");
+ } else {
+ core.exportVariable("commentFileExists", "true");
+ }
+ });
 - uses: actions/checkout@v4
 with:
From 5681bf6507ef4c0580d0ad9c253d738c1fd60063 Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Tue, 28 May 2024 08:53:19 +0200
Subject: [PATCH 5/9] Fix wrong file path
---
 .github/workflows/printer-linter-pr-post.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/printer-linter-pr-post.yml b/.github/workflows/printer-linter-pr-post.yml
index f96a418cad..4d784e7e2c 100644
--- a/.github/workflows/printer-linter-pr-post.yml
+++ b/.github/workflows/printer-linter-pr-post.yml
@@ -6,7 +6,7 @@ on:
 types: [completed]
 jobs:
- clang-tidy-results:
+ printer-linter-result:
 # Trigger the job only if the previous (insecure) workflow completed successfully
 if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
@@ -46,7 +46,7 @@ jobs:
 const assert = require("node:assert").strict;
 const fs = require("fs");
 function exportVar(varName, fileName, regEx) {
- const val = fs.readFileSync("${{ github.workspace }}/clang-tidy-result/" + fileName, {
+ const val = fs.readFileSync("${{ github.workspace }}/printer-linter-result/" + fileName, {
 encoding: "ascii"
 }).trimEnd();
 assert.ok(regEx.test(val), "Invalid value format for " + varName);
From f4349be84a2976946df7972e0e9cee9589366b9e Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Tue, 28 May 2024 09:03:46 +0200
Subject: [PATCH 6/9] Fix diagnose script to match post script
---
 .github/workflows/printer-linter-pr-diagnose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/printer-linter-pr-diagnose.yml b/.github/workflows/printer-linter-pr-diagnose.yml
index 67fbe7247f..ed51f8b2f8 100644
--- a/.github/workflows/printer-linter-pr-diagnose.yml
+++ b/.github/workflows/printer-linter-pr-diagnose.yml
@@ -53,7 +53,7 @@ jobs:
 run: |
 echo ${{ github.event.number }} > printer-linter-result/pr-id.txt
 echo ${{ github.event.pull_request.head.repo.full_name }} > printer-linter-result/pr-head-repo.txt
- echo ${{ github.event.pull_request.head.ref }} > printer-linter-result/pr-head-ref.txt
+ echo ${{ github.event.pull_request.head.sha }} > printer-linter-result/pr-head-sha.txt
 - uses: actions/upload-artifact@v2
 with:
From dca3cb2cca2639d9782a35a02cdb8c59dbcca6f7 Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Tue, 28 May 2024 09:18:46 +0200
Subject: [PATCH 7/9] Fix wrong variable given to script
---
 .github/workflows/printer-linter-pr-post.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/printer-linter-pr-post.yml b/.github/workflows/printer-linter-pr-post.yml
index 4d784e7e2c..7b3dd152cb 100644
--- a/.github/workflows/printer-linter-pr-post.yml
+++ b/.github/workflows/printer-linter-pr-post.yml
@@ -99,7 +99,7 @@ jobs:
 if: env.commentFileExists == 'true'
 uses: peter-evans/create-or-update-comment@v4
 with:
- issue-number: ${{ env.pr_id }}
+ issue-number: ${{ env.PR_ID }}
 body-path: 'printer-linter-result/comment.md'
 - name: Run clang-tidy-pr-comments action
@@ -107,5 +107,5 @@ jobs:
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 clang_tidy_fixes: printer-linter-result/fixes.yml
- pull_request_id: ${{ env.pr_id }}
+ pull_request_id: ${{ env.PR_ID }}
 request_changes: true
From a4178e8377758a12fa18516589c4db3e277eeb37 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Thu, 30 May 2024 10:45:04 +0000
Subject: [PATCH 8/9] Set dependencies version ..
---
 conandata.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/conandata.yml b/conandata.yml
index 89ceba3d30..f4f1617189 100644
--- a/conandata.yml
+++ b/conandata.yml
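Review bot: The three `echo ${{ … }} > …` lines splice event-payload values straight into the shell script; swapping `head.ref` for `head.sha` removes the attacker-shaped one (branch names may contain `$(…)` or backticks, a commit SHA is hex), and `github.event.number` and `head.repo.full_name` have restricted character sets, but the pattern stays one edit away from command injection. Route the values through `env:` and quote them, e.g. `env: { PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}" }` on the step and `echo "$PR_HEAD_SHA" > printer-linter-result/pr-head-sha.txt` in `run:`. Because this workflow runs on `pull_request`, a PR can rewrite it wholesale, so the files it uploads must be treated as untrusted by the `workflow_run` consumer regardless of how they are produced here. The context line `uses: actions/upload-artifact@v2` is on a major GitHub has deprecated; bump to `actions/upload-artifact@v4` and confirm the post workflow's API download still finds the artifact by name. The step's `run:` block begins above the hunk.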
@@ -1,10 +1,10 @@
 version: "5.8.0-alpha.0"
 requirements:
- - "cura_resources/(latest)@ultimaker/testing"
- - "uranium/(latest)@ultimaker/testing"
- - "curaengine/(latest)@ultimaker/testing"
- - "cura_binary_data/(latest)@ultimaker/testing"
- - "fdm_materials/(latest)@ultimaker/testing"
+ - "cura_resources/.."
+ - "uranium/.."
+ - "curaengine/.."
+ - "cura_binary_data/.."
+ - "fdm_materials/.."
 - "curaengine_plugin_gradual_flow/0.1.0-beta.3"
 - "dulcificum/latest@ultimaker/testing"
 - "pysavitar/5.3.0"
@@ -12,7 +12,7 @@ requirements:
 - "curaengine_grpc_definitions/0.2.0"
 - "native_cad_plugin/2.0.0"
 requirements_internal:
- - "fdm_materials/(latest)@internal/testing"
+ - "fdm_materials/.."
 - "cura_private_data/(latest)@internal/testing"
 urls:
 default:
From 59771d0ddcaca7f3ec89800e9e0725857040f27b Mon Sep 17 00:00:00 2001
From: Erwan MATHIEU
Date: Thu, 30 May 2024 12:48:03 +0200
Subject: [PATCH 9/9] Revert "Set dependencies version .."
This reverts commit a4178e8377758a12fa18516589c4db3e277eeb37.
---
 conandata.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/conandata.yml b/conandata.yml
index f4f1617189..89ceba3d30 100644
--- a/conandata.yml
+++ b/conandata.yml
@@ -1,10 +1,10 @@
 version: "5.8.0-alpha.0"
 requirements:
- - "cura_resources/.."
- - "uranium/.."
- - "curaengine/.."
- - "cura_binary_data/.."
- - "fdm_materials/.."
+ - "cura_resources/(latest)@ultimaker/testing"
+ - "uranium/(latest)@ultimaker/testing"
+ - "curaengine/(latest)@ultimaker/testing"
+ - "cura_binary_data/(latest)@ultimaker/testing"
+ - "fdm_materials/(latest)@ultimaker/testing"
 - "curaengine_plugin_gradual_flow/0.1.0-beta.3"
 - "dulcificum/latest@ultimaker/testing"
 - "pysavitar/5.3.0"
@@ -12,7 +12,7 @@ requirements:
 - "curaengine_grpc_definitions/0.2.0"
 - "native_cad_plugin/2.0.0"
 requirements_internal:
- - "fdm_materials/.."
+ - "fdm_materials/(latest)@internal/testing"
 - "cura_private_data/(latest)@internal/testing"
 urls:
 default: