From: David Galloway Date: Wed, 17 Dec 2025 22:47:06 +0000 (-0500) Subject: Fix GHSA-p433-fp4g-pc2c X-Git-Tag: testing/wip-pdonnell-testing-20260108.183402~37^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=15c829a37f5a4a4614ddf0a30c5d915feb1ed2fb;p=ceph-ci.git Fix GHSA-p433-fp4g-pc2c https://github.com/ceph/ceph/security/advisories/GHSA-p433-fp4g-pc2c Signed-off-by: David Galloway --- diff --git a/.github/workflows/diff-ceph-config.yml b/.github/workflows/diff-ceph-config.yml index cf3656a8c46..55f7cfaa88d 100644 --- a/.github/workflows/diff-ceph-config.yml +++ b/.github/workflows/diff-ceph-config.yml @@ -1,4 +1,5 @@ name: Check ceph config changes + on: pull_request_target: types: @@ -7,18 +8,26 @@ on: - edited - reopened -# The following permissions are needed to write a comment to repo permissions: - issues: write - contents: read - pull-requests: write + issues: write + contents: read + pull-requests: write jobs: pull_request: runs-on: ubuntu-latest + + env: + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + PR_NUMBER: ${{ github.event.pull_request.number }} + PR_COMMITS: ${{ github.event.pull_request.commits }} + BASE_REPO_URL: ${{ github.event.pull_request.base.repo.clone_url }} + BASE_REF: ${{ github.event.pull_request.base.ref }} + HEAD_REPO_URL: ${{ github.event.pull_request.head.repo.clone_url }} + steps: - - name: checkout ceph.git - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - name: Checkout ceph.git + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} path: ceph 
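Review bot: The `Checkout ceph.git` step still checks out `${{ github.event.pull_request.head.sha }}` into `ceph` while the workflow runs on `pull_request_target` with `issues: write` and `pull-requests: write`; moving the event fields into `env:` removes the expression-injection vector the advisory covers, but later steps execute files from that checkout (`pip3 install -r ./src/script/config-diff/requirements.txt` and the diff tool, both with `working-directory: ceph`, in the following hunks), so PR-controlled content still runs in a job whose `GITHUB_TOKEN` carries write scopes. If the comment step needs those scopes, consider giving this job `permissions: contents: read` and posting the comment from a separate job or a `workflow_run` workflow, and installing the tool's requirements from a trusted base checkout. Separately, `BASE_REPO_URL`, `BASE_REF` and `HEAD_REPO_URL` in the new job-level `env:` hold the same expressions as the step-level `REF_REPO`, `REF_BRANCH` and `REMOTE_REPO` of the diff-tool step, and nothing visible in the hunks reads the job-level copies, so one of the two sets should go. The `jobs.pull_request` mapping continues past the end of this hunk.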
@@ -27,35 +36,43 @@ jobs: src/common/options .github/workflows - - name: 'Get common ancestor between PR and ceph upstream main branch' + - name: Get common ancestor between PR and ceph upstream main branch id: get_common_ancestor - env: - branch_pr: origin/${{ github.event.pull_request.head.ref }} - refspec_pr: +${{ github.event.pull_request.head.sha }}:remotes/origin/${{ github.event.pull_request.head.ref }} working-directory: ceph + env: + BRANCH_PR: origin/${{ github.event.pull_request.head.ref }} run: | - # Fetch enough history to find a common ancestor commit (aka merge-base): - git fetch origin "${{ env.refspec_pr }}" --depth=$(( ${{ github.event.pull_request.commits }} + 1 )) \ - --no-tags --prune --no-recurse-submodules - - # This should get the oldest commit in the local fetched history (the commit in ceph upstream from which PR branched from): - COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${{ env.branch_pr }}" ) - COMMON_ANCESTOR_SHA=$( git log --format=%H "${COMMON_ANCESTOR}" ) + set -euo pipefail + FETCH_DEPTH=$(( PR_COMMITS + 1 )) + REFSPEC="+${PR_HEAD_SHA}:remotes/origin/pr/${PR_NUMBER}/head" + + git fetch origin "$REFSPEC" \ + --depth="$FETCH_DEPTH" \ + --no-tags \ + --prune \ + --no-recurse-submodules + + COMMON_ANCESTOR_SHA=$(git rev-list \ + --first-parent \ + --max-parents=0 \ + --max-count=1 \ + "origin/pr/${PR_NUMBER}/head") - echo "COMMON_ANCESTOR_SHA=${COMMON_ANCESTOR_SHA}" >> $GITHUB_ENV + echo "COMMON_ANCESTOR_SHA=$COMMON_ANCESTOR_SHA" >> "$GITHUB_ENV" - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.13' - name: Install python packages + working-directory: ceph run: | pip3 install -r ./src/script/config-diff/requirements.txt - working-directory: ceph - - name: execute config diff tool + - name: Execute config diff tool id: diff_tool + working-directory: 
ceph env: REF_REPO: ${{ github.event.pull_request.base.repo.clone_url }} REF_BRANCH: ${{ github.event.pull_request.base.ref }} @@ -63,16 +80,25 @@ jobs: REMOTE_REPO: ${{ github.event.pull_request.head.repo.clone_url }} REMOTE_BRANCH: ${{ github.event.pull_request.head.ref }} REMOTE_COMMIT_SHA: ${{ github.event.pull_request.head.sha }} - run: | + run: | + set -euo pipefail + { echo 'DIFF_JSON<> "$GITHUB_OUTPUT" - working-directory: ceph - name: Post output as a comment - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DIFF_JSON_OUTPUT: ${{ steps.diff_tool.outputs.DIFF_JSON }}
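Review bot: `BRANCH_PR` is added to the step's new `env:` block but the rewritten `run:` script never reads it — the fetched ref is addressed as `origin/pr/${PR_NUMBER}/head` in the `git rev-list` call — so the variable is dead and should either be dropped or be the name passed to `git rev-list`. The rewrite also drops the comment that explained why `--max-parents=0` yields the merge-base; a line such as `# Shallow fetch of depth commits+1: the parentless commit on the first-parent line is the base commit the PR branched from.` above the `git rev-list` call would keep that intent visible, since the trick only holds because of the shallow fetch. The `Execute config diff tool` step that begins at the end of this hunk continues into the next one.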
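Review bot: The multi-line `DIFF_JSON` output is written to `$GITHUB_OUTPUT` with a heredoc whose delimiter is not legible in this rendering of the hunk; if it is a fixed literal such as `EOF`, a line of tool output equal to it ends the value early and the remaining lines are interpreted as further outputs, and the tool's output is presumably derived from the PR's `src/common/options` content. A unique delimiter per run avoids that: `delim="DIFF_JSON_$(openssl rand -hex 8)"`, then `echo "DIFF_JSON<<$delim"` and `echo "$delim"` around the tool invocation. The removed and added lines of the `run:` body are partly lost in this view, so this is inferred from the surviving `{ echo 'DIFF_JSON<` … `>> "$GITHUB_OUTPUT"` fragment.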