
security: Use absolute paths for ALL external commands (v2.0.12) #52




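---
# CI for the claude-by-glm scripts: shell syntax and lint checks in `validate`,
# plus repository consistency checks (service name, install path, safe config
# parsing) in `verify-consistency`. Both jobs only read the checkout.
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least privilege for GITHUB_TOKEN: no job writes to the repository, issues or
# packages, so restrict the token to read-only access to contents.
permissions:
  contents: read

defaults:
  run:
    # An explicit `bash` shell runs with `-eo pipefail`, so a failing command
    # in the middle of a pipeline fails the step instead of being masked by
    # the exit status of the last command.
    shell: bash

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # Consider pinning to a full commit SHA for a reproducible action
        # supply chain; the major tag is mutable.
        uses: actions/checkout@v4

      - name: Check bash syntax
        run: |
          echo "Checking bash syntax..."
          # `find -exec ... \;` returns 0 even when the command fails, and
          # `bash -n` only parses its first argument, so run one bash per
          # file via xargs: it exits non-zero if any script fails to parse,
          # which fails the step under `set -e`.
          find . -name "*.sh" -type f -print0 | xargs -0 -n1 bash -n
          echo "All bash scripts syntax valid"

      - name: Validate security.conf
        run: |
          # Each grep -q fails the step (set -e) when a required key is missing.
          if [ -f "credentials/security.conf" ]; then
            echo "security.conf exists"
            grep -q "KEYCHAIN_SERVICE" credentials/security.conf
            grep -q "KEYCHAIN_ACCOUNT" credentials/security.conf
            grep -q "GLM_USE_MCP" credentials/security.conf
            grep -q "GLM_INSTALL_DIR" credentials/security.conf
            echo "All required config variables present"
          else
            echo "ERROR: security.conf not found"
            exit 1
          fi

      - name: Validate VERSION
        run: |
          # VERSION must be a strict MAJOR.MINOR.PATCH triple.
          if [ -f "VERSION" ]; then
            VERSION=$(cat VERSION)
            echo "Current version: $VERSION"
            if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "ERROR: Invalid version format: $VERSION"
              exit 1
            fi
            echo "VERSION format valid"
          else
            echo "ERROR: VERSION file not found"
            exit 1
          fi

      - name: Security checks
        run: |
          echo "Running security checks..."
          # Reject anything shaped like an API key committed in scripts or docs.
          if grep -r "sk-[a-zA-Z0-9]\{48\}" . --include="*.sh" --include="*.md" 2>/dev/null; then
            echo "ERROR: Possible hardcoded API key found"
            exit 1
          fi
          echo "No hardcoded API keys found"

      - name: ShellCheck linting
        run: |
          echo "Running ShellCheck..."
          sudo apt-get update && sudo apt-get install -y shellcheck
          # Run shellcheck on all shell scripts (exclude sourcing warnings)
          find . -name "*.sh" -type f -exec shellcheck --shell=bash --exclude=SC1090,SC1091 {} + || exit 1
          # Also check scripts without .sh extension
          shellcheck --shell=bash --exclude=SC1090,SC1091 bin/claude-by-glm bin/glm-mcp-wrapper bin/install-key.sh bin/glm-update bin/glm-cleanup-sessions || exit 1
          echo "ShellCheck passed"

  verify-consistency:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # Consider pinning to a full commit SHA for a reproducible action
        # supply chain; the major tag is mutable.
        uses: actions/checkout@v4

      - name: Verify service name
        run: |
          # The keychain service name must be present, and the old name gone.
          SERVICE_NAME="z.ai-api-key"
          if ! grep -q "$SERVICE_NAME" credentials/security.conf; then
            echo "ERROR: Service name not found in security.conf"
            exit 1
          fi
          if grep -r "glm-coding-plan" . --include="*.sh" --include="*.conf" 2>/dev/null; then
            echo "ERROR: Old service name still exists"
            exit 1
          fi
          echo "Service name is consistent: $SERVICE_NAME"

      - name: Verify install directory
        run: |
          # Check for old .glm-mcp paths (should be .claude-glm-mcp)
          echo "Checking for stale .glm-mcp/ paths..."
          if grep -r "\.glm-mcp/" . --include="*.sh" --include="*.md" --include="*.conf" 2>/dev/null; then
            echo "ERROR: Found old .glm-mcp/ paths (should be .claude-glm-mcp/)"
            exit 1
          fi
          echo "Install directory is consistent: .claude-glm-mcp"

      - name: Check for duplicate code blocks
        run: |
          echo "Checking for duplicate code blocks..."
          # Check install.sh for duplicate OS-specific notes: awk prints every
          # match after the first, so any output means the block is duplicated.
          if awk '/# OS-specific notes/{c++} c>1' scripts/install.sh | grep -q "OS-specific notes"; then
            echo "ERROR: Found duplicate OS-specific notes block in install.sh"
            exit 1
          fi
          echo "No duplicate code blocks found"

      - name: Verify safe config parsing
        run: |
          echo "Verifying safe config parsing (no 'source' on config files)..."
          # Check that mcp.conf is not sourced as code
          if grep -n "source.*mcp\.conf" bin/claude-by-glm 2>/dev/null; then
            echo "ERROR: Found 'source' on mcp.conf (should use safe parsing)"
            exit 1
          fi
          # Check that security.conf parsing uses grep/sed, not source
          if grep -A5 "load_security_config" credentials/common.sh | grep -q "source.*security\.conf"; then
            echo "ERROR: Found 'source' in load_security_config (should use safe parsing)"
            exit 1
          fi
          echo "Config files are safely parsed"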