Develop#222
MOSIP-22861 Added template for send and verify OTP.
…es-in-arabic-language-make-sure-the-templates-are-in-well-structured-format fixed arabic templates placeholders issue
…es-in-arabic-language-make-sure-the-templates-are-in-well-structured-format Mosip 23967 update templates in arabic language make sure the templates are in well structured format
MOSIP-22865 Added template for service history table view.
MOSIP-22865 Added template for service history table view.
…ooter-content-in-the-pdf-of-all-the-downloadable-documents added mosip logo and other details
MOSIP-25438 corrected template for resident service.
MOSIP-24372 Corrected template for resident service ack api.
MOSIP-25463 Corrected template for service history pdf in resident service.
Create NOTICES.txt
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
Create NOTICE
| git branch | ||
| git add . | ||
| git commit -s -m "Added converted CSV files" || echo "No changes to commit" | ||
| git push "https://x-access-token:${{ secrets.ACTION_PAT }}@github.com/${{ github.event.pull_request.head.repo.full_name }}.git" HEAD:${{ github.event.pull_request.head.ref }} |
Check failure
Code scanning / CodeQL
Code injection Critical
Copilot Autofix
AI 18 days ago
Use GitHub’s recommended safe pattern: assign untrusted context values to environment variables in the step, then reference them via shell variables (e.g., "$PR_HEAD_REF"), not ${{ ... }} inside the script body.
For this workflow, the best minimal fix is in .github/workflows/xlsx-to-csv.yml, step “Commit and push changes” (lines 73–80):
- Add env: entries for:
    PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
    PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
    ACTION_PAT: ${{ secrets.ACTION_PAT }}
- Update line 80 to use shell vars:
git push "https://x-access-token:${ACTION_PAT}@github.com/${PR_HEAD_REPO}.git" "HEAD:${PR_HEAD_REF}"
This keeps functionality unchanged while removing direct expression interpolation from the shell command and properly quoting the refspec argument.
| @@ -72,9 +72,13 @@ | ||
|
|
||
| - name: Commit and push changes | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| env: | ||
| ACTION_PAT: ${{ secrets.ACTION_PAT }} | ||
| PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }} | ||
| PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} | ||
| run: | | ||
| cd mosip-data | ||
| git branch | ||
| git add . | ||
| git commit -s -m "Added converted CSV files" || echo "No changes to commit" | ||
| git push "https://x-access-token:${{ secrets.ACTION_PAT }}@github.com/${{ github.event.pull_request.head.repo.full_name }}.git" HEAD:${{ github.event.pull_request.head.ref }} | ||
| git push "https://x-access-token:${ACTION_PAT}@github.com/${PR_HEAD_REPO}.git" "HEAD:${PR_HEAD_REF}" |
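Review bot: the quoted "HEAD:${PR_HEAD_REF}" and the env-sourced PR_HEAD_REPO close the expression injection on the push line, but ${ACTION_PAT} is still spliced into the remote URL on the git command line, so the token sits in the runner's process list for the duration of the push; prefer handing it to git through a credential helper or a `git -c http.extraheader=...` option and keep the URL itself free of secrets. The `git branch` on the line above produces only diagnostic output and can be dropped from the step.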
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
license folder
* Create NOTICE
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Delete licenses directory
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Added converted CSV files
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Delete licenses directory
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
* Add files via upload
  Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
---------
Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
Signed-off-by: Nidhi0201 <nidhi.k@cyberpwn.com>
Signed-off-by: NidhiKumari0201 <nidhi.k@cyberpwn.com>
…ySchema [MOSIP-43633] packetCreatedOn added in identity_schema (release-1.3x)
* [MOSIP-32075]: Updated Templates for PMS
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
* Added converted CSV files
  Signed-off-by: chetankh239 <chetankumar.h.239@gmail.com>
* [MOSIP-32075]: Updated Templates for PMS
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
* Added converted CSV files
  Signed-off-by: chetankh239 <chetankumar.h.239@gmail.com>
* [MOSIP-32075]: Updated Templates for PMS
  Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
* Added converted CSV files
  Signed-off-by: chetankh239 <chetankumar.h.239@gmail.com>
---------
Signed-off-by: Chetan Kumar Hirematha <chetankumar.h.239@gmail.com>
Signed-off-by: chetankh239 <chetankumar.h.239@gmail.com>
Signed-off-by: GOKULRAJ136 <110164849+GOKULRAJ136@users.noreply.github.com>
Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com>
#404 fixed push-trigger.yml according to dynamic db changes
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v2 | ||
| - name: Create Docker Network | ||
| run: docker network create mosip_network | ||
| - name: Setup PostgreSQL Container | ||
| run: | | ||
| echo "[DB] Starting PostgreSQL container..." | ||
| docker run -d \ | ||
| --name postgresql \ | ||
| --network mosip_network \ | ||
| -p 5432:5432 \ | ||
| -e POSTGRES_USER=postgres \ | ||
| -e POSTGRES_PASSWORD=${{ env.SU_USER_PWD }} \ | ||
| -e POSTGRES_HOST_AUTH_METHOD=trust \ | ||
| postgres:16 | ||
| echo "[DB] PostgreSQL container started." | ||
|
|
||
| - name: Wait for PostgreSQL to be ready | ||
| run: | | ||
| echo "[DB] Waiting for PostgreSQL to accept connections..." | ||
| for i in $(seq 1 30); do | ||
| if docker exec postgresql pg_isready -U postgres -q; then | ||
| echo "[DB] PostgreSQL is ready after ${i} attempt(s)." | ||
| break | ||
| fi | ||
| echo "[DB] Attempt $i/30 - not ready yet, retrying in 2s..." | ||
| sleep 2 | ||
| done | ||
| docker exec postgresql pg_isready -U postgres || \ | ||
| (echo "[DB] ERROR: PostgreSQL did not become ready in time." && exit 1) | ||
|
|
||
| - name: Initialise mosip_master DB | ||
| run: | | ||
| echo "[DB] Starting mosip_master_container (postgres-init)..." | ||
| docker run -itd \ | ||
| --name mosip_master_container \ | ||
| --network mosip_network \ | ||
| -e MOSIP_DB_NAME=mosip_master \ | ||
| -e DB_SERVERIP=postgresql \ | ||
| -e DB_PORT=5432 \ | ||
| -e DEFAULT_DB_NAME=postgres \ | ||
| -e DB_UNAME=masteruser \ | ||
| -e DB_SCRIPTS_DIR=mosip_master \ | ||
| -e SU_USER=postgres \ | ||
| -e DML_FLAG=1 \ | ||
| -e GIT_REPO_URL=https://github.com/mosip/admin-services.git \ | ||
| -e GIT_BRANCH=develop \ | ||
| -e SU_USER_PWD=${{ env.SU_USER_PWD }} \ | ||
| -e DBUSER_PWD=${{ env.DBUSER_PWD }} \ | ||
| mosipdev/postgres-init:develop | ||
| echo "[DB] mosip_master_container launched." | ||
|
|
||
| - name: docker ps command | ||
| run: docker ps -a | ||
|
|
||
| - name: Stream mosip_master_container logs | ||
| run: | | ||
| echo "[DB] Streaming mosip_master_container logs (live)..." | ||
| docker logs -f mosip_master_container | ||
| echo "[DB] mosip_master_container has exited." | ||
|
|
||
| - name: Verify mosip_master_container exit code | ||
| run: | | ||
| EXIT_CODE=$(docker inspect mosip_master_container --format='{{.State.ExitCode}}') | ||
| echo "[DB] mosip_master_container exit code: $EXIT_CODE" | ||
| if [ "$EXIT_CODE" != "0" ]; then | ||
| echo "[DB] ERROR: mosip_master_container exited with non-zero code $EXIT_CODE" | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Check whether db_init has errors in Logs | ||
| run: | | ||
| echo "[DB] Scanning mosip_master_container logs for errors..." | ||
| if docker logs mosip_master_container 2>&1 | grep -qiE "\berror\b|\bfatal\b"; then | ||
| echo "[DB] ERROR: Problem keywords found in mosip_master_container logs:" | ||
| docker logs mosip_master_container 2>&1 | grep -iE "\berror\b|\bfatal\b" | ||
| exit 1 | ||
| else | ||
| echo "[DB] No errors found in mosip_master_container logs." | ||
| fi | ||
|
|
||
| - name: Verify masteruser role exists | ||
| run: | | ||
| echo "[DB] Verifying masteruser role exists in PostgreSQL..." | ||
| ROLE=$(docker exec postgresql psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname='masteruser';") | ||
| if [ "$ROLE" = "masteruser" ]; then | ||
| echo "[DB] masteruser role confirmed." | ||
| else | ||
| echo "[DB] ERROR: masteruser role not found. DB init may have failed." | ||
| echo "[DB] Existing roles:" | ||
| docker exec postgresql psql -U postgres -c "\du" | ||
| exit 1 | ||
| fi | ||
|
|
||
|
|
||
| - name: Set environment variables | ||
| run: | | ||
| if [ "${{ github.event_name }}" = "pull_request" ]; then | ||
| REPO_URL="${{ github.event.pull_request.head.repo.clone_url }}" | ||
| BRANCH_NAME="${{ github.event.pull_request.head.ref }}" | ||
| else | ||
| REPO_URL="https://github.com/${{ github.repository }}.git" | ||
| BRANCH_NAME="${{ github.ref_name }}" | ||
| fi | ||
| echo "REPO_URL=${REPO_URL}" >> $GITHUB_ENV | ||
| echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV | ||
|
|
||
| - name: Run masterdata-loader | ||
| run: | | ||
| docker run -itd \ | ||
| --name masterdata_loader \ | ||
| --network mosip_network \ | ||
| -e DB_HOST=postgresql \ | ||
| -e DB_USER=masteruser \ | ||
| -e DB_PORT=5432 \ | ||
| -e DB_PWD=${{ env.DBUSER_PWD }} \ | ||
| -e REPOSITORY=${{ env.REPO_URL }}\ | ||
| -e BRANCH=${{ env.BRANCH_NAME }} \ | ||
| mosipdev/masterdata-loader:develop | ||
|
|
||
| - name: docker ps command | ||
| run: docker ps -a | ||
| - name: Print Logs of masterdata_loader | ||
| run: | | ||
| # Display masterdata_loader logs | ||
| docker logs -f masterdata_loader | ||
|
|
||
| - name: Check whether masterdata_loader has errors in Logs | ||
| run: | | ||
| echo "[DB] Scanning masterdata_loader logs for errors..." | ||
| if docker logs masterdata_loader 2>&1 | grep -qiE "\berror\b|\bfatal\b"; then | ||
| echo "[DB] ERROR: Problem keywords found in masterdata_loader logs:" | ||
| docker logs masterdata_loader 2>&1 | grep -iE "\berror\b|\bfatal\b" | ||
| exit 1 | ||
| else | ||
| echo "[DB] No errors found in masterdata_loader logs." | ||
| fi |
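Review bot: the "Set environment variables" step interpolates ${{ github.event.pull_request.head.repo.clone_url }} and ${{ github.event.pull_request.head.ref }} directly into the shell (REPO_URL="...", BRANCH_NAME="..."), which is the same pattern CodeQL flags in xlsx-to-csv.yml; put both into env: and assign from quoted "$VAR" shell variables, and quote the ${{ env.REPO_URL }} / ${{ env.BRANCH_NAME }} arguments in the masterdata-loader docker run line, where the missing space before the `\` after ${{ env.REPO_URL }} only works because the next line is indented. Separately, the PostgreSQL container is started with -e POSTGRES_HOST_AUTH_METHOD=trust and -p 5432:5432, so SU_USER_PWD is never checked and the database accepts any connection reaching the runner's port; drop trust (the init and loader containers reach it over mosip_network with credentials anyway) or at least stop publishing the port.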
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 25 days ago
Add an explicit permissions block in .github/workflows/push-trigger.yml at the workflow root (top-level), so it applies to all jobs unless overridden.
The least-privilege fix for this workflow is:
permissions:
  contents: read
This preserves existing behavior (checkout still works) while ensuring the token is not implicitly overprivileged.
| @@ -15,6 +15,8 @@ | ||
| - develop | ||
| - 1.2.0.1 | ||
| - MOSIP* | ||
| permissions: | ||
| contents: read | ||
| env: | ||
| DBUSER_PWD: mosip123 | ||
| SU_USER_PWD: abc123 |
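Review bot: contents: read at the workflow root is the right scope for this job, which only checks out and then talks to containers it starts itself. With the token locked down, the hard-coded DBUSER_PWD: mosip123 and SU_USER_PWD: abc123 in env: are the only credentials left in the file; they only protect throwaway CI containers, so either say so in a comment next to them or generate them per run, so they are never mistaken for values to reuse in a real deployment.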
Signed-off-by: Gokulraj C <110164849+GOKULRAJ136@users.noreply.github.com>
Fixes #1830 Merge v1.3.2-rc.1 into develop for mosip-data
Signed-off-by: Abhishek S <127825992+abhishek8shankar@users.noreply.github.com>
…ts (#407)
* Security vulnerabilities and runtime bugs fix upgrade scripts
  Signed-off-by: GOKULRAJ136 <110164849+GOKULRAJ136@users.noreply.github.com>
* Update data-uploader.py
  Signed-off-by: GOKULRAJ136 <110164849+GOKULRAJ136@users.noreply.github.com>
* Update data-uploader.py
  Signed-off-by: GOKULRAJ136 <110164849+GOKULRAJ136@users.noreply.github.com>
---------
Signed-off-by: GOKULRAJ136 <110164849+GOKULRAJ136@users.noreply.github.com>
[MOSIP-44260] Update xlsx-to-csv.yml
| - name: Clone the repository | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| git clone -b ${{ github.event.pull_request.head.ref }} https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git |
Check failure
Code scanning / CodeQL
Code injection Critical
Copilot Autofix
AI 18 days ago
Use GitHub Actions’ safe pattern for untrusted input in run steps:
- Put ${{ github.* }} values that may be attacker-controlled into env: entries.
- In the shell script, use "$VAR" (native shell variable expansion), not ${{ env.VAR }} inside run.
- Quote all variable usages in commands.
Best minimal fix in .github/workflows/xlsx-to-csv.yml:
- In the Clone the repository step, add env variables for:
    PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
    PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
- Replace line 36 command to use these env vars:
git clone -b "$PR_HEAD_REF" "https://github.com/$PR_HEAD_REPO.git"
This preserves behavior while preventing expression-time injection in shell script text.
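The env:-then-"$VAR" pattern described in this autofix (and in the earlier one for the push step) is easy to check for mechanically. The script below is an added example, not code from this PR or the mosip-data project: it scans workflow text for ${{ }} expressions over pull-request-author-controlled contexts that land directly inside a run: script, and ignores the same expressions under env:. The UNTRUSTED context list and the sample WORKFLOW are constructed for the example; the sample mirrors the clone step from this PR in its flagged and its hardened form.

```python
import re

# Contexts a pull-request author can set (branch and fork names, titles, bodies,
# commit messages and author fields). Constructed for the example, not exhaustive.
UNTRUSTED = re.compile(
    r"github\.(head_ref"
    r"|event\.(pull_request\.(head\.(ref|repo\.(clone_url|full_name))|title|body)"
    r"|issue\.(title|body)|comment\.body"
    r"|commits\[[^\]]*\]\.(message|author\.(name|email))"
    r"|head_commit\.(message|author\.(name|email))))"
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_unsafe_run_expressions(workflow_text):
    """Return (line_no, expression) for each untrusted ${{ }} context expanded
    inside a run: script. Values under env:/with: are not reported: there they
    reach the shell as data. Taint via $GITHUB_ENV (${{ env.X }}) is not tracked."""
    findings = []
    block_indent = None  # indent of the open `run: |` key, None outside one
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None and stripped and indent <= block_indent:
            block_indent = None  # a dedent closes the literal block
        in_run = block_indent is not None
        key = stripped[2:] if stripped.startswith("- ") else stripped
        m = re.match(r"run:\s*(.*)$", key)
        if m and block_indent is None:
            if m.group(1) in ("|", "|-", ">", ">-"):
                block_indent = indent
                continue
            in_run = True  # single-line `run: cmd ...`
        if in_run:
            findings.extend((no, e) for e in EXPR.findall(line) if UNTRUSTED.search(e))
    return findings


# Constructed sample: the clone step from this PR as flagged, then the env: fix.
WORKFLOW = """\
jobs:
  convert:
    runs-on: ubuntu-latest
    steps:
      - name: Clone the repository (flagged form)
        run: |
          git clone -b ${{ github.event.pull_request.head.ref }} https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git
      - name: Clone the repository (hardened form)
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          git clone -b "$PR_HEAD_REF" "https://github.com/$PR_HEAD_REPO.git"
"""
```

Running find_unsafe_run_expressions(WORKFLOW) reports only the two expressions on the flagged clone line; the hardened step's env: entries are not reported.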
| @@ -32,8 +32,11 @@ | ||
|
|
||
| - name: Clone the repository | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| env: | ||
| PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} | ||
| PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }} | ||
| run: | | ||
| git clone -b ${{ github.event.pull_request.head.ref }} https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git | ||
| git clone -b "$PR_HEAD_REF" "https://github.com/$PR_HEAD_REPO.git" | ||
|
|
||
| - name: Get author email | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' |
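Review bot: the if: condition also admits workflow_dispatch, and on that event github.event.pull_request is absent, so PR_HEAD_REF and PR_HEAD_REPO expand to empty strings and the step runs git clone -b "" "https://github.com/.git", which fails; fall back to github.repository and github.ref_name when the event is not pull_request, as the "Set environment variables" step in push-trigger.yml does. The quoting itself is right: the branch name and the fork name now reach git as single arguments and are never re-parsed by the shell.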
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check for xlsx changes | ||
| id: check_xlsx | ||
| run: | | ||
| PR_NUMBER=${{ github.event.number }} | ||
| FILES=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | ||
| -H "Accept: application/vnd.github.v3+json" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER/files") | ||
| XLSX_CHANGED=$(echo "$FILES" | jq '[.[].filename | select(endswith(".xlsx"))] | length') | ||
| echo "xlsx_changed=$XLSX_CHANGED" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: Skip if no xlsx changes | ||
| if: steps.check_xlsx.outputs.xlsx_changed == '0' && github.event_name != 'workflow_dispatch' | ||
| run: | | ||
| echo "No xlsx files changed. Skipping workflow." | ||
| exit 0 | ||
|
|
||
| - name: Clone the repository | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| git clone -b ${{ github.event.pull_request.head.ref }} https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git | ||
|
|
||
| - name: Get author email | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| PR_NUMBER=${{ github.event.number }} | ||
| commits=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | ||
| -H "Accept: application/vnd.github.v3+json" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER/commits") | ||
| email=$(echo "$commits" | jq -r '.[0].commit.author.email // "${{ github.event.pull_request.user.login }}@users.noreply.github.com"') | ||
| echo "author_email=$email" >> $GITHUB_ENV | ||
|
|
||
| - name: Set up Git identity | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| git config --global user.name "${{ github.event.pull_request.user.login }}" | ||
| git config --global user.email "${{ env.author_email }}" | ||
|
|
||
| - name: Install xlsx2csv | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: sudo apt-get install -y xlsx2csv | ||
|
|
||
| - name: Create output directory | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| rm -rf mosip-data/mosip_master_csv/csv | ||
| mkdir -p mosip-data/mosip_master_csv/csv | ||
|
|
||
| - name: Convert all XLSX to CSV | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| for xlsx_file in mosip-data/mosip_master/xlsx/*.xlsx; do | ||
| csv_file="mosip-data/mosip_master_csv/csv/$(basename "${xlsx_file%.xlsx}.csv")" | ||
| xlsx2csv "$xlsx_file" > "$csv_file" | ||
| echo "Converted $xlsx_file to $csv_file" | ||
| done | ||
|
|
||
| - name: Commit and push changes | ||
| if: steps.check_xlsx.outputs.xlsx_changed != '0' || github.event_name == 'workflow_dispatch' | ||
| run: | | ||
| cd mosip-data | ||
| git branch | ||
| git add . | ||
| git commit -s -m "Added converted CSV files" || echo "No changes to commit" | ||
| git push "https://x-access-token:${{ secrets.ACTION_PAT }}@github.com/${{ github.event.pull_request.head.repo.full_name }}.git" HEAD:${{ github.event.pull_request.head.ref }} |
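Review bot: the two lines CodeQL flags are not the only ${{ }} interpolations inside run: in this job. The same pattern appears with github.event.number in "Check for xlsx changes" and "Get author email", with github.event.pull_request.user.login inside the jq program and in git config --global user.name, and with ${{ env.author_email }}, whose value is the author email of the PR's first commit and is therefore chosen by whoever authored that commit. Move each into env: and reference it as a quoted "$VAR" so none of them is re-parsed by bash or by jq; for author_email, read it back as "$author_email" rather than ${{ env.author_email }}. On workflow_dispatch, github.event.number is empty, so the first step requests /pulls//files and xlsx_changed is not a number; the later steps only work on that event because their if: condition short-circuits on github.event_name.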
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 18 days ago
Add an explicit permissions block in .github/workflows/xlsx-to-csv.yml at the workflow root (best here since there is one job), setting only the minimum needed for this workflow’s GITHUB_TOKEN usage.
Best minimal, non-functional-change fix:
- Add:
    contents: read (for repository metadata access)
    pull-requests: read (for PR files/commits API reads)
This preserves existing behavior because writes are done through ACTION_PAT, not GITHUB_TOKEN.
| @@ -10,6 +10,10 @@ | ||
| default: 'Triggered for Updates' | ||
| type: string | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
||
| jobs: | ||
| convert_xlsx_to_csv: | ||
| runs-on: ubuntu-latest |
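Review bot: contents: read and pull-requests: read match what GITHUB_TOKEN is actually used for in this workflow (the /pulls/.../files and /pulls/.../commits reads), and since the push goes through ACTION_PAT the token needs no write scope. Check that ACTION_PAT itself is a fine-grained token limited to contents: write on this repository, otherwise the least-privilege gain from this block is undone by the PAT sitting next to it.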
No description provided.