Comments (7)
@TheYoBots I understand the action didn't complete due to there being no edits to the wiki. The actions can still run despite the command line errors.
However, even if the backticks don't cause a problem with running the actions, it's still trying to execute arbitrary code. For an extreme example, a commit message could contain Fix documentation (`git branch --delete master`), which would be rather catastrophic. Or maybe something like Sneaky commit to reveal secrets (`echo ${{ github.secrets }} > mail.eml; send_email mail.eml` nothing to see here).
I think it's better not to include the commit message at all. Requiring inspection by people or complicated post-processing seems too unreliable. Wouldn't the commit before the Auto action contain all the necessary information in the commit message?
@AttackingOrDefending Any thoughts?
from lichess-bot.
I don't think that error had anything to do with using ``. This is in fact an expected bug with that commit. I spoke about it in the pull request itself:
#810 (comment)
The first workflow will give an error since there are no changes to the wiki dir as compared to the wiki page, but afterwards any changes made to the wiki dir will directly be reflected in the wiki.
If you don't want this error on first run then either I can make a change to the wiki dir now or I can add the tag --allow-empty-commit before committing changes like this: git commit --allow-empty-commit "Update wiki".
This occurs because when the wiki/ dir was created, as per github the files in the wiki/ path were updated and this means that it should run the sync-wiki workflow. Now when the workflow runs it sees that there is a change to the wiki/Home.md file, when in fact there was no change, the file was just created. So it copies the contents in the Home.md file to the README.md. But, there is no difference, so when the workflow comes to the stage where it needs to commit it tries to commit, but github says there isn't any change so you cannot make a commit and sends an error.
I tried to explain it as best as I could. Sorry if I just made it more confusing.
from lichess-bot.
But the wiki does also run the commit messages which have ``. But that has nothing to do with the error:
On branch master
Your branch is up to date with 'origin/master'.
Untracked files:
(use "git add <file>..." to include in what will be committed)
lichess-bot.wiki/
nothing added to commit but untracked files present (use "git add" to track)
Error: Process completed with exit code 1.
from lichess-bot.
Here's a test run in my repository with the same commit message and the files were edited: https://github.com/TheYoBots/lichess-bot/actions/runs/5950420455/job/16138179065
While this is persistent:
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: bullet_requires_increment: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: py: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: wiki/Home.md: Permission denied
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: README.md: command not found
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: wiki/Home.md: Permission denied
/home/runner/work/_temp/b0aa0f7f-0a32-485a-848e-4fef14763ef7.sh: line 3: README.md: command not found
This is how the commit message looks: TheYoBots@b702be1
from lichess-bot.
I think a fix would be that the owners of the repository can edit the message before squash and merging into the repository. Instead of all commits add a short description on what the PR does and the merge. And sometimes even edit the pull request name (commit message) if it has nothing to do with the pull request. This way even others who check a commit will get a gist of what the commit does.
from lichess-bot.
I agree that removing the commit message is probably the best and simplest solution. The reason that I suggested including the commit message is so that when someone looks at the wiki history they don't just see Auto update wiki which doesn't provide any meaningful information but I didn't think about arbitrary code execution.
We should also probably create branch protection rules to avoid such scenarios.
from lichess-bot.
Fixed by #817
from lichess-bot.
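An added example, not part of the thread or the lichess-bot repository: it reproduces, with a harmless marker command, why backticked words in a commit message ran as commands (the `command not found` lines above) when the message is pasted into the script text, next to the same message passed through an environment variable. The message, the function names and `COMMIT_MSG` are constructed for illustration.

```shell
#!/bin/sh
# Constructed commit message. The backticked part is a harmless marker:
# "42" can only appear in the output if the shell actually executed it.
MSG='Fix docs (`echo MARKER_$((6*7))`)'

# Unsafe pattern: the message is substituted into the *source text* of the
# script before any shell sees it, which is what a ${{ ... }} expression
# inside a workflow "run:" step does. The shell then parses the message
# as part of the command line, so backticks become command substitution.
run_interpolated() {
  script="printf '%s' \"Auto update wiki: $1\""
  sh -c "$script"
}

# Hardened pattern: the script text is fixed and the message arrives as
# data in an environment variable. The result of expanding $COMMIT_MSG is
# not re-parsed, so the backticks stay literal characters.
run_env() {
  COMMIT_MSG="$1" sh -c 'printf "%s" "Auto update wiki: $COMMIT_MSG"'
}

printf 'interpolated: %s\n' "$(run_interpolated "$MSG")"
printf 'env variable: %s\n' "$(run_env "$MSG")"
```

In a workflow, the second form corresponds to assigning the value under the step's `env:` key and referring to it as `"$COMMIT_MSG"` inside `run:`.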