Skip to content

Commit cd24a2a

Browse files
doringemandoringeman
authored
Merge pull request #656 from doringeman/gh-workflows
fix: prevent shell injection in workflow inputs (CWE-78)
2 parents 930ce8e + 4cef629 commit cd24a2a

File tree

3 files changed

+50
-31
lines changed

3 files changed

+50
-31
lines changed

.github/workflows/dmr-daily-check.yml

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -58,10 +58,11 @@ jobs:
5858
fi
5959
6060
- name: Test model pull and run
61+
env:
62+
MODEL: ${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}
6163
run: |
62-
MODEL="${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}"
6364
echo "Testing with model: $MODEL"
64-
65+
6566
# Test model pull
6667
echo "Pulling model..."
6768
sudo docker model pull "$MODEL"
@@ -86,10 +87,11 @@ jobs:
8687
}
8788
8889
- name: Test API endpoint
90+
env:
91+
MODEL: ${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}
8992
run: |
90-
MODEL="${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}"
9193
echo "Testing API endpoint with model: $MODEL"
92-
94+
9395
# Test API call with curl
9496
echo "Testing API call..."
9597
RESPONSE=$(curl -s http://localhost:12434/engines/llama.cpp/v1/chat/completions \
@@ -124,9 +126,9 @@ jobs:
124126
fi
125127
126128
- name: Test model cleanup
129+
env:
130+
MODEL: ${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}
127131
run: |
128-
MODEL="${{ github.event.inputs.test_model || 'ai/smollm2:360M-Q4_K_M' }}"
129-
130132
echo "Cleaning up test model..."
131133
sudo docker model rm "$MODEL" || echo "Model removal failed or model not found"
132134

.github/workflows/promote-to-latest.yml

Lines changed: 23 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -28,46 +28,60 @@ jobs:
2828
run: crane auth login index.docker.io -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_TOKEN"
2929

3030
- name: Promote CPU images
31+
env:
32+
VERSION: ${{ inputs.version }}
3133
run: |
3234
echo "Promoting CPU images"
33-
crane tag "docker/model-runner:${{ inputs.version }}" "latest"
35+
crane tag "docker/model-runner:$VERSION" "latest"
3436
3537
- name: Promote CUDA images
38+
env:
39+
VERSION: ${{ inputs.version }}
3640
run: |
3741
echo "Promoting CUDA images"
38-
crane tag "docker/model-runner:${{ inputs.version }}-cuda" "latest-cuda"
42+
crane tag "docker/model-runner:$VERSION-cuda" "latest-cuda"
3943
4044
- name: Promote vLLM CUDA images
45+
env:
46+
VERSION: ${{ inputs.version }}
4147
run: |
4248
echo "Promoting vLLM CUDA images"
43-
crane tag "docker/model-runner:${{ inputs.version }}-vllm-cuda" "latest-vllm-cuda"
49+
crane tag "docker/model-runner:$VERSION-vllm-cuda" "latest-vllm-cuda"
4450
4551
- name: Promote SGLang CUDA images
52+
env:
53+
VERSION: ${{ inputs.version }}
4654
run: |
4755
echo "Promoting SGLang CUDA images"
48-
crane tag "docker/model-runner:${{ inputs.version }}-sglang-cuda" "latest-sglang-cuda"
56+
crane tag "docker/model-runner:$VERSION-sglang-cuda" "latest-sglang-cuda"
4957
5058
- name: Promote ROCm images
59+
env:
60+
VERSION: ${{ inputs.version }}
5161
run: |
5262
echo "Promoting ROCm images"
53-
crane tag "docker/model-runner:${{ inputs.version }}-rocm" "latest-rocm"
63+
crane tag "docker/model-runner:$VERSION-rocm" "latest-rocm"
5464
5565
- name: Promote MUSA images
66+
env:
67+
VERSION: ${{ inputs.version }}
5668
run: |
5769
echo "Checking if MUSA image exists"
58-
if crane manifest "docker/model-runner:${{ inputs.version }}-musa" > /dev/null 2>&1; then
70+
if crane manifest "docker/model-runner:$VERSION-musa" > /dev/null 2>&1; then
5971
echo "Promoting MUSA images"
60-
crane tag "docker/model-runner:${{ inputs.version }}-musa" "latest-musa"
72+
crane tag "docker/model-runner:$VERSION-musa" "latest-musa"
6173
else
6274
echo "MUSA image does not exist, skipping"
6375
fi
6476
6577
- name: Promote CANN images
78+
env:
79+
VERSION: ${{ inputs.version }}
6680
run: |
6781
echo "Checking if CANN image exists"
68-
if crane manifest "docker/model-runner:${{ inputs.version }}-cann" > /dev/null 2>&1; then
82+
if crane manifest "docker/model-runner:$VERSION-cann" > /dev/null 2>&1; then
6983
echo "Promoting CANN images"
70-
crane tag "docker/model-runner:${{ inputs.version }}-cann" "latest-cann"
84+
crane tag "docker/model-runner:$VERSION-cann" "latest-cann"
7185
else
7286
echo "CANN image does not exist, skipping"
7387
fi

.github/workflows/release.yml

Lines changed: 19 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -62,52 +62,55 @@ jobs:
6262
- name: Format tags
6363
id: tags
6464
shell: bash
65+
env:
66+
RELEASE_TAG: ${{ inputs.releaseTag }}
67+
PUSH_LATEST: ${{ inputs.pushLatest }}
6568
run: |
6669
echo "cpu<<EOF" >> "$GITHUB_OUTPUT"
67-
echo "docker/model-runner:${{ inputs.releaseTag }}" >> "$GITHUB_OUTPUT"
68-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
70+
echo "docker/model-runner:$RELEASE_TAG" >> "$GITHUB_OUTPUT"
71+
if [ "$PUSH_LATEST" == "true" ]; then
6972
echo "docker/model-runner:latest" >> "$GITHUB_OUTPUT"
7073
fi
7174
echo 'EOF' >> "$GITHUB_OUTPUT"
7275
echo "cuda<<EOF" >> "$GITHUB_OUTPUT"
73-
echo "docker/model-runner:${{ inputs.releaseTag }}-cuda" >> "$GITHUB_OUTPUT"
74-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
76+
echo "docker/model-runner:$RELEASE_TAG-cuda" >> "$GITHUB_OUTPUT"
77+
if [ "$PUSH_LATEST" == "true" ]; then
7578
echo "docker/model-runner:latest-cuda" >> "$GITHUB_OUTPUT"
7679
fi
7780
echo 'EOF' >> "$GITHUB_OUTPUT"
7881
echo "vllm-cuda<<EOF" >> "$GITHUB_OUTPUT"
79-
echo "docker/model-runner:${{ inputs.releaseTag }}-vllm-cuda" >> "$GITHUB_OUTPUT"
80-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
82+
echo "docker/model-runner:$RELEASE_TAG-vllm-cuda" >> "$GITHUB_OUTPUT"
83+
if [ "$PUSH_LATEST" == "true" ]; then
8184
echo "docker/model-runner:latest-vllm-cuda" >> "$GITHUB_OUTPUT"
8285
fi
8386
echo 'EOF' >> "$GITHUB_OUTPUT"
8487
echo "sglang-cuda<<EOF" >> "$GITHUB_OUTPUT"
85-
echo "docker/model-runner:${{ inputs.releaseTag }}-sglang-cuda" >> "$GITHUB_OUTPUT"
86-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
88+
echo "docker/model-runner:$RELEASE_TAG-sglang-cuda" >> "$GITHUB_OUTPUT"
89+
if [ "$PUSH_LATEST" == "true" ]; then
8790
echo "docker/model-runner:latest-sglang-cuda" >> "$GITHUB_OUTPUT"
8891
fi
8992
echo 'EOF' >> "$GITHUB_OUTPUT"
9093
echo "diffusers<<EOF" >> "$GITHUB_OUTPUT"
91-
echo "docker/model-runner:${{ inputs.releaseTag }}-diffusers" >> "$GITHUB_OUTPUT"
92-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
94+
echo "docker/model-runner:$RELEASE_TAG-diffusers" >> "$GITHUB_OUTPUT"
95+
if [ "$PUSH_LATEST" == "true" ]; then
9396
echo "docker/model-runner:latest-diffusers" >> "$GITHUB_OUTPUT"
9497
fi
9598
echo 'EOF' >> "$GITHUB_OUTPUT"
9699
echo "rocm<<EOF" >> "$GITHUB_OUTPUT"
97-
echo "docker/model-runner:${{ inputs.releaseTag }}-rocm" >> "$GITHUB_OUTPUT"
98-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
100+
echo "docker/model-runner:$RELEASE_TAG-rocm" >> "$GITHUB_OUTPUT"
101+
if [ "$PUSH_LATEST" == "true" ]; then
99102
echo "docker/model-runner:latest-rocm" >> "$GITHUB_OUTPUT"
100103
fi
101104
echo 'EOF' >> "$GITHUB_OUTPUT"
102105
echo "musa<<EOF" >> "$GITHUB_OUTPUT"
103-
echo "docker/model-runner:${{ inputs.releaseTag }}-musa" >> "$GITHUB_OUTPUT"
104-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
106+
echo "docker/model-runner:$RELEASE_TAG-musa" >> "$GITHUB_OUTPUT"
107+
if [ "$PUSH_LATEST" == "true" ]; then
105108
echo "docker/model-runner:latest-musa" >> "$GITHUB_OUTPUT"
106109
fi
107110
echo 'EOF' >> "$GITHUB_OUTPUT"
108111
echo "cann<<EOF" >> "$GITHUB_OUTPUT"
109-
echo "docker/model-runner:${{ inputs.releaseTag }}-cann" >> "$GITHUB_OUTPUT"
110-
if [ "${{ inputs.pushLatest }}" == "true" ]; then
112+
echo "docker/model-runner:$RELEASE_TAG-cann" >> "$GITHUB_OUTPUT"
113+
if [ "$PUSH_LATEST" == "true" ]; then
111114
echo "docker/model-runner:latest-cann" >> "$GITHUB_OUTPUT"
112115
fi
113116
echo 'EOF' >> "$GITHUB_OUTPUT"

0 commit comments

Comments
 (0)