From 8fa7b5519c8269d5458e87fac5e21903c8b41bba Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 14:54:15 +0000
Subject: [PATCH 1/2] Initial plan

From 5379c4d1e0b5abf36861c88f2700872dd72f3386 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 14:55:17 +0000
Subject: [PATCH 2/2] Add security comments to extra-args validation in setup-python-env action

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
---
 .github/actions/setup-python-env/action.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/actions/setup-python-env/action.yml b/.github/actions/setup-python-env/action.yml
index 8e764b5..f4ea0e5 100644
--- a/.github/actions/setup-python-env/action.yml
+++ b/.github/actions/setup-python-env/action.yml
@@ -35,6 +35,8 @@ runs:
 args="$args --group docs"
 fi
 if [[ -n "$EXTRA_ARGS" ]]; then
+ # Validate each whitespace-split token: must start with '-' and contain only safe flag characters.
+ # NOTE: '--' (end-of-options marker) is intentionally allowed; positional args would fail validation.
 for arg in $EXTRA_ARGS; do
 if [[ ! "$arg" =~ ^-[a-zA-Z0-9=._:/@+-]+$ ]]; then
 echo "::error::Unsafe extra-args token: '$arg'. Each token must start with '-' and contain only safe flag characters." >&2
@@ -42,5 +44,5 @@ runs:
 fi
 done
 fi
- # shellcheck disable=SC2086 # intentional word-splitting for uv flags
+ # shellcheck disable=SC2086 # intentional word-splitting for uv flags (all tokens validated above)
 uv sync $args $EXTRA_ARGS
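Review bot: The new comments overstate what the regex check establishes: "safe flag characters" includes `=`, `/`, `:` and `@`, so the check only keeps shell metacharacters and positional arguments out of the unquoted expansion; it does not restrict which uv options, index URLs or file paths a caller can pass, and the second hunk's "all tokens validated above" covers only `$EXTRA_ARGS`, not `$args` (built from literals as far as the hunk shows). I would make the first comment say so explicitly, e.g. `# Guards against shell metacharacters and positional args only; it does not restrict which uv options/values are passed.` One further gap worth a line in the same comment: because `$EXTRA_ARGS` is expanded unquoted in both `for arg in $EXTRA_ARGS` and `uv sync $args $EXTRA_ARGS`, pathname expansion runs before the regex sees each token, so a glob that happens to match a file in the checkout is validated and passed as the expanded names rather than the literal pattern; `set -f` before the `if [[ -n "$EXTRA_ARGS" ]]` line (restored with `set +f` after the `uv sync` call) would make the validated tokens exactly the ones uv receives. The enclosing `run:` script starts before and ends after these hunks.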