🛡️ Sentinel: [CRITICAL] Fix arbitrary command execution via profile.bitcoin_cli #25
| name: CI | |
| on: | |
| push: | |
| pull_request: | |
| jobs: | |
| validate-local: | |
| if: ${{ github.event_name == 'pull_request' || !startsWith(github.ref, 'refs/tags/') }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| command: | |
| - cargo test --tests | |
| - cargo check --no-default-features | |
| - cargo check --features ui | |
| - cargo package --no-verify | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkout zinc-core sibling (path dependency) | |
| run: | | |
| git clone --depth 1 https://github.com/bitcoiner-dev/zinc-core.git "$GITHUB_WORKSPACE/../zinc-core-public" | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Run ${{ matrix.command }} | |
| run: ${{ matrix.command }} | |
| validate-release-deps: | |
| if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Validate exact zinc-core release pin | |
| run: | | |
| if ! grep -Eq '^[[:space:]]*zinc-core[[:space:]]*=[[:space:]]*\{[^}]*version[[:space:]]*=[[:space:]]*"=[0-9]+\.[0-9]+\.[0-9]+"[^}]*\}' Cargo.toml; then | |
| echo "Expected an exact zinc-core version pin in Cargo.toml (e.g. version = \"=0.1.2\")." | |
| echo "Current zinc-core dependency line:" | |
| grep -n '^[[:space:]]*zinc-core[[:space:]]*=' Cargo.toml || true | |
| exit 1 | |
| fi | |
| - name: Verify package against released zinc-core dependency | |
| run: cargo package |
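Review bot: The sibling checkout in validate-local, `git clone --depth 1 https://github.com/bitcoiner-dev/zinc-core.git "$GITHUB_WORKSPACE/../zinc-core-public"`, pulls whatever the zinc-core default branch holds at run time, so a PR can pass or fail depending on an unrelated push to that repository and the build inputs are not reproducible — while validate-release-deps, by contrast, insists on an exact `version = "=x.y.z"` pin. Pinning the clone to a tag or commit, e.g. `git clone --depth 1 --branch "<zinc-core tag>" https://github.com/bitcoiner-dev/zinc-core.git "$GITHUB_WORKSPACE/../zinc-core-public"`, keeps the two jobs consistent and makes a local failure attributable to this repository's change. The same applies to the actions themselves: `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` are mutable refs, and pinning each to a commit SHA with the tag in a trailing comment is the usual defence against a retagged action. The workflow also declares no `permissions:` block, so the job token receives the repository default; a top-level `permissions:` with `contents: read` is all these build-and-package steps appear to need, and `cargo package --locked` in the release job would additionally refuse to run if Cargo.lock no longer matches the pinned dependency. The file header and diffstat are not in view, so it is unclear which of these lines this PR introduces versus inherits.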