* docs: add design for manifest path traversal fix
* docs: add implementation plan for manifest path traversal fix
* fix: confine manifest paths to workspace
moveFileToTmpDir previously used path.join(tempDirectory, originalFilepath),
which normalizes ../ sequences. A manifests input containing a traversal
sequence caused the action to read .yaml/.yml files from outside the
workspace and write copies outside RUNNER_TEMP. Directory inputs made
this stronger because recurisveManifestGetter enumerated YAML files
under the traversed directory.
Add assertPathWithinWorkspace, which resolves symlinks via realpathSync
and rejects any path not contained in GITHUB_WORKSPACE. Apply it in
getFilesFromDirectoriesAndURLs before lstat / readdir / file inclusion.
Rewrite moveFileToTmpDir to use a basename-only destination under
RUNNER_TEMP with a getCurrentTime() uniquifier to avoid collisions,
matching the safer pattern already used by getNewTempManifestFileName.
* fix: handle errors in writeYamlFromURLToFile
The https.get callback was marked async without any await, which caused
thrown errors to be silently swallowed as floating promise rejections.
There were no error listeners on the response stream or the file
writer, so socket or disk errors hung the promise instead of rejecting
it. On HTTP status >= 400 the function called reject but then fell
through and opened a write stream anyway.
Drop the misleading async, return after rejecting HTTP errors, drain
the response, and add error listeners on both streams. Wrap the string
verification error in new Error so stack traces are preserved.
* fix: harden verifyYaml and warn on unset GITHUB_WORKSPACE
Two follow-ups from review of the path-traversal series:
verifyYaml is called inside writeYamlFromURLToFile's finish listener.
If the body parsed to a null YAML document (e.g. "---" or a multi-doc
file with a trailing separator), the loop dereferenced obj.kind on
null and threw. Because the throw happened inside an EventEmitter
listener attached to a WriteStream rather than the Promise executor,
it was not routed to reject, so the promise hung. Wrap the finish
body in try/catch and add a null guard inside verifyYaml.
assertPathWithinWorkspace previously returned silently when
GITHUB_WORKSPACE was unset. In a real Action run the runner always
sets it, so unset is a signal that something is wrong with the
environment, not "skip the security check". Emit core.warning so a
misconfigured self-hosted runner does not lose the containment
protection without notice.
* test: realpath both sides of dirname comparison
On macOS, RUNNER_TEMP under /var/folders/... resolves through a
/private symlink. moveFileToTmpDir builds its destination from the
raw RUNNER_TEMP, so comparing path.dirname(out) directly with
realpathSync(tmpDir) would fail on macOS. Normalize both sides.
* fix: resolve relative manifest paths against workspace and clean up URL temp files
Address two Copilot review comments on PR #528:
- assertPathWithinWorkspace now resolves relative inputPath values
against the realpathed GITHUB_WORKSPACE instead of process.cwd().
Previously a step that changed CWD could cause unexpected
rejections (or false acceptances) for relative manifests inputs.
Absolute paths are still passed through and validated unchanged.
- writeYamlFromURLToFile now unlinks the partial temp file on any
rejection that occurs after the write stream is created
(writer error, response error, verification failure, sync throw
in verify). The success path still resolves without unlinking.
Pre-stream request errors leave nothing to clean up.
Tests added: a workspace-relative resolution test that deliberately
chdirs elsewhere, plus two cleanup-assertion tests covering
verification-failure and mid-stream response error.
* Migrate build toolchain from ncc/Jest to esbuild/Vitest
Replace the legacy ncc/Jest/Babel build stack with a modern ESM toolchain:
Build:
- Replace @vercel/ncc with esbuild (--platform=node --target=node20 --format=esm)
- Add createRequire banner for CJS interop in ESM bundle
- Add "type": "module" to package.json
- Add tsc --noEmit typecheck script (esbuild strips types without checking)
- Add typecheck to husky pre-commit hook
Dependencies:
- Bump @actions/core@3, exec@3, io@3, tool-cache@4 (ESM-only)
- Replace jest/ts-jest/@babel/* with vitest@4
Tests:
- Convert 29 test files: jest.fn()→vi.fn(), jest.mock()→vi.mock(), jest.spyOn()→vi.spyOn()
- Fix vitest 4 compat: mockImplementation requires args, mock call tracking, await .rejects
CI:
- Update build step from ncc build → npm run build
- Update composite action to use npm run build
* Switch tsconfig to NodeNext module resolution
Change module/moduleResolution from ES2022/bundler to NodeNext/NodeNext
and target from ES2022 to ES2020.
- Add .js extensions to all relative imports across 59 source/test files
(required by NodeNext module resolution)
- Add vitest/globals to tsconfig types array for global test API declarations
* changed ubuntu runner
* changed minikube action
* Version formatting
* nonedriveR
* update kube version
* installing conntrack'
* updated other actions
* update bg ingress api version
* prettify
* updated ingress backend for new api version
* Added path type
* prettify
* added logging
* added try catch logic to prevent future failures if annotations fail since failing annotations shouldn't affect users
* added nullcheck
* Added fallback filename if workflow fails to get github filepath due to runner issues
* cleanup
* added oliver's feedback + unit test demonstrating regex glitch and fix
* no longer using blank string for failed regex
* add tests and dont split so much
* testing
* file fix
* without fix
* Revert "without fix"
This reverts commit 8da79a8190.
* fixing labels test
* pretty
* refactored getting tmp filename to use entire path, and refactored private to use filepath relative to tmp dir
* wip
* merging master
* this should fail
* added UTs
* restructured plus UTs plus debug logs
* resolved dir not existing and UTs
* cleanup
* no silent failure
* Reverting private logic
* this might work
* root level files for temp... bizarre issue
* need to actually write contents
* no more cwdir
* moving everything out of temp
* deleting unused function
* supporting windows filepaths for private cluster shallow path generation
---------
Co-authored-by: David Gamero <david340804@gmail.com>
* Added some tests, not sure what else to try but gonna think of more examples
* forgot some files
* reverted package-lock.json
* Added empty dir test
* Cleaned up some extra spaces
* Add node modules and compiled JavaScript from main
* forgot to actually include functionality
* removed unnecessary files
* Update .gitignore
* Update .gitignore
* Update .gitignore
* thx david
* renamed searchFilesRec
* integrations test fix
* added examples to README
* added note about depth
* added additional note
* removed ticks
* changed version string
* removed conflict on readme
* Added tests for bluegreen helper and resolved issue with ingress not being read correctly, still have to figure out why new services aren't showing up
* resolved services name issue
* looks functional, beginning refactor now
* refactored deploy methods for type error
* Removed refactor comments
* prettier
* implemented Oliver's feedback
* prettier
* added optional chaining operator
* removed refactor comment
Co-authored-by: Jaiveer Katariya <jaiveerkatariya@Jaiveers-MacBook-Pro.local>
Co-authored-by: Oliver King <oking3@uncc.edu>
Co-authored-by: Jaiveer Katariya <jaiveerkatariya@Jaiveers-MBP.lan>
Tom Gamble