From 2eaf9b2ec2e88aa36056cbf362d479a8c70d1bd1 Mon Sep 17 00:00:00 2001
From: Tomasz Wojno
Date: Fri, 19 Dec 2025 09:38:31 +0000
Subject: [PATCH 1/5] Address semgrep security issue in `create_release_branch.yml` workflow

Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. Instead, we should use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script.
---
.github/workflows/create_release_branch.yml | 27 +++++++--------------
1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/create_release_branch.yml b/.github/workflows/create_release_branch.yml
index cb5042794..d67633d79 100644
--- a/.github/workflows/create_release_branch.yml
+++ b/.github/workflows/create_release_branch.yml
@@ -3,47 +3,38 @@ on: workflow_dispatch: inputs: versionName: - description: 'Name of version (ie 5.5.0)' + description: 'Name of version (ie 5.5.0)' required: true jobs: createrelease: runs-on: ubuntu-latest - + env: + VERSION: ${{ github.event.inputs.versionName }} steps: - name: Check out code uses: actions/checkout@v2 - name: Create release branch - run: git checkout -b release/v${{ github.event.inputs.versionName }} + run: git checkout -b "release/v${VERSION}" - name: Initialize mandatory git config run: | git config user.name "GitHub Actions" git config user.email noreply@github.com - name: Change version number and name run: | - sed -i 's/__version__ = .*/__version__ = "${{ github.event.inputs.versionName }}"/' tangelo/_version.py + sed -i "s/__version__ = .*/__version__ = \"${VERSION}\"/" tangelo/_version.py git commit tangelo/_version.py --message "Bumping Tangelo version number in _version.py" -# - name: Update Changelog -# uses: thomaseizinger/keep-a-changelog-new-release@v1 -# with: -# version: ${{ github.event.inputs.versionName }} -# - name: Commit changelog and manifest files -# id: make-commit -# run: | -# git add CHANGELOG.md -# git commit --message "Prepare release ${{ github.event.inputs.versionName }}" -# echo "::set-output name=commit::$(git rev-parse HEAD)" - name: Push new branch - run: git push origin release/v${{ github.event.inputs.versionName }} + run: git push origin "release/v${VERSION}" - name: Create pull request into main uses: thomaseizinger/create-pull-request@1.0.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - head: release/v${{ github.event.inputs.versionName }} + head: release/v${{ env.VERSION }} base: main - title: New release v${{ github.event.inputs.versionName }} into main + title: New release v${{ env.VERSION }} into main reviewers: ${{ github.event.issue.user.login }} body: | - This PR was created in response to "create_release_branch" workflow running. 
+ This PR was created in response to \"create_release_branch\" workflow running. It automatically updated the version number. Don't forget to update CHANGELOGS.md, and then merge back main into develop after this PR goes through. For the review, only version bumping files are of interest, and making sure tests are passing.

From 261dd8c71f8c9e6c61deb8253ed5be148c4ef6d0 Mon Sep 17 00:00:00 2001
From: Tomasz Wojno
Date: Fri, 19 Dec 2025 09:40:01 +0000
Subject: [PATCH 2/5] Small tweaks to create_release_branch.yml

---
.github/workflows/create_release_branch.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/create_release_branch.yml b/.github/workflows/create_release_branch.yml
index d67633d79..b6579bb7e 100644
--- a/.github/workflows/create_release_branch.yml
+++ b/.github/workflows/create_release_branch.yml
@@ -34,7 +34,7 @@ jobs: title: New release v${{ env.VERSION }} into main reviewers: ${{ github.event.issue.user.login }} body: | - This PR was created in response to \"create_release_branch\" workflow running. + This PR was created in response to "create_release_branch" workflow running. It automatically updated the version number. Don't forget to update CHANGELOGS.md, and then merge back main into develop after this PR goes through. For the review, only version bumping files are of interest, and making sure tests are passing.

From f90e130da7141f54f9a31de9d2f1f6ff2a2a0244 Mon Sep 17 00:00:00 2001
From: Tomasz Wojno
Date: Fri, 19 Dec 2025 09:44:05 +0000
Subject: [PATCH 3/5] Update continuous_integration.yml

Bump `actions/upload-artifact` to version v4
---
.github/workflows/continuous_integration.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/continuous_integration.yml b/.github/workflows/continuous_integration.yml
index d9d3cc993..329027398 100755
--- a/.github/workflows/continuous_integration.yml
+++ b/.github/workflows/continuous_integration.yml
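Review bot: The `sed -i "s/__version__ = .*/__version__ = \"${VERSION}\"/" tangelo/_version.py` line in the "Change version number and name" step still splices VERSION into the sed program rather than passing it as data, so a value containing `/`, `&` or `\` is read by sed as part of its script even though the shell no longer expands it. A validation step run before the branch is created, rejecting anything that does not match the `5.5.0` shape the input description promises (widen the pattern if pre-release suffixes are in use), completes the env-var indirection and also covers the two `release/v${VERSION}` branch-name uses. Since `workflow_dispatch` inputs can only be supplied by someone permitted to run the workflow this is defence in depth rather than an open door, but it is cheap. Unrelated to this change, `reviewers: ${{ github.event.issue.user.login }}` presumably evaluates to empty on a `workflow_dispatch` event, which carries no `issue` payload — `github.actor` may be what was intended.
```yaml
        uses: actions/checkout@v2
      - name: Validate version input
        # VERSION is the workflow_dispatch input; refuse anything that is not a
        # plain dotted version before it reaches git or sed.
        run: |
          if ! [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "versionName must look like 5.5.0, got '${VERSION}'" >&2
            exit 1
          fi
      # … unchanged: remaining steps …
```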
@@ -89,19 +89,19 @@ jobs: if: always() - name: Upload nopyscf test results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tangelo-no-pyscf-test-results path: tangelo/toolboxes/molecular_computation/tests/junit/nopyscf-test-results_${{ matrix.python-version }}.xml - name: Upload pytest test results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tangelo-test-results path: tangelo/junit/tangelo-test-results_${{ matrix.python-version }}.xml - name: Upload pytest html results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tangelo-tests-coverage_${{ matrix.python-version }} path: tangelo/htmlcov

From a0b1890c0daf1ec41b2bbaead36287fcab5918d5 Mon Sep 17 00:00:00 2001
From: Tomasz Wojno
Date: Fri, 19 Dec 2025 09:45:12 +0000
Subject: [PATCH 4/5] Update continuous_integration.yml

Bump version of `download-artifact` to v4
---
.github/workflows/continuous_integration.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/continuous_integration.yml b/.github/workflows/continuous_integration.yml
index 329027398..bae527616 100755
--- a/.github/workflows/continuous_integration.yml
+++ b/.github/workflows/continuous_integration.yml
@@ -108,5 +108,5 @@ jobs: if: always() - name: Download all workflow run artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 if: always()

From 2354f4458c2f3f7763ebb039e9bd3d1ce21e4707 Mon Sep 17 00:00:00 2001
From: Tomasz Wojno
Date: Fri, 19 Dec 2025 09:46:57 +0000
Subject: [PATCH 5/5] Update run_psi4_test.yml

Bump `download-artifact` and `upload-artifact` actions to v4.
---
.github/workflows/run_psi4_test.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/run_psi4_test.yml b/.github/workflows/run_psi4_test.yml
index 7f2bf7b2b..eefd6b827 100755
--- a/.github/workflows/run_psi4_test.yml
+++ b/.github/workflows/run_psi4_test.yml
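Review bot: The artifact names `tangelo-no-pyscf-test-results` and `tangelo-test-results` in the first two upload steps will collide under `actions/upload-artifact@v4`, which, unlike v3, refuses a second upload to a name that already exists in the same run. Their `path` values carry `${{ matrix.python-version }}` while the names do not, so if this job runs in a python-version matrix (as the paths suggest; the matrix definition is outside the hunk) every entry after the first fails its upload; suffixing the names as the html step already does, e.g. `name: tangelo-no-pyscf-test-results_${{ matrix.python-version }}` and `name: tangelo-test-results_${{ matrix.python-version }}`, keeps them distinct. The nameless `download-artifact@v4` in PATCH 4/5 still fetches every artifact of the run into a per-artifact directory, so any later step that reads the old fixed directory names would need the matching rename. The two upload steps in PATCH 5/5 (`tangelo-psi4-test-results`, `tangelo-classical-psi4-test-results`) have the same shape and need the same suffix.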
@@ -64,17 +64,17 @@ jobs: if: always() - name: Upload psi4 test results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tangelo-psi4-test-results path: tangelo/toolboxes/molecular_computation/tests/junit/psi4-test-results_${{ matrix.python-version }}.xml - name: Upload classical psi4 test results - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: tangelo-classical-psi4-test-results path: tangelo/algorithms/classical/tests/junit/psi4-classical-test-results_${{ matrix.python-version }}.xml - name: Download all workflow run artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 if: always()