22 changes: 19 additions & 3 deletions .github/workflows/test-suite.yml
@@ -1,47 +1,63 @@
name: CORE Test Suite Validation
on:
workflow_run:
workflows: ["Upload PR Artifact"]
types: [completed]
workflow_dispatch:
inputs:
pr_number:
description: "PR number to test (for forked repositories) (leave empty for current branch)"
required: false
type: string
pull_request_target:
push:
branches:
- main

env:
DATASET_SIZE_THRESHOLD: 1000000000

jobs:
validate:
runs-on: ubuntu-latest
# Only run if the workflow_run was successful or if manually triggered/pushed
if: |
github.event_name == 'push' ||
github.event_name == 'workflow_dispatch' ||
github.event.workflow_run.conclusion == 'success'
steps:
- name: Get Engine Changes
- name: Download PR engine artifact
if: github.event_name == 'workflow_run'
uses: actions/download-artifact@v8
with:
name: pr-engine-${{ github.event.workflow_run.pull_requests[0].number }}

- name: Checkout current branch (for push/manual)
if: github.event_name != 'workflow_run'
uses: actions/checkout@v6
with:
ref: ${{ (inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number)) || github.event.pull_request.head.sha || github.ref }}
ref: ${{ (inputs.pr_number && format('refs/pull/{0}/head', inputs.pr_number)) || github.ref }}

Check failure: Code scanning / CodeQL: Checkout of untrusted code in a privileged context (Critical, test): Potential execution of untrusted code on a privileged workflow (workflow_run)

- name: Get Test Suite Repository
uses: actions/checkout@v6
with:
repository: cdisc-org/CORE_Test_Suite
path: CORE_Test_Suite
token: ${{ secrets.ACCESS_TOKEN }}

- name: Set up Python
uses: actions/setup-python@v6

with:
python-version: "3.12"
- name: Install dependencies
run: |
pip install -r requirements.txt
- name: Update rules cache
env:
CDISC_LIBRARY_API_KEY: ${{ secrets.CDISC_LIBRARY_API_KEY }}
run: |
python core.py update-cache

#############################

Check failure: Code scanning / CodeQL: Code injection (Critical, test): Potential code injection in ${ env.RULE_LIST }, which may be controlled by an external user (workflow_run). Potential code injection in ${ env.RULE_LIST }, which may be controlled by an external user (workflow_dispatch).
# CORE TEST SUITE VALIDATION
#############################
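Review bot: The `workflow_run` path still executes fork-controlled code with secrets in scope, which is what the CodeQL alert on this hunk is about: `Download PR engine artifact` unpacks the PR's full checkout into the workspace, and the later `pip install -r requirements.txt` and `python core.py update-cache` run that code while `CDISC_LIBRARY_API_KEY` is in the environment and `ACCESS_TOKEN` has just been written into `CORE_Test_Suite/.git/config` by `actions/checkout` (it persists credentials by default). Dropping `github.event.pull_request.head.sha` from the checkout `ref` closes the `pull_request_target` variant but not this one. Either run the engine inside the unprivileged `pull_request` workflow and let this job consume only result JSON, or at minimum set `persist-credentials: false` on the `CORE_Test_Suite` checkout and gate the job behind an `environment` with required reviewers. Two functional problems in the same step: `actions/download-artifact` only sees artifacts of the current run unless it is given `run-id: ${{ github.event.workflow_run.id }}` and a `github-token`, so `pr-engine-*` will not be found; and for PRs from forks `github.event.workflow_run.pull_requests` is empty, so the name resolves to `pr-engine-`. Finally, the job `if:` never admits `pull_request_target`, so that trigger is dead and should be removed from `on:` rather than left behind.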

@@ -55,34 +71,34 @@
id: pandas_run
env:
CDISC_LIBRARY_API_KEY: ${{ secrets.CDISC_LIBRARY_API_KEY }}
continue-on-error: true

run: |
python core.py validate -s sdtmig -v 3-3 ${{ env.RULE_LIST }} -d CORE_Test_Suite/data -dxp CORE_Test_Suite/data/Define.xml -of json -o CORE_Test_Suite/pandas-results -l info || true

if [ -f "CORE_Test_Suite/pandas-results.json" ]; then
echo "pandas_success=true" >> $GITHUB_OUTPUT
echo "## Pandas Validation" >> $GITHUB_STEP_SUMMARY
echo "✅ **Success**: Validation completed successfully" >> $GITHUB_STEP_SUMMARY
python CORE_Test_Suite/scripts/validation_summary.py CORE_Test_Suite/pandas-results.json >> $GITHUB_STEP_SUMMARY
else
echo "Failed to generate pandas-results.json"
echo "pandas_success=false" >> $GITHUB_OUTPUT
echo "## Pandas Validation" >> $GITHUB_STEP_SUMMARY
echo "❌ **Failed**: No results file was generated" >> $GITHUB_STEP_SUMMARY
fi

- name: Pandas CORE comparison with template
if: steps.pandas_run.outputs.pandas_success == 'true'
continue-on-error: true
run: |
python CORE_Test_Suite/scripts/comparison.py CORE_Test_Suite/pandas-results.json CORE_Test_Suite/CORE-Report.json CORE_Test_Suite/pandas_comparison.xlsx --mode test --json-output CORE_Test_Suite/pandas_comparison.json

echo "pandas_diff=$?" >> $GITHUB_ENV

PANDAS_EXIT_CODE=$?
echo "pandas_diff=$PANDAS_EXIT_CODE" >> $GITHUB_ENV
if [ $PANDAS_EXIT_CODE -eq 0 ]; then
echo "Pandas comparison completed successfully (no differences)"
else

echo "Pandas comparison found differences"
fi
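Review bot: `PANDAS_EXIT_CODE=$?` on the line after `comparison.py` is unreachable when the script exits non-zero: `run:` steps execute under `bash -e`, so the step aborts at the failing command, `pandas_diff` is never written to `$GITHUB_ENV`, and the `Pandas comparison found differences` branch can never run (`continue-on-error: true` only hides the resulting step failure). Capture the status on the same command, e.g. `python CORE_Test_Suite/scripts/comparison.py ... && PANDAS_EXIT_CODE=0 || PANDAS_EXIT_CODE=$?`. Separately, the `${{ env.RULE_LIST }}` expression inside `run:` is substituted into the script text before bash parses it, which is the code-injection pattern CodeQL reports on this hunk; `RULE_LIST` was exported through `$GITHUB_ENV`, so it is already a shell variable and the command can reference it as `$RULE_LIST`, passing the value as arguments rather than as script source.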

@@ -95,39 +111,39 @@
id: dask_run
continue-on-error: true
env:
DATASET_SIZE_THRESHOLD: 0

CDISC_LIBRARY_API_KEY: ${{ secrets.CDISC_LIBRARY_API_KEY }}
run: |
python core.py validate -s sdtmig -v 3-3 ${{ env.RULE_LIST }} -d CORE_Test_Suite/data -dxp CORE_Test_Suite/data/Define.xml -of json -o CORE_Test_Suite/dask-results -l info || true

if [ -f "CORE_Test_Suite/dask-results.json" ]; then
echo "dask_success=true" >> $GITHUB_OUTPUT
echo "## Dask Validation" >> $GITHUB_STEP_SUMMARY
echo "✅ **Success**: Validation completed successfully" >> $GITHUB_STEP_SUMMARY
python CORE_Test_Suite/scripts/validation_summary.py dask-results.json >> $GITHUB_STEP_SUMMARY
else
echo "Failed to generate dask-results.json"
echo "dask_success=false" >> $GITHUB_OUTPUT

echo "## Dask Validation" >> $GITHUB_STEP_SUMMARY
echo "❌ **Failed**: No results file was generated" >> $GITHUB_STEP_SUMMARY
fi
- name: Dask comparison script
continue-on-error: true
if: steps.dask_run.outputs.dask_success == 'true'
run: |
python CORE_Test_Suite/scripts/comparison.py CORE_Test_Suite/dask-results.json CORE_Test_Suite/CORE-Report.json CORE_Test_Suite/dask_comparison.xlsx --mode test --json-output CORE_Test_Suite/dask_comparison.json
DASK_EXIT_CODE=$?
echo "dask_diff=$DASK_EXIT_CODE" >> $GITHUB_ENV

if [ $DASK_EXIT_CODE -eq 0 ]; then
echo "Dask comparison completed successfully (no differences)"
else
echo "Dask comparison found differences"

- name: Generate dask comparison summary
if: steps.dask_run.outputs.dask_success == 'true'
continue-on-error: true
run: |
python CORE_Test_Suite/scripts/compare_implementations.py CORE_Test_Suite/dask-results.json CORE_Test_Suite/CORE-Report.json CORE_Test_Suite/dask_comparison.json --github-step-summary $GITHUB_STEP_SUMMARY --mode test

Check failure: Code scanning / CodeQL: Code injection (Critical, test): Potential code injection in ${ env.USDM_RULE_LIST }, which may be controlled by an external user (workflow_run). Potential code injection in ${ env.USDM_RULE_LIST }, which may be controlled by an external user (workflow_dispatch).

#################################
# USDM TEST SUITE VALIDATION
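Review bot: `validation_summary.py dask-results.json` in the Dask validation step points at the wrong path: the engine writes to `-o CORE_Test_Suite/dask-results` and the existence check tests `CORE_Test_Suite/dask-results.json`, so the summary call should take `CORE_Test_Suite/dask-results.json`, as the Pandas step does. The `Dask comparison script` step also appears to end without a closing `fi` after `echo "Dask comparison found differences"`; unless that line was lost in rendering, bash will reject the script. The same `bash -e` ordering problem as in the Pandas comparison applies to `DASK_EXIT_CODE=$?` (it is never assigned when `comparison.py` fails), and `${{ env.RULE_LIST }}` should become `$RULE_LIST` here as well.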
@@ -139,30 +155,30 @@
echo "USDM_RULE_LIST=$usdm_rules" >> $GITHUB_ENV
echo "USDM rules: $usdm_rules"

- name: Run USDM validation (Negative)

id: usdm_neg
continue-on-error: true
run: |
python core.py validate -s usdm -v 3-0 ${{ env.USDM_RULE_LIST }} -dp CORE_Test_Suite/usdm_data/USDM_Test_Suite_negative.json -of json -o CORE_Test_Suite/usdm_negative_report -l error || true

if [ -f "CORE_Test_Suite/usdm_negative_report.json" ]; then
echo "usdm_neg_success=true" >> $GITHUB_OUTPUT
echo "## USDM Negative" >> $GITHUB_STEP_SUMMARY
echo "**Success**: Negative test passed" >> $GITHUB_STEP_SUMMARY
python CORE_Test_Suite/scripts/validation_summary.py CORE_Test_Suite/usdm_negative_report.json >> $GITHUB_STEP_SUMMARY
else
echo "usdm_neg_success=false" >> $GITHUB_OUTPUT
echo "**Failed**: No results for negative test" >> $GITHUB_STEP_SUMMARY

fi

- name: Compare USDM negative result
if: steps.usdm_neg.outputs.usdm_neg_success == 'true'
continue-on-error: true
run: |

python CORE_Test_Suite/scripts/comparison.py CORE_Test_Suite/usdm_negative_report.json CORE_Test_Suite/USDM_Negative_Result.json CORE_Test_Suite/usdm_negative_comparison.xlsx --mode test --json-output CORE_Test_Suite/usdm_negative_comparison.json
USDM_NEG_EXIT_CODE=$?
echo "usdm_neg_diff=$USDM_NEG_EXIT_CODE" >> $GITHUB_ENV
if [ $USDM_NEG_EXIT_CODE -eq 0 ]; then

echo "USDM negative comparison completed successfully (no differences)"
else
echo "USDM negative comparison found differences"
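Review bot: The step summary prints `**Success**: Negative test passed` solely because `usdm_negative_report.json` exists; the validate command ends in `|| true` and writes a report whether or not rules fire, and the real verdict only comes from `comparison.py` in the next step. Word it as "report generated" or move the pass/fail line into the comparison step. `USDM_NEG_EXIT_CODE=$?` has the same unreachable-under-`bash -e` problem as the earlier comparison steps, and `${{ env.USDM_RULE_LIST }}` should be `$USDM_RULE_LIST`: the value is set by `echo "USDM_RULE_LIST=$usdm_rules" >> $GITHUB_ENV` a few lines up, so it is already in the shell environment and does not need to be interpolated into the script body, which is the injection sink CodeQL flags.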
@@ -174,29 +190,29 @@
run: |
python CORE_Test_Suite/scripts/compare_implementations.py CORE_Test_Suite/usdm_negative_report.json CORE_Test_Suite/USDM_Negative_Result.json CORE_Test_Suite/usdm_negative_comparison.json --github-step-summary $GITHUB_STEP_SUMMARY --mode test

- name: Run USDM validation (Positive)

id: usdm_pos
continue-on-error: true
run: |
python core.py validate -s usdm -v 3-0 ${{ env.USDM_RULE_LIST }} -dp CORE_Test_Suite/usdm_data/USDM_Test_Suite_positive.json -of json -o CORE_Test_Suite/usdm_positive_report -l error || true

if [ -f "CORE_Test_Suite/usdm_positive_report.json" ]; then
echo "usdm_pos_success=true" >> $GITHUB_OUTPUT
echo "## USDM Positive" >> $GITHUB_STEP_SUMMARY
echo "**Success**: Positive test passed" >> $GITHUB_STEP_SUMMARY
python CORE_Test_Suite/scripts/validation_summary.py CORE_Test_Suite/usdm_positive_report.json >> $GITHUB_STEP_SUMMARY
else
echo "usdm_pos_success=false" >> $GITHUB_OUTPUT
echo "**Failed**: No results for positive test" >> $GITHUB_STEP_SUMMARY

fi

- name: Compare USDM positive result
if: steps.usdm_pos.outputs.usdm_pos_success == 'true'
continue-on-error: true
run: |
python CORE_Test_Suite/scripts/comparison.py CORE_Test_Suite/usdm_positive_report.json CORE_Test_Suite/USDM_Positive_Result.json CORE_Test_Suite/usdm_positive_comparison.xlsx --mode test --json-output CORE_Test_Suite/usdm_positive_comparison.json
USDM_POS_EXIT_CODE=$?
echo "usdm_pos_diff=$USDM_POS_EXIT_CODE" >> $GITHUB_ENV

if [ $USDM_POS_EXIT_CODE -eq 0 ]; then
echo "USDM positive comparison completed successfully (no differences)"
else
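Review bot: This hunk duplicates the negative-test steps with `negative` swapped for `positive` and inherits the same three defects: `**Success**: Positive test passed` is printed on file existence rather than on a comparison verdict, `USDM_POS_EXIT_CODE=$?` is never reached when `comparison.py` exits non-zero under `bash -e`, and `${{ env.USDM_RULE_LIST }}` should be `$USDM_RULE_LIST`. A `for suite in negative positive` loop (or a shared shell function) over the report, expected-result and comparison paths would let the fix land once instead of in both copies.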
22 changes: 22 additions & 0 deletions .github/workflows/upload-pr-artifact.yml
@@ -0,0 +1,22 @@
name: Upload PR Artifact
on:
pull_request:
branches:
- main

permissions:
contents: read

jobs:
build-engine:
runs-on: ubuntu-latest
steps:
- name: Checkout PR code
uses: actions/checkout@v6

- name: Upload engine artifact
uses: actions/upload-artifact@v7
with:
name: pr-engine-${{ github.event.pull_request.number }}
path: .
retention-days: 1
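Review bot: `path: .` makes this artifact the vehicle that carries fork code into the privileged `CORE Test Suite Validation` job; on its own this workflow is fine (`permissions: contents: read`, no secrets), but the safety of the pair depends entirely on what the consumer does with the contents. If the engine run can move into this unprivileged workflow, upload only the result JSON here and let the `workflow_run` job compare and summarise; that does require the test-suite data and library cache to be reachable without secrets, otherwise the privileged job needs a protected `environment` in front of it. If the full checkout must be shipped, keep `retention-days: 1`, and note that the downstream `download-artifact` step needs `run-id: ${{ github.event.workflow_run.id }}` plus a `github-token` to reach an artifact from this run at all.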
github-advanced-security[bot] marked this conversation as resolved.
Fixed