chore: upgrade Go/deps/workflows to latest and fix gosec regressions (#193)

This commit is contained in:
Copilot
2026-03-12 19:59:12 +02:00
committed by GitHub
parent c9b1654b96
commit db3496d802
14 changed files with 63 additions and 48 deletions


@@ -6,6 +6,7 @@ import (
"errors"
"fmt"
"os"
"path/filepath"
"regexp"
"strings"
"time"
@@ -591,15 +592,26 @@ func (a *Analyzer) determineUpdateType(currentParts, latestParts []string) strin
// updateActionFile applies updates to a single action file.
func (a *Analyzer) updateActionFile(filePath string, updates []PinnedUpdate) error {
// filepath.Clean normalises the path (removes redundant separators, ".", "..").
// It does NOT validate containment within a root directory; the actual security
// justification for the #nosec annotations below is that filePath originates
// from the tool's own filesystem discovery (DiscoverActionFilesWithValidation),
// not from direct, uncontrolled user input.
cleanPath := filepath.Clean(filePath)
// Read the file
content, err := os.ReadFile(filePath) // #nosec G304 -- file path from function parameter
content, err := os.ReadFile(cleanPath) // #nosec G304 -- path from tool-internal filesystem scan
if err != nil {
return fmt.Errorf("failed to read file: %w", err)
}
// Create backup
backupPath := filePath + appconstants.BackupExtension
if err := os.WriteFile(backupPath, content, appconstants.FilePermDefault); err != nil { // #nosec G306
backupPath := cleanPath + appconstants.BackupExtension
if err := os.WriteFile( // #nosec G306 G703 -- path from tool-internal filesystem scan
backupPath,
content,
appconstants.FilePermDefault,
); err != nil {
return fmt.Errorf("failed to create backup: %w", err)
}
@@ -609,12 +621,16 @@ func (a *Analyzer) updateActionFile(filePath string, updates []PinnedUpdate) err
// Write updated content
updatedContent := strings.Join(lines, "\n")
if err := os.WriteFile(filePath, []byte(updatedContent), appconstants.FilePermDefault); err != nil { // #nosec G306
if err := os.WriteFile( // #nosec G306 G703 -- path from tool-internal filesystem scan
cleanPath,
[]byte(updatedContent),
appconstants.FilePermDefault,
); err != nil {
return fmt.Errorf("failed to write updated file: %w", err)
}
// Validate and rollback on failure
if err := a.validateAndRollbackOnFailure(filePath, backupPath); err != nil {
if err := a.validateAndRollbackOnFailure(cleanPath, backupPath); err != nil {
return err
}