Replace change detection GitHub Action #12188
Conversation
charliermarsh
force-pushed
the
charlie/change
branch
3 times, most recently
from
db0fc27 to
dd7e0b0
Compare
charliermarsh
had a problem deploying
to
uv-test-publish
GitHub Actions
Error
charliermarsh
force-pushed
the
charlie/change
branch
from
dd7e0b0 to
1d92054
Compare
charliermarsh
added
testing
charliermarsh
changed the title
charliermarsh
had a problem deploying
to
uv-test-publish
GitHub Actions
Error
charliermarsh
force-pushed
the
charlie/change
branch
from
1d92054 to
9f9acdf
Compare
charliermarsh
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
.github/workflows/ci.yml
Outdated
| while IFS= read -r file; do | ||
| # Skip if file matches exclusion patterns. | ||
| if [[ "$file" =~ ^docs/ && ! "$file" =~ ^docs/reference/(cli|settings).md && ! "$file" =~ ^docs/configuration/environment.md ]]; then | ||
| echo "Skipping $file (matches `docs/` pattern)" |
There was a problem hiding this comment.
These backticks are going to evaluate
❯ echo "foo `bar`"
zsh: command not found: bar
foo
9f9acdf to
2dfd32a
Compare
charliermarsh
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
.github/workflows/ci.yml
Outdated
|
|
||
| while IFS= read -r file; do | ||
| # Skip if file matches exclusion patterns. | ||
| if [[ "$file" =~ ^docs/ && ! "$file" =~ ^docs/reference/(cli|settings).md && ! "$file" =~ ^docs/configuration/environment.md ]]; then |
There was a problem hiding this comment.
I'd use "${file}" throughout — I don't think there's an attack vector here because of the way you're iterating but it's safer.
.github/workflows/ci.yml
Outdated
| CODE_CHANGED=true | ||
| break | ||
|
|
||
| done <<< "$CHANGED_FILES" |
There was a problem hiding this comment.
| done <<< "$CHANGED_FILES" | |
| done <<< "${CHANGED_FILES}" |
.github/workflows/ci.yml
Outdated
| break | ||
|
|
||
| done <<< "$CHANGED_FILES" | ||
| echo "code_any_changed=$CODE_CHANGED" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
| echo "code_any_changed=$CODE_CHANGED" >> "$GITHUB_OUTPUT" | |
| echo "code_any_changed=${CODE_CHANGED}" >> "$GITHUB_OUTPUT" |
| - "!**/*.md" | ||
| - "!bin/**" | ||
| - "!assets/**" | ||
| # Generated markdown and JSON files are checked during test runs |
There was a problem hiding this comment.
It might be worth retaining the comment on why we run tests on these files
charliermarsh
force-pushed
the
charlie/change
branch
from
2dfd32a to
d057844
Compare
charliermarsh
temporarily deployed
to
uv-test-publish
GitHub Actions
Inactive
|
Hi, @charliermarsh. First of all, thank you for the above remediating security risk quickly. Could you please kindly comment if you have plans to disclose some sort of post-mortem outlining potential impact on uv users? Are there any actions which should be done on user side to remediate impact of potentially leaked uv CI secrets? |
|
Good question: There's no action required on the user side and no impact to our users. We rotated all secrets in the repository, and no secrets that facilitate PyPI publishing were exposed since we use Trusted Publishing. |
|
Good! Thank you so much for quick response! |
Summary
tj-actions/changed-filesno longer exists due to a malicious commit. This PR replaces it with a minimal shell script to get us unblocked.