
feat(action): command-mode inputs + built-in matrix names#70

Merged
ErenAri merged 1 commit into
mainfrom
feat/action-command-mode
Jul 1, 2026

Conversation

@ErenAri

@ErenAri ErenAri commented Jul 1, 2026

Contributor

Wires the command/binary validation mode into the composite GitHub Action, so a project can gate CI on its own loader in one step — the capability Falco's and vimto's maintainers both asked for, now first-class in the Action:

- uses: Kernel-Guard/bpfcompat@v0.2.0
  with:
    command: $BPFCOMPAT_BIN --self-test
    command-binary: build/myloader
    matrix: quirk-library       # built-in name -> matrices/ shipped with the action
    out: reports/bpfcompat.json

Changes

  • New inputs command, command-binary, command-expect-exit; artifact becomes optional when command is set (mirrors the CLI contract).
  • Injection-safe: free-text inputs are passed through the step environment, never inline ${{ }} interpolation, so a hostile command string cannot inject host-side shell syntax.
  • Built-in matrix names: a bare matrix value that doesn't exist in the caller repo resolves to the matching matrices/<name>.yaml shipped with the action — quirk-library works with no file to copy.
  • README: command-mode Action example; fixed the stale marketplace step that still claimed a self-hosted KVM runner is required (hosted ubuntu-latest exposes /dev/kvm).
  • docs/command-validation.md: GitHub Action section.

Verification

Extracted the composite run script and exercised every branch against a fake binary:

  • command mode + built-in quirk-library → resolves to the action's matrices/, forwards --command/--command-binary, omits --artifact
  • plain artifact mode → unchanged ✅
  • command-binary without command → error
  • hostile command string ("; touch PWNED; echo ") → stays one argv, file never created ✅
  • command-expect-exit: 2 → forwarded ✅

🤖 Generated with Claude Code

…Hub Action

Wire the command/binary validation mode (PR #65) into the composite
action so a project can gate CI on its own loader in one step:

- new inputs `command`, `command-binary`, `command-expect-exit`;
  `artifact` becomes optional when `command` is set (mirrors the CLI).
- free-text inputs flow through the step environment, never inline
  `${{ }}` interpolation, so they cannot inject host-side shell syntax.
- built-in matrix convenience: a bare `matrix` name that does not exist
  in the caller repo resolves to the matching matrices/<name>.yaml
  shipped with the action — `matrix: quirk-library` gives the library
  of known-tricky vendor kernels with no file to copy.
- README: command-mode Action example + drop the stale "self-hosted
  runner" marketplace step (hosted ubuntu-latest exposes /dev/kvm).
- docs/command-validation.md: GitHub Action section.

Verified by extracting the run script and exercising all branches with
a fake binary: command mode + builtin matrix, artifact regression,
command-binary-without-command error, hostile command string (single
argv, no host execution), expect-exit forwarding.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
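The argv contract the PR description and commit message both spell out (inputs flow through the step environment, one input becomes exactly one argv element, `artifact` optional once `command` is set, `command-binary` rejected without `command`, bare matrix names resolved against the action's bundled `matrices/<name>.yaml`) as an added POSIX shell example. This is not the bpfcompat action's own run script: the `INPUT_*` environment variable names, the `ACTION_PATH` variable and the stand-in matrix file created by `setup_fixture` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the bpfcompat action's own run script.
# Assumptions: the composite step exports its inputs as INPUT_COMMAND,
# INPUT_COMMAND_BINARY, INPUT_COMMAND_EXPECT_EXIT, INPUT_ARTIFACT, INPUT_MATRIX
# and INPUT_OUT (names chosen for this example), and the action ships its
# built-in matrices as matrices/<name>.yaml under $ACTION_PATH.

# Resolve the matrix input: an existing path in the caller repo wins;
# otherwise a bare name maps to the action's bundled matrices/<name>.yaml.
resolve_matrix() (
  name=$1; action_path=$2
  if [ -f "$name" ]; then
    printf '%s\n' "$name"
  elif [ -f "$action_path/matrices/$name.yaml" ]; then
    printf '%s\n' "$action_path/matrices/$name.yaml"
  else
    echo "matrix '$name' is neither a file nor a built-in name" >&2
    return 1
  fi
)

# Build the bpfcompat argv from the step environment only. Every input lands
# in exactly one argv element via "$@"; the shell never re-parses it, so a
# command value such as '; touch PWNED; echo ' is just an opaque string.
# Prints one argv element per line so callers can inspect it.
build_argv() (
  matrix=$(resolve_matrix "${INPUT_MATRIX:-quirk-library}" "${ACTION_PATH:?}") || return 1
  set -- bpfcompat --matrix "$matrix" --out "${INPUT_OUT:-bpfcompat.json}"
  if [ -n "${INPUT_COMMAND:-}" ]; then
    set -- "$@" --command "$INPUT_COMMAND"
    if [ -n "${INPUT_COMMAND_BINARY:-}" ]; then
      set -- "$@" --command-binary "$INPUT_COMMAND_BINARY"
    fi
    if [ -n "${INPUT_COMMAND_EXPECT_EXIT:-}" ]; then
      set -- "$@" --command-expect-exit "$INPUT_COMMAND_EXPECT_EXIT"
    fi
  else
    if [ -n "${INPUT_COMMAND_BINARY:-}" ]; then
      echo "command-binary requires command" >&2; return 1
    fi
    if [ -z "${INPUT_ARTIFACT:-}" ]; then
      echo "artifact is required unless command is set" >&2; return 1
    fi
    set -- "$@" --artifact "$INPUT_ARTIFACT"
  fi
  printf '%s\n' "$@"
)

# Number of argv elements build_argv would hand to bpfcompat (0 on error).
argv_count() {
  build_argv 2>/dev/null | grep -c ''
}

# Constructed fixture: a throwaway ACTION_PATH holding a stand-in built-in
# matrix file, so the example runs offline without the real action checkout.
setup_fixture() (
  tmp=$(mktemp -d)
  mkdir -p "$tmp/matrices"
  printf 'kernels: []\n' > "$tmp/matrices/quirk-library.yaml"
  printf '%s\n' "$tmp"
)

# Stand-alone demo: the hostile string from the PR's verification list
# arrives as a single opaque argv element and nothing is executed host-side.
(
  ACTION_PATH=$(setup_fixture); export ACTION_PATH
  export INPUT_COMMAND='; touch PWNED; echo ' INPUT_COMMAND_BINARY=build/myloader
  export INPUT_MATRIX=quirk-library INPUT_OUT=reports/bpfcompat.json
  build_argv
  if [ -e PWNED ]; then echo 'PWNED created!'; else echo 'no host-side execution'; fi
)
```

The step that calls such a script would pass the free-text inputs as `env:` entries (for example `INPUT_COMMAND: ${{ inputs.command }}`) rather than writing `${{ inputs.command }}` into the `run:` body, which is the distinction the PR's "injection-safe" bullet is about: the interpolation happens into an environment value, not into shell source.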
Copilot AI review requested due to automatic review settings July 1, 2026 23:33

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@ErenAri ErenAri merged commit 00e2017 into main Jul 1, 2026
8 of 9 checks passed
@ErenAri ErenAri deleted the feat/action-command-mode branch July 1, 2026 23:44
