You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds a shell-based validation step to the npm GitHub Actions workflow to verify downloaded artifacts before staging and publishing, mitigating artifact poisoning risks without altering core pipeline behavior.
Sequence diagram for artifact validation in npm publish workflow
sequenceDiagram
participant runner as GitHubActionsRunner
participant download_step as DownloadReleaseAssets
participant validate_step as ValidateDownloadedArtifacts
participant stage_step as StageBinaryIntoPackage
runner->>download_step: Download release artifacts
download_step-->>runner: outputs artifact_dir
runner->>validate_step: Validate ARTIFACT_DIR
alt Artifact directory missing or empty
validate_step-->>runner: Fail job (exit 1)
runner--xstage_step: Stage step not executed
else Suspicious path detected
validate_step-->>runner: Fail job (exit 1)
runner--xstage_step: Stage step not executed
else Validation successful
validate_step-->>runner: Success
runner->>stage_step: Stage binaries from validated artifacts
end
Loading
Flow diagram for Validate Downloaded Artifacts step
flowchart TD
start["Start artifact validation"]
dir_exists{"Is ARTIFACT_DIR a directory?"}
non_empty{"Is ARTIFACT_DIR non-empty?"}
list_files["Iterate over files with find"]
check_path{"Path is relative and without .. ?"}
next_file{"More files to check?"}
fail_missing["Fail: artifact directory does not exist"]
fail_empty["Fail: artifact directory is empty"]
fail_suspicious["Fail: suspicious artifact path detected"]
success["Artifact validation completed successfully"]
start --> dir_exists
dir_exists -->|no| fail_missing
dir_exists -->|yes| non_empty
non_empty -->|no| fail_empty
non_empty -->|yes| list_files
list_files --> check_path
check_path -->|no| fail_suspicious
check_path -->|yes| next_file
next_file -->|yes| list_files
next_file -->|no| success
Loading
File-Level Changes
Change
Details
Files
Introduce an artifact validation step in the npm publish GitHub Actions workflow to guard against artifact poisoning before staging binaries.
Add a Validate Downloaded Artifacts job step that runs immediately after downloading release assets and before staging binaries.
Configure the step to read ARTIFACT_DIR from steps.paths.outputs.artifact_dir via environment variables.
Validate that the artifact directory exists and is non-empty, failing the job with clear error messages otherwise.
Iterate over all files under the artifact directory and reject any whose relative paths are absolute or contain .., treating them as suspicious and failing the job.
Enable strict shell execution flags (set -euo pipefail) and emit progress messages for validation.
.github/workflows/npm.yml
Tips and commands
Interacting with Sourcery
Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment @sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment @sourcery-ai review to trigger a new review!
Reviewer's Guide
Adds a shell-based validation step to the npm GitHub Actions workflow to verify downloaded artifacts before staging and publishing, mitigating artifact poisoning risks without altering core pipeline behavior.
Sequence diagram for artifact validation in npm publish workflow
sequenceDiagram participant runner as GitHubActionsRunner participant download_step as DownloadReleaseAssets participant validate_step as ValidateDownloadedArtifacts participant stage_step as StageBinaryIntoPackage runner->>download_step: Download release artifacts download_step-->>runner: outputs artifact_dir runner->>validate_step: Validate ARTIFACT_DIR alt Artifact directory missing or empty validate_step-->>runner: Fail job (exit 1) runner--xstage_step: Stage step not executed else Suspicious path detected validate_step-->>runner: Fail job (exit 1) runner--xstage_step: Stage step not executed else Validation successful validate_step-->>runner: Success runner->>stage_step: Stage binaries from validated artifacts endFlow diagram for Validate Downloaded Artifacts step
flowchart TD start["Start artifact validation"] dir_exists{"Is ARTIFACT_DIR a directory?"} non_empty{"Is ARTIFACT_DIR non-empty?"} list_files["Iterate over files with find"] check_path{"Path is relative and without .. ?"} next_file{"More files to check?"} fail_missing["Fail: artifact directory does not exist"] fail_empty["Fail: artifact directory is empty"] fail_suspicious["Fail: suspicious artifact path detected"] success["Artifact validation completed successfully"] start --> dir_exists dir_exists -->|no| fail_missing dir_exists -->|yes| non_empty non_empty -->|no| fail_empty non_empty -->|yes| list_files list_files --> check_path check_path -->|no| fail_suspicious check_path -->|yes| next_file next_file -->|yes| list_files next_file -->|no| successFile-Level Changes
Validate Downloaded Artifactsjob step that runs immediately after downloading release assets and before staging binaries.ARTIFACT_DIRfromsteps.paths.outputs.artifact_dirvia environment variables..., treating them as suspicious and failing the job.set -euo pipefail) and emit progress messages for validation..github/workflows/npm.ymlTips and commands
Interacting with Sourcery
@sourcery-ai reviewon the pull request.issue from a review comment by replying to it. You can also reply to a
review comment with
@sourcery-ai issueto create an issue from it.@sourcery-aianywhere in the pullrequest title to generate a title at any time. You can also comment
@sourcery-ai titleon the pull request to (re-)generate the title at any time.@sourcery-ai summaryanywhere inthe pull request body to generate a PR summary at any time exactly where you
want it. You can also comment
@sourcery-ai summaryon the pull request to(re-)generate the summary at any time.
@sourcery-ai guideon the pullrequest to (re-)generate the reviewer's guide at any time.
@sourcery-ai resolveon thepull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
@sourcery-ai dismisson the pullrequest to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai reviewto trigger a new review!Customizing Your Experience
Access your dashboard to:
summary, the reviewer's guide, and others.
Getting Help
Originally posted by @sourcery-ai[bot] in #354 (comment)