ci: pin Vector 0.54.0 and remove repeat() compatibility guard #191

TerrifiedBug wants to merge 1 commit into main from
Installs Vector 0.54.0 from GitHub releases in the CI check job so the DLP VRL integration tests always run against a known-good binary. Removes the vectorSupportsRepeat() capability probe, the REQUIRES_REPEAT set, and the conditional describe.skipIf wrapper — dlp-credit-card-masking now runs unconditionally alongside all other DLP templates.
Greptile Summary

This PR pins the CI

Confidence Score: 4/5. Safe to merge; only finding is a P2 recommendation to verify the Vector tarball checksum in CI. All findings are P2 (style/hardening). No logic bugs or security vulnerabilities are introduced in the changed code.

Important Files Changed: `.github/workflows/ci.yml` — missing SHA-256 verification on the Vector tarball download.
Sequence Diagram

```mermaid
sequenceDiagram
    participant CI as GitHub Actions (check job)
    participant GH as GitHub Releases
    participant Runner as ubuntu-latest runner
    CI->>GH: curl -fsSL vector-0.54.0-x86_64-unknown-linux-musl.tar.gz
    GH-->>Runner: tarball stream
    Runner->>Runner: sudo tar -xz → /usr/local/bin/vector
    Runner->>Runner: vector --version (smoke check)
    Runner->>Runner: pnpm test
    Runner->>Runner: dlp-vrl-integration tests (incl. dlp-credit-card-masking, no skip)
```
Review comment on .github/workflows/ci.yml, lines 65-68:

**No checksum verification on downloaded binary**

The tarball is piped directly into `sudo tar` without verifying its SHA-256 digest against the published checksum. Vector publishes `vector-0.54.0-SHA256SUMS` alongside every release; if the GitHub CDN or a transparent proxy were to serve a corrupted artifact, the malformed binary would be silently installed and then executed as `sudo`. Consider verifying the digest before extraction.

```suggestion
- name: Install Vector 0.54.0
  run: |
    curl -fsSL "https://github.com/vectordotdev/vector/releases/download/v0.54.0/vector-0.54.0-x86_64-unknown-linux-musl.tar.gz" \
      -o /tmp/vector.tar.gz
    echo "$(curl -fsSL https://github.com/vectordotdev/vector/releases/download/v0.54.0/vector-0.54.0-SHA256SUMS | grep vector-0.54.0-x86_64-unknown-linux-musl.tar.gz | awk '{print $1}') /tmp/vector.tar.gz" | sha256sum -c -
    sudo tar -xz -C /usr/local/bin --strip-components=2 -f /tmp/vector.tar.gz "vector-x86_64-unknown-linux-musl/bin/vector"
    vector --version
```
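Review bot: the expected digest on the `echo "$(curl -fsSL .../vector-0.54.0-SHA256SUMS | grep ... | awk '{print $1}') /tmp/vector.tar.gz" | sha256sum -c -` line is fetched at run time from the same release URL as the tarball, so this catches a corrupted or truncated download but not a substituted release; since the version is already pinned, hard-code the expected SHA-256 as a literal in the workflow (or verify the SHA256SUMS file's signature) so the trusted value lives in the repository. The unanchored `grep vector-0.54.0-x86_64-unknown-linux-musl.tar.gz` would also emit more than one digest if the sums file lists a longer name with that prefix, turning the check line into a malformed entry; match the name as an exact whole field instead.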
Reviews (1): Last reviewed commit: "ci: pin Vector 0.54.0 in CI and remove r..."
The reviewed step as committed in `.github/workflows/ci.yml`:

```yaml
    run: |
      curl -fsSL "https://github.com/vectordotdev/vector/releases/download/v0.54.0/vector-0.54.0-x86_64-unknown-linux-musl.tar.gz" \
        | sudo tar -xz -C /usr/local/bin --strip-components=2 "vector-x86_64-unknown-linux-musl/bin/vector"
      vector --version
```
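Review bot: the `curl -fsSL ... \` / `| sudo tar -xz ...` pipeline in this `run:` block reports tar's exit status alone; unless the step sets `shell: bash` (GitHub Actions' default `run:` shell is `bash -e {0}`, which does not enable `pipefail`), a curl failure is only caught indirectly when tar rejects the truncated stream. Download to a file first and verify it before extraction so the step fails on the download error itself; because the archive is unpacked as root into `/usr/local/bin`, that integrity check is what keeps a bad download from becoming a privileged install.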
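The verification the review recommends, as an added example that is not the PR's or Greptile's code: a fail-closed lookup in a sha256sum-format SHA256SUMS file followed by the digest check, run here against a constructed fixture instead of a real download. It assumes GNU `sha256sum` and the `<hex>  <name>` (or `<hex> *<name>`) line format.

```shell
#!/bin/sh
# Added example, not the PR's or Greptile's code: fail-closed SHA-256
# verification of a release tarball against a SHA256SUMS file, the check the
# review asks for before `sudo tar` extracts the Vector binary.
set -eu

# Print the digest for exactly one artifact name from a sha256sum-format
# SHA256SUMS file ("<hex>  <name>" or "<hex> *<name>"). The name is compared
# as a whole field, so a ".tar.gz" entry never matches ".tar.gz.sig", and a
# missing or duplicated entry is an error rather than an empty digest.
digest_from_sums() {
    sums_file=$1
    name=$2
    matches=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums_file")
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one SHA256SUMS entry for $name, found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Verify a local file against an expected hex digest; the exit status is
# the verdict, so `verify_sha256 f d || exit 1` fails the CI step.
verify_sha256() {
    file=$1
    expected=$2
    echo "$expected  $file" | sha256sum -c --quiet - >/dev/null 2>&1
}

# Constructed fixture (stands in for the release download): a fake tarball,
# a tampered copy, and a SHA256SUMS that also lists a longer-named entry.
make_fixture() {
    dir=$(mktemp -d)
    artifact=vector-0.54.0-x86_64-unknown-linux-musl.tar.gz
    printf 'constructed tarball stand-in\n' > "$dir/$artifact"
    printf 'tampered content\n' > "$dir/tampered.tar.gz"
    {
        sha256sum "$dir/$artifact" | awk -v n="$artifact" '{ print $1 "  " n }'
        echo "0000000000000000000000000000000000000000000000000000000000000000  $artifact.sha256"
    } > "$dir/SHA256SUMS"
    echo "$dir"
}

# Demo on the fixture: look the digest up, then verify the file against it.
fixture=$(make_fixture)
digest=$(digest_from_sums "$fixture/SHA256SUMS" vector-0.54.0-x86_64-unknown-linux-musl.tar.gz)
verify_sha256 "$fixture/vector-0.54.0-x86_64-unknown-linux-musl.tar.gz" "$digest" && echo "digest verified"
```

In the workflow the fixture directory would be replaced by the downloaded `/tmp/vector.tar.gz` and the fetched (or, better, repository-pinned) SHA256SUMS, with extraction happening only after `verify_sha256` succeeds.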
Closing — lint failing and not verified. The DLP credit-card test currently skips when Vector isn't installed, so adding a CI install step needs more justification. Will redo as focused PR if/when DLP fixtures need to run on every PR.
Summary

- Adds an `Install Vector 0.54.0` step to the CI `check` job — downloads the musl tarball from GitHub releases and verifies with `vector --version`
- Removes the `vectorSupportsRepeat()` capability probe, `REQUIRES_REPEAT` set, and the `describe.skipIf` wrapper from `dlp-vrl-integration.test.ts`
- `dlp-credit-card-masking` now runs unconditionally alongside all other DLP templates

Test plan

- `check` job installs Vector 0.54.0 and runs `pnpm test` — DLP VRL integration tests pass including credit card masking fixtures
- No `vectorSupportsRepeat` references remain in the test file