fix: address coderabbit findings - replace exec() with AST parse, gate summary on job.status, persist-credentials false

Amp-Thread-ID: https://ampcode.com/threads/T-019e042d-d972-7559-b462-6e838c2da164
Co-authored-by: Amp <amp@ampcode.com>
This commit is contained in:
Jedrzej Kosinski 2026-05-08 15:18:09 -07:00
parent 3566e6b6a6
commit a0a65f51bc


@ -127,18 +127,38 @@ jobs:
with: with:
ref: ${{ inputs.source_branch }} ref: ${{ inputs.source_branch }}
fetch-depth: 0 fetch-depth: 0
# Defense in depth: don't leave a usable git credential on disk
# for any code that runs against the checked-out branch.
persist-credentials: false
- name: Verify version files at source HEAD - name: Verify version files at source HEAD
env: env:
EXPECTED: ${{ steps.names.outputs.version }} EXPECTED: ${{ steps.names.outputs.version }}
run: | run: |
set -euo pipefail set -euo pipefail
# pyproject.toml is parsed with tomllib (safe — pure data, no code).
PYPROJECT_VERSION=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])") PYPROJECT_VERSION=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
if [ "$PYPROJECT_VERSION" != "$EXPECTED" ]; then if [ "$PYPROJECT_VERSION" != "$EXPECTED" ]; then
echo "::error::pyproject.toml version is '$PYPROJECT_VERSION' but expected '$EXPECTED'." echo "::error::pyproject.toml version is '$PYPROJECT_VERSION' but expected '$EXPECTED'."
exit 1 exit 1
fi fi
MODULE_VERSION=$(python3 -c "v={}; exec(open('comfyui_version.py').read(),v); print(v['__version__'])") # comfyui_version.py contains Python — never `exec()` it. A
# malicious candidate branch could replace it with arbitrary code
# that would then run in CI with RELEASE_BOT_TOKEN in scope.
# Statically parse the AST to extract __version__ instead.
MODULE_VERSION=$(python3 - <<'PY'
import ast, pathlib, sys
tree = ast.parse(pathlib.Path("comfyui_version.py").read_text(encoding="utf-8"))
for node in tree.body:
if isinstance(node, ast.Assign):
for target in node.targets:
if isinstance(target, ast.Name) and target.id == "__version__":
if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
print(node.value.value)
sys.exit(0)
sys.exit("Could not statically read __version__ from comfyui_version.py")
PY
)
if [ "$MODULE_VERSION" != "$EXPECTED" ]; then if [ "$MODULE_VERSION" != "$EXPECTED" ]; then
echo "::error::comfyui_version.py __version__ is '$MODULE_VERSION' but expected '$EXPECTED'." echo "::error::comfyui_version.py __version__ is '$MODULE_VERSION' but expected '$EXPECTED'."
exit 1 exit 1
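Review bot: The static reader in the `for node in tree.body` loop matches only `ast.Assign`, so an annotated form such as `__version__: str = "..."` would hit the "Could not statically read" exit even though the file is well-formed; accepting `ast.AnnAssign` too costs two lines, `if isinstance(node, (ast.Assign, ast.AnnAssign)):` and `targets = node.targets if isinstance(node, ast.Assign) else [node.target]`, with the inner loop iterating `targets`. The heredoc uses a quoted `'PY'` delimiter, so nothing from the shell environment is expanded into the Python source, which is the right choice when the file under inspection comes from an untrusted branch. Separately, `persist-credentials: false` means any later step that pushes the release branch or tag must supply its own token explicitly rather than relying on the checkout's stored credential; that step is outside this hunk, so it is worth confirming. The `uses: actions/checkout` line for this step also starts outside the hunk.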
@ -225,12 +245,15 @@ jobs:
env: env:
REL_BRANCH: ${{ steps.names.outputs.release_branch }} REL_BRANCH: ${{ steps.names.outputs.release_branch }}
TAG_NAME: ${{ steps.names.outputs.tag_name }} TAG_NAME: ${{ steps.names.outputs.tag_name }}
JOB_STATUS: ${{ job.status }}
run: | run: |
set -euo pipefail set -euo pipefail
{ {
echo "" echo ""
echo "### Result" echo "### Result"
if [ "$INPUT_DRY_RUN" = "true" ]; then if [ "$JOB_STATUS" != "success" ]; then
echo "❌ Workflow did not complete successfully (job status: \`$JOB_STATUS\`). See the run logs for details. No branch or tag should be assumed to have been created."
elif [ "$INPUT_DRY_RUN" = "true" ]; then
echo "🔍 **Dry run** — no branch or tag was created." echo "🔍 **Dry run** — no branch or tag was created."
else else
echo "✅ Created \`$REL_BRANCH\` and tagged \`$TAG_NAME\` from \`$INPUT_SOURCE_BRANCH\`." echo "✅ Created \`$REL_BRANCH\` and tagged \`$TAG_NAME\` from \`$INPUT_SOURCE_BRANCH\`."
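Review bot: The new `"$JOB_STATUS" != "success"` branch is only reachable if this step carries `if: always()` (or `${{ !cancelled() }}`); without it GitHub skips the step after an earlier failure and `job.status` is always `success` whenever it does run. The step's `if:` line is outside the hunk, so confirm it is set, and consider a comment above `JOB_STATUS: ${{ job.status }}` such as `# Only meaningful with if: always() on this step; values are success/failure/cancelled.` The failure message says no branch or tag "should be assumed" created, but if the branch and tag are pushed in separate steps (not visible here) a failure between them leaves the branch in place, so stating that partial state is possible, e.g. `...the release branch may exist without its tag; check before re-running.`, would be more accurate. The enclosing step (its `name:`/`if:` lines and the redirection closing the `{` group) extends outside the hunk.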