Adding the Integrations Tests #173
Conversation
RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 8e7e051 to c8c5d4d Compare ![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| run: | | ||
| AGENT_NAME="${{ steps.image-name.outputs.agent_name }}" | ||
| VERSION_TAG="${{ inputs.version_tag }}" | ||
| REPOSITORY_NAME="${{ github.repository }}/tutorial-agents/${AGENT_NAME}" | ||
| FULL_IMAGE="${REGISTRY}/${REPOSITORY_NAME}:${VERSION_TAG}" | ||
| agentex agents build \ | ||
| --manifest "${{ inputs.agent_path }}/manifest.yaml" \ | ||
| --registry "${REGISTRY}" \ | ||
| --tag "${VERSION_TAG}" \ | ||
| --platforms "linux/amd64" \ | ||
| --repository-name "${REPOSITORY_NAME}" \ | ||
| --push | ||
| echo "Successfully built and pushed: ${FULL_IMAGE}" | ||
| echo "### Build Complete" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Image**: \`${FULL_IMAGE}\`" >> $GITHUB_STEP_SUMMARY |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| # Remove examples/tutorials/ prefix and replace / with - | ||
| AGENT_NAME=$(echo "${{ inputs.agent_path }}" | sed 's|^examples/tutorials/||' | sed 's|/|-|g') | ||
| echo "AGENT_NAME=$AGENT_NAME" >> $GITHUB_ENV | ||
| echo "agent_name=$AGENT_NAME" >> $GITHUB_OUTPUT | ||
| echo "Agent name set to $AGENT_NAME" | ||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| if [ ! -f "${{ inputs.agent_path }}/manifest.yaml" ]; then | ||
| echo "❌ Error: manifest.yaml not found in '${{ inputs.agent_path }}'" | ||
| exit 1 | ||
| fi | ||
| echo "✅ manifest.yaml found" | ||
| echo "### Validation Summary" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Agent Path**: ${{ inputs.agent_path }}" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Version Tag**: ${{ inputs.version_tag }}" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Status**: ✅ Validation passed" >> $GITHUB_STEP_SUMMARY | ||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| if [ ! -d "${{ inputs.agent_path }}" ]; then | ||
| echo "❌ Error: Agent path '${{ inputs.agent_path }}' does not exist" | ||
| exit 1 | ||
| fi | ||
| echo "✅ Agent path verified: ${{ inputs.agent_path }}" | ||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 41fdfc5 to 75ac121 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch 5 times, most recently from 0f5077c to 020984e Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 020984e to 54996c2 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from ce263ca to 7023a18 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 7023a18 to e10ad36 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 6f4b382 to fcb8313 Compare 
| Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
RoxyFarhad force-pushed the RF/feat/integration-pipeline branch 2 times, most recently from 65181e4 to 7e9b901 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch 3 times, most recently from 22c90b5 to 5b8f23b Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 5b8f23b to b4d87d7 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 960c3c6 to 6c7de97 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 1d1f77c to 1feda9f Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 1feda9f to 5a13b31 Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from 6294dbb to 87f0fdf Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch 2 times, most recently from e4f3636 to 134d3ef Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch 5 times, most recently from 69eb4e4 to dc04e1a Compare RoxyFarhad force-pushed the RF/feat/integration-pipeline branch from dc04e1a to bfab5aa Compare 
No description provided.