
[Sync] Update project files from source repository (2f986b0) #206

Merged
mrz1836 merged 1 commit into master from
chore/sync-files-mrz-sdks-20260307-165359-2f986b0
Mar 7, 2026

@mrz1836 mrz1836 commented Mar 7, 2026

What Changed

  • Modified .github/actions/parse-env/action.yml to move the ENV_JSON input from an inline shell variable to the env: context for improved security
  • Added a new github-token input parameter to .github/actions/setup-go-with-cache/action.yml for private module authentication (optional, defaults to empty string)
  • Added a new conditional step "🔐 Configure private module authentication" in setup-go-with-cache that configures git authentication for private Go modules when both github-token and GOPRIVATE are set
  • Updated multiple workflow files to pass github-token: ${{ secrets.GITHUB_TOKEN }} to the setup-go-with-cache action
  • Modified environment variable files including 00-core.env, 10-mage-x.env, and 10-pre-commit.env (specific changes to variables like MAGE_X_VERSION from v1.12.1 to v1.12.2)
  • Added or updated permissions: blocks in various workflow files to explicitly set contents: read

Why It Was Necessary

  • Moving ENV_JSON to the environment context prevents potential injection attacks by avoiding direct interpolation of user input into shell scripts
  • Private Go module support enables workflows to access dependencies hosted in private repositories without manual git configuration
  • Explicit permission declarations follow GitHub Actions security best practices by implementing least-privilege access
  • Version updates ensure workflows use the latest stable releases of tooling dependencies

Testing Performed

  • Validated that environment variable parsing continues to work with the new env: context approach
  • Verified that private module authentication only triggers when both GOPRIVATE is set and a token is provided
  • Confirmed existing workflows continue to function with the new permission blocks and token passing
  • Tested that GONOSUMDB is automatically set to match GOPRIVATE when not explicitly defined

Impact / Risk

  • Breaking Change: None - all changes are backward compatible with optional parameters and conditional logic
  • Security Improvement: Reduced injection attack surface by moving input handling to environment context; explicit permissions limit workflow scope
  • Risk: Low - private module authentication is opt-in and only activates when explicitly configured with both GOPRIVATE and a token

@mrz1836 mrz1836 self-assigned this Mar 7, 2026
@mrz1836 mrz1836 added labels Mar 7, 2026: automated-sync (Automated sync PR, e.g. from a fork or external repo), automerge (Label to automatically merge pull requests that meet all required conditions), chore (Simple dependency updates or version bumps)
@github-actions github-actions Bot added labels Mar 7, 2026: size/M (Medium change, 51–200 lines), update (General updates)
@mrz1836 mrz1836 merged commit aba2763 into master Mar 7, 2026
46 checks passed
@github-actions github-actions Bot deleted the chore/sync-files-mrz-sdks-20260307-165359-2f986b0 branch March 7, 2026 22:01
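
An added example, not code from this pull request or its repository: a small check that flags caller-controlled `${{ }}` expressions interpolated directly into `run:` scripts, the pattern the description says was replaced by an `env:` mapping in parse-env. The two YAML fragments are constructed for illustration, the input name `env-json` is hypothetical, and the list of untrusted contexts is an assumption of this example.

```python
import re

# Contexts whose values a caller or event author controls (assumed list for this example).
UNTRUSTED = re.compile(r"\$\{\{\s*((?:inputs|github\.event|github\.head_ref)\b[^}]*?)\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?(run):\s*(.*)$")


def find_inline_expressions(yaml_text):
    """Return [(line_number, expression)] for untrusted ${{ }} inside run: scripts.

    Line-based scan without a YAML parser: a script is the run: line plus
    every following line that is blank or indented deeper than the run: key.
    """
    findings = []
    run_col = None  # column of the active run: key; None outside a script
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > run_col:
                findings += [(number, m.group(1)) for m in UNTRUSTED.finditer(line)]
                continue
            run_col = None  # dedent: script body ended, re-examine this line
        key = RUN_KEY.match(line)
        if key:
            run_col = key.start(1)
            findings += [(number, m.group(1)) for m in UNTRUSTED.finditer(key.group(2))]
    return findings


# Constructed composite-action fragments; the input name env-json is hypothetical.
BEFORE = """\
runs:
  using: composite
  steps:
    - name: Parse env
      shell: bash
      run: |
        ENV_JSON='${{ inputs.env-json }}'
        echo "$ENV_JSON" | jq -r 'keys[]'
"""
AFTER = BEFORE.replace(
    "      run: |\n        ENV_JSON='${{ inputs.env-json }}'\n",
    "      env:\n        ENV_JSON: ${{ inputs.env-json }}\n      run: |\n",
)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, find_inline_expressions(text))
```

In the `AFTER` fragment the expression is still present, but only as a value under `env:`, so the shell receives it as data in `$ENV_JSON` rather than as part of the script text.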