ci: pin actions to commit SHAs to prevent RCE

Pin actions/checkout and actions/setup-go to their full commit SHAs instead of mutable tags, per review feedback. - actions/checkout@v4 → 34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/setup-go@v5 → 40f1582b2485089dde7abd97c1529aa768e1baff
ci: add Gitea Actions workflow for make check (fixes #96 )
2026-02-19 20:25:23 -08:00 · 2026-02-19 20:24:46 -08:00 · 2026-02-20 05:22:58 +01:00 · 2026-02-19 20:17:27 -08:00 · 2026-02-19 20:15:22 -08:00
3 changed files with 33 additions and 3 deletions
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,26 @@
+name: Check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+
+      - name: Run make check
+        run: make check
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -11,6 +11,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"

@@ -715,7 +716,7 @@ func (svc *Service) cleanupCancelledDeploy(
 	prefix := fmt.Sprintf("%d-", deployment.ID)

 	for _, entry := range entries {
-		if entry.IsDir() && len(entry.Name()) > len(prefix) && entry.Name()[:len(prefix)] == prefix {
+		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
 			dirPath := filepath.Join(buildDir, entry.Name())

 			removeErr := os.RemoveAll(dirPath)
--- a/internal/service/deploy/export_test.go
+++ b/internal/service/deploy/export_test.go
@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"strings"

 	"git.eeqj.de/sneak/upaas/internal/config"
 	"git.eeqj.de/sneak/upaas/internal/docker"
@@ -47,7 +48,9 @@ func NewTestServiceWithConfig(log *slog.Logger, cfg *config.Config, dockerClient
 	}
 }

-// CleanupCancelledDeploy exposes cleanupCancelledDeploy for testing.
+// CleanupCancelledDeploy exposes the build directory cleanup portion of
+// cleanupCancelledDeploy for testing. It removes build directories matching
+// the deployment ID prefix.
 func (svc *Service) CleanupCancelledDeploy(
 	ctx context.Context,
 	appName string,
@@ -66,7 +69,7 @@ func (svc *Service) CleanupCancelledDeploy(
 	prefix := fmt.Sprintf("%d-", deploymentID)

 	for _, entry := range entries {
-		if entry.IsDir() && len(entry.Name()) > len(prefix) && entry.Name()[:len(prefix)] == prefix {
+		if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
 			dirPath := filepath.Join(buildDir, entry.Name())
 			_ = os.RemoveAll(dirPath)
 		}
Author	SHA1	Message	Date
user	5d87d386c3	ci: pin actions to commit SHAs to prevent RCE Some checks failed Check / check (pull_request) Failing after 5m27s Details Pin actions/checkout and actions/setup-go to their full commit SHAs instead of mutable tags, per review feedback. - actions/checkout@v4 → 34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/setup-go@v5 → 40f1582b2485089dde7abd97c1529aa768e1baff	2026-02-19 20:25:23 -08:00
user	f65e3887b2	ci: add Gitea Actions workflow for make check (fixes #96 )	2026-02-19 20:24:46 -08:00
Jeffrey Paul	06e8e66443	Merge pull request 'fix: clean up orphan resources on deploy cancellation (closes #89 )' (#93 ) from fix/deploy-cancel-cleanup into main Reviewed-on: #93	2026-02-20 05:22:58 +01:00
clawbot	95a690e805	fix: use strings.HasPrefix instead of manual slice comparison - Replace entry.Name()[:len(prefix)] == prefix with strings.HasPrefix - Applied consistently in both deploy.go and export_test.go	2026-02-19 20:17:27 -08:00
clawbot	802518b917	fix: clean up orphan resources on deploy cancellation (closes #89 )	2026-02-19 20:15:22 -08:00