mirror of
https://github.com/github/awesome-copilot.git
synced 2026-05-30 10:31:47 +00:00
Fix skill-check command injection (#1869)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Aaron Powell
GitHub
@@ -58,45 +58,56 @@ jobs:
|
|||||||
- name: Detect changed skills and agents
|
- name: Detect changed skills and agents
|
||||||
id: detect
|
id: detect
|
||||||
run: |
|
run: |
|
||||||
CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
|
declare -A SEEN_SKILL_DIRS=()
|
||||||
|
declare -A SEEN_AGENT_FILES=()
|
||||||
|
SKILL_DIRS=()
|
||||||
|
AGENT_FILES=()
|
||||||
|
|
||||||
# Extract unique skill directories that were touched
|
while IFS= read -r -d '' file; do
|
||||||
SKILL_DIRS=$(echo "$CHANGED_FILES" | grep -oP '^skills/[^/]+' | sort -u || true)
|
case "$file" in
|
||||||
|
skills/*)
|
||||||
|
skill_dir="${file#skills/}"
|
||||||
|
skill_dir="skills/${skill_dir%%/*}"
|
||||||
|
if [ -d "$skill_dir" ] && [ -z "${SEEN_SKILL_DIRS[$skill_dir]+x}" ]; then
|
||||||
|
SEEN_SKILL_DIRS["$skill_dir"]=1
|
||||||
|
SKILL_DIRS+=("$skill_dir")
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
plugins/*/skills/*)
|
||||||
|
IFS='/' read -r seg1 seg2 seg3 seg4 _ <<< "$file"
|
||||||
|
skill_dir="$seg1/$seg2/$seg3/$seg4"
|
||||||
|
if [ -d "$skill_dir" ] && [ -z "${SEEN_SKILL_DIRS[$skill_dir]+x}" ]; then
|
||||||
|
SEEN_SKILL_DIRS["$skill_dir"]=1
|
||||||
|
SKILL_DIRS+=("$skill_dir")
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
# Extract agent files that were touched
|
case "$file" in
|
||||||
AGENT_FILES=$(echo "$CHANGED_FILES" | grep -oP '^agents/[^/]+\.agent\.md$' | sort -u || true)
|
agents/*.agent.md|plugins/*/agents/*.agent.md)
|
||||||
|
if [ -f "$file" ] && [ -z "${SEEN_AGENT_FILES[$file]+x}" ]; then
|
||||||
|
SEEN_AGENT_FILES["$file"]=1
|
||||||
|
AGENT_FILES+=("$file")
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done < <(git diff --name-only -z "origin/${{ github.base_ref }}...HEAD")
|
||||||
|
|
||||||
# Extract plugin skill directories
|
SKILL_COUNT=${#SKILL_DIRS[@]}
|
||||||
PLUGIN_SKILL_DIRS=$(echo "$CHANGED_FILES" | grep -oP '^plugins/[^/]+/skills/[^/]+' | sort -u || true)
|
AGENT_COUNT=${#AGENT_FILES[@]}
|
||||||
|
|
||||||
# Extract plugin agent files
|
|
||||||
PLUGIN_AGENT_FILES=$(echo "$CHANGED_FILES" | grep -oP '^plugins/[^/]+/agents/[^/]+\.agent\.md$' | sort -u || true)
|
|
||||||
|
|
||||||
# Build CLI arguments for --skills
|
|
||||||
SKILL_ARGS=""
|
|
||||||
for dir in $SKILL_DIRS $PLUGIN_SKILL_DIRS; do
|
|
||||||
if [ -d "$dir" ]; then
|
|
||||||
SKILL_ARGS="$SKILL_ARGS $dir"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Build CLI arguments for --agents
|
|
||||||
AGENT_ARGS=""
|
|
||||||
for f in $AGENT_FILES $PLUGIN_AGENT_FILES; do
|
|
||||||
if [ -f "$f" ]; then
|
|
||||||
AGENT_ARGS="$AGENT_ARGS $f"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
SKILL_COUNT=$(echo "$SKILL_ARGS" | xargs -n1 2>/dev/null | wc -l || echo 0)
|
|
||||||
AGENT_COUNT=$(echo "$AGENT_ARGS" | xargs -n1 2>/dev/null | wc -l || echo 0)
|
|
||||||
TOTAL=$((SKILL_COUNT + AGENT_COUNT))
|
TOTAL=$((SKILL_COUNT + AGENT_COUNT))
|
||||||
|
|
||||||
echo "skill_args=$SKILL_ARGS" >> "$GITHUB_OUTPUT"
|
{
|
||||||
echo "agent_args=$AGENT_ARGS" >> "$GITHUB_OUTPUT"
|
echo "total=$TOTAL"
|
||||||
echo "total=$TOTAL" >> "$GITHUB_OUTPUT"
|
echo "skill_count=$SKILL_COUNT"
|
||||||
echo "skill_count=$SKILL_COUNT" >> "$GITHUB_OUTPUT"
|
echo "agent_count=$AGENT_COUNT"
|
||||||
echo "agent_count=$AGENT_COUNT" >> "$GITHUB_OUTPUT"
|
echo "skill_dirs<<EOF"
|
||||||
|
printf '%s\n' "${SKILL_DIRS[@]}"
|
||||||
|
echo "EOF"
|
||||||
|
echo "agent_files<<EOF"
|
||||||
|
printf '%s\n' "${AGENT_FILES[@]}"
|
||||||
|
echo "EOF"
|
||||||
|
} >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
echo "Found $SKILL_COUNT skill dir(s) and $AGENT_COUNT agent file(s) to check."
|
echo "Found $SKILL_COUNT skill dir(s) and $AGENT_COUNT agent file(s) to check."
|
||||||
|
|
||||||
@@ -104,25 +115,42 @@ jobs:
|
|||||||
- name: Run skill-validator check
|
- name: Run skill-validator check
|
||||||
id: check
|
id: check
|
||||||
if: steps.detect.outputs.total != '0'
|
if: steps.detect.outputs.total != '0'
|
||||||
|
env:
|
||||||
|
SKILL_DIRS_RAW: ${{ steps.detect.outputs.skill_dirs }}
|
||||||
|
AGENT_FILES_RAW: ${{ steps.detect.outputs.agent_files }}
|
||||||
run: |
|
run: |
|
||||||
SKILL_ARGS="${{ steps.detect.outputs.skill_args }}"
|
SKILL_DIRS=()
|
||||||
AGENT_ARGS="${{ steps.detect.outputs.agent_args }}"
|
AGENT_FILES=()
|
||||||
|
|
||||||
CMD=".skill-validator/skill-validator check --verbose"
|
if [ -n "$SKILL_DIRS_RAW" ]; then
|
||||||
|
while IFS= read -r dir; do
|
||||||
if [ -n "$SKILL_ARGS" ]; then
|
[ -n "$dir" ] && SKILL_DIRS+=("$dir")
|
||||||
CMD="$CMD --skills $SKILL_ARGS"
|
done <<< "$SKILL_DIRS_RAW"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$AGENT_ARGS" ]; then
|
if [ -n "$AGENT_FILES_RAW" ]; then
|
||||||
CMD="$CMD --agents $AGENT_ARGS"
|
while IFS= read -r file; do
|
||||||
|
[ -n "$file" ] && AGENT_FILES+=("$file")
|
||||||
|
done <<< "$AGENT_FILES_RAW"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Running: $CMD"
|
CMD=(.skill-validator/skill-validator check --verbose)
|
||||||
|
|
||||||
|
if [ ${#SKILL_DIRS[@]} -gt 0 ]; then
|
||||||
|
CMD+=(--skills "${SKILL_DIRS[@]}")
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ${#AGENT_FILES[@]} -gt 0 ]; then
|
||||||
|
CMD+=(--agents "${AGENT_FILES[@]}")
|
||||||
|
fi
|
||||||
|
|
||||||
|
printf 'Running: '
|
||||||
|
printf '%q ' "${CMD[@]}"
|
||||||
|
echo
|
||||||
|
|
||||||
# Capture output; don't fail the workflow (warn-only mode)
|
# Capture output; don't fail the workflow (warn-only mode)
|
||||||
set +e
|
set +e
|
||||||
OUTPUT=$($CMD 2>&1)
|
OUTPUT=$("${CMD[@]}" 2>&1)
|
||||||
EXIT_CODE=$?
|
EXIT_CODE=$?
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user