carverauto/serviceradar

Fork 0

fix: security #3004

Merged

mfreeman451 merged 1 commit from refs/pull/3004/head into staging

2026-03-02 03:28:41 +00:00

mfreeman451 commented

2026-03-02 03:19:33 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #2977
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2977
Original created: 2026-03-02T03:19:33Z
Original updated: 2026-03-02T03:28:43Z
Original head: carverauto/serviceradar:2976-security-fix-e2e-testingyml
Original base: staging
Original merged: 2026-03-02T03:28:41Z by @mfreeman451

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

Imported from GitHub pull request. Original GitHub pull request: #2977 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/2977 Original created: 2026-03-02T03:19:33Z Original updated: 2026-03-02T03:28:43Z Original head: carverauto/serviceradar:2976-security-fix-e2e-testingyml Original base: staging Original merged: 2026-03-02T03:28:41Z by @mfreeman451 --- ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test?

qodo-code-review[bot] commented

2026-03-02 03:19:43 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2977#issuecomment-3981788600
Original created: 2026-03-02T03:19:43Z

Review Summary by Qodo

Secure GitHub Actions workflow with environment variables

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Refactor GitHub Actions workflow to use environment variables
• Replace direct context interpolation with safer env variable references
• Improve shell script security by avoiding direct GitHub context injection

Diagram

flowchart LR
  A["GitHub Context Variables"] -- "Extract to env" --> B["Environment Variables"]
  B -- "Reference in script" --> C["Shell Script Execution"]
  C -- "Safer execution" --> D["Reduced injection risk"]

File Changes

1. .github/workflows/e2e-tests.yml Security +6/-3

Secure workflow with environment variable extraction

• Extract GitHub context variables into environment variables in the env section
• Replace direct ${{ }} context interpolation with ${VAR} environment variable references
• Update conditional checks to use environment variables instead of inline context injection
• Improve security posture by reducing direct GitHub context exposure in shell scripts

.github/workflows/e2e-tests.yml

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2977#issuecomment-3981788600 Original created: 2026-03-02T03:19:43Z --- <h3>Review Summary by Qodo</h3> Secure GitHub Actions workflow with environment variables <code>🐞 Bug fix</code> <code>✨ Enhancement</code> <img src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg" height="10%" alt="Grey Divider"> <h3>Walkthroughs</h3> <details open> <summary>Description</summary> <br/> <pre> • Refactor GitHub Actions workflow to use environment variables • Replace direct context interpolation with safer env variable references • Improve shell script security by avoiding direct GitHub context injection </pre> </details> <details> <summary>Diagram</summary> <br/> > ```mermaid flowchart LR A["GitHub Context Variables"] -- "Extract to env" --> B["Environment Variables"] B -- "Reference in script" --> C["Shell Script Execution"] C -- "Safer execution" --> D["Reduced injection risk"] ``` </details> <img src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg" height="10%" alt="Grey Divider"> <h3>File Changes</h3> <details> <summary>1. .github/workflows/e2e-tests.yml <code> Security </code> <code> +6/-3 </code> </summary> <br/> >Secure workflow with environment variable extraction ><pre> >• Extract GitHub context variables into environment variables in the <b><i>env</i></b> section >• Replace direct <b><i>${{ }}</i></b> context interpolation with <b><i>${VAR}</i></b> environment variable references >• Update conditional checks to use environment variables instead of inline context injection >• Improve security posture by reducing direct GitHub context exposure in shell scripts ></pre> > ><a href='https://github.com/carverauto/serviceradar/pull/2977/files#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3'> .github/workflows/e2e-tests.yml </a> <hr/> </details> <img src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg" height="10%" alt="Grey Divider"> <a href="https://www.qodo.ai"><img src="https://www.qodo.ai/wp-content/uploads/2025/03/qodo-logo.svg" width="80" alt="Qodo Logo"></a>

qodo-code-review[bot] commented

2026-03-02 03:19:44 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2977#issuecomment-3981788649
Original created: 2026-03-02T03:19:44Z

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) Grey Divider

Great, no issues found!

Qodo reviewed your code and found no material issues that require review Grey Divider

ⓘ The new review experience is currently in Beta. Learn more

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2977#issuecomment-3981788649 Original created: 2026-03-02T03:19:44Z --- <h3>Code Review by Qodo</h3> <code>🐞 Bugs (0)</code> <code>📘 Rule violations (0)</code> <code>📎 Requirement gaps (0)</code> <img src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg" height="10%" alt="Grey Divider"> <img src="https://www.qodo.ai/wp-content/uploads/2025/06/qodo-anteater.svg" width="25%"> <h3>Great, no issues found!</h3> Qodo reviewed your code and found no material issues that require review <img src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg" height="10%" alt="Grey Divider"> <pre>ⓘ The new review experience is currently in Beta. <a href="https://docs.qodo.ai/qodo-documentation/code-review">Learn more</a></pre> <img src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg" height="10%" alt="Grey Divider">  <a href="https://www.qodo.ai"><img src="https://www.qodo.ai/wp-content/uploads/2025/03/qodo-logo.svg" width="80" alt="Qodo Logo"></a>

qodo-code-review[bot] commented

2026-03-02 03:20:53 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2977#issuecomment-3981791442
Original created: 2026-03-02T03:20:53Z

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: build

Failed stage: Configure SRQL fixture database for tests [❌]

Failed test name: ""

Failure summary:

The action failed because a required secret/env var for the test setup was missing:
- The job exited
with code 1 after printing SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL
fixture TLS. (log lines 707-708). The environment shows SRQL_TEST_DATABASE_CA_CERT: is empty, so the
workflow intentionally aborts when the CA cert is not provided.

Additional issue observed during post-job cleanup (not the primary failure):
- git submodule foreach
--recursive ... failed with fatal: No url found for submodule path
swift/FieldSurvey/LocalPackages/arrow-swift in .gitmodules (log line 718), producing a warning with
exit code 128.

Relevant error logs:

1:  Runner name: 'arc-runner-set-hk6mk-runner-tvgc5'
2:  Runner group name: 'Default'
...

139:  ^[[36;1mif command -v apt-get >/dev/null 2>&1; then^[[0m
140:  ^[[36;1m  sudo apt-get update^[[0m
141:  ^[[36;1m  sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison^[[0m
142:  ^[[36;1melif command -v dnf >/dev/null 2>&1; then^[[0m
143:  ^[[36;1m  sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
144:  ^[[36;1melif command -v yum >/dev/null 2>&1; then^[[0m
145:  ^[[36;1m  sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
146:  ^[[36;1melif command -v microdnf >/dev/null 2>&1; then^[[0m
147:  ^[[36;1m  sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
148:  ^[[36;1melse^[[0m
149:  ^[[36;1m  echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2^[[0m
150:  ^[[36;1m  exit 1^[[0m
151:  ^[[36;1mfi^[[0m
152:  ^[[36;1m^[[0m
153:  ^[[36;1mensure_pkg_config^[[0m
154:  ^[[36;1mprotoc --version || (echo "protoc installation failed" && exit 1)^[[0m
155:  shell: /usr/bin/bash -e {0}
...

387:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
388:  env:
389:  BUILDBUDDY_ORG_API_KEY: ***
390:  SRQL_TEST_DATABASE_URL: ***
391:  SRQL_TEST_ADMIN_URL: ***
392:  SRQL_TEST_DATABASE_CA_CERT: 
393:  DOCKERHUB_USERNAME: ***
394:  DOCKERHUB_TOKEN: ***
395:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
396:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
397:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
398:  ##[endgroup]
399:  ##[group]Run : install rustup if needed
400:  ^[[36;1m: install rustup if needed^[[0m
401:  ^[[36;1mif ! command -v rustup &>/dev/null; then^[[0m
402:  ^[[36;1m  curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y^[[0m
403:  ^[[36;1m  echo "$CARGO_HOME/bin" >> $GITHUB_PATH^[[0m
...

543:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
544:  env:
545:  BUILDBUDDY_ORG_API_KEY: ***
546:  SRQL_TEST_DATABASE_URL: ***
547:  SRQL_TEST_ADMIN_URL: ***
548:  SRQL_TEST_DATABASE_CA_CERT: 
549:  DOCKERHUB_USERNAME: ***
550:  DOCKERHUB_TOKEN: ***
551:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
552:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
553:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
554:  CARGO_HOME: /home/runner/.cargo
555:  CARGO_INCREMENTAL: 0
556:  CARGO_TERM_COLOR: always
557:  ##[endgroup]
558:  ##[group]Run : work around spurious network errors in curl 8.0
559:  ^[[36;1m: work around spurious network errors in curl 8.0^[[0m
560:  ^[[36;1m# https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation^[[0m
...

611:  SRQL_TEST_DATABASE_CA_CERT: 
612:  DOCKERHUB_USERNAME: ***
613:  DOCKERHUB_TOKEN: ***
614:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
615:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
616:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
617:  CARGO_HOME: /home/runner/.cargo
618:  CARGO_INCREMENTAL: 0
619:  CARGO_TERM_COLOR: always
620:  ##[endgroup]
621:  Attempting to download 1.x...
622:  Acquiring v1.28.1 from https://github.com/bazelbuild/bazelisk/releases/download/v1.28.1/bazelisk-linux-amd64
623:  Adding to the cache ...
624:  Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.28.1/x64
625:  Added bazelisk to the path
626:  ##[warning]Failed to restore: Cache service responded with 400
627:  Restored bazelisk cache dir @ /home/runner/.cache/bazelisk
...

693:  env:
694:  BUILDBUDDY_ORG_API_KEY: ***
695:  SRQL_TEST_DATABASE_URL: ***
696:  SRQL_TEST_ADMIN_URL: ***
697:  SRQL_TEST_DATABASE_CA_CERT: 
698:  DOCKERHUB_USERNAME: ***
699:  DOCKERHUB_TOKEN: ***
700:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
701:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
702:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
703:  CARGO_HOME: /home/runner/.cargo
704:  CARGO_INCREMENTAL: 0
705:  CARGO_TERM_COLOR: always
706:  ##[endgroup]
707:  SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.
708:  ##[error]Process completed with exit code 1.
709:  Post job cleanup.
710:  [command]/usr/bin/git version
711:  git version 2.52.0
712:  Temporarily overriding HOME='/home/runner/_work/_temp/a2bdf1ca-ceaa-4b62-b6f4-d2d3d3423bac' before making global git config changes
713:  Adding repository directory to the temporary git global config as a safe directory
714:  [command]/usr/bin/git config --global --add safe.directory /home/runner/_work/serviceradar/serviceradar
715:  Removing SSH command configuration
716:  [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
717:  [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
718:  fatal: No url found for submodule path 'swift/FieldSurvey/LocalPackages/arrow-swift' in .gitmodules
719:  ##[warning]The process '/usr/bin/git' failed with exit code 128
720:  Cleaning up orphan processes

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2977#issuecomment-3981791442 Original created: 2026-03-02T03:20:53Z --- ## CI Feedback 🧐 A test triggered by this PR failed. Here is an AI-generated analysis of the failure: <table><tr><td> **Action:** build</td></tr> <tr><td> **Failed stage:** [Configure SRQL fixture database for tests](https://github.com/carverauto/serviceradar/actions/runs/22559980236/job/65344529516) [❌] </td></tr> <tr><td> **Failed test name:** "" </td></tr> <tr><td> **Failure summary:** The action failed because a required secret/env var for the test setup was missing:<br> - The job exited <br>with code 1 after printing <code>SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL </code><br><code>fixture TLS.</code> (log lines 707-708). The environment shows <code>SRQL_TEST_DATABASE_CA_CERT:</code> is empty, so the <br>workflow intentionally aborts when the CA cert is not provided.<br> <br> Additional issue observed during post-job cleanup (not the primary failure):<br> - <code>git submodule foreach </code><br><code>--recursive ...</code> failed with <code>fatal: No url found for submodule path </code><br><code></code>swift/FieldSurvey/LocalPackages/arrow-swift<code> in .gitmodules</code> (log line 718), producing a warning with <br>exit code 128.<br> </td></tr> <tr><td> <details><summary>Relevant error logs:</summary> ```yaml 1: Runner name: 'arc-runner-set-hk6mk-runner-tvgc5' 2: Runner group name: 'Default' ... 139: ^[[36;1mif command -v apt-get >/dev/null 2>&1; then^[[0m 140: ^[[36;1m sudo apt-get update^[[0m 141: ^[[36;1m sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison^[[0m 142: ^[[36;1melif command -v dnf >/dev/null 2>&1; then^[[0m 143: ^[[36;1m sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 144: ^[[36;1melif command -v yum >/dev/null 2>&1; then^[[0m 145: ^[[36;1m sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 146: ^[[36;1melif command -v microdnf >/dev/null 2>&1; then^[[0m 147: ^[[36;1m sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 148: ^[[36;1melse^[[0m 149: ^[[36;1m echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2^[[0m 150: ^[[36;1m exit 1^[[0m 151: ^[[36;1mfi^[[0m 152: ^[[36;1m^[[0m 153: ^[[36;1mensure_pkg_config^[[0m 154: ^[[36;1mprotoc --version || (echo "protoc installation failed" && exit 1)^[[0m 155: shell: /usr/bin/bash -e {0} ... 387: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 388: env: 389: BUILDBUDDY_ORG_API_KEY: *** 390: SRQL_TEST_DATABASE_URL: *** 391: SRQL_TEST_ADMIN_URL: *** 392: SRQL_TEST_DATABASE_CA_CERT: 393: DOCKERHUB_USERNAME: *** 394: DOCKERHUB_TOKEN: *** 395: TEST_CNPG_DATABASE: serviceradar_web_ng_test 396: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 397: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 398: ##[endgroup] 399: ##[group]Run : install rustup if needed 400: ^[[36;1m: install rustup if needed^[[0m 401: ^[[36;1mif ! command -v rustup &>/dev/null; then^[[0m 402: ^[[36;1m curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y^[[0m 403: ^[[36;1m echo "$CARGO_HOME/bin" >> $GITHUB_PATH^[[0m ... 543: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 544: env: 545: BUILDBUDDY_ORG_API_KEY: *** 546: SRQL_TEST_DATABASE_URL: *** 547: SRQL_TEST_ADMIN_URL: *** 548: SRQL_TEST_DATABASE_CA_CERT: 549: DOCKERHUB_USERNAME: *** 550: DOCKERHUB_TOKEN: *** 551: TEST_CNPG_DATABASE: serviceradar_web_ng_test 552: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 553: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 554: CARGO_HOME: /home/runner/.cargo 555: CARGO_INCREMENTAL: 0 556: CARGO_TERM_COLOR: always 557: ##[endgroup] 558: ##[group]Run : work around spurious network errors in curl 8.0 559: ^[[36;1m: work around spurious network errors in curl 8.0^[[0m 560: ^[[36;1m# https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation^[[0m ... 611: SRQL_TEST_DATABASE_CA_CERT: 612: DOCKERHUB_USERNAME: *** 613: DOCKERHUB_TOKEN: *** 614: TEST_CNPG_DATABASE: serviceradar_web_ng_test 615: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 616: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 617: CARGO_HOME: /home/runner/.cargo 618: CARGO_INCREMENTAL: 0 619: CARGO_TERM_COLOR: always 620: ##[endgroup] 621: Attempting to download 1.x... 622: Acquiring v1.28.1 from https://github.com/bazelbuild/bazelisk/releases/download/v1.28.1/bazelisk-linux-amd64 623: Adding to the cache ... 624: Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.28.1/x64 625: Added bazelisk to the path 626: ##[warning]Failed to restore: Cache service responded with 400 627: Restored bazelisk cache dir @ /home/runner/.cache/bazelisk ... 693: env: 694: BUILDBUDDY_ORG_API_KEY: *** 695: SRQL_TEST_DATABASE_URL: *** 696: SRQL_TEST_ADMIN_URL: *** 697: SRQL_TEST_DATABASE_CA_CERT: 698: DOCKERHUB_USERNAME: *** 699: DOCKERHUB_TOKEN: *** 700: TEST_CNPG_DATABASE: serviceradar_web_ng_test 701: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 702: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 703: CARGO_HOME: /home/runner/.cargo 704: CARGO_INCREMENTAL: 0 705: CARGO_TERM_COLOR: always 706: ##[endgroup] 707: SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS. 708: ##[error]Process completed with exit code 1. 709: Post job cleanup. 710: [command]/usr/bin/git version 711: git version 2.52.0 712: Temporarily overriding HOME='/home/runner/_work/_temp/a2bdf1ca-ceaa-4b62-b6f4-d2d3d3423bac' before making global git config changes 713: Adding repository directory to the temporary git global config as a safe directory 714: [command]/usr/bin/git config --global --add safe.directory /home/runner/_work/serviceradar/serviceradar 715: Removing SSH command configuration 716: [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand 717: [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :" 718: fatal: No url found for submodule path 'swift/FieldSurvey/LocalPackages/arrow-swift' in .gitmodules 719: ##[warning]The process '/usr/bin/git' failed with exit code 128 720: Cleaning up orphan processes ``` </details></td></tr></table>