RTECO-1411 - Implement integration tests for Agent Plugins #3543
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| name: Agent Plugins Tests | ||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: | ||
| - "master" | ||
| # Triggers the workflow on PRs to master branch only. | ||
| pull_request: | ||
| branches: | ||
| - "master" | ||
| pull_request_target: | ||
| types: [labeled] | ||
| branches: | ||
| - "master" | ||
|
|
||
| # Ensures that only the latest commit is running for each PR at a time. | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| Agent-Plugins-Tests: | ||
| name: agent-plugins ${{ matrix.os.name }} | ||
| if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || github.event_name == 'pull_request' || contains(github.event.pull_request.labels.*.name, 'safe to test') | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| os: | ||
| - name: ubuntu | ||
| version: 24.04 | ||
| - name: windows | ||
| version: 2022 | ||
| runs-on: ${{ matrix.os.name }}-${{ matrix.os.version }} | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | ||
|
[CRITICAL] Checking out forked PR HEAD under When triggered by

Critical — Security: "pwn request" vulnerability
Fix options:
|
||
|
|
||
| - name: Setup FastCI | ||
| uses: jfrog-fastci/fastci@v1 | ||
| with: | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| fastci_otel_token: ${{ secrets.FASTCI_TOKEN }} | ||
|
|
||
| - name: Setup Go with cache | ||
| uses: jfrog/.github/actions/install-go-with-cache@main | ||
|
Minor — Unpinned
|
||
|
|
||
| - name: Install local Artifactory | ||
| uses: jfrog/.github/actions/install-local-artifactory@main | ||
| with: | ||
| RTLIC: ${{ secrets.RTLIC }} | ||
| RT_CONNECTION_TIMEOUT_SECONDS: ${{ env.RT_CONNECTION_TIMEOUT_SECONDS || '1200' }} | ||
|
|
||
| - name: Run agent plugins tests | ||
| run: go test -v github.com/jfrog/jfrog-cli --timeout 0 --test.agentPlugins | ||
|
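Review bot: no `permissions:` block is declared anywhere in this hunk, so the GITHUB_TOKEN handed to jfrog-fastci/fastci@v1 via `github_token: ${{ secrets.GITHUB_TOKEN }}` carries the repository's default token permissions, and on the `pull_request_target` trigger that is a token scoped to the base repository, with write access wherever the repository default is the permissive setting. Add a top-level `permissions: contents: read` and widen per job only where a step demonstrably needs more, so an over-privileged or compromised action cannot push to master. Separately, the `pull_request` trigger also runs this job for fork PRs, and GitHub supplies no repository secrets on those runs, so `RTLIC: ${{ secrets.RTLIC }}` resolves to an empty string there; either gate the secret-bearing steps on `github.event.pull_request.head.repo.full_name == github.repository` or skip the fork case explicitly so those failures are not mistaken for test regressions.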
[CRITICAL] If any test hangs (network stall, deadlock, missing prerequisite), the runner job blocks indefinitely and starves other PRs waiting for a runner slot. Suggested: Replace

Nit — If a test deadlocks or hangs on a network call, this job runs forever and requires manual cancellation. A generous but finite value (e.g.
||
[CRITICAL] Security: `pull_request_target` + forked HEAD checkout + secrets. This is the classic "pwn-request" attack vector.

`pull_request_target` runs with write permissions and exposes `RTLIC` and `FASTCI_TOKEN` to the workflow. Checking out the forked PR's HEAD SHA (line 38) means a malicious PR author can execute arbitrary code with access to those secrets. The `safe to test` label guard reduces but does not eliminate the risk — a maintainer applying the label without scrutinising every changed file still grants secret access.

Safe pattern: for `pull_request_target` events, always check out `github.sha` (the base branch), never the fork head SHA. Or use a repository-dispatch approach where a separate, secret-free job validates the label then triggers a dispatch event.
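A hardened version of the workflow under review, written here as an added example that is not the PR's file or any jfrog workflow. It keeps the same triggers and steps and applies the safe pattern the comment above describes: a least-privilege `permissions` block, a checkout that resolves to `github.sha` whenever the event is `pull_request_target`, and `persist-credentials: false` so the token is not left in `.git/config` for later steps to read. The `timeout-minutes` value is an assumption. Note the trade-off this pattern carries: on a labeled fork PR the secret-bearing job tests the base branch, not the fork's commits, which is exactly the gap the comment's repository-dispatch alternative exists to close.

```yaml
# Added example, not the PR's own file: same triggers and steps, with the checkout
# and the GITHUB_TOKEN permissions hardened as the review comment recommends.
name: Agent Plugins Tests
on:
  workflow_dispatch:
  push:
    branches:
      - "master"
  pull_request:
    branches:
      - "master"
  pull_request_target:
    types: [labeled]
    branches:
      - "master"

# Least privilege for GITHUB_TOKEN. Without this block a pull_request_target run
# receives the repository default, which can be a write token on the base repository.
permissions:
  contents: read

# Ensures that only the latest commit is running for each PR at a time.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  Agent-Plugins-Tests:
    name: agent-plugins ${{ matrix.os.name }}
    # The label gate only matters for pull_request_target; the other triggers are
    # either maintainer-initiated or run without repository secrets.
    if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'safe to test')
    # Assumed value: a finite bound so a hung test cannot hold the runner indefinitely.
    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
        os:
          - name: ubuntu
            version: 24.04
          - name: windows
            version: 2022
    runs-on: ${{ matrix.os.name }}-${{ matrix.os.version }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          # Weak (as submitted): ref: ${{ github.event.pull_request.head.sha || github.ref }}
          # Under pull_request_target, github.sha is the base-branch commit, so the fork's
          # commits never execute in the job that holds RTLIC and FASTCI_TOKEN. `&&` binds
          # tighter than `||` in GitHub expressions, so the fallback chain is preserved for
          # pull_request (head SHA) and push/workflow_dispatch (github.ref).
          ref: ${{ github.event_name == 'pull_request_target' && github.sha || github.event.pull_request.head.sha || github.ref }}
          # Do not leave the token in .git/config where test code could read it.
          persist-credentials: false

      - name: Setup FastCI
        uses: jfrog-fastci/fastci@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          fastci_otel_token: ${{ secrets.FASTCI_TOKEN }}

      - name: Setup Go with cache
        uses: jfrog/.github/actions/install-go-with-cache@main

      - name: Install local Artifactory
        uses: jfrog/.github/actions/install-local-artifactory@main
        with:
          RTLIC: ${{ secrets.RTLIC }}
          RT_CONNECTION_TIMEOUT_SECONDS: ${{ env.RT_CONNECTION_TIMEOUT_SECONDS || '1200' }}

      - name: Run agent plugins tests
        run: go test -v github.com/jfrog/jfrog-cli --timeout 0 --test.agentPlugins
```

The `@main` references on the two jfrog/.github actions are kept as they appear in the PR; pinning them to a commit SHA is the separate fix the "Unpinned" comment above asks for, and the job-level `timeout-minutes` is what makes the `--timeout 0` on the go test invocation tolerable, since the runner, not the test binary, now enforces the bound.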