[CLIENT-4350] Add runtime flag /RTC1 to raise an error when uninitialized read occurs#990
Conversation
…reter. This build will use /RTC1 to check for uninitialized reads.
…reter. This build will use /RTC1 to check for uninitialized reads.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ["self-hosted", "Windows", "X64"] | ||
| steps: | ||
| - name: Harden the runner (Audit all outbound calls) | ||
| uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Get tests and Github action scripts | ||
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | ||
| with: | ||
| ref: ${{ inputs.use_jfrog_builds && inputs.jfrog-build-version-to-test || github.sha }} | ||
|
|
||
| - run: Invoke-WebRequest -UseBasicParsing -Uri "https://raw.githubusercontent.com/pyenv-win/pyenv-win/master/pyenv-win/install-pyenv-win.ps1" -OutFile "./install-pyenv-win.ps1"; &"./install-pyenv-win.ps1" | ||
|
|
||
| - run: | | ||
| pyenv --version | ||
| pyenv install --debug 3.10 | ||
|
|
||
| - uses: ./.github/actions/run-ee-server | ||
| with: | ||
| registry-name: ${{ inputs.registry-name }} | ||
| registry-username: ${{ env.REGISTRY_USERNAME }} | ||
| registry-password: ${{ env.REGISTRY_PASSWORD }} | ||
| image-name: ${{ inputs.image-name }} | ||
| server-tag: ${{ inputs.server-tag }} | ||
| where-is-client-connecting-from: 'remote-connection' | ||
|
|
||
| - name: Install wheel | ||
| run: | | ||
| python3-dbg -m pip install build -c requirements.txt | ||
| python3-dbg -m pip -m build | ||
| python3-dbg -m pip install dist/*.whl | ||
|
|
||
| - name: Install test dependencies | ||
| run: python3-dbg -m pip install pytest -c requirements.txt | ||
| working-directory: test | ||
|
|
||
| - name: Run tests | ||
| run: python3-dbg -m pytest new_tests/ | ||
| working-directory: test |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
In general, to fix this issue you must explicitly declare a permissions: block in the workflow or in the specific job, restricting the GITHUB_TOKEN to the least privileges required (typically contents: read for workflows that only need to check out code). This overrides potentially broader repo/org defaults.
For this specific workflow, the simplest, non‑breaking fix is to add a root‑level permissions: block that applies to all jobs, immediately under the on: section. The job uses actions/checkout (which needs contents: read) but does not appear to need to write to the repository or manage issues, PRs, etc. Therefore contents: read is sufficient and safe. No changes are needed to steps or secrets usage; they are unaffected by the GITHUB_TOKEN scope.
Concretely, in .github/workflows/build-and-run-dev-tests-with-windows-python-dbg.yml, insert:
permissions:
contents: readbetween the trigger block (on: ...) and the jobs: key. No imports or additional methods are needed since this is a YAML configuration change only.
| @@ -3,6 +3,9 @@ | ||
| workflow_dispatch: | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| windows-python-dbg: | ||
| runs-on: ["self-hosted", "Windows", "X64"] |
| working-directory: test | ||
|
|
||
| windows-dbg: | ||
| uses: .github/workflows/build-and-run-dev-tests-with-windows-python-dbg.yml |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the problem is fixed by adding an explicit permissions: block to the workflow or to the specific job so that the GITHUB_TOKEN is limited to the minimum required scope, typically contents: read (and other read scopes if needed). This documents the workflow’s expectations and prevents accidental elevation if repository or organization defaults change.
For this specific workflow, the smallest, least intrusive fix is to add a permissions: block at the root level of .github/workflows/stage-tests.yml, right after the on: definition. That block will apply to all jobs that do not override permissions, including windows-dbg. Since the shown jobs only check out code, run tests, pull Docker images, and use reusable workflows, they only need read access to repository contents; write permissions are not required. Therefore, we can safely set permissions: contents: read globally. No imports or additional methods are needed because this is a YAML configuration change only.
Concretely, in .github/workflows/stage-tests.yml, add:
permissions:
contents: readimmediately after the on: block (after the workflow_call: configuration). This will satisfy CodeQL’s requirement and enforce least privilege for the GITHUB_TOKEN used by all jobs, including the windows-dbg job that reuses another workflow.
| @@ -41,6 +41,9 @@ | ||
| description: 'Test macOS x86 wheels (unstable)' | ||
|
|
||
| env: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| REGISTRY_USERNAME: ${{ inputs.registry-name == 'docker.io' && secrets.DOCKER_HUB_BOT_USERNAME || secrets.QE_DOCKER_REGISTRY_USERNAME }} | ||
| REGISTRY_PASSWORD: ${{ inputs.registry-name == 'docker.io' && secrets.DOCKER_HUB_BOT_PW || secrets.QE_DOCKER_REGISTRY_PASSWORD }} | ||
|
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## dev #990 +/- ##
=======================================
Coverage 83.48% 83.48%
=======================================
Files 99 99
Lines 14402 14402
=======================================
Hits 12024 12024
Misses 2378 2378 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
juliannguyen4
changed the title
juliannguyen4
changed the title
…re returning, but Start-Process does
…andalone installer is deprecated
…hat python_d.exe should be called instead..
…itten. Check out both repos side by side
…. If cloning aerospike-client-python in a different location than GITHUB_WORKSPACE, we have to set the working-directory for the entire run-ee-server action (it assumes cwd is aerospike-client-python)
… optimizations disabled, do the same for the python client.
…ing-admin-tests to build the client with the debug config
2 participants
No description provided.