The GitHub Actions job "tests" on airflow-steward.git/fix/printf-shell-expansion has succeeded. Run started by GitHub user andrew (triggered by potiuk).

Head commit for run:
072c344632b36834a577ee623dcc6c8a3898335d / Andrew Nesbitt <[email protected]>
fix(security): close residual shell-expansion gap in #81's tempfile recipe

The printf '%s' "<x>" recipe introduced in #81 still passes the attacker-controlled string through a double-quoted shell argument, so $(...), backticks and $VAR expand before printf runs. Replace with an instruction to use the Write tool to land the bytes on disk without shell tokenisation, then -F field=@file as before.

Applied at all six recipe sites and the write-skill checklist (Patterns 1 and 3) so future skills inherit the corrected form.

Also adds gh auth token / gh auth refresh to permissions.deny (prints the token to stdout with no prompt), gh workflow run to permissions.ask, and flag-first variants of gh api --method / --input so argument ordering can't sidestep the existing pattern.

Report URL: https://github.com/apache/airflow-steward/actions/runs/25494967597

With regards,
GitHub Actions via GitBox
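
The expansion gap described in the commit message can be reproduced with harmless payloads. The script below is an added example, not code from the airflow-steward repository. `UNTRUSTED`, the function names and the plain-sh stand-in for the Write tool are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed sample of attacker-controlled text (e.g. an issue title).
# The payloads are harmless echoes so any expansion is visible in the output.
UNTRUSTED='title $(echo INJECTED) `echo TICKED`'

# Unsafe recipe: the text is pasted between double quotes in a command line
# and a shell then parses that line, so $(...) and backticks run first.
write_via_pasted_command() {   # $1 = destination file
    sh -c "printf '%s' \"$UNTRUSTED\" > \"$1\""
}

# Stand-in for writing the bytes without shell tokenisation (assumption: the
# Write tool named in the commit message is not available in plain sh).
# The text travels as a value; expansion results are not parsed again.
write_as_data() {              # $1 = destination file
    printf '%s' "$UNTRUSTED" > "$1"
}

# Review helper: true when text contains a character that stays active
# inside double quotes ($, backtick, backslash, double quote).
active_in_double_quotes() {
    case $1 in
        *'$'*|*'`'*|*'\'*|*'"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both recipes into a scratch directory and print what landed on disk.
compare_recipes() {
    dir=$(mktemp -d) || return 1
    write_via_pasted_command "$dir/pasted.txt"
    write_as_data "$dir/data.txt"
    printf 'pasted: %s\n' "$(cat "$dir/pasted.txt")"
    printf 'data:   %s\n' "$(cat "$dir/data.txt")"
    rm -rf "$dir"
}

compare_recipes
```

Either file could then be passed as `-F field=@file`, but only the second one holds the original bytes.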
