microsoft · zhogu · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025 · Oct 15, 2025
@@ -55,9 +55,8 @@ jobs:
           changed_files=$(git diff --name-only "$base_sha" "$head_sha")
           echo "Changed files: $changed_files"
 
-          # extract service folders under src/, skip alert-manager
+          # extract service folders under src/
           folders=$(echo "$changed_files" | grep '^src/' \
-            | grep -v 'alert-manager' \
             |  awk -F'/' '{print $2}' \
             | sort -u | tr '\n' ' ')
           echo "Changed folders: $folders"
@@ -84,6 +83,17 @@ jobs:
         if: steps.check.outputs.has_changed == 'true'
         run: python -m pip install --break-system-packages pyyaml jinja2 paramiko etcd3 protobuf==3.20.3 kubernetes gitpython
 
+      - name: Install Special libs
+        if: steps.check.outputs.has_changed == 'true'
+        run: |
+          # check whether steps.changes.outputs.folders contains 'alert-manager'
+          if echo "${{ steps.changes.outputs.folders }}" | grep -q "alert-manager"; then
+            echo "Installing python-icm alertmanager dependencies..."
+            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
-            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
+            tmpfile=$(mktemp)
+            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > "$tmpfile"
+            chmod 600 "$tmpfile"
+            mv "$tmpfile" python-icm.zip
-            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
+            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
+            # Validate zip contents before extraction
+            if unzip -l python-icm.zip | awk '{print $4}' | grep -E '(^/|(\.\./))'; then
+              echo "Error: Zip file contains unsafe paths. Aborting extraction." >&2
+              exit 1
+            fi
-            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
+            tmpfile=$(mktemp)
+            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > "$tmpfile"
+            chmod 600 "$tmpfile"
+            mv "$tmpfile" python-icm.zip
-            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
+            echo "${{ secrets.ICM_PACKAGE_B64 }}" | base64 -d > python-icm.zip
+            # Validate zip contents before extraction
+            if unzip -l python-icm.zip | awk '{print $4}' | grep -E '(^/|(\.\./))'; then
+              echo "Error: Zip file contains unsafe paths. Aborting extraction." >&2
+              exit 1
+            fi
+            unzip -o python-icm.zip -d $GITHUB_WORKSPACE/src/alert-manager/src/node-recycler/python-icm
+            ls -l $GITHUB_WORKSPACE/src/alert-manager/src/node-recycler/python-icm
+          fi
+
       - name: Decode and unzip config file
         if: steps.check.outputs.has_changed == 'true'
         run: |
@@ -169,4 +179,3 @@ jobs:
             exit 1
           fi
           echo "Virtual cluster info: $vc_info"
-
diff --git a/src/alert-manager/.gitignore b/src/alert-manager/.gitignore
@@ -1,4 +1,6 @@
 # Dependency directories
 node_modules/
 
-deploy/icm-certs/
+deploy/icm-certs/
+
+**/kusto-sdk/