Compare commits

..

1 Commits

Author SHA1 Message Date
copilot-swe-agent[bot]
d8f3cc5f1d skip running unsafe pr check if input is default (backport #2518 to releases/v4) 2026-07-15 14:55:26 +00:00
3 changed files with 7 additions and 72 deletions

View File

@@ -12,24 +12,15 @@ const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
// Inputs for mock @actions/core // Inputs for mock @actions/core
let inputs = {} as any let inputs = {} as any
// Replicate @actions/core getInput behavior: it trims whitespace by default
// (String.prototype.trim(), which strips characters such as a leading U+FEFF BOM)
// unless trimWhitespace is explicitly set to false.
const getInputImpl = (name: string, options?: {trimWhitespace?: boolean}) => {
const val = inputs[name] ?? ''
if (options && options.trimWhitespace === false) {
return val
}
return typeof val === 'string' ? val.trim() : val
}
// Shallow clone original @actions/github context // Shallow clone original @actions/github context
let originalContext = {...github.context} let originalContext = {...github.context}
describe('input-helper tests', () => { describe('input-helper tests', () => {
beforeAll(() => { beforeAll(() => {
// Mock getInput // Mock getInput
jest.spyOn(core, 'getInput').mockImplementation(getInputImpl as any) jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
return inputs[name]
})
// Mock error/warning/info/debug // Mock error/warning/info/debug
jest.spyOn(core, 'error').mockImplementation(jest.fn()) jest.spyOn(core, 'error').mockImplementation(jest.fn())
@@ -150,26 +141,6 @@ describe('input-helper tests', () => {
expect(settings.commit).toBeFalsy() expect(settings.commit).toBeFalsy()
}) })
it('does not reclassify a ref as sha when a BOM is prefixed', async () => {
// A fork branch named "<U+FEFF>" + 40 hex chars. core.getInput trims the
// BOM by default, which previously collapsed this into a bare SHA and
// bypassed the unsafe fork PR checkout guard.
inputs.ref = '\uFEFF522d932fae5296da51fdf431934425ecf891c6a2'
const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings.commit).toBeFalsy()
expect(settings.ref).toBe('522d932fae5296da51fdf431934425ecf891c6a2')
})
it('treats a sha surrounded by ascii whitespace as a commit', async () => {
// ASCII whitespace can only come from the workflow author's YAML (git ref
// names cannot contain it), so trimming it and treating the value as a
// commit is safe.
inputs.ref = ' 1111111111222222222233333333334444444444 '
const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings.ref).toBeFalsy()
expect(settings.commit).toBe('1111111111222222222233333333334444444444')
})
it('sets workflow organization ID', async () => { it('sets workflow organization ID', async () => {
const settings: IGitSourceSettings = await inputHelper.getInputs() const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings.workflowOrganizationId).toBe(123456) expect(settings.workflowOrganizationId).toBe(123456)
@@ -190,7 +161,6 @@ describe('input-helper tests', () => {
it('allows the default self-checkout on a fork pull_request_target', async () => { it('allows the default self-checkout on a fork pull_request_target', async () => {
const originalEvent = github.context.eventName const originalEvent = github.context.eventName
const originalPayload = github.context.payload const originalPayload = github.context.payload
const originalSha = github.context.sha
try { try {
github.context.eventName = 'pull_request_target' github.context.eventName = 'pull_request_target'
github.context.payload = forkPayload as any github.context.payload = forkPayload as any
@@ -202,7 +172,6 @@ describe('input-helper tests', () => {
} finally { } finally {
github.context.eventName = originalEvent github.context.eventName = originalEvent
github.context.payload = originalPayload github.context.payload = originalPayload
github.context.sha = originalSha
} }
}) })

21
dist/index.js vendored
View File

@@ -1895,23 +1895,6 @@ function getInputs() {
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase(); `${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
// Source branch, source version // Source branch, source version
result.ref = core.getInput('ref'); result.ref = core.getInput('ref');
// core.getInput()'s default trim strips a range of Unicode characters such as a
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
// guard.
//
// The trim below strips only the ASCII whitespace characters which are all forbidden
// in a git branch name.
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
// \n U+000A line feed - ASCII control, forbidden in ref names
// \v U+000B vertical tab - ASCII control, forbidden in ref names
// \f U+000C form feed - ASCII control, forbidden in ref names
// \r U+000D carriage return - ASCII control, forbidden in ref names
// ' ' U+0020 space - forbidden in ref names
const asciiTrimmedRef = core
.getInput('ref', { trimWhitespace: false })
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '');
if (!result.ref) { if (!result.ref) {
if (isWorkflowRepository) { if (isWorkflowRepository) {
result.ref = github.context.ref; result.ref = github.context.ref;
@@ -1924,8 +1907,8 @@ function getInputs() {
} }
} }
// SHA? // SHA?
else if (asciiTrimmedRef.match(/^[0-9a-fA-F]{40}$/)) { else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
result.commit = asciiTrimmedRef; result.commit = result.ref;
result.ref = ''; result.ref = '';
} }
core.debug(`ref = '${result.ref}'`); core.debug(`ref = '${result.ref}'`);

View File

@@ -59,23 +59,6 @@ export async function getInputs(): Promise<IGitSourceSettings> {
// Source branch, source version // Source branch, source version
result.ref = core.getInput('ref') result.ref = core.getInput('ref')
// core.getInput()'s default trim strips a range of Unicode characters such as a
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
// guard.
//
// The trim below strips only the ASCII whitespace characters which are all forbidden
// in a git branch name.
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
// \n U+000A line feed - ASCII control, forbidden in ref names
// \v U+000B vertical tab - ASCII control, forbidden in ref names
// \f U+000C form feed - ASCII control, forbidden in ref names
// \r U+000D carriage return - ASCII control, forbidden in ref names
// ' ' U+0020 space - forbidden in ref names
const asciiTrimmedRef = core
.getInput('ref', {trimWhitespace: false})
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '')
if (!result.ref) { if (!result.ref) {
if (isWorkflowRepository) { if (isWorkflowRepository) {
result.ref = github.context.ref result.ref = github.context.ref
@@ -89,8 +72,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
} }
} }
// SHA? // SHA?
else if (asciiTrimmedRef.match(/^[0-9a-fA-F]{40}$/)) { else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
result.commit = asciiTrimmedRef result.commit = result.ref
result.ref = '' result.ref = ''
} }
core.debug(`ref = '${result.ref}'`) core.debug(`ref = '${result.ref}'`)