[DI-48] fix: replace vulnerable tj-actions actions with dorny/paths-filter by trajan0x · Pull Request #3595 · synapsecns/sanguine · GitHub

[DI-48] fix: replace vulnerable tj-actions actions with dorny/paths-filter #3595

Merged (1 commit), Mar 16, 2025
64 changes: 34 additions & 30 deletions .github/workflows/go.yml
@@ -53,29 +53,31 @@ jobs:

- name: Check For Solidity Changes
id: filter_solidity
uses: tj-actions/changed-files@v26.1
uses: dorny/paths-filter@v2
with:
files: |
**/*.sol
filters: |
sol:
- '**/*.sol'
Comment on lines +56 to +60 (Contributor):
💡 Verification agent

❓ Verification inconclusive

Update dorny/paths-filter Version for Solidity Changes

The step for checking Solidity file changes uses dorny/paths-filter@v2, which static analysis flagged as outdated. Consider upgrading to a newer version (e.g. v3) to ensure compatibility and improved performance on GitHub Actions.


Action Required: Upgrade dorny/paths-filter Version in Workflow

In .github/workflows/go.yml at lines 56–60, the workflow currently uses:

uses: dorny/paths-filter@v2

Static analysis indicates that version 2 is outdated for handling recent Solidity file changes. Upgrading to dorny/paths-filter@v3 should improve compatibility and performance on GitHub Actions. Please update the version accordingly. For example:

-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@v3
🧰 Tools
🪛 actionlint (1.7.4)

56-56: the runner of "dorny/paths-filter@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


- name: Check For GolangCI Changes
id: golangci_changed
uses: tj-actions/changed-files@v26.1
uses: dorny/paths-filter@v2
with:
# note: without building a yaml tree of our workflow, we won't be able to tell if golangci version changed so any ci change triggers full lint.
files: |
.golangci.yml
.golangci-version
.github/workflows/go.yml
filters: |
config:
- '.golangci.yml'
- '.golangci-version'
Comment on lines 63 to +70 (Contributor):

💡 Verification agent

🛠️ Refactor suggestion

❓ Verification inconclusive

Update dorny/paths-filter Version for GolangCI Check

Similarly, the “Check For GolangCI Changes” step is using dorny/paths-filter@v2. Upgrading this action to a newer version would help avoid potential runtime issues and align with current best practices.


Action Required: Upgrade dorny/paths-filter to a newer version

In the workflow file (.github/workflows/go.yml, lines 63–70) the “Check For GolangCI Changes” step currently uses dorny/paths-filter@v2. To help prevent potential runtime issues and to stay in line with current best practices, please update this action to the latest available version (e.g., dorny/paths-filter@v3 if available). Ensure that after updating you verify the filtering behavior—especially the detection of changes to .golangci.yml and .golangci-version—remains as expected.

🧰 Tools
🪛 actionlint (1.7.4)

64-64: the runner of "dorny/paths-filter@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

- '.github/workflows/go.yml'


- name: Run step if any of the listed files above change
if: steps.filter_solidity.outputs.any_changed == 'true'
if: steps.filter_solidity.outputs.sol == 'true'
run: |
echo "One or more files listed above has changed."

- name: Golangci changed
if: steps.golangci_changed.outputs.any_changed == 'true'
if: steps.golangci_changed.outputs.config == 'true'
run: |
echo "Golangci has changed."
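Review bot: both replacements in this hunk (`uses: dorny/paths-filter@v2` at the Solidity and GolangCI steps) are pinned to a mutable major-version tag rather than a commit SHA, which leaves the same exposure the PR is removing: a retargeted tag runs unreviewed code with this job's token. Pin every `uses:` introduced by this PR to a full-length commit SHA with the version in a trailing comment, e.g. `uses: dorny/paths-filter@<commit-sha>  # v3` (`<commit-sha>` is a placeholder), and move to `v3` while doing so, since actionlint reports that the v2 runner is too old for GitHub Actions. The filter keys (`sol`, `config`) match the `steps.*.outputs.*` references in the `if:` conditions below, and all three GolangCI paths carried over, so the filtering logic itself looks complete.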

@@ -458,28 +460,29 @@ jobs:
GOMEMLIMIT: 6GiB
GOGC: -1

- name: Verify Changed files
uses: tj-actions/verify-changed-files@v11.1
id: verify-changed-files
- name: Filter Changed files
uses: dorny/paths-filter@v2
id: filter-changed-files
with:
files: |
*.go
filters: |
go:
- '*.go'
Comment on lines +464 to +469 (Contributor):

💡 Verification agent

❓ Verification inconclusive

Upgrade dorny/paths-filter in Go Files Change Detection

The “Filter Changed files” step (for Go files) is implemented with dorny/paths-filter@v2. As static analysis indicates that this version is too old, please consider updating to a supported release (such as v3) for enhanced reliability.


Action Required: Upgrade dorny/paths-filter Action in Workflow

Our search confirms that the workflow file at .github/workflows/go.yml (lines 464–469) still uses dorny/paths-filter@v2. Static analysis indicates that this version is outdated, and upgrading to a supported release (e.g., v3) would provide enhanced reliability. Please update the version reference and verify that the new version integrates smoothly with the existing workflow configuration.

  • File: .github/workflows/go.yml
  • Lines: 464–469 (update the uses directive from dorny/paths-filter@v2 to dorny/paths-filter@v3)
🧰 Tools
🪛 actionlint (1.7.4)

464-464: the runner of "dorny/paths-filter@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


- name: List all changed files tracked and untracked files
if: steps.verify-changed-files.outputs.files_changed == 'true'
- name: List changed files
if: steps.filter-changed-files.outputs.go == 'true'
run: |
echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
echo "Go files have been changed"

# Fail if files need regeneration
# TODO: this can run into a bit of a race condition if any other label is removed/added while this is run, look into fixing this by dispatching another workflow
- name: Add Label
if: ${{ !contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.verify-changed-files.outputs.files_changed == 'true' }}
if: ${{ !contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.filter-changed-files.outputs.go == 'true' }}
uses: ./.github/actions/add-label
with:
label: 'needs-go-generate-${{matrix.package}}'

- name: Remove Label
if: ${{ contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.verify-changed-files.outputs.files_changed != 'true' }}
if: ${{ contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.filter-changed-files.outputs.go != 'true' }}
uses: ./.github/actions/remove-label
with:
label: 'needs-go-generate-${{matrix.package}}'
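Review bot: the swap changes what this step measures, and the lines around it depend on the old meaning. `tj-actions/verify-changed-files` reported files modified in the working tree by earlier steps in the job, which is what the `# Fail if files need regeneration` comment and the `needs-go-generate-${{matrix.package}}` label rely on; `dorny/paths-filter` instead reports whether the PR's own diff touches `*.go`, so `steps.filter-changed-files.outputs.go` will be `'true'` for nearly any Go change and the Add Label / Remove Label conditions no longer tell whether generated code is stale. To keep the original semantics without a third-party action, replace the filter step with a `run:` that executes `git diff --quiet -- '*.go' && echo "changed=false" >> "$GITHUB_OUTPUT" || echo "changed=true" >> "$GITHUB_OUTPUT"` and key the three `if:` conditions on that output. Two smaller points: under paths-filter's glob matching `*.go` only matches files at the repository root, so nested packages would need `**/*.go`, and the `List changed files` step lost the actual file list the old `changed_files` output printed, which `git status --porcelain` would restore.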
@@ -613,28 +616,29 @@ jobs:
GOMEMLIMIT: 6GiB
GOGC: -1

- name: Verify Changed files
uses: tj-actions/verify-changed-files@v11
id: verify-changed-files
- name: Filter Changed files
uses: dorny/paths-filter@v2
id: filter-changed-files
with:
files: |
*.go
filters: |
go:
- '*.go'

Comment on lines +619 to 626 (Contributor):

💡 Verification agent

🧩 Analysis chain

Upgrade dorny/paths-filter in Module Generation

Another instance of dorny/paths-filter@v2 appears in the module generation section. Upgrading this action to a current version will improve consistency and compatibility across your workflows.


Action Required: Upgrade dorny/paths-filter to the Latest Version Across Workflows

It appears that the dorny/paths-filter@v2 action is used in multiple workflow files:

  • In .github/workflows/go.yml at lines 619–626.
  • In the module generation workflow (as mentioned in your comment).

For improved consistency and compatibility, please upgrade all usages of this action (including the module generation instance) to the latest released version.


🏁 Script executed:

#!/bin/bash
# Search for all usages of dorny/paths-filter with version "v2" in GitHub workflow files.
rg "dorny/paths-filter@v2" .github/workflows

Length of output: 357


Upgrade dorny/paths-filter Action Version Across Workflows

The GitHub workflows currently reference dorny/paths-filter@v2 in multiple locations:

  • In .github/workflows/go.yml (including lines 619–626).
  • In .github/workflows/packages.yml (which appears to cover module generation).

Upgrading all instances to the latest version will improve consistency and compatibility across your workflows. Please update these references accordingly.

🧰 Tools
🪛 actionlint (1.7.4)

620-620: the runner of "dorny/paths-filter@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

- name: List all changed files tracked and untracked files
if: steps.verify-changed-files.outputs.files_changed == 'true'
- name: List changed files
if: steps.filter-changed-files.outputs.go == 'true'
run: |
echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
echo "Go files have been changed"

# Fail if files need regeneration
# TODO: this can run into a bit of a race condition if any other label is removed/added while this is run, look into fixing this by dispatching another workflow
- name: Add Label
if: ${{ !contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.verify-changed-files.outputs.files_changed == 'true' }}
if: ${{ !contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.filter-changed-files.outputs.go == 'true' }}
uses: ./.github/actions/add-label
with:
label: 'needs-go-generate-${{matrix.package}}'

- name: Remove Label
if: ${{ contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.verify-changed-files.outputs.files_changed != 'true' }}
if: ${{ contains(fromJson(needs.pr_metadata.outputs.labels), format('needs-go-generate-{0}', matrix.package)) && steps.filter-changed-files.outputs.go != 'true' }}
uses: ./.github/actions/remove-label
with:
label: 'needs-go-generate-${{matrix.package}}'
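Review bot: this hunk is a copy of the generation-check block earlier in the file and carries the same regression: `dorny/paths-filter` reports files in the PR diff rather than files rewritten by the preceding generation step, so the `needs-go-generate-${{matrix.package}}` add/remove conditions on `steps.filter-changed-files.outputs.go` no longer reflect whether regeneration is needed, and `*.go` matches root-level files only. A `git diff --quiet -- '*.go'` step that writes its own `changed` output restores the intent; since the block now appears twice in go.yml, consider factoring it into a composite action beside `./.github/actions/add-label` so the two jobs cannot drift, and pin it by commit SHA like the other actions in this PR.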
4 changes: 3 additions & 1 deletion .github/workflows/goreleaser-actions.yml
@@ -159,7 +159,9 @@ jobs:

- name: Get branch name
id: branch-name
uses: tj-actions/branch-names@v6
run: |
echo "is_default=$([ "$GITHUB_REF" == "refs/heads/${{ github.event.repository.default_branch }}" ] && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT
echo "current_branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT

- name: Bump version and push tag
id: tag_version
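Review bot: `current_branch=${GITHUB_REF#refs/heads/}` is only correct on branch pushes. On `pull_request` events `GITHUB_REF` is `refs/pull/<n>/merge` and on tag pushes it is `refs/tags/<tag>`, so the prefix strip is a no-op and `current_branch` receives the raw ref, whereas `tj-actions/branch-names` returned the PR head branch; any downstream tagging that reads `steps.branch-name.outputs.current_branch` will see different values than before. Prefer the built-in contexts: `${{ github.head_ref || github.ref_name }}` for the branch and `${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}` for `is_default`, which also removes the `[ ... == ... ]` bash-ism. Quote `"$GITHUB_OUTPUT"` on both `>>` redirections.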
21 changes: 11 additions & 10 deletions .github/workflows/packages.yml
@@ -66,29 +66,30 @@ jobs:
with:
version: nightly

- name: Verify Changed files
uses: tj-actions/verify-changed-files@v11.1
id: verify-yarn-lock
- name: Filter changed files
uses: dorny/paths-filter@v2
id: filter-yarn-lock
with:
files: |
yarn.lock
filters: |
yarn:
- 'yarn.lock'

- name: Add Label
if: ${{ steps.verify-yarn-lock.outputs.files_changed == 'true' && github.event_name != 'push' }}
if: ${{ steps.filter-yarn-lock.outputs.yarn == 'true' && github.event_name != 'push' }}
uses: ./.github/actions/add-label
with:
label: 'needs-yarn-install'

- name: Remove Label
if: ${{ steps.verify-yarn-lock.outputs.files_changed != 'true' && github.event_name != 'push' }}
if: ${{ steps.filter-yarn-lock.outputs.yarn != 'true' && github.event_name != 'push' }}
uses: ./.github/actions/remove-label
with:
label: 'needs-yarn-install'

- name: List all changed files tracked and untracked files
if: steps.verify-changed-files.outputs.files_changed == 'true'
- name: List changed files
if: steps.filter-yarn-lock.outputs.yarn == 'true'
run: |
echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
echo "Changed files: yarn.lock"

- name: Run tests # Run tests of all packages
run: yarn test:coverage
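Review bot: same measurement change as in go.yml. Judging by the `needs-yarn-install` label, the old step asked whether `yarn.lock` was modified in the working tree after the install ran in this job; `steps.filter-yarn-lock.outputs.yarn` only says whether the PR itself edited `yarn.lock`, so the label now fires on every lockfile edit and no longer fires when the lockfile is stale. A `run:` step with `git diff --quiet -- yarn.lock` writing a `changed` output to `"$GITHUB_OUTPUT"` restores the intent, and the `List changed files` step could print `git status --porcelain -- yarn.lock` instead of the fixed string. The hunk does fix a latent bug worth keeping: the old `List` step conditioned on `steps.verify-changed-files`, an id not defined anywhere in this hunk, so it could never run; the new `filter-yarn-lock` reference is consistent with the step id above.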