chore: ci/cd workflow improvements and fixes#6127
Conversation
|
ACTION NEEDED The PR title and description are used as the merge commit message. Please update your PR title and description to match the specification. For details on the error please inspect the "PR Title Check" action. |
Code ReviewGood security hygiene PR overall. SHA-pinning GHA actions, tightening author association checks, fixing the tar path traversal (CVE-2007-4559), and escaping SQL-like filter strings are all solid improvements. P0: Missed SQL filter escape in delete_from_manifest The PR escapes object_id in manifest_contains_object, query_manifest_for_table, query_manifest_for_namespace, and the starts_with check in drop_namespace but misses delete_from_manifest at line 905 in rust/lance-namespace-impls/src/dir/manifest.rs. This is the same injection pattern and should get the same single-quote escaping treatment. Arguably more critical since it is a DELETE operation. Minor: upload-artifact v3 to v4 bump in benchmarks.yml The benchmarks.yml change pins the SHA but also bumps from upload-artifact v3 to v4. v4 has breaking changes (e.g. requires unique artifact names, different merge behavior). This should work fine here since artifact names are unique per matrix entry, but worth a sanity check that the consuming workflow still downloads correctly. Generated with Claude Code |
esteban
changed the title
|
Thank you for working on this! Especially thank you the effort to pin github actions. But this PR seems to mix different changes inside the same PR. This can make this PR hard to review and cherry pick. Would you like to split them into different PRs? |
|
Approve after offline discussion. |
- Pin GitHub Actions to immutable SHA digests - Tighten workflow permissions and authorization checks - Improve input validation in build scripts and namespace queries - Replace unsafe download patterns Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
esteban
force-pushed
the
chore/gha-updates-2026-03-07
branch
from
e079aaf to
671874d
Compare
|
FAILED python/tests/test_integration.py::test_duckdb_pushdown_extension_types - _duckdb.Error: DeprecationWarning: fetch_arrow_table() is deprecated, use to_arrow_table() instead. I think it's because duckdb has a new release. |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
2 participants
Summary
🤖 Generated with Claude Code