Core 1345 support skipping image build and testing when only nomad or nomad pack change made skip test by tundeaoni · Pull Request #137 · remerge/workflows

tundeaoni · 2025-10-31T18:42:39Z

https://remerge.atlassian.net/browse/CORE-1345

remerge-hal · 2025-10-31T18:43:00Z

This comment ensures that the correct Slack channel is notified after the team/project label CORE has been added to this pull request.

See this comment for details.

.github/workflows/go-checks.yml

+
+      - name: Get changed files
+        id: changed
+        uses: tj-actions/changed-files@v45


.github/workflows/go-checks.yml

+             "Dockerfile"
+          )
+          echo "🔍 Changed files:"
+          echo "${{ steps.changed.outputs.all_changed_files }}"


To fix this code injection vulnerability, we should avoid placing ${{ steps.changed.outputs.all_changed_files }} directly inside shell commands. Instead, we should pass the value as an environment variable and reference it using native shell syntax ($ALL_CHANGED_FILES). Specifically, in the affected step, set up an env mapping:

env: ALL_CHANGED_FILES: ${{ steps.changed.outputs.all_changed_files }}

and then refer to $ALL_CHANGED_FILES in the shell script. This change should be made in the step named "Check if only irrelevant files changed," covering all uses of steps.changed.outputs.all_changed_files inside the run block.

The affected lines are:

100: echo "${{ steps.changed.outputs.all_changed_files }}"

123: done <<< "$(echo "${{ steps.changed.outputs.all_changed_files }}" | tr ',' '\n')"

These should both refer to the environment variable using the shell-native form:

On line 100, change to echo "$ALL_CHANGED_FILES"

On line 123, change to done <<< "$(echo "$ALL_CHANGED_FILES" | tr ',' '\n')"

We will also add the appropriate env mapping in the step definition.

.github/workflows/go-checks.yml

+              ONLY_IRRELEVANT=false
+              break
+            fi
+          done <<< "$(echo "${{ steps.changed.outputs.all_changed_files }}" | tr ',' '\n')"


To fix the issue, we need to avoid interpolating the untrusted input using ${{ ... }} directly in the shell context inside the run: block. The best practice is to pass the value to the shell via an intermediate environment variable (set via env:), and then reference it using $VARIABLE.

Steps to fix:

In the affected step (Check if only irrelevant files changed), under env:, add a variable like ALL_CHANGED_FILES: ${{ steps.changed.outputs.all_changed_files }}.

In the shell script, replace direct usage of ${{ steps.changed.outputs.all_changed_files }} with $ALL_CHANGED_FILES.

Specifically, the line:
done <<< "$(echo "${{ steps.changed.outputs.all_changed_files }}" | tr ',' '\n')"
should become:
done <<< "$(echo "$ALL_CHANGED_FILES" | tr ',' '\n')"

Also, any other echo or usage of the same variable via ${{ ... }} should be updated to $ALL_CHANGED_FILES for consistency and safety.

No additional libraries are needed. You only need to add the environment variable definition and reference it using the shell’s $ syntax inside the script.

tundeaoni added 2 commits October 31, 2025 19:39

CORE-1345 Support skip test steps if non app code changes made

46e474e

CORE-1345 Support skip test steps if non app code changes made

e3ca8a4

tundeaoni requested a review from a team as a code owner October 31, 2025 18:42

remerge-hal added the CORE label Oct 31, 2025

github-advanced-security bot found potential problems Oct 31, 2025

View reviewed changes

tundeaoni marked this pull request as draft November 4, 2025 13:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Core 1345 support skipping image build and testing when only nomad or nomad pack change made skip test#137

Core 1345 support skipping image build and testing when only nomad or nomad pack change made skip test#137
tundeaoni wants to merge 2 commits intomainfrom
CORE-1345-support-skipping-image-build-and-testing-when-only-nomad-or-nomad-pack-change-made-skip-test

tundeaoni commented Oct 31, 2025 •

edited by remerge-hal

Loading

Uh oh!

remerge-hal commented Oct 31, 2025

Uh oh!

Check warning

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

@@ -80,6 +80,8 @@
                   - name: Check if only irrelevant files changed
                     id: check
+                    env:
+                      ALL_CHANGED_FILES: ${{ steps.changed.outputs.all_changed_files }}
                     run: |
                       #!/usr/bin/env bash
                       set -euo pipefail
@@ -97,7 +99,7 @@
                          "Dockerfile"
                       )
                       echo "🔍 Changed files:"
-                      echo "${{ steps.changed.outputs.all_changed_files }}"
+                      echo "$ALL_CHANGED_FILES"
                       echo
                       ONLY_IRRELEVANT=true
@@ -120,7 +122,7 @@
                           ONLY_IRRELEVANT=false
                           break
                         fi
-                      done <<< "$(echo "${{ steps.changed.outputs.all_changed_files }}" | tr ',' '\n')"
+                      done <<< "$(echo "$ALL_CHANGED_FILES" | tr ',' '\n')"
                       echo "🔎 Result: only_irrelevant=$ONLY_IRRELEVANT"
                       echo "only_irrelevant=$ONLY_IRRELEVANT" >> "$GITHUB_OUTPUT"

Conversation

tundeaoni commented Oct 31, 2025 • edited by remerge-hal Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

remerge-hal commented Oct 31, 2025

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

tundeaoni commented Oct 31, 2025 •

edited by remerge-hal

Loading