fix(docker): safer argument parsing for GitHub Actions #788
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
kanadgupta
changed the title
| @@ -14,3 +14,6 @@ outputs: | |||
| runs: | |||
| using: docker | |||
| image: docker://ghcr.io/readmeio/rdme:8.6.0 | |||
| args: | |||
| - docker-gha | |||
There was a problem hiding this comment.
This is a new internal argument we send to indicate to the rdme Docker image that the command is going to be a single string as opposed to an array of strings.
There was a problem hiding this comment.
This is a pretty neat/sufficient solution. Annoying that it's necessary, but it's not too bad.
| * This logic checks for that `docker-gha` argument and parses the second string | ||
| * into the arguments array that `command-line-args` is expecting. | ||
| */ | ||
| if (rawProcessArgv.length === 2 && rawProcessArgv[0] === 'docker-gha') { |
There was a problem hiding this comment.
We now check for that docker-gha argument before parsing out the second string and converting it to something that command-line-args can process.
There was a problem hiding this comment.
Hopefully this is something we can remove down the line! But nice fix for now.
There was a problem hiding this comment.
Yeah sadly I think this will be here to stay so long as we aim to maintain Actions/CLI feature parity and stick with this Docker approach to Actions 🫠
But who knows, maybe GitHub will ship changes on this front that will allow us to simplify this 🤞🏽
| @@ -8,4 +8,4 @@ FROM alpine:3.14 | |||
|
|
|||
| COPY --from=builder /rdme/exe /exe | |||
|
|
|||
| ENTRYPOINT ["sh", "-c", "/exe/rdme $INPUT_RDME"] | |||
| ENTRYPOINT ["/exe/rdme"] | |||
There was a problem hiding this comment.
Not only this this a lot cleaner, but we can now use good ol' docker run arguments AND GitHub recommends1 accessing inputs via arguments and not environmental variables in their own docs:
Footnotes
-
They technically imply that it's impossible to access the
INPUT_environmental variables from the Docker container action, but that's definitely wrong —[email protected]wouldn't be working at all in that case lol. The takeaway here is that we should be passing inputs via arguments and not environmental variables. ↩
kanadgupta
added
bug
kanadgupta
requested review from
erunion,
RyanGWU82,
domharrington,
rafegoldberg and
gratcliff
... also rename a test
| - name: Run `openapi:validate` with filename in quotes | ||
| uses: ./rdme-repo/ | ||
| with: | ||
| rdme: openapi:validate "oas-examples-repo/3.1/json/petstore.json" |
There was a problem hiding this comment.
Is this the previously broken case? Do you have a test for that?
There was a problem hiding this comment.
Correct, both tests added to this file check for the breakage in the most recent release!
| @@ -8,4 +8,4 @@ FROM alpine:3.14 | |||
|
|
|||
| COPY --from=builder /rdme/exe /exe | |||
|
|
|||
| ENTRYPOINT ["sh", "-c", "/exe/rdme $INPUT_RDME"] | |||
| ENTRYPOINT ["/exe/rdme"] | |||
| @@ -14,3 +14,6 @@ outputs: | |||
| runs: | |||
| using: docker | |||
| image: docker://ghcr.io/readmeio/rdme:8.6.0 | |||
| args: | |||
| - docker-gha | |||
There was a problem hiding this comment.
This is a pretty neat/sufficient solution. Annoying that it's necessary, but it's not too bad.
| * This logic checks for that `docker-gha` argument and parses the second string | ||
| * into the arguments array that `command-line-args` is expecting. | ||
| */ | ||
| if (rawProcessArgv.length === 2 && rawProcessArgv[0] === 'docker-gha') { |
There was a problem hiding this comment.
Hopefully this is something we can remove down the line! But nice fix for now.
## [8.6.1-next.1](v8.6.0...v8.6.1-next.1) (2023-04-05) ### Bug Fixes * **docker:** safer argument parsing for GitHub Actions ([#788](#788)) ([8328388](8328388)) [skip ci]
## [8.6.1](v8.6.0...v8.6.1) (2023-04-05) ### Bug Fixes * **docker:** safer argument parsing for GitHub Actions ([#788](#788)) ([8328388](8328388)) [skip ci]
🧰 Changes
The Problem 😵💫
Someone wrote in in #787 about an issue where their workflows started breaking due to them wrapping their file names in quotation marks. Normally our args parser (
command-line-args) would handle quotation marks just fine, but because of our new Docker setup and how we have the user pass in all theirrdmearguments into a single GitHub Actions input, quotation marks are escaped by the timerdmereceives it 😬To put it a different way, this was the equivalent of running something like this:
The Solution 💭
This was a pain to debug and fix (thanks @RyanGWU82 and @domharrington for pairing on this 😮💨), but I got something going that I'm happy with! Now, when we invoke the
rdmeDocker image via the GitHub Action runner, it's basically running this:rdme docker-gha "openapi:validate \"https://github.com/readmeio/oas-examples/blob/main/3.0/json/petstore-simple.json\""The
docker-ghaargument isn't documented nor exposed to users, but is basically an internal escape hatch so we can properly consumerdmearguments that are sent to us via a single string.As part of this, I did the following:
Dockerfileand ouraction.ymlfiles so we're now usingrdmeas the executable and passing in therdmecommand via good ol' fashioneddocker runarguments.rdmeindex.ts file to check for this newdocker-ghacommand and if it exists, parse out the arguments usingstring-argv.🧬 QA & Testing
If tests pass we should be good to go! If you can think of any edge cases with quotation marks and string serialization I might be missing, please let me know 🥺
To get a sense of what is going on here, feel free to run this locally: