Bump codecov/codecov-action from 5 to 6 #88

Codecov Report: ✅ All modified and coverable lines are covered by tests.
cmeans left a comment:
QA Review — PR #88:
Single-line version bump of a GitHub Actions dependency. Change is a major version tag update — no logic changes.
- Diff: version tag only (@vN→@vN+1)
- Files: workflow YAML only
- CI: no failing checks
- No code, no runtime impact
Note for PRs #85-87: all three modify docker-publish.yml and will conflict after the first merge. Merge sequentially and rebase remaining.
Ready for QA Signoff.
Adding Ready for QA Signoff — dependabot version bump, workflow-only change, no failing checks.

@dependabot rebase
Force-pushed 52c29fe to e1aaa52
cmeans left a comment:
QA re-review: diff unchanged from prior review — version tag bump only, CI green. Ready for QA Signoff.
Adding Ready for QA Signoff — re-verified, same single-line version bump, CI green.
Force-pushed e1aaa52 to 5df2120

Force-pushed 5df2120 to 7c48072

@dependabot rebase
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5 to 6.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v5...v6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Force-pushed 7c48072 to 0d4c3dc
Addresses QA round-1 finding #1 on PR #333. The actually-merged mcp-clipboard PRs are:
- #88 (merged 2026-04-20T01:31:47Z) — original env-routing hardening. #87 does not exist in that repo.
- #92 (merged 2026-04-20T20:26:12Z) — comment-escape cascade. #90 was superseded and closed without merging.

No code change; CHANGELOG narrative only. PR body updated in parallel with the same corrections (including the pull_request / pull_request_target trigger correction for pr-labels.yml). Symmetric hardening follow-up for pr-labels.yml filed as #334 (P3, non-blocking).

Refs #332.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…on (#332) (#333)

Closes #332.

## Summary

`.github/workflows/pr-labels-ci.yml` on this repo was in the pre-`cmeans/mcp-clipboard#88` state for the sibling `cmeans/*` cascade: contributor-controlled `workflow_run` fields (`head_branch`, `id`, `repository`) were inlined directly as `${{ ... }}` expressions inside `run:` bodies. Git refnames allow shell metacharacters (`$`, backtick, `;`, `&`, `|`, etc.), so a malicious fork-PR branch name would render as directly-executed shell once GHA substituted the expression at queue time.

This PR cascades the hardening from `cmeans/mcp-clipboard`:

1. **#88 pattern — env routing.** All contributor-controlled values now flow through step-level `env:` blocks and are referenced as shell variables (`"$HEAD_BRANCH"`, `"$REPO"`, `"$RUN_ID"`). Job-level `if:` conditionals continue to use `${{ ... }}` (that expression context is safe — it's evaluated by GHA itself, not handed to a shell).
2. **#92 pattern — comment escape.** Comments inside `run:` blocks avoid any literal `${{ }}` sequence. GHA's queue-time parser substitutes expressions even inside shell `#` comments and rejects empty expressions with `An expression was expected` on `workflow_dispatch` / fresh-repo registration. Without this, the #88 hardening would have landed a latent trap.

Cascaded verbatim from `cmeans/mcp-clipboard`'s `.github/workflows/pr-labels-ci.yml` at the `main` HEAD after PR #92 merged (2026-04-20T20:26:12Z), preserving this repo's AGPL-3.0 header at lines 1–16. No functional behavior change — label transitions, PR lookup, force-push tolerance, and Dev Active skip logic are all byte-identical to before, just with shell values now arriving via environment instead of via text substitution.

## Scope

- `.github/workflows/pr-labels-ci.yml` — hardened (22 lines changed)
- `CHANGELOG.md` — `[Unreleased] → ### Security` entry

No source, tests, migrations, or docs.

## References

- Root diagnosis of the GHA parser quirk: [cmeans/yt-dont-recommend#28](cmeans/yt-dont-recommend#28)
- Original security hardening (merged): [cmeans/mcp-clipboard#88](cmeans/mcp-clipboard#88)
- Comment-escape cascade source (merged): [cmeans/mcp-clipboard#92](cmeans/mcp-clipboard#92)
- Follow-up for symmetric `pr-labels.yml` hardening (non-blocking, P3): [#334](#334)

## QA

### Prerequisites

Pure workflow-file change. No deploy, no env setup, no Python changes. All verification is static (`yq`/`python -c`, `grep`) plus an optional post-merge Actions UI smoke.

### Automated checks

The CHANGELOG check, ruff, mypy, pytest, Codecov — none of these touch the workflow file. They should all pass unchanged against `main`. Confirm via the green CI checks on this PR before approving.

### Manual tests

All local verification runs from the repo root on the PR branch (`fix/pr-labels-ci-hardening-332`).

1. - [x] **YAML parse is clean.**
   ```
   python3 -c "import yaml; yaml.safe_load(open('.github/workflows/pr-labels-ci.yml')); print('OK')"
   ```
   Expected: prints `OK`, exit 0. Confirms no syntax regression.
2. - [x] **No literal empty `${{ }}` anywhere in the file.**
   ```
   grep -n '\${{ }}' .github/workflows/pr-labels-ci.yml || echo "(none — good)"
   ```
   Expected: prints `(none — good)`. Guarantees the `#92` parser trap can't surface on `workflow_dispatch` / fresh-repo registration.
3. - [x] **No contributor-controlled field appears inside a `run:` body as an expression.**
   ```
   awk '/^ run: \|/,/^ - name:|^ [^ ]|^jobs:/' .github/workflows/pr-labels-ci.yml | grep -nE '\$\{\{ *github\.event\.workflow_run\.(head_branch|id) *\}\}' || echo "(none — good)"
   ```
   Expected: prints `(none — good)`. The only remaining `${{ github.event.workflow_run.head_branch }}` references are inside job-level `if:` conditionals (safe context, evaluated by GHA not a shell) and step-level `env:` assignments (safe by design — the whole point of the cascade).
4. - [x] **`env:` blocks route the three contributor-controlled fields.**
   ```
   grep -nE '^[[:space:]]+(REPO|RUN_ID|HEAD_BRANCH):' .github/workflows/pr-labels-ci.yml
   ```
   Expected: six lines total (three per job), each assigning from the matching `${{ github.event.workflow_run.* }}` / `${{ github.repository }}` expression.
5. - [x] **`workflows: [CI]` still matches the CI workflow name in this repo.**
   ```
   grep -A1 'workflows:' .github/workflows/pr-labels-ci.yml | head -3; grep '^name:' .github/workflows/ci.yml
   ```
   Expected: `workflows: [CI]` appears in this file AND `name: CI` appears in `.github/workflows/ci.yml`. Names match, so `workflow_run` will still fire on CI completion.
6. - [x] **AGPL header preserved.**
   ```
   sed -n '1,16p' .github/workflows/pr-labels-ci.yml
   ```
   Expected: lines 1–16 are the existing `mcp-awareness — ambient system awareness for AI agents` / `Copyright (C) 2026 Chris Means` / AGPLv3 preamble. Unchanged from `main`.
7. - [x] **Diff against `main` is hardening-only (no behavior drift).**
   ```
   git diff origin/main -- .github/workflows/pr-labels-ci.yml
   ```
   Expected: only adds `REPO:`, `RUN_ID:`, `HEAD_BRANCH:` to the two `env:` blocks, deletes the shell-level `REPO=${{...}}` / `HEAD_BRANCH=${{...}}` assignments, rewrites `API_OUT=...${{ ... }}/pull_requests` to `.../$RUN_ID/pull_requests`, and updates two comment blocks to avoid `${{ }}` literals. No changes to `if:` conditionals, `permissions`, `on:`, job names, label manipulation logic, or `exit 0` paths.
8. - [ ] **(Post-merge) Smoke the label automation end-to-end.** This workflow is `workflow_run`-triggered (no `workflow_dispatch`), so pre-merge dispatch isn't available. After merge, take any in-flight `Awaiting CI` PR and confirm the label transitions still happen on the next CI completion:
   - Watch `.github/workflows/pr-labels-ci.yml` runs at https://github.com/cmeans/mcp-awareness/actions/workflows/pr-labels-ci.yml
   - Expected on CI pass: `on-ci-pass` succeeds (~5 s), target PR moves `Awaiting CI → Ready for QA`.
   - Expected on CI fail: `on-ci-fail` succeeds, target PR gains `CI Failed`.

### Out of scope (explicitly)

- **`pr-labels.yml`** (the `on: pull_request:` sibling) is not in this PR. Its current trigger makes `secrets.GITHUB_TOKEN` read-only for fork PRs and the values it does inline into `run:` blocks today are all safe types (numeric, repo name, hex SHA), so no injection vector exists at the current configuration. Symmetric env-routing as defense-in-depth tracked in [#334](#334) (P3, non-blocking).
- **Adding `workflow_dispatch` to `pr-labels-ci.yml`** for post-merge verifiability. Not cascaded because mcp-clipboard doesn't have it either. Track separately if desired.

---------

Co-authored-by: cmeans-claude-dev[bot] <3223881+cmeans-claude-dev[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
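The #333 commit message above relies on two static checks: no contributor-controlled expression may appear inside a `run:` body (including its `#` comments, since GHA substitutes there too), and no empty `${{ }}` literal may appear anywhere in the file. What follows is an added example, not code from this PR or from the cmeans repositories: a dependency-free Python scanner that implements both checks for any workflow file by tracking `run:` block scalars through indentation, run over a constructed vulnerable/hardened pair of the same step. It generalizes the `workflow_run` fields named in the message: treating every `github.event.*` value and `github.head_ref` as untrusted inside a shell body is an assumption of this example, not a rule stated on the page.

```python
"""Static check for GitHub Actions expression injection inside run: bodies.

Added example (not the PR's or the cmeans/* repos' code). The sample
workflows at the bottom are constructed for this example.
"""
import re
import sys

# Assumption: expression roots a fork contributor can influence. The PR names
# the github.event.workflow_run fields; flagging every github.event.* value
# and github.head_ref inside a shell body is the conservative reading.
UNTRUSTED = re.compile(r"github\.(?:event\.|head_ref\b)")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")          # any ${{ ... }} expression
EMPTY_EXPR = re.compile(r"\$\{\{\s*\}\}")      # the #92 queue-time parser trap
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*?)\s*$")
BLOCK_SCALAR = re.compile(r"^[|>][-+0-9]*$")   # run: | / run: >- / etc.


def _check_run_text(lineno, text, findings):
    """Flag untrusted expressions in text GHA will substitute into a shell."""
    for m in EXPR.finditer(text):
        if UNTRUSTED.search(m.group(1)):
            findings.append((lineno, "untrusted-in-run", m.group(0)))


def scan_workflow(text):
    """Return (line, kind, snippet) tuples for every finding in a workflow."""
    findings = []
    block_col = None  # column of the `run` key whose block scalar we are in
    for lineno, line in enumerate(text.splitlines(), 1):
        # An empty expression is rejected at queue time anywhere in the file,
        # comments included, so check the whole line before anything else.
        if EMPTY_EXPR.search(line):
            findings.append((lineno, "empty-expression", line.strip()))
        indent = len(line) - len(line.lstrip(" "))
        if block_col is not None:
            if line.strip() == "" or indent > block_col:
                _check_run_text(lineno, line, findings)  # comments count too
                continue
            block_col = None  # dedent: the block scalar has ended
        m = RUN_KEY.match(line)
        if not m:
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        if BLOCK_SCALAR.match(m.group(3)):
            block_col = key_col
        else:
            _check_run_text(lineno, m.group(3), findings)  # inline run: cmd
    return findings


# Constructed sample: the pre-#88 shape, expressions inlined into the shell.
VULNERABLE = """\
on:
  workflow_run:
    workflows: [CI]
jobs:
  on-ci-pass:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Look up the PR for the finished run
        run: |
          # for ${{ github.event.workflow_run.head_branch }} (substituted even here)
          HEAD_BRANCH=${{ github.event.workflow_run.head_branch }}
          RUN_ID=${{ github.event.workflow_run.id }}
          echo "PR for $HEAD_BRANCH run $RUN_ID"
      - run: echo "done ${{ }}"
"""

# Constructed sample: the same step after env routing and comment escape.
HARDENED = """\
on:
  workflow_run:
    workflows: [CI]
jobs:
  on-ci-pass:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Look up the PR for the finished run
        env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
          RUN_ID: ${{ github.event.workflow_run.id }}
        run: |
          # values arrive through the environment, never via text substitution
          echo "PR for $HEAD_BRANCH run $RUN_ID"
      - run: echo "done"
"""


if __name__ == "__main__":
    # Usage: python check_run_injection.py .github/workflows/*.yml
    # With no arguments, scan the two embedded samples instead.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or \
        [("VULNERABLE", VULNERABLE), ("HARDENED", HARDENED)]
    for name, text in sources:
        for lineno, kind, snippet in scan_workflow(text):
            print(f"{name}:{lineno}: {kind}: {snippet}")
```

On the vulnerable sample the scanner reports the comment line, both shell assignments and the empty `${{ }}`; on the hardened sample it reports nothing, because the `if:` and `env:` expressions sit outside any `run:` body, which is exactly the distinction the commit message draws. The `awk` range in manual test 3 only matches one indentation level; the indentation tracker here handles `run:` keys at any depth, including `- run:` list items and inline (non-block) commands.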
Bumps codecov/codecov-action from 5 to 6.
Release notes
Sourced from codecov/codecov-action's releases.
... (truncated)
Changelog
Sourced from codecov/codecov-action's changelog.
... (truncated)
Commits
- 57e3a13 Th/6.0.0 (#1928)
- f67d33d Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0""
- ...