Apply recommended security fixes for github actions#3063
Apply recommended security fixes for github actions#3063
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughTop-level workflow permissions added/adjusted across multiple GitHub Actions; many Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## develop #3063 +/- ##
=============================================
- Coverage 96.75% 96.72% -0.03%
Complexity 1924 1924
=============================================
Files 457 457
Lines 12988 12988
Branches 2079 2079
=============================================
- Hits 12566 12563 -3
- Misses 422 425 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/update-bbb-recording-player.yml:
- Around line 7-8: The workflow currently grants only contents: write which
allows pushing commits but not creating/updating PRs; update the workflow
permissions block to include pull-requests: write alongside contents: write so
the peter-evans/create-pull-request action using GITHUB_TOKEN can create or
update PRs; locate the permissions section and add the pull-requests: write
entry and keep contents: write unchanged to ensure both push and PR creation
actions succeed.
- Around line 40-43: The bash expansion is invalid because of spaces inside the
parameter braces; update the echo command that sets NEEDS_UPDATE to use proper
expansions like ${LATEST_PLAYER_VERSION} and ${CURRENT_PLAYER_VERSION} (no
spaces) and ensure the expression is quoted or grouped properly so dpkg
--compare-versions runs correctly; specifically edit the line that writes to
$GITHUB_ENV to reference LATEST_PLAYER_VERSION and CURRENT_PLAYER_VERSION
without spaces and preserve the conditional structure that outputs "true" or
"false".
In @.github/workflows/update-publiccode-on-release.yml:
- Around line 16-19: The workflow currently uses an invalid Bash expansion (`${
VERSION }`) and disables persisted credentials so the later git push will fail;
update the variable usage to `${VERSION}` (no spaces) wherever referenced, and
restore or enable authentication before the push: either remove or set
`persist-credentials: true` in the checkout step (undoing the line with
`persist-credentials: false`) or, if keeping `persist-credentials: false`, add
an authenticated remote set step using the `GITHUB_TOKEN` (e.g., run a step that
calls `git remote set-url origin
https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git`)
before the git commit/push steps so the push succeeds.
In @.github/workflows/upload-locales.yml:
- Line 51: The pinned setup action SHA/comment pair is inconsistent: the SHA
accd6127cb78bee3e8082180cb391013d204ef9f does not match the trailing comment
v2.37.0 (see the uses:
shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f line);
regenerate the pin/comment pair by either (A) replacing the SHA with the commit
that actually corresponds to tag v2.37.0, or (B) updating the comment to the tag
that the current SHA points to, and apply the same correction to all other
workflow files in this PR that reuse the same uses: shivammathur/setup-php@...
entry so the SHA and the posted tag/comment are consistent for auditability.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 86cd44f3-ac74-4e51-9336-3b0ebb03964e
📒 Files selected for processing (8)
.github/workflows/ci-docker.yml.github/workflows/ci.yml.github/workflows/deploy-docs.yml.github/workflows/publiccode-yml-validation.yml.github/workflows/pull-locales.yml.github/workflows/update-bbb-recording-player.yml.github/workflows/update-publiccode-on-release.yml.github/workflows/upload-locales.yml
PILOS
|
||||||||||||||||||||||||||||||||||
| Project |
PILOS
|
| Branch Review |
improve-actions-security
|
| Run status |
|
| Run duration | 07m 13s |
| Commit |
|
| Committer | Samuel Weirich |
| View all properties for this run ↗︎ | |
| Test results | |
|---|---|
Failures
|
1
|
Flaky
|
0
|
Pending
|
0
|
Skipped
|
0
|
Passing
|
621
|
| View all changes introduced in this branch ↗︎ | |
Tests for review
e2e/RoomsJoinWithLobby.cy.js • 1 failed test • System tests
| Test | Artifacts | |
|---|---|---|
| Room Join with lobby settings > Lobby enabled for guests only |
Test Replay
Screenshots
|
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
24-24: Pin service image by digest for deterministic CI security.
redis:8-alpineis still a mutable tag. Prefer pinning to a digest to avoid unreviewed upstream image drift in CI.Suggested change
- image: redis:8-alpine + image: redis:8-alpine@sha256:<verified-digest>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml at line 24, The Redis service image is using a mutable tag ("image: redis:8-alpine"); replace it with a pinned digest to ensure deterministic CI (update the image field for the Redis service in the CI workflow to the official redis:8-alpine@sha256:<digest> value). Obtain the correct digest from the Docker Hub or GitHub Container Registry manifest for the exact tag you want, then commit the image field change so CI uses the immutable digest instead of the floating tag.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 24: The Redis service image is using a mutable tag ("image:
redis:8-alpine"); replace it with a pinned digest to ensure deterministic CI
(update the image field for the Redis service in the CI workflow to the official
redis:8-alpine@sha256:<digest> value). Obtain the correct digest from the Docker
Hub or GitHub Container Registry manifest for the exact tag you want, then
commit the image field change so CI uses the immutable digest instead of the
floating tag.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: a739267a-45c6-4c2b-bce5-e83f00b58652
📒 Files selected for processing (3)
.github/workflows/ci.yml.github/workflows/pull-locales.yml.github/workflows/upload-locales.yml
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/pull-locales.yml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/upload-locales.yml
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s GitHub Actions setup by applying recommended CI/CD security practices (least-privilege permissions, pinned action revisions, and safer checkout defaults) and refreshing some CI dependencies.
Changes:
- Add explicit
permissionsblocks to workflows and pin third-party actions to fixed commit SHAs. - Disable
persist-credentialsonactions/checkoutacross workflows to reduce token exposure. - Update various CI components (e.g., Redis service image, artifact naming/upload behavior) and extend Dependabot configuration.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/upload-locales.yml | Adds workflow-level permissions and pins checkout/setup/cache actions; disables credential persistence. |
| .github/workflows/update-publiccode-on-release.yml | Pins checkout, disables credential persistence, and rewires version/date injection into publiccode.yml. |
| .github/workflows/update-bbb-recording-player.yml | Adds explicit permissions, pins actions, hardens version-compare step, and pins PR creation action. |
| .github/workflows/pull-locales.yml | Adds explicit permissions, pins actions, disables credential persistence, and pins PR creation action. |
| .github/workflows/publiccode-yml-validation.yml | Adds explicit permissions, pins checkout and publiccode parser action; disables credential persistence. |
| .github/workflows/deploy-docs.yml | Adds explicit permissions, pins actions used for docs build and GitHub Pages deployment; disables credential persistence for checkout. |
| .github/workflows/ci.yml | Adds explicit permissions, pins many actions, updates service image tag(s), and adjusts artifact handling/naming. |
| .github/workflows/ci-docker.yml | Moves permissions to workflow scope, pins docker-related actions, disables credential persistence on checkout. |
| .github/dependabot.yml | Adds cooldown scheduling and a new GitHub Actions update entry alongside existing ecosystems. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| ref: develop | ||
| persist-credentials: false |
There was a problem hiding this comment.
actions/checkout is configured with persist-credentials: false, but the workflow later runs git push origin develop. Without credentials configured for the remote, this push is likely to fail. Either keep credentials persisted for this workflow, or explicitly configure the remote to use GITHUB_TOKEN (with contents: write) before pushing.
| persist-credentials: false | |
| persist-credentials: true |
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/update-publiccode-on-release.yml (1)
52-52: Use a versioned branch name to avoid cross-release PR collisions.Line 52 uses a fixed branch (
update-publiccode), which can cause later release runs to overwrite/update an unrelated open PR.Suggested fix
- branch: "update-publiccode" + branch: "update-publiccode-${{ steps.release.outputs.version }}"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/update-publiccode-on-release.yml at line 52, The workflow currently uses a fixed branch name branch: "update-publiccode" which risks cross-release PR collisions; change the branch to a release-specific, versioned name by replacing the static "update-publiccode" with a dynamically constructed branch name using GitHub Actions context (e.g., include github.ref_name, github.run_number or github.run_id or short SHA) so each run creates a unique branch; update the workflow step that sets branch: "update-publiccode" to build and use that dynamic branch value (search for the literal branch: "update-publiccode" in the workflow).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/dependabot.yml:
- Around line 41-43: Update the dependabot configuration so that for
package-ecosystem "github-actions" the directory value is "/" instead of
".github/workflows"; locate the package-ecosystem: "github-actions" entry and
replace the directory key's value to "/" to ensure Dependabot scans GitHub
Actions workflows correctly.
---
Nitpick comments:
In @.github/workflows/update-publiccode-on-release.yml:
- Line 52: The workflow currently uses a fixed branch name branch:
"update-publiccode" which risks cross-release PR collisions; change the branch
to a release-specific, versioned name by replacing the static
"update-publiccode" with a dynamically constructed branch name using GitHub
Actions context (e.g., include github.ref_name, github.run_number or
github.run_id or short SHA) so each run creates a unique branch; update the
workflow step that sets branch: "update-publiccode" to build and use that
dynamic branch value (search for the literal branch: "update-publiccode" in the
workflow).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: ae01b70b-dd6c-4b1c-a76b-663db3c252d7
📒 Files selected for processing (3)
.github/dependabot.yml.github/workflows/update-bbb-recording-player.yml.github/workflows/update-publiccode-on-release.yml
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pull-locales.yml:
- Around line 123-128: The artifact upload step ("Upload locale files" that uses
actions/upload-artifact) misses deleted locale files because the workflow
uploads the working directory, not staged Git deletions performed by
ImportLocalesCommand (see git add -A lang usage); change the workflow to produce
and upload a Git patch (e.g., git diff --staged --name-only --diff-filter=D or
git format-patch / git diff --staged > locales-deletions.patch) or capture the
full staged changes (commit the changes in a temp branch or create an archive
from the index) and upload that patch/archive so deletions are preserved for the
downstream job instead of relying on the working tree files. Ensure the same
change is applied to both affected upload steps.
In @.github/workflows/update-bbb-recording-player.yml:
- Around line 19-33: The workflow creates player-release.json and
player-release-notes.md before the checkout step, but actions/checkout (uses:
actions/checkout@...) cleans untracked files by default and will delete them;
move the Checkout step (the action step that uses
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) so it runs before the
steps named "Get the latest BBB Recording Player release", "Extract the latest
BBB Recording Player version", and "Extract release notes" (or at least before
creating player-release.json and player-release-notes.md) so the created files
are not removed, preserving player-release-notes.md for the later PR body
creation.
- Around line 19-25: The GitHub Actions step "Get the latest BBB Recording
Player release" currently uses curl -s which won't fail on HTTP errors, causing
player-release.json to contain an error body and LATEST_PLAYER_VERSION to be
empty; change the curl invocation to fail on HTTP errors (e.g., use curl -fS
--show-error or --fail) so the step fails fast on non-2xx responses, keep
writing to player-release.json only on success, and in the "Extract the latest
BBB Recording Player version" step validate that the extracted
LATEST_PLAYER_VERSION (from player-release.json via jq) is non-empty and exit
with a failure if it's missing so the downstream dpkg --compare-versions logic
cannot silently treat an API failure as NEEDS_UPDATE=false.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 3d30a3b5-da9b-4dd6-8c42-1a4ac7ca9263
📒 Files selected for processing (2)
.github/workflows/pull-locales.yml.github/workflows/update-bbb-recording-player.yml
| - name: Upload locale files | ||
| if: steps.locale-changes.outputs.has_changes == 'true' | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | ||
| with: | ||
| name: locale-files | ||
| path: lang/**/*.php |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
For actions/upload-artifactandactions/download-artifact, if a first job stages deletions with Git, can those deletions be preserved by uploading only the current files, or is a patch/archive needed to carry deletions into a later job?
💡 Result:
No, uploading only the current files with actions/upload-artifact does not preserve Git-staged deletions when downloaded in a later job. Artifacts capture and restore only the existing files in the filesystem at upload time as a zip archive; staged deletions (in Git's index but not yet committed or reflected in the working directory) are not part of the filesystem snapshot and thus are lost upon download and extraction in the new job's clean workspace. To preserve deletions across jobs, create a Git patch capturing the staged changes (including deletions) and upload that as an artifact. In the later job, download and apply the patch after checkout. Example workflow snippet: First job (after staging deletions with git add -u or similar): - name: Create patch run: git diff --cached > changes.patch - uses: actions/upload-artifact@v4 with: name: git-changes path: changes.patch Later job: - uses: actions/checkout@v4 - uses: actions/download-artifact@v5 with: name: git-changes - name: Apply patch run: git apply changes.patch This applies the staged changes, including deletions, to the fresh checkout. Note: git apply works for uncommitted diffs; for more complex scenarios, consider archiving the entire .git directory (though large and not recommended) or committing changes before artifacting the repo state.
Citations:
- 1: https://github.com/actions/upload-artifact
- 2: https://github.com/actions/upload-artifact/blob/main/README.md
- 3: https://github.com/actions/upload-artifact/blob/v4/README.md
- 4: https://docs.github.com/en/actions/configuring-and-managing-workflows/persisting-workflow-data-using-artifacts
- 5: https://docs.github.com/en/actions/tutorials/store-and-share-data
- 6: https://stackoverflow.com/questions/57498605/github-actions-share-workspace-artifacts-between-jobs
Artifacts lose deleted locale files, leaving stale translations in the PR.
Line 125 uploads only files that exist at upload time, but app/Console/Commands/ImportLocalesCommand.php:91-111 deletes old locale PHP files before regenerating them. Since git add -A lang on lines 105–106 stages those deletions, the second job never receives them—artifacts capture only the working directory, not staged deletions from Git's index. The resulting PR can miss removed locale files.
Suggested fix: use a Git patch instead
- name: Detect locale changes
id: locale-changes
run: |
git add -A lang
if git diff --cached --quiet; then
echo "has_changes=false" >> "$GITHUB_OUTPUT"
echo "No locale changes detected."
else
echo "has_changes=true" >> "$GITHUB_OUTPUT"
+ git diff --cached --binary -- lang > locale.patch
fi
- - name: Upload locale files
+ - name: Upload locale patch
if: steps.locale-changes.outputs.has_changes == 'true'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
- name: locale-files
- path: lang/**/*.php
+ name: locale-patch
+ path: locale.patch
...
- - name: Download locale files
+ - name: Download locale patch
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
- name: locale-files
+ name: locale-patch
+
+ - name: Apply locale patch
+ run: git apply --index locale.patchAlso applies to: 145–154
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/pull-locales.yml around lines 123 - 128, The artifact
upload step ("Upload locale files" that uses actions/upload-artifact) misses
deleted locale files because the workflow uploads the working directory, not
staged Git deletions performed by ImportLocalesCommand (see git add -A lang
usage); change the workflow to produce and upload a Git patch (e.g., git diff
--staged --name-only --diff-filter=D or git format-patch / git diff --staged >
locales-deletions.patch) or capture the full staged changes (commit the changes
in a temp branch or create an archive from the index) and upload that
patch/archive so deletions are preserved for the downstream job instead of
relying on the working tree files. Ensure the same change is applied to both
affected upload steps.
| - name: Get the latest BBB Recording Player release | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| curl -s --request GET \ | ||
| --url "https://api.github.com/repos/bigbluebutton/bbb-playback/releases/latest" \ | ||
| --header "Authorization: Bearer $GH_TOKEN" \ | ||
| > player-release.json | ||
| - name: Extract the latest BBB Recording Player version | ||
| run: echo "LATEST_PLAYER_VERSION=$(jq -r '.tag_name' player-release.json | sed 's/^v//')" >> $GITHUB_ENV | ||
| - name: Extract release notes | ||
| run: | | ||
| RELEASE_NOTES=$(jq -r '.body' player-release.json) | ||
| echo "RELEASE_NOTES<<EOF" >> $GITHUB_ENV | ||
| echo "$RELEASE_NOTES" >> $GITHUB_ENV | ||
| echo "EOF" >> $GITHUB_ENV | ||
| jq -r '.body // ""' player-release.json > player-release-notes.md | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| fetch-depth: 2 | ||
| persist-credentials: false |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
For actions/checkout@v6, what is the default value of clean, and does it delete untracked files created earlier in $GITHUB_WORKSPACE?
💡 Result:
The default value of clean for actions/checkout@v6 is true. When clean is true (the default), it executes git clean -ffdx && git reset --hard HEAD before fetching, which deletes untracked files (including those created earlier in $GITHUB_WORKSPACE) and resets any changes. Yes, it deletes untracked files created earlier in $GITHUB_WORKSPACE.
Citations:
- 1: https://github.com/actions/checkout/blob/main/action.yml
- 2: https://raw.githubusercontent.com/actions/checkout/v6/action.yml
- 3: https://github.com/actions/checkout?tab=readme-ov-file
- 4: https://github.com/actions/checkout/tree/v6.0.0
- 5: v6 clean: false still deletes my files that were checkedout from other directory. actions/checkout#2348
- 6: https://stackoverflow.com/questions/76030406/github-actions-checkoutv3-will-delete-unwatched-file-on-the-server
Move checkout before creating release notes file.
The actions/checkout@v6 action has clean: true by default, which runs git clean -ffdx && git reset --hard HEAD to delete untracked files. Since lines 19-28 create player-release.json and player-release-notes.md as untracked files before checkout at line 30, these files will be deleted. When line 61 attempts to read player-release-notes.md to create the PR body, it will fail with a file-not-found error.
Suggested fix
- - name: Get the latest BBB Recording Player release
- run: |
- curl -s --request GET \
- --url "https://api.github.com/repos/bigbluebutton/bbb-playback/releases/latest" \
- > player-release.json
- - name: Extract the latest BBB Recording Player version
- run: echo "LATEST_PLAYER_VERSION=$(jq -r '.tag_name' player-release.json | sed 's/^v//')" >> $GITHUB_ENV
- - name: Extract release notes
- run: |
- jq -r '.body // ""' player-release.json > player-release-notes.md
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 2
persist-credentials: false
+ - name: Get the latest BBB Recording Player release
+ run: |
+ curl -s --request GET \
+ --url "https://api.github.com/repos/bigbluebutton/bbb-playback/releases/latest" \
+ > player-release.json
+ - name: Extract the latest BBB Recording Player version
+ run: echo "LATEST_PLAYER_VERSION=$(jq -r '.tag_name' player-release.json | sed 's/^v//')" >> "$GITHUB_ENV"
+ - name: Extract release notes
+ run: |
+ jq -r '.body // ""' player-release.json > player-release-notes.md🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/update-bbb-recording-player.yml around lines 19 - 33, The
workflow creates player-release.json and player-release-notes.md before the
checkout step, but actions/checkout (uses: actions/checkout@...) cleans
untracked files by default and will delete them; move the Checkout step (the
action step that uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd)
so it runs before the steps named "Get the latest BBB Recording Player release",
"Extract the latest BBB Recording Player version", and "Extract release notes"
(or at least before creating player-release.json and player-release-notes.md) so
the created files are not removed, preserving player-release-notes.md for the
later PR body creation.
| - name: Get the latest BBB Recording Player release | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| curl -s --request GET \ | ||
| --url "https://api.github.com/repos/bigbluebutton/bbb-playback/releases/latest" \ | ||
| --header "Authorization: Bearer $GH_TOKEN" \ | ||
| > player-release.json | ||
| - name: Extract the latest BBB Recording Player version | ||
| run: echo "LATEST_PLAYER_VERSION=$(jq -r '.tag_name' player-release.json | sed 's/^v//')" >> $GITHUB_ENV |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
With curlagainst the GitHub Releases API, does-salone fail the step on HTTP 4xx/5xx responses, and what doesjq -r '.tag_name' return when that field is missing?
💡 Result:
No, curl -s alone does not fail the step (i.e., it exits with code 0) on HTTP 4xx/5xx responses. The -s or --silent flag only suppresses progress meter and error messages to stderr; it does not affect the exit status. Curl exits with code 0 for HTTP 4xx/5xx unless -f/--fail is used, which causes exit code 22 on 4xx/5xx. With -s alone, the response body (often HTML error page for GitHub Releases API 404) is output to stdout, and no error is shown due to silence. jq -r '.tag_name' returns nothing (empty output, no characters, not even "null") when the .tag_name field is missing or null in the input JSON. For a missing field in an object, .tag_name yields null; -r on null produces no output. For GitHub Releases API success (200), tag_name is present as required string. For 404 error, the body is an error object like {"message": "Not Found", ...} without tag_name, so jq outputs nothing. jq exits 0 unless using -e and result is false/null with no output.
Citations:
- 1: http://curl.se/docs/manpage.html
- 2: https://www.man7.org/linux/man-pages/man1/curl.1.html
- 3: https://everything.curl.dev/cmdline/exitcode.html
- 4: https://manpages.org/jq
- 5: [Schema Inaccuracy] the /repos/{owner}/{repo}/releases/latest endpoint can return a 404 github/rest-api-description#3726
- 6: https://docs.github.com/v3/repos/releases
🏁 Script executed:
cat -n .github/workflows/update-bbb-recording-player.ymlRepository: THM-Health/PILOS
Length of output: 3827
🏁 Script executed:
#!/bin/bash
# Test dpkg --compare-versions with empty version
echo "Testing dpkg --compare-versions with empty version:"
dpkg --compare-versions "" gt "1.0.0" && echo "Exit: $?" || echo "Exit: $?"
echo -e "\nTesting dpkg --compare-versions with valid versions:"
dpkg --compare-versions "2.0.0" gt "1.0.0" && echo "Exit: $?" || echo "Exit: $?"
echo -e "\nTesting jq on error JSON (GitHub 404 response):"
# Simulate GitHub 404 response
echo '{"message": "Not Found", "documentation_url": "https://docs.github.com/rest/releases/releases#get-the-latest-release"}' | jq -r '.tag_name'
echo "jq exit code: $?"
echo -e "\nTesting jq on empty/null field with -r flag:"
echo '{"body": "some content"}' | jq -r '.tag_name'
echo "jq exit code for missing field: $?"
echo -e "\nTesting jq with -e flag on missing field:"
echo '{"body": "some content"}' | jq -e '.tag_name'
echo "jq -e exit code: $?"Repository: THM-Health/PILOS
Length of output: 510
Fail fast when the GitHub release fetch fails.
Line 21 uses curl -s, which does not fail on HTTP 4xx/5xx errors—the error response body is written to player-release.json. Line 25 then extracts an empty/null version from the error response, and the dpkg --compare-versions on lines 38-42 treats this as a failed comparison, silently setting NEEDS_UPDATE=false instead of alerting to the API failure.
Suggested fix
- name: Get the latest BBB Recording Player release
run: |
- curl -s --request GET \
- --url "https://api.github.com/repos/bigbluebutton/bbb-playback/releases/latest" \
- > player-release.json
+ curl --fail-with-body --silent --show-error \
+ --retry 3 --retry-all-errors \
+ --request GET \
+ --url "https://api.github.com/repos/bigbluebutton/bbb-playback/releases/latest" \
+ > player-release.json
- name: Extract the latest BBB Recording Player version
- run: echo "LATEST_PLAYER_VERSION=$(jq -r '.tag_name' player-release.json | sed 's/^v//')" >> $GITHUB_ENV
+ run: echo "LATEST_PLAYER_VERSION=$(jq -e -r '.tag_name' player-release.json | sed 's/^v//')" >> "$GITHUB_ENV"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/update-bbb-recording-player.yml around lines 19 - 25, The
GitHub Actions step "Get the latest BBB Recording Player release" currently uses
curl -s which won't fail on HTTP errors, causing player-release.json to contain
an error body and LATEST_PLAYER_VERSION to be empty; change the curl invocation
to fail on HTTP errors (e.g., use curl -fS --show-error or --fail) so the step
fails fast on non-2xx responses, keep writing to player-release.json only on
success, and in the "Extract the latest BBB Recording Player version" step
validate that the extracted LATEST_PLAYER_VERSION (from player-release.json via
jq) is non-empty and exit with a failure if it's missing so the downstream dpkg
--compare-versions logic cannot silently treat an API failure as
NEEDS_UPDATE=false.
Type
Checklist
Changes
Other information
Summary by CodeRabbit
New Features
Chores