fix CVE-2025-62518 #1935
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "**/*.rs" | |
| - "**/Cargo.toml" | |
| - Cargo.lock | |
| pull_request: | |
| paths: | |
| - "**/*.rs" | |
| - "**/Cargo.toml" | |
| - Cargo.lock | |
| - .github/workflows/ci.yml | |
| name: ci·rs | |
| concurrency: | |
| group: ci/rs/${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| fmt: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - run: cargo fmt --all -- --check | |
| clippy: | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - run: cargo clippy --all-features | |
| env: | |
| RUSTFLAGS: "-D warnings" | |
| test: | |
| needs: fmt | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - run: cargo test --all-features | |
| env: | |
| RUSTFLAGS: "-D warnings" | |
| coverage-unit: | |
| needs: fmt | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-tarpaulin | |
| - run: cargo tarpaulin -o lcov --output-dir coverage | |
| - uses: coverallsapp/github-action@v2 | |
| with: | |
| path-to-lcov: coverage/lcov.info | |
| parallel: true | |
| flag-name: ${{ matrix.os }}-unit | |
| coverage-integration: | |
| needs: fmt | |
| strategy: | |
| matrix: | |
| os: | |
| - ubuntu-latest | |
| - macos-latest | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: taiki-e/install-action@v2 | |
| with: | |
| tool: rustfilt | |
| - name: build | |
| run: | | |
| RUSTFLAGS="-C instrument-coverage" cargo build | |
| echo "$PWD/target/debug" >> $GITHUB_PATH | |
| # testing for installing multiple of the same thing at once is ok | |
| - run: pkgx +gnome.org/libxml2 & pkgx +gnome.org/libxml2 & pkgx +gnome.org/libxml2 | |
| # ^^ KEEP FIRST, IT MUST INSTALL | |
| - run: pkgx --help | |
| - run: pkgx --version | |
| - run: pkgx +git | |
| - run: pkgx +git --json | |
| - run: pkgx +git --json=v1 | |
| - run: pkgx +git --json=v2 | |
| - run: pkgx git --version | |
| - run: pkgx git@latest --version | |
| - run: pkgx --silent +git | |
| - run: pkgx --quiet +git | |
| - run: pkgx +git -- git --version # lib/utils.rs:find_program | |
| - run: pkgx --shellcode || true | |
| - run: pkgx -qq git --version | |
| - run: pkgx -s git --version | |
| - run: pkgx -j +git | |
| - run: pkgx git\* --version # test star constraints are valid | |
| - run: pkgx /usr/bin/awk --version | |
| - run: pkgx +yarnpkg.com yarn --version | |
| - run: pkgx +yarnpkg.com -- yarn --version | |
| # coverage for conflict error messages | |
| - run: "! pkgx yarn --version" | |
| # coverage for display-name resolution | |
| - run: pkgx -v +agg | |
| # testing we correctly handle +pkg syntax for pkgs with no env | |
| - run: pkgx +curl.se/ca-certs | |
| # regression test: cargo has deep deps on linux that exercise range intersection | |
| - run: pkgx +cargo | |
| - run: "! pkgx flubber-flubbles" # cmd not found machinery | |
| - run: "! pkgx --sync flubber-flubbles" # cmd not found machinery separate if branch | |
| # create a fork bomb, but since it’s via pkgx we prevent it | |
| - run: | | |
| echo '#!/bin/sh' > foo | |
| echo 'pkgx -- /bin/sh "$0"' >> foo | |
| chmod u+x foo | |
| if ./foo; then | |
| exit 1 | |
| fi | |
| # check that we update the pantry for unknown programs | |
| # this works by deleting the entry for git then forcing | |
| # pkgx to update the db, then trying to get git again | |
| - run: | | |
| set -x | |
| rm -rf ~/.pkgx | |
| rm -rf ~/.local/share/pkgx/pantry/projects/git-scm.org | |
| rm ~/.cache/pkgx/pantry.2.db | |
| pkgx curl --version | |
| test -f ~/.cache/pkgx/pantry.2.db | |
| test ! -d ~/.local/share/pkgx/pantry/projects/git-scm.org | |
| pkgx git --version | |
| test -d ~/.local/share/pkgx/pantry/projects/git-scm.org | |
| if: ${{ matrix.os == 'ubuntu-latest' }} | |
| # ^^ only on one platform as wasteful otherwise | |
| - run: | | |
| pkgx -Q hyperfine | |
| ! test -d ~/.pkgx/crates.io/hyperfine | |
| ! pkgx -Q flubber-flubber | |
| ! pkgx -Qqq flubber-flubber | |
| pkgx -Q | |
| - name: query --json | |
| run: | | |
| pkgx -Q --json=v2 git | pkgx jq -e '.[0].project == "git-scm.org"' | |
| pkgx -Q --json=v2 git | pkgx jq -e '.[0].programs | length > 0' | |
| pkgx -Q --json=v2 | pkgx jq -e 'length > 0' | |
| - name: query pkgspecs | |
| run: | | |
| pkgx -Q git-scm.org | grep -q git-scm.org | |
| pkgx -Q node git | grep -q nodejs.org | |
| ! pkgx -Q git-scm.org@99999 | |
| - name: test PKGX_NO_INSTALL | |
| run: | | |
| rm -r ~/.pkgx/stedolan.github.io/jq || true | |
| ! PKGX_NO_INSTALL=1 pkgx jq --version | |
| pkgx jq --version | |
| PKGX_NO_INSTALL=1 pkgx jq --version | |
| - run: if [ $(find ~/.pkgx -name .tmp\* -type d | wc -l) -gt 0 ]; then | |
| exit 1; | |
| fi | |
| - name: --shebang test 1 | |
| run: | | |
| echo "#!/usr/bin/env -S pkgx --shebang echo" > ./stub.sh | |
| chmod +x stub.sh | |
| test "$(./stub.sh hi)" = hi | |
| - name: --shebang test 2 | |
| run: test $(pkgx -q! echo fail hi) = hi | |
| - name: "@latest" | |
| run: | | |
| pkgx semverator eq $(pkgx krampus=0.2.0 --version) 0.2.0 | |
| pkgx semverator gt $(pkgx krampus@latest --version) 0.2.0 | |
| env: | |
| XDG_DATA_HOME: ${{ github.workspace }}/.data | |
| - name: PKGX_PANTRY_DIR | |
| run: | | |
| git clone https://github.com/pkgxdev/pantry | |
| pkgx hyperfine --version | |
| PKGX_PANTRY_DIR=pantry pkgx hyperfine --version | |
| env: | |
| PKGX_PANTRY_DIR: ${{ github.workspace }}/pantry | |
| PKGX_DIR: ${{ github.workspace }}/pkgx | |
| PKGX_DIST_URL: https://dist.pkgx.dev | |
| - name: --chdir | |
| run: | | |
| d=$(realpath $(mktemp -d)) | |
| test $(pwd) != $d | |
| test $(pkgx -C $d -- pwd) = $d | |
| test $(pkgx --chdir $d -- pwd) = $d | |
| - name: generate coverage | |
| run: | | |
| pkgx +llvm.org -- llvm-profdata merge -sparse $(find . -name default_\*.prof\*) -o default.profdata | |
| pkgx +llvm.org -- llvm-cov export \ | |
| ./target/debug/pkgx \ | |
| --format=lcov \ | |
| --ignore-filename-regex="$HOME/.cargo" \ | |
| --instr-profile=default.profdata \ | |
| -Xdemangler=rustfilt \ | |
| > lcov.info | |
| - uses: coverallsapp/github-action@v2 | |
| with: | |
| path-to-lcov: lcov.info | |
| parallel: true | |
| flag-name: ${{ matrix.os }}-integration | |
| upload-coverage: | |
| needs: [coverage-unit, coverage-integration] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: coverallsapp/github-action@v2 | |
| with: | |
| parallel-finished: true | |
| test-minimal-container: | |
| needs: fmt | |
| runs-on: ubuntu-latest | |
| container: debian:bullseye-slim | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - run: apt-get update && apt-get install -y curl make gcc perl | |
| - uses: dtolnay/rust-toolchain@stable | |
| - run: apt-get remove curl ca-certificates openssl --yes | |
| - run: cargo build | |
| - run: ./target/debug/pkgx +git |