[DO NOT MERGE] Test#1154
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo "Skipped" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
To fix the problem, the workflow should explicitly specify restricted GITHUB_TOKEN permissions instead of relying on repository defaults. Since this job only runs a shell command and does not need to interact with the GitHub API, the safest and least-privileged configuration is to set permissions: { contents: read } (or even permissions: {} if your policies allow that). Adding the permissions block at the workflow root will apply to all jobs that do not override it.
The single best way to fix this without changing existing behavior is to add a permissions block near the top of .github/workflows/ci_weekly.yml, just under the name: (or under on: if you prefer), setting contents: read. No imports or additional definitions are needed because this is a YAML configuration change only. The donothing job can remain unchanged and will inherit these minimal permissions.
Concretely:
- Edit
.github/workflows/ci_weekly.yml. - Insert a top-level
permissions:section after line 1 (or between lines 2 and 3) withcontents: read. - Leave the
jobssection anddonothingjob untouched so functionality stays the same.
| @@ -1,4 +1,6 @@ | ||
| name: WIP Placeholder CI Weekly | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| # For AMD GPU families that expect_failure, we run builds and tests from this scheduled trigger |
| run: | | ||
| RUN_ID="$GITHUB_RUN_ID" # Use the current run ID | ||
|
|
||
| ORG_NAME="${{ github.repository_owner }}" |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
In general, to fix this class of problems in GitHub Actions, you avoid interpolating ${{ ... }} expressions directly in a shell script. Instead, you assign the untrusted value to an environment variable in the env: block of the step, and then reference it using normal shell variable syntax (e.g. $ORG_NAME) inside the script. This prevents GitHub’s expression engine from injecting content directly into the script body and keeps all potentially unsafe characters confined to data variables, which the shell will handle as data rather than code.
For this specific workflow, we should move ${{ github.repository_owner }} (and for consistency, ${{ github.event.repository.name }} and ${{ inputs.JOB_NAME_TO_MATCH }}) into the step’s env: block, then update the script to use the corresponding shell variables. Concretely, in .github/workflows/teams_notifier.yml within the “Calculate URLs and Fetch Manifest” step, extend the env: section to define ORG_NAME, PROJECT_NAME, and JOB_NAME_TO_MATCH using GitHub expression syntax. Then, in the run: script, replace the lines that assign ORG_NAME and PROJECT_NAME using ${{ ... }} with references to the shell environment variables directly, and change the jq invocation to use the JOB_NAME_TO_MATCH shell variable instead of injecting ${{ inputs.JOB_NAME_TO_MATCH }}. This keeps current behavior (same values, same logic) while eliminating the direct expression interpolation inside the script.
| @@ -22,15 +22,17 @@ | ||
| id: extract_urls | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| ORG_NAME: ${{ github.repository_owner }} | ||
| PROJECT_NAME: ${{ github.event.repository.name }} | ||
| JOB_NAME_TO_MATCH: ${{ inputs.JOB_NAME_TO_MATCH }} | ||
| run: | | ||
| RUN_ID="$GITHUB_RUN_ID" # Use the current run ID | ||
|
|
||
| ORG_NAME="${{ github.repository_owner }}" | ||
| PROJECT_NAME="${{ github.event.repository.name }}" | ||
| # ORG_NAME, PROJECT_NAME, and JOB_NAME_TO_MATCH are provided via env | ||
|
|
||
| JOBS_URL="https://api.github.com/repos/$ORG_NAME/$PROJECT_NAME/actions/runs/$RUN_ID/jobs" | ||
| JOB_ID=$(curl -H "Authorization: token $GITHUB_TOKEN" -L "$JOBS_URL" \ | ||
| | jq -r --arg JOB_NAME "${{ inputs.JOB_NAME_TO_MATCH }}" \ | ||
| | jq -r --arg JOB_NAME "$JOB_NAME_TO_MATCH" \ | ||
| '.jobs[] | select(.name==$JOB_NAME) | .id') | ||
|
|
||
|
|
| RUN_ID="$GITHUB_RUN_ID" # Use the current run ID | ||
|
|
||
| ORG_NAME="${{ github.repository_owner }}" | ||
| PROJECT_NAME="${{ github.event.repository.name }}" |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
General approach: avoid using the GitHub expression ${{ github.event.repository.name }} directly within the shell script body. Instead, assign that expression to an environment variable at the step level, and inside the script read it using normal shell variable expansion ($PROJECT_NAME). This follows the documented pattern: set untrusted input in env: and use it with native shell syntax.
Best concrete fix here:
- Modify the
Calculate URLs and Fetch Manifeststep to includeORG_NAMEandPROJECT_NAMEin theenv:section:ORG_NAME: ${{ github.repository_owner }}PROJECT_NAME: ${{ github.event.repository.name }}
- In the
run:script, remove the direct${{ ... }}usage and rely on the environment variables already populated by GitHub:- Delete the lines that assign
ORG_NAMEandPROJECT_NAMEvia expressions. - The rest of the script (
JOBS_URL="https://api.github.com/repos/$ORG_NAME/$PROJECT_NAME/actions/runs/$RUN_ID/jobs" ...) can remain unchanged, since$ORG_NAMEand$PROJECT_NAMEwill now come fromenv.
- Delete the lines that assign
This change is localized to .github/workflows/teams_notifier.yml, within the shown step. No new methods or external tools are needed; we just adjust the env: section and simplify the script.
| @@ -22,12 +22,11 @@ | ||
| id: extract_urls | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| ORG_NAME: ${{ github.repository_owner }} | ||
| PROJECT_NAME: ${{ github.event.repository.name }} | ||
| run: | | ||
| RUN_ID="$GITHUB_RUN_ID" # Use the current run ID | ||
|
|
||
| ORG_NAME="${{ github.repository_owner }}" | ||
| PROJECT_NAME="${{ github.event.repository.name }}" | ||
|
|
||
| JOBS_URL="https://api.github.com/repos/$ORG_NAME/$PROJECT_NAME/actions/runs/$RUN_ID/jobs" | ||
| JOB_ID=$(curl -H "Authorization: token $GITHUB_TOKEN" -L "$JOBS_URL" \ | ||
| | jq -r --arg JOB_NAME "${{ inputs.JOB_NAME_TO_MATCH }}" \ |
|
|
||
| JOBS_URL="https://api.github.com/repos/$ORG_NAME/$PROJECT_NAME/actions/runs/$RUN_ID/jobs" | ||
| JOB_ID=$(curl -H "Authorization: token $GITHUB_TOKEN" -L "$JOBS_URL" \ | ||
| | jq -r --arg JOB_NAME "${{ inputs.JOB_NAME_TO_MATCH }}" \ |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
To fix the problem, move the untrusted inputs.JOB_NAME_TO_MATCH expression out of the shell script and into an environment variable defined in the step’s env: section, then reference that variable using normal shell syntax ($VAR) inside the run: block. This prevents GitHub Actions from inlining the expression directly into the generated shell code and aligns with the recommended pattern for avoiding code injection.
Concretely, in the Calculate URLs and Fetch Manifest step, add an environment variable such as JOB_NAME_TO_MATCH: ${{ inputs.JOB_NAME_TO_MATCH }} under env:. Then, inside the run: script, replace ${{ inputs.JOB_NAME_TO_MATCH }} in the jq invocation with $JOB_NAME_TO_MATCH. No functional behavior changes: jq --arg JOB_NAME ... still receives the same string value, but the value is now passed through the environment rather than interpolated into the script text. No additional imports or external tooling are needed beyond what is already used.
| @@ -22,6 +22,7 @@ | ||
| id: extract_urls | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| JOB_NAME_TO_MATCH: ${{ inputs.JOB_NAME_TO_MATCH }} | ||
| run: | | ||
| RUN_ID="$GITHUB_RUN_ID" # Use the current run ID | ||
|
|
||
| @@ -30,7 +31,7 @@ | ||
|
|
||
| JOBS_URL="https://api.github.com/repos/$ORG_NAME/$PROJECT_NAME/actions/runs/$RUN_ID/jobs" | ||
| JOB_ID=$(curl -H "Authorization: token $GITHUB_TOKEN" -L "$JOBS_URL" \ | ||
| | jq -r --arg JOB_NAME "${{ inputs.JOB_NAME_TO_MATCH }}" \ | ||
| | jq -r --arg JOB_NAME "$JOB_NAME_TO_MATCH" \ | ||
| '.jobs[] | select(.name==$JOB_NAME) | .id') | ||
|
|
||
|
|
| run: | | ||
| echo "ORG_NAME=ROCm" >> $GITHUB_ENV | ||
| echo "PROJECT_NAME=llvm-project" >> $GITHUB_ENV | ||
| echo "RUN_ID=${{ github.run_id }}" >> $GITHUB_ENV |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 18 days ago
To fix this, we should avoid using ${{ github.run_id }} directly in the shell script body and instead inject it into the step’s environment via env:. Inside the script, we then use normal shell variable expansion ($RUN_ID) when writing to $GITHUB_ENV. This matches the recommended “indirect” pattern and removes the code injection concern, without changing the effective behavior of the workflow.
Concretely, in the “Set environment variables” step (lines 59–65):
- Add an
env:section that defines a temporary environment variable, e.g.RUN_ID_INPUT: ${{ github.run_id }}. - In the
run:block, change the line that currently writesRUN_ID=${{ github.run_id }}to instead writeRUN_ID=$RUN_ID_INPUT, using shell syntax. - The other
echolines remain unchanged. - No additional imports or external dependencies are needed because this is purely YAML and shell changes inside the workflow.
| @@ -57,10 +57,12 @@ | ||
| fi | ||
|
|
||
| - name: Set environment variables | ||
| env: | ||
| RUN_ID_INPUT: ${{ github.run_id }} | ||
| run: | | ||
| echo "ORG_NAME=ROCm" >> $GITHUB_ENV | ||
| echo "PROJECT_NAME=llvm-project" >> $GITHUB_ENV | ||
| echo "RUN_ID=${{ github.run_id }}" >> $GITHUB_ENV | ||
| echo "RUN_ID=$RUN_ID_INPUT" >> $GITHUB_ENV | ||
| echo "MANIFEST_FILE=manifest.json" >> $GITHUB_ENV | ||
| echo "OUTPUT_FILE=results.json" >> $GITHUB_ENV | ||
|
|
| # Default notification content setup | ||
| START_DATE=$(date +"%Y-%m-%d") | ||
| # Initialize STATUS based on job results | ||
| if [ "${{ needs.windows_build_and_test.result }}" = "success" ] && [ "${{ needs.linux_build_and_test.result }}" = "success" ]; then |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
General approach: avoid interpolating GitHub expression syntax directly into the shell script in the run: | block. Instead, assign any such values to environment variables via the env: mapping and then reference those variables using normal shell syntax ($VAR) inside the script. This follows GitHub’s documented pattern to prevent code injection.
Best concrete fix here: add environment variables for the needed job results in the Notify status step, and change the if condition to compare those shell variables rather than embedding ${{ needs.*.result }} inside the script. That is, in the env: section of the Notify status step, define e.g. WINDOWS_RESULT: ${{ needs.windows_build_and_test.result }} and LINUX_RESULT: ${{ needs.linux_build_and_test.result }}. Then, in the run: block, replace the condition on line 91 with one that uses $WINDOWS_RESULT and $LINUX_RESULT. No additional imports or external tools are required; all changes are confined to .github/workflows/teams_notifier.yml in the Notify status step.
Specifically:
- Edit the
Notify statusstep’senv:block (around lines 83–87) to add two new entries:WINDOWS_RESULT: ${{ needs.windows_build_and_test.result }}LINUX_RESULT: ${{ needs.linux_build_and_test.result }}
- Edit the
run:block so that theifstatement on line 91 becomes:if [ "$WINDOWS_RESULT" = "success" ] && [ "$LINUX_RESULT" = "success" ]; then
Functionality remains identical, but the workflow now follows the safe pattern and satisfies the CodeQL rule.
| @@ -84,11 +84,13 @@ | ||
| TZ: 'America/Chicago' | ||
| JSON_RESULT_FILE: results.json | ||
| RUN_ID: ${{ env.RUN_ID }} | ||
| WINDOWS_RESULT: ${{ needs.windows_build_and_test.result }} | ||
| LINUX_RESULT: ${{ needs.linux_build_and_test.result }} | ||
| run: | | ||
| # Default notification content setup | ||
| START_DATE=$(date +"%Y-%m-%d") | ||
| # Initialize STATUS based on job results | ||
| if [ "${{ needs.windows_build_and_test.result }}" = "success" ] && [ "${{ needs.linux_build_and_test.result }}" = "success" ]; then | ||
| if [ "$WINDOWS_RESULT" = "success" ] && [ "$LINUX_RESULT" = "success" ]; then | ||
| STATUS="success" | ||
| else | ||
| STATUS="failure" |
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
To fix the issue, we should stop using ${{ github.repository }}, ${{ github.ref_name }}, and ${{ github.run_id }} directly inside the shell script body. Instead, set them as environment variables in the env: block of the step, and then use standard shell variable expansion ($REPOSITORY, $REF_NAME, $GITHUB_RUN_ID) within run:. This follows the recommended pattern: use expressions only in env: and let the shell read them from the environment.
Concretely, in .github/workflows/teams_notifier.yml, in the “Notify status” step:
- Extend the
env:section to include:REPOSITORY: ${{ github.repository }}REF_NAME: ${{ github.ref_name }}GITHUB_RUN_ID: ${{ github.run_id }}
- In the
run:script:- Replace all
${{ github.repository }}occurrences with$REPOSITORY. - Replace
${{ github.ref_name }}with$REF_NAME. - Replace
${{ github.run_id }}with$GITHUB_RUN_ID.
- Replace all
- Keep
RUN_IDusage as is (it already comes fromenv.RUN_ID), or, if needed, reference it consistently as$RUN_ID.
This change does not alter the logical behavior: the same values are used, just passed via environment variables, removing the direct expression usage from the script and eliminating the code-injection warning.
| @@ -84,6 +84,9 @@ | ||
| TZ: 'America/Chicago' | ||
| JSON_RESULT_FILE: results.json | ||
| RUN_ID: ${{ env.RUN_ID }} | ||
| REPOSITORY: ${{ github.repository }} | ||
| REF_NAME: ${{ github.ref_name }} | ||
| GITHUB_RUN_ID: ${{ github.run_id }} | ||
| run: | | ||
| # Default notification content setup | ||
| START_DATE=$(date +"%Y-%m-%d") | ||
| @@ -107,7 +110,7 @@ | ||
| FAILURE_TABLE=$(jq -r '.failure_table' < "$JSON_RESULT_FILE") | ||
|
|
||
| # Construct JSON content without EOF | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/$RUN_ID) \\n\\n**Manifest, Artifacts, and Logs:** \\n\\n$MANIFEST_ARTIFACTS_TABLE\\n\\n**Details:** \\n\\n$SUBMODULE_TABLE\\n\\n" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** $REPOSITORY \\n\\n**Branch:** $REF_NAME \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/$REPOSITORY/actions/runs/$RUN_ID) \\n\\n**Manifest, Artifacts, and Logs:** \\n\\n$MANIFEST_ARTIFACTS_TABLE\\n\\n**Details:** \\n\\n$SUBMODULE_TABLE\\n\\n" | ||
|
|
||
| if [[ "$FAILURE_TABLE" != "No failures found" ]]; then | ||
| NOTIFICATION_CONTENT+="**Failure Jobs:** \\n\\n$FAILURE_TABLE \\n\\n" | ||
| @@ -116,11 +119,10 @@ | ||
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** $REPOSITORY \\n\\n**Branch:** $REF_NAME \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/$REPOSITORY/actions/runs/$GITHUB_RUN_ID) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| fi | ||
|
|
||
| echo "Notification JSON Content:" | ||
| echo "$NOTIFICATION_CONTENT" | ||
|
|
||
| curl -H "Content-Type: application/json" -d "$NOTIFICATION_CONTENT" ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }} | ||
|
|
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
In general, to fix this issue we must not interpolate ${{ github.ref_name }} directly inside the shell script body. Instead, we should assign it to an environment variable using GitHub Actions expression syntax, and then access it using standard shell expansion ($REF_NAME). This avoids mixing GitHub’s expression syntax with the shell’s parsing in run: blocks and aligns with recommended patterns for untrusted inputs.
Concretely, in .github/workflows/teams_notifier.yml, within the Notify status step, add an environment variable like REF_NAME: ${{ github.ref_name }} under the env: section. Then, replace both occurrences of ${{ github.ref_name }} in the JSON construction with $REF_NAME. The rest of the step remains unchanged. No additional imports or external tools are required because we are only modifying how the existing input is wired into the script.
| @@ -84,6 +84,7 @@ | ||
| TZ: 'America/Chicago' | ||
| JSON_RESULT_FILE: results.json | ||
| RUN_ID: ${{ env.RUN_ID }} | ||
| REF_NAME: ${{ github.ref_name }} | ||
| run: | | ||
| # Default notification content setup | ||
| START_DATE=$(date +"%Y-%m-%d") | ||
| @@ -107,7 +108,7 @@ | ||
| FAILURE_TABLE=$(jq -r '.failure_table' < "$JSON_RESULT_FILE") | ||
|
|
||
| # Construct JSON content without EOF | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/$RUN_ID) \\n\\n**Manifest, Artifacts, and Logs:** \\n\\n$MANIFEST_ARTIFACTS_TABLE\\n\\n**Details:** \\n\\n$SUBMODULE_TABLE\\n\\n" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** $REF_NAME \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/$RUN_ID) \\n\\n**Manifest, Artifacts, and Logs:** \\n\\n$MANIFEST_ARTIFACTS_TABLE\\n\\n**Details:** \\n\\n$SUBMODULE_TABLE\\n\\n" | ||
|
|
||
| if [[ "$FAILURE_TABLE" != "No failures found" ]]; then | ||
| NOTIFICATION_CONTENT+="**Failure Jobs:** \\n\\n$FAILURE_TABLE \\n\\n" | ||
| @@ -116,7 +117,7 @@ | ||
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** $REF_NAME \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| fi | ||
|
|
||
| echo "Notification JSON Content:" |
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
In general, to fix this type of issue in GitHub Actions, avoid using ${{ ... }} directly inside the shell script body. Instead, map any potentially untrusted values into environment variables via env: and then reference them using the shell’s own variable expansion ($VAR). This way, the expression is resolved by the Actions runner outside the shell script, and the shell only ever sees plain environment variables.
For this specific workflow, the risky values are the GitHub context fields used inside the run: script: github.repository, github.ref_name, github.run_id, and the existing env.RUN_ID. We should: (1) add environment variables in the env: section of the “Notify status” step for each of these values; (2) update the script body so that it uses $REPOSITORY, $BRANCH, and $RUN_ID instead of inlined ${{ github.* }} expressions. This preserves all existing behavior (the same strings end up in the JSON) while following the recommended safe pattern.
Concretely, within .github/workflows/teams_notifier.yml in the “Notify status” step (around lines 81–120):
- Extend the
env:block with:REPOSITORY: ${{ github.repository }}BRANCH: ${{ github.ref_name }}- (Optionally) ensure
RUN_IDcomes from${{ github.run_id }}if it is not already set elsewhere; since we are constrained to this snippet, we will leave the existingRUN_ID: ${{ env.RUN_ID }}intact and only use$RUN_IDin the script.
- In the two
NOTIFICATION_CONTENT=...assignments, replace all${{ github.repository }}and${{ github.ref_name }}(and${{ github.run_id }}) with the corresponding shell variables:$REPOSITORY,$BRANCH, and$RUN_ID.
This removes the direct use of untrusted GitHub context expressions within the script body, avoids introducing any new behavior, and resolves the CodeQL “code injection” warning.
| @@ -84,6 +84,8 @@ | ||
| TZ: 'America/Chicago' | ||
| JSON_RESULT_FILE: results.json | ||
| RUN_ID: ${{ env.RUN_ID }} | ||
| REPOSITORY: ${{ github.repository }} | ||
| BRANCH: ${{ github.ref_name }} | ||
| run: | | ||
| # Default notification content setup | ||
| START_DATE=$(date +"%Y-%m-%d") | ||
| @@ -107,7 +109,7 @@ | ||
| FAILURE_TABLE=$(jq -r '.failure_table' < "$JSON_RESULT_FILE") | ||
|
|
||
| # Construct JSON content without EOF | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/$RUN_ID) \\n\\n**Manifest, Artifacts, and Logs:** \\n\\n$MANIFEST_ARTIFACTS_TABLE\\n\\n**Details:** \\n\\n$SUBMODULE_TABLE\\n\\n" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** $REPOSITORY \\n\\n**Branch:** $BRANCH \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/$REPOSITORY/actions/runs/$RUN_ID) \\n\\n**Manifest, Artifacts, and Logs:** \\n\\n$MANIFEST_ARTIFACTS_TABLE\\n\\n**Details:** \\n\\n$SUBMODULE_TABLE\\n\\n" | ||
|
|
||
| if [[ "$FAILURE_TABLE" != "No failures found" ]]; then | ||
| NOTIFICATION_CONTENT+="**Failure Jobs:** \\n\\n$FAILURE_TABLE \\n\\n" | ||
| @@ -116,7 +118,7 @@ | ||
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** $REPOSITORY \\n\\n**Branch:** $BRANCH \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/$REPOSITORY/actions/runs/$RUN_ID) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| fi | ||
|
|
||
| echo "Notification JSON Content:" |
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
In general, to fix this class of problems in GitHub Actions, any data that might be considered untrusted (or that a scanner flags) should be passed from the workflow expression context into an environment variable, and then used inside run: via shell-native variable expansion ($VAR), not via ${{ ... }}. This prevents the shell from interpreting injected syntax because the interpolation happens before the shell and the value is treated as data.
For this specific case, we only need to adjust the usage of github.run_id in the run: script. The job already defines RUN_ID: ${{ env.RUN_ID }} in env: at line 86, and then uses $RUN_ID in the main branch of the if (line 110). In the else block at line 119, it still uses the expression ${{ github.run_id }} directly. The best fix is to use the same $RUN_ID variable there, so the run id always comes from the environment, accessed via shell syntax. Concretely:
- In
.github/workflows/teams_notifier.yml, within theNotify statusstep, change theBuild LinkURL in theelsebranch (line 119) to reference$RUN_IDinstead of${{ github.run_id }}. - No new imports or actions are needed; we are only changing the string interpolation method in that line.
| @@ -116,7 +116,7 @@ | ||
| NOTIFICATION_CONTENT+="\"}" | ||
| else | ||
| echo "Error reading JSON file $JSON_RESULT_FILE! Falling back to short notification content." | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| NOTIFICATION_CONTENT="{\"title\":\"$START_DATE - $ICON Build $STATUS\", \"text\":\"**Repository:** ${{ github.repository }} \\n\\n**Branch:** ${{ github.ref_name }} \\n\\n**Status:** $STATUS \\n\\n🔗 [Build Link](https://github.com/${{ github.repository }}/actions/runs/$RUN_ID) \\n\\n**Details:** Unable to fetch detailed results. Please check logs.\\n\\n\"}" | ||
| fi | ||
|
|
||
| echo "Notification JSON Content:" |
| echo "Notification JSON Content:" | ||
| echo "$NOTIFICATION_CONTENT" | ||
|
|
||
| curl -H "Content-Type: application/json" -d "$NOTIFICATION_CONTENT" ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }} |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 20 days ago
In general, to fix this kind of issue in GitHub Actions, you should avoid placing expressions like ${{ secrets.* }} or ${{ github.* }} directly into run: script bodies where the shell will interpolate them as part of a command. Instead, assign the value to an environment variable in the step’s env: block, and then reference that value using native shell syntax ($VAR) within the script. This breaks the expression interpolation from the shell parsing step and aligns with GitHub’s secure usage guidance.
For this specific case, we should move ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }} into an environment variable, e.g. TEAMS_WEBHOOK_URL, in the "Notify status" step’s env: section. Then, in the run: script, replace the direct use of ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }} in the curl command with the shell variable $TEAMS_WEBHOOK_URL. Functionality remains identical: we still send the same JSON payload to the same URL, but the secret is no longer embedded as a GitHub expression inside the shell command.
Concretely:
- Edit
.github/workflows/teams_notifier.ymlin the "Notify status" step. - Add a new
env:entry:TEAMS_WEBHOOK_URL: ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }}. - Change the
curlline fromcurl ... ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }}tocurl ... "$TEAMS_WEBHOOK_URL".
No extra methods or external libraries are needed.
| @@ -84,6 +84,7 @@ | ||
| TZ: 'America/Chicago' | ||
| JSON_RESULT_FILE: results.json | ||
| RUN_ID: ${{ env.RUN_ID }} | ||
| TEAMS_WEBHOOK_URL: ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }} | ||
| run: | | ||
| # Default notification content setup | ||
| START_DATE=$(date +"%Y-%m-%d") | ||
| @@ -122,5 +123,4 @@ | ||
| echo "Notification JSON Content:" | ||
| echo "$NOTIFICATION_CONTENT" | ||
|
|
||
| curl -H "Content-Type: application/json" -d "$NOTIFICATION_CONTENT" ${{ secrets.AMD_STAGING_NIGHTLY_TEAMS_WEBHOOK_URL }} | ||
|
|
||
| curl -H "Content-Type: application/json" -d "$NOTIFICATION_CONTENT" "$TEAMS_WEBHOOK_URL" |
…lvm#187020) The `CallEvent` has data members that store the `LocationContext` and the `CFGElementRef` (i.e. `CFGBlock` + index of statement within that block); but the method `getReturnValueUnderConstruction` ignored these and used the currently analyzed `LocationContext` and `CFGBlock` instead of them. This was logically incorrect and would have caused problems if the `CallEvent` was used later when the "currently analyzed" things are different. However, the lit tests do pass even if I assert that the currently analyzed `LocationContext` and `CFGBlock` is the same as the ones saved in the `CallEvent`, so I'm pretty sure that there was no actual problem caused by this bad logic and this commit won't cause functional changes. I also evaluated this change on a set of open source projects (postgres, tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, openrct2) and validated that it doesn't change the results of the analysis.
When SatWidth < DstWidth, type legalization left narrow SatVT in carrier-width nodes. Example: v8i32 = fp_to_sint_sat v8f32, sat=i24 Canonicalize narrow SatVT forms on AVX10.2. Preserve existing legal full-width lowering. Rewrite narrow SatVT forms to full-width sat + clamp. Results: v8i32 = fp_to_sint_sat v8f32, sat=i32 v8i32 = smax ..., min_i24 v8i32 = smin ..., max_i24 Avoid scalar i48 isel failures. Reduce vector narrow-width scalarization. Fixes llvm#186572
This reverts commit 6bc7795 (llvm#172479) Some concerns were raised on discourse: https://discourse.llvm.org/t/can-we-link-clang-format-into-clanganalysis/89014/7 To be on the safe side, let's revert this for now.
This was originally ported from rocm device libs in efeafa1, merge in more recent changes.
The initial version of SymbolLocatorSymStore supported servers only on local paths. This patch extends it to HTTP/HTTPS end-points. For that to work on Windows, we add a WinHTTP-based HTTP client backend in LLVM next to the existing CURL-based implementation. We don't add a HTTP server implementation, because there is no use right now. Test coverage for the LLVM part is built on llvm-debuginfod-find and works server-less, since it checks textual output of request headers. The existing CURL-based implementation uses the same approach. The LLDB API test for the specific SymbolLocatorSymStore feature spawns a HTTP server from Python. To keep the size of this patch within reasonable limits, the initial implementation of the SymbolLocatorSymStore feature is dump: There is no caching, no verification of downloaded files and no protection against file corruptions. We use a local implementation of LLVM's HTTPResponseHandler, but should think about extracting and reusing Debuginfod's StreamedHTTPResponseHandler in the future. The goal of this patch is a basic working implementation that is testable in isolation. We will iterate on it to improve it further. This should be fine since downloading from SymStores is not default-enabled yet. Users have to set their server URLs explicitly. --------- Co-authored-by: Alexandre Ganea <aganea@havenstudios.com>
Simplify exactly as InstCombine does. A follow-up would include simplifying add x, (sub 0, y) -> sub x, y. Alive2 proof: https://alive2.llvm.org/ce/z/Af7QiD
…uilt libc (llvm#181913) This is to add GPU wrappers for headers that are currently supported by libc built for SPIRV.
…7080) Ensure that the analyzer doesn't rule out the equality (or guarantee disequality) of a pointer to the stack and a symbolic pointer in unknown space. Previously the analyzer incorrectly assumed that stack pointers cannot be equal to symbolic pointers in unknown space. It is true that functions cannot validly return pointers to their own stack frame, but they can easily return a pointer to some other stack frame (e.g. a function can return a pointer recieved as an argument). The old behavior was introduced intentionally in 2012 by commit 3563fde, but it causes incorrect analysis, e.g. it prevents the correct handling of some testcases from the Juliet suite because it rules out the "fgets succeeds" branch. Reported-by: Daniel Krupp <daniel.krupp@ericsson.com>
Corrected language and spelling errors in a comment within file.cpp. Credit GH user @iBlanket for identifying this typo.
…m#187016) When narrowing interleave groups, the main vector loop processes IC iterations instead of VF * IC. Update selectEpilogueVectorizationFactor to use the effective VF, checking if the canonical IV controlling the loop now steps by UF instead of VFxUF. This avoids epilogue vectorization with dead epilogue vector loops and also prevents crashes in cases where we can prove both the epilogue and scalar loop are dead. Fixes llvm#186846 PR: llvm#187016
…part 36) (llvm#187628) Tests converted from test/Lower/Intrinsics: maxloc.f90, maxval.f90, merge.f90, merge_bits.f90, minloc.f90
By using a native `v_cvt_i16/u16_f16` conversion and saturation at `i16` we avoid additional `f16` to `f32` conversion that is required to perform saturation at `i32`. It also allows to perform clamping using `i16` instructions, reducing number of registers needed in *true16* mode in some of the lit tests. The behavior is disabled for pre-gfx8 targets by checking `has16BitInsts()`.
…87268) This is part of patches to port BBAddrMap to COFF. Introduce BBAddrMap.h and move BBAddrMap/PGOAnalysisMap type definitions out of ELFTypes.h.
This patch introduces the following reduction operators: spirv.Tosa.ReduceAll spirv.Tosa.ReduceAny spirv.Tosa.ReduceMax spirv.Tosa.ReduceMin spirv.Tosa.ReduceProduct spirv.Tosa.ReduceSum Also dialect and serialization round-trip tests have been added. Signed-off-by: Davide Grohmann <davide.grohmann@arm.com>
As detailed here: https://github.com/InstLatx64/InstLatX64_Demo/blob/master/GFNI_Demo.h These are a bit more complicated than gf2p8affine look ups, requiring us to convert a SHL shift value / amount into a GF so we can perform a multiplication. SRL/SRA need to be converted to SHL via bitreverse/variable-sign-extension. Followup to llvm#89115
…#184333) When rematerializing S_MOV_B64 or S_MOV_B64_IMM_PSEUDO and only a single 32-bit lane of the result is used at the remat point, emit S_MOV_B32 with the appropriate half of the 64-bit immediate instead. This reduces register pressure by defining a 32-bit register instead of a 64-bit pair when the other half is unused.
…lvm#186448) Extract intrinsic maps shared by the classic and CIR codegen into a new header, AArch64CodeGenUtils.h, which is reused by both. This keeps the implementations in sync and avoids code duplication. The maps are moved without modification. The accompanying code (e.g. `ARMVectorIntrinsicInfo`) is updated to follow Clang coding style (CamelCase instead of the camelCase used in CIR).
This patch introduces a new bitcast operation for integer, float, character, and logical. The main rational for it is that it is currently not possible to express such bitcast in FIR without going trough memory and there is a need to have some bitcast support when interfacing with the memref dialect where one cannot use fir.char<> and fir.logical and must use the underlying storage type. Using fir.convert is not a good idea because it is a semantic cast and it will for instance normalize integers when converting from/to logical. This could also be used to simplify the implementation of TRANSFER for the cases of simple scalars of those types. Assisted by: Claude
…64 (llvm#183932) When compiling a function that uses `x86_fp80` on x86_64 with x87 disabled (`-mattr=-x87`), LLVM crashes with a cryptic internal error. Fixes llvm#182450
Fixed a todo where empty tensor with cast fold can't fold encoding or attributes.
Remove some unused code in BOLT: - `RewriteInstance::linkRuntime` is declared but not defined - `BranchContext` typedef is never used - `FuncBranchData::getBranch` is defined but never used - `FuncBranchData::getDirectCallBranch` is defined but never used
…adowing-base-method (llvm#185741) (llvm#185875) This commit fixes a false positive in the derived-method-shadowin-base-method clang-tidy check, as described in [ticket 185741](llvm#185741) Fixes llvm#185741 --------- Co-authored-by: Tom James <tom.james@siemens.com> Co-authored-by: Zeyi Xu <mitchell.xu2@gmail.com>
The comment says there shouldn't be any free registers, so update the inline assembly to clobber all non-preserved SGPRs.
…m#187703) Many backends rely on TII reporting correct instruction sizes for MIR level branch relaxation passes. Reporting a too small size can result in MC fixup failures (or silent miscompiles for unvalidated fixups). Some time ago I added validation to the PPC asm printer to verify that the TII instruction size matches the actually emitted size. This was very helpful to systematically fix all incorrectly reported instruction sizes. However, the same problem also exists in lots of other backends, so this moves the validation into AsmPrinter, controlled by a new getInstSizeVerifyMode() hook in TII, which is disabled by default. The intention here is to gradually enable this validation for more backends (which requires fixing them first).
Check the elements directly for initialization state and keep track of whether we found a NUL byte.
…m#187948) Add additional "constrained" intrinsic ops. A rounding mode can be specified for these ops. Assisted by: claude-4.6-opus-high
This was failing in the float case without -cl-denorms-are-zero and failing for double. This now passes in all cases. This was originally ported from rocm device libs in 8db45e4. This is mostly a port in of more recent changes with a few changes. - Templatification, which almost but doesn't quite enable vectorization yet due to the outer branch and loop. - Merging of the 3 types into one shared code path, instead of duplicating per type with 3 different functions implemented together. There are only some slight differences for the half case, which mostly evaluates as float. - Splitting out of the is_odd tracking, instead of deriving it from the accumulated quotient. This costs an extra register, but saves several instructions. This also enables automatic elimination of all of the quo output handling when this code is reused for remainder. I'm guessing this would be unnecessary if SimplifyDemandedBits handled phis. - Removal of the slow FMA path. I don't see how this would ever be faster with the number of instructions replacing it. This is really a problem for the compiler to solve anyway.
(llvm#187999) This fixes conformance failures for double and without -cl-denorms-are-zero. Optimizations are able to eliminate the unusued quo handling without duplicating most of the code.
Changes are quite big but most of them is just copypasting and creating mocks.
This patch fixes lowering of _sys builtin, which used to lower into invalid MSR S1... instruction. This was fixed by adding new sys llvm intrinsic and proper lowering into sys instruction and its aliases. I also fixed the sema check for _sys, _ReadStatusRegister and _WriteStatusRegister builtins so they correctly capture invalid usecases.
…lvm#187843) Combine cases for `ORRWri`, `ORRXri`, `ANDXri` and `EORXri` in `AArch64ExpandPseudoImpl::expandMOVImm`, because these cases are handled with exactly the same code.
The function is mentioned in `Legalizer.rst` but has been missing. This also fixes the asymetry between `narrowScalarXXX()` that has both `narrowScalarFor()` and `narrowScalarIf()`, and `widenScalarXXX()` that only had `widenScalarIf()`.
This affects the behavior of SIPreEmitPeephole and AMDGPULowerVGPREncoding.
The attached test case otherwise results in a function with one jump op but no source info at all.
…versions (llvm#187711) We attempt to select `s_cvt_i32/u32_f32` where possible, with some considerations: * For `f64` default to `v_` instructions as there is no support for `f64` in SALU. * For `f16` to `i16` select `v_cvt_i16/u16_f16` which is consistent with non-saturating conversions behavior. However we could emit `s_cvt_f32_f16` followed by `s_cvt_i32/u32_f32` to keep the computation in SALU, as SALU does not have `s_cvt_i16_f16`. Happy to look into it if beneficial. * When it comes to clamping, ISel turns min and max sequence into `v_med3` with `v0` destination, whereas globalisel keeps min and max as `s_min` and `s_max` and then moves the result into `v0`, as lit tests expect the return value to be in `v0` in both cases. This is unrelated to this change but I thought it is worth highlighting.
…171144) Adding a generator into Perf2bolt is the initial step to support the large end-to-end tests for Arm SPE. This functionality proves unified format of pre-parsed profile that Perf2bolt is able to consume. Why does the test need to have a textual format SPE profile? * To collect an Arm SPE profile by Linux Perf, it needs to have an arm developer device which has SPE support. * To decode SPE data, it also needs to have the proper version of Linux Perf. * The minimum required version of Linux Perf is v6.15. Bypassing these technical difficulties, that easier to prove a pre-generated textual profile format. The generator relies on the aggregator work to spawn the required perf-script jobs based on the the aggregation type, and merges the results of the pref-script jobs into a single file. This hybrid profile will contain all required events such as BuildID, MMAP, TASK, BRSTACK, or MEM event for the aggregation. Two examples below how to generate a pre-parsed perf data as an input for ARM SPE aggregation: `perf2bolt -p perf.data BINARY -o perf.text --spe --generate-perf-script` Or for basic aggregation: `perf2bolt -p perf.data BINARY -o perf.text --ba --generate-perf-script`
Update isl to include https://repo.or.cz/isl.git/commit/ee3677039011f2f87f3630f8b2a004f9e4944a08 which fixes llvm#187216 Closes llvm#187216 Thanks @skimo-openhub for the fix and @thapgua for the bugreport.
20 participants
No description provided.