akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

fix: use double quotes for environment variable assignments in workflows

Browse Source 
- Updated environment variable assignments in multiple workflow files to use double quotes for consistency and to prevent potential issues with variable expansion.
- Refactored echo commands to group multiple lines into a single block for improved readability in the following workflows:
  - release-goreleaser.yml
  - renovate_prune.yml
  - security-pr.yml
  - security-weekly-rebuild.yml
  - supply-chain-pr.yml
  - supply-chain-verify.yml
  - update-geolite2.yml
  - waf-integration.yml
  - weekly-nightly-promotion.yml
This commit is contained in:
GitHub Actions
2026-02-08 10:18:40 +00:00
parent ef5efd2e33
commit ee48c2e716
25 changed files with 812 additions and 689 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
.github/workflows/quality-checks.yml vendored
View File

@@ -48,26 +48,27 @@ jobs:
CGO_ENABLED: 1
run: |
bash scripts/go-test-coverage.sh 2>&1 | tee backend/test-output.txt
exit ${PIPESTATUS[0]}
exit "${PIPESTATUS[0]}"
- name: Go Test Summary
if: always()
working-directory: backend
run: |
echo "## 🔧 Backend Test Results" >> $GITHUB_STEP_SUMMARY
if [ "${{ steps.go-tests.outcome }}" == "success" ]; then
echo "✅ **All tests passed**" >> $GITHUB_STEP_SUMMARY
PASS_COUNT=$(grep -c "^--- PASS" test-output.txt || echo "0")
echo "- Tests passed: $PASS_COUNT" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Tests failed**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Failed Tests:" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
grep -E "^--- FAIL|FAIL\s+github" test-output.txt || echo "See logs for details"
grep -E "^--- FAIL|FAIL\s+github" test-output.txt >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
fi
{
echo "## 🔧 Backend Test Results"
if [ "${{ steps.go-tests.outcome }}" == "success" ]; then
echo "✅ **All tests passed**"
PASS_COUNT=$(grep -c "^--- PASS" test-output.txt || echo "0")
echo "- Tests passed: $PASS_COUNT"
else
echo "❌ **Tests failed**"
echo ""
echo "### Failed Tests:"
echo '```'
grep -E "^--- FAIL|FAIL\s+github" test-output.txt || echo "See logs for details"
echo '```'
fi
} >> "$GITHUB_STEP_SUMMARY"
# Codecov upload moved to `codecov-upload.yml` (Docker Build-gated).
@@ -89,24 +90,26 @@ jobs:
- name: GORM Security Scan Summary
if: always()
run: |
echo "## 🔒 GORM Security Scan Results" >> $GITHUB_STEP_SUMMARY
if [ "${{ steps.gorm-scan.outcome }}" == "success" ]; then
echo "✅ **No GORM security issues detected**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "All models follow secure GORM patterns:" >> $GITHUB_STEP_SUMMARY
echo "- ✅ No exposed internal database IDs" >> $GITHUB_STEP_SUMMARY
echo "- ✅ No exposed API keys or secrets" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Response DTOs properly structured" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **GORM security issues found**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Run locally for details:" >> $GITHUB_STEP_SUMMARY
echo '```bash' >> $GITHUB_STEP_SUMMARY
echo "./scripts/scan-gorm-security.sh --report" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "See [GORM Security Scanner docs](docs/implementation/gorm_security_scanner_complete.md) for remediation guidance." >> $GITHUB_STEP_SUMMARY
fi
{
echo "## 🔒 GORM Security Scan Results"
if [ "${{ steps.gorm-scan.outcome }}" == "success" ]; then
echo "✅ **No GORM security issues detected**"
echo ""
echo "All models follow secure GORM patterns:"
echo "- ✅ No exposed internal database IDs"
echo "- ✅ No exposed API keys or secrets"
echo "- ✅ Response DTOs properly structured"
else
echo "❌ **GORM security issues found**"
echo ""
echo "Run locally for details:"
echo '```bash'
echo "./scripts/scan-gorm-security.sh --report"
echo '```'
echo ""
echo "See [GORM Security Scanner docs](docs/implementation/gorm_security_scanner_complete.md) for remediation guidance."
fi
} >> "$GITHUB_STEP_SUMMARY"
- name: Annotate GORM Security Issues
if: failure() && steps.gorm-scan.outcome == 'failure'
@@ -121,9 +124,9 @@ jobs:
PERF_MAX_MS_GETSTATUS_P95_PARALLEL: 1500ms
PERF_MAX_MS_LISTDECISIONS_P95: 2000ms
run: |
echo "## 🔍 Running performance assertions (TestPerf)" >> $GITHUB_STEP_SUMMARY
echo "## 🔍 Running performance assertions (TestPerf)" >> "$GITHUB_STEP_SUMMARY"
go test -run TestPerf -v ./internal/api/handlers -count=1 | tee perf-output.txt
exit ${PIPESTATUS[0]}
exit "${PIPESTATUS[0]}"
frontend-quality:
name: Frontend (React)
@@ -153,7 +156,7 @@ jobs:
BASE_REF="${{ github.event.pull_request.base.ref }}"
if [ "$EVENT_NAME" = "push" ]; then
echo "frontend_changed=true" >> $GITHUB_OUTPUT
echo "frontend_changed=true" >> "$GITHUB_OUTPUT"
exit 0
fi
# Try to fetch the PR base ref. This may fail for forked PRs or other cases.
@@ -167,25 +170,25 @@ jobs:
else
CHANGED=""
fi
echo "Changed files (base ref):\n$CHANGED"
printf 'Changed files (base ref):\n%s\n' "$CHANGED"
if [ -z "$CHANGED" ]; then
echo "Base ref diff empty or failed; fetching origin/main for fallback..."
git fetch origin main --depth=1 || true
CHANGED=$(git diff --name-only origin/main...HEAD 2>/dev/null || echo "")
echo "Changed files (main fallback):\n$CHANGED"
printf 'Changed files (main fallback):\n%s\n' "$CHANGED"
fi
if [ -z "$CHANGED" ]; then
echo "Still empty; falling back to diffing last 10 commits from HEAD..."
CHANGED=$(git diff --name-only HEAD~10...HEAD 2>/dev/null || echo "")
echo "Changed files (HEAD~10 fallback):\n$CHANGED"
printf 'Changed files (HEAD~10 fallback):\n%s\n' "$CHANGED"
fi
if echo "$CHANGED" | grep -q '^frontend/'; then
echo "frontend_changed=true" >> $GITHUB_OUTPUT
echo "frontend_changed=true" >> "$GITHUB_OUTPUT"
else
echo "frontend_changed=false" >> $GITHUB_OUTPUT
echo "frontend_changed=false" >> "$GITHUB_OUTPUT"
fi
- name: Install dependencies
@@ -199,28 +202,30 @@ jobs:
if: ${{ inputs.run_frontend != false && (github.event_name == 'workflow_dispatch' || steps.check-frontend.outputs.frontend_changed == 'true') }}
run: |
bash scripts/frontend-test-coverage.sh 2>&1 | tee frontend/test-output.txt
exit ${PIPESTATUS[0]}
exit "${PIPESTATUS[0]}"
- name: Frontend Test Summary
if: always()
working-directory: frontend
run: |
echo "## ⚛️ Frontend Test Results" >> $GITHUB_STEP_SUMMARY
if [ "${{ steps.frontend-tests.outcome }}" == "success" ]; then
echo "✅ **All tests passed**" >> $GITHUB_STEP_SUMMARY
# Extract test counts from vitest output
if grep -q "Tests:" test-output.txt; then
grep "Tests:" test-output.txt | tail -1 >> $GITHUB_STEP_SUMMARY
{
echo "## ⚛️ Frontend Test Results"
if [ "${{ steps.frontend-tests.outcome }}" == "success" ]; then
echo "✅ **All tests passed**"
# Extract test counts from vitest output
if grep -q "Tests:" test-output.txt; then
grep "Tests:" test-output.txt | tail -1
fi
else
echo "❌ **Tests failed**"
echo ""
echo "### Failed Tests:"
echo '```'
# Extract failed test info from vitest output
grep -E "FAIL|✕|×|AssertionError|Error:" test-output.txt | head -30 || echo "See logs for details"
echo '```'
fi
else
echo "❌ **Tests failed**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Failed Tests:" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
# Extract failed test info from vitest output
grep -E "FAIL|✕|×|AssertionError|Error:" test-output.txt | head -30 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
fi
} >> "$GITHUB_STEP_SUMMARY"
# Codecov upload moved to `codecov-upload.yml` (Docker Build-gated).