Harden CI workflows and document stores against SAST findings#3539

Open
FahimaGold wants to merge 2 commits into
deepset-ai:mainfrom
edenai:fix_code_security_issues

Conversation

@FahimaGold

Address high-severity Bastion SAST findings:

  • gha-workflow-env-secret: move secrets out of workflow-level env: in 48 integration test workflows, scoping each to the step(s) that actually run integration tests. e2b uses job-level scoping so the secret stays available to the "Run integration tests" step's if: condition.
  • run-shell-injection (CI_pypi_release.yml): pass github.ref_name through an intermediate env var instead of interpolating it directly into run: scripts.
  • SQL/AQL injection (arangodb document_store.py): validate collection_name against an allowlist before interpolating it into AQL, mirroring the Oracle integration's identifier validation.
  • dependabot-missing-cooldown: raise cooldown default-days from 1 to 7.
  • uv-missing-dependency-cooldown: raise exclude-newer from 24 hours to 7 days.

Related Issues

  • fixes #issue-number

Proposed Changes:

How did you test it?

Notes for the reviewer

Checklist

Address high-severity Bastion SAST findings:

- gha-workflow-env-secret: move secrets out of workflow-level `env:` in 48
  integration test workflows, scoping each to the step(s) that actually run
  integration tests. e2b uses job-level scoping so the secret stays available
  to the "Run integration tests" step's `if:` condition.
- run-shell-injection (CI_pypi_release.yml): pass `github.ref_name` through an
  intermediate env var instead of interpolating it directly into `run:` scripts.
- SQL/AQL injection (arangodb document_store.py): validate `collection_name`
  against an allowlist before interpolating it into AQL, mirroring the Oracle
  integration's identifier validation.
- dependabot-missing-cooldown: raise cooldown `default-days` from 1 to 7.
- uv-missing-dependency-cooldown: raise `exclude-newer` from 24 hours to 7 days.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
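A small checker for the two workflow findings in the list above (a secret under workflow-level `env:`, and a `github.*` context interpolated into a `run:` script), added here as an example; it is not code from the PR or from the Bastion SAST tool, and the two sample workflows are constructed.

```python
import re
# Constructed samples (not from the PR): BAD shows both findings, GOOD the fixes
# the PR describes (secret scoped to the step, ref name passed via an env var).
BAD_WORKFLOW = """\
on: [push]
env:
  API_KEY: ${{ secrets.API_KEY }}
jobs:
  test:
    steps:
      - run: echo "Releasing ${{ github.ref_name }}"
"""
GOOD_WORKFLOW = """\
jobs:
  test:
    steps:
      - env:
          API_KEY: ${{ secrets.API_KEY }}
          REF_NAME: ${{ github.ref_name }}
        run: hatch run test "$REF_NAME"
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
GITHUB_CTX = re.compile(r"\$\{\{\s*github\.")
RUN_KEY = re.compile(r"(?:-\s+)?run:")


def scan_workflow(text):
    """Return (line_no, finding_id) pairs; indentation-based, so it assumes
    conventionally formatted workflow YAML rather than parsing it fully."""
    findings = []
    top_key = None     # current top-level key (env, jobs, ...)
    run_indent = None  # column of the `run` key while inside a run block
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if indent == 0:
            top_key = stripped.split(":", 1)[0]
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # a dedent ends a multi-line run block
        m = RUN_KEY.match(stripped)
        if m:
            run_indent = indent + m.end() - len("run:")
        if run_indent is not None and GITHUB_CTX.search(line):
            findings.append((no, "run-shell-injection"))
        if top_key == "env" and indent > 0 and SECRET_REF.search(line):
            findings.append((no, "gha-workflow-env-secret"))
    return findings
```

Job-level `env:` (the e2b case, where the secret must stay visible to a step's `if:`) is deliberately not flagged, since only the top-level `env:` block is checked.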
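The identifier allowlist for the ArangoDB finding, added here as an example rather than taken from the PR's `document_store.py`; the identifier rule in `_COLLECTION_NAME` is an assumption for the example, and `build_lookup_query`, `unsafe_lookup_query` and the query shape are hypothetical.

```python
import re
from typing import Iterable, Optional

# Assumed identifier rule for this example (not the project's own validation):
# start with a letter or underscore, then letters, digits, underscore or hyphen,
# up to 256 characters in total.
_COLLECTION_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,255}")


def validate_collection_name(name: str, allowed: Optional[Iterable[str]] = None) -> str:
    """Return `name` if it passes the allowlist, else raise ValueError.

    Two layers: a character allowlist (the identifier rule above) and, when
    `allowed` is given, an explicit set of collection names the store may use.
    """
    if not isinstance(name, str) or _COLLECTION_NAME.fullmatch(name) is None:
        raise ValueError(f"invalid collection name: {name!r}")
    if allowed is not None and name not in set(allowed):
        raise ValueError(f"collection not in allowlist: {name!r}")
    return name


def is_valid_collection_name(name, allowed=None) -> bool:
    """Boolean form of the check, convenient for tests and pre-flight checks."""
    try:
        validate_collection_name(name, allowed)
    except ValueError:
        return False
    return True


def build_lookup_query(collection_name: str, ids: list, allowed=None):
    """Hardened form: only the validated identifier is interpolated; the
    user-supplied values travel as the bind parameter @ids."""
    collection = validate_collection_name(collection_name, allowed)
    aql = f"FOR d IN {collection} FILTER d.id IN @ids RETURN d"
    return aql, {"ids": list(ids)}


def unsafe_lookup_query(collection_name: str, ids: list):
    """The pattern the SAST finding flags: the name goes straight into AQL,
    so anything after the first space becomes query text."""
    return f"FOR d IN {collection_name} FILTER d.id IN @ids RETURN d", {"ids": list(ids)}
```

AQL also accepts collection bind parameters (`@@collection`), which avoid interpolating the identifier at all; the allowlist above is the approach the PR describes.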
@FahimaGold FahimaGold requested a review from a team as a code owner July 2, 2026 17:05
@FahimaGold FahimaGold requested review from julian-risch and removed request for a team July 2, 2026 17:05
@CLAassistant

CLAassistant commented Jul 2, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ Fahima Mokhtari
❌ FahimaGold


Fahima Mokhtari seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (huggingface_api)

File                                                                                                  Statements  Missing  Coverage  Coverage (new stmts)  Lines missing
integrations/huggingface_api/src/haystack_integrations/components/rankers/huggingface_api/ranker.py
Project Total

This report was generated by python-coverage-comment-action

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (twelvelabs)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (e2b)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (mem0)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (firecrawl)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (paddleocr)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (amazon_bedrock)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (nvidia)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (fastembed)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (searchapi)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (whisper)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (lara)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (orcarouter)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (togetherai)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (cognee)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (dspy)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (anthropic)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (deepeval)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (watsonx)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (azure_ai_search)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (openrouter)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (cometapi)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (azure_doc_intelligence)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (mcp)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (google_genai)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (meta_llama)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (chonkie)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (ragas)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (optimum)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 2, 2026


Coverage report (llama_cpp)

This PR does not seem to contain any modification to coverable code.
