
Fix glob expansion for local dependencies#20

Merged
llucax merged 2 commits into frequenz-floss:v1.x.x from llucax:fix-glob-dependencies
Mar 26, 2026


@llucax llucax commented Mar 25, 2026

Using xargs to safely parse the DEPENDENCIES environment variable prevented the shell from expanding globs (e.g., dist/*.whl). This broke workflows that relied on wildcard patterns for passing locally built wheel files to pip.

This commit delegates the installation step to a companion script scripts/install-dependencies.sh. This script safely splits the arguments, explicitly handles glob expansions for paths (restoring the *.whl support), and proactively blocks unsafe dependencies (like editable installs or requirement files) to ensure arbitrary code execution from the checked-out PR context remains prevented.

Using `xargs` to safely parse the `DEPENDENCIES` environment variable
prevented the shell from expanding globs (e.g., `dist/*.whl`). This
broke workflows that relied on wildcard patterns for passing locally
built wheel files to `pip`.

This commit delegates the installation step to a companion script
`scripts/install-dependencies.sh`. This script safely splits the
arguments, explicitly handles glob expansions for paths (restoring the
`*.whl` support), and proactively blocks unsafe dependencies (like
editable installs or requirement files) to ensure arbitrary code
execution from the checked-out PR context remains prevented.

Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
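The installer approach the PR describes, written out as an added example (a hypothetical stand-in, not the project's own `scripts/install-dependencies.sh`): `DEPENDENCIES` is word-split with globbing disabled, wildcard tokens are then expanded against the filesystem, and any option-like token such as `-e` or `-r` is refused before anything reaches `pip`. The function names and the `PIP` override are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for scripts/install-dependencies.sh (not the project's
# code): split DEPENDENCIES on whitespace, expand globs for paths, and refuse
# anything pip would read as an option.

# -e/--editable runs build code from the checked-out tree and -r/--requirement
# reads a file from it; those are the cases the PR names. Rejecting any token
# with a leading '-' covers them and every other pip option as well.
is_safe_dependency() {
    case "$1" in
        -*) return 1 ;;
        *)  return 0 ;;
    esac
}

# Print one pip argument per line. Tokens containing * or ? are expanded
# against the filesystem; plain tokens (including requests[socks]) pass
# through literally. Returns 1 on an unsafe token, 2 on a glob with no match.
expand_dependencies() {
    set -f                      # no globbing while word-splitting on whitespace
    set -- $1
    set +f
    for dep in "$@"; do
        is_safe_dependency "$dep" || { echo "refusing option-like dependency: $dep" >&2; return 1; }
        case "$dep" in
            *[*?]*)
                matched=0
                for path in $dep; do                 # unquoted: the glob expands here
                    [ -e "$path" ] || continue
                    case "$path" in -*) path="./$path" ;; esac   # a file named -r stays a path
                    matched=1
                    printf '%s\n' "$path"
                done
                [ "$matched" -eq 1 ] || { echo "no file matches: $dep" >&2; return 2; }
                ;;
            *) printf '%s\n' "$dep" ;;
        esac
    done
}

# Hand the expanded list to pip as separate argv entries, with no second round
# of splitting or globbing. PIP is an assumed override (PIP=echo for a dry run).
install_dependencies() {
    args=$(expand_dependencies "$1") || return $?
    set -f; IFS='
'
    set -- $args
    unset IFS; set +f
    "${PIP:-pip}" install "$@"
}
```

Unlike `echo "$DEPENDENCIES" | xargs pip install`, the wildcard is expanded by the shell after splitting, so `dist/*.whl` reaches `pip` as the matched file names while `-e .` or `-r requirements.txt` never does.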
@llucax llucax requested a review from a team as a code owner March 25, 2026 12:33
@llucax llucax requested review from tiyash-basu-frequenz and removed request for a team March 25, 2026 12:33
@github-actions github-actions Bot added the labels part:docs (Affects the documentation), part:tooling (Affects the development tooling (CI, deployment, dependency management, etc.)) and part:action (Affects the action itself) Mar 25, 2026
@llucax llucax added the type:regression (Something isn't working, but it was working before) label Mar 25, 2026
@llucax llucax added this to the v1.0.4 milestone Mar 25, 2026
@llucax llucax enabled auto-merge March 25, 2026 12:35
@llucax llucax added this pull request to the merge queue Mar 26, 2026
Merged via the queue into frequenz-floss:v1.x.x with commit b5707ff Mar 26, 2026
2 checks passed
@llucax llucax deleted the fix-glob-dependencies branch March 26, 2026 12:47
2 participants