Skip to content

Address semgrep security issue in create_release_branch.yml workflow #416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
k0walik wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Address semgrep security issue in create_release_branch.yml workflow #416

k0walik wants to merge 5 commits into from
+15 −24

Conversation

@k0walik
Copy link

@k0walik k0walik commented Dec 19, 2025
edited
Loading

This pull request introduces two changes:

  • It updates download-artefact and upload-artefact actions to version v4. This change is necessary because Github Actions workflows (Continuous Integration and psi4) are failing due to the use of a deprecated version.
  • It addresses a semgrep issue in create_release_workflow.yml. Previously, using variable interpolation ${{…}} with github context data in a run: step could have allowed an attacker to inject their own code into the runner. To prevent this, we should use an intermediate environment variable with env: to store the data, and then use the environment variable in the run: script.

@k0walik
Address semgrep security issue in create_release_branch.yml workflow
2eaf9b2 
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner.  Instead, we should use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script.
@k0walik
Small tweaks to create_release_branch.yml
261dd8c
@k0walik
Update continuous_integration.yml
f90e130 
Bump `actions/upload-artifact` to version v4
@k0walik
Update continuous_integration.yml
a0b1890 
Bump version of `download-artifact` to v4
@k0walik
Update run_psi4_test.yml
2354f44 
Bump `download-artifact` and `upload-artifact` actions to v4.
@k0walik
Copy link
Author

k0walik commented Dec 19, 2025

@ValentinS4t1qbit, you may want to have a look why psi4 tests are failing. Quick look shows the computed and expected values are not the same.

alexfleury-sb
alexfleury-sb approved these changes Dec 19, 2025
View reviewed changes
Copy link
Collaborator

@alexfleury-sb alexfleury-sb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @k0walik, thanks for overlooking the security aspect of the repo.

The tests that are failing are related to H4, which we had problems in the past because of symmetry reasons (similar orbitals get ordered differently sometimes, which caused different energy output).

The fact that the python 3.9 test is passing, and the other ones don't tells me that maybe there were updates in the psi4 repo that changes the stochastic behaviour of the orbital ordering, and this update might not be available for older pythons. Since we haven't maintained this repo actively, I can't tell for sure if this is the problem.

The best course of actions for now would be to ignore these tests, as it requires some work to point the root cause.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexfleury-sb alexfleury-sb alexfleury-sb approved these changes

@ValentinS4t1qbit ValentinS4t1qbit Awaiting requested review from ValentinS4t1qbit ValentinS4t1qbit is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@k0walik @alexfleury-sb