ci: pin Run tests step to bash so $TEST_SCRIPT expands on Windows#11659
Conversation
Without an explicit shell, the step ran under PowerShell on windows-latest, where `$TEST_SCRIPT` is not a variable (PowerShell exposes env vars as `$env:TEST_SCRIPT`). `pn run ""` then exited 0 and just listed available scripts — the Windows test legs have been silently no-op'ing since the env-var move in #11608. The sibling `Verify Node version` and `Determine test scope` steps already pin `shell: bash`; this brings `Run tests` in line. --- Written by an agent (Claude Code, claude-opus-4-7).
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📜 Recent review details⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
🔇 Additional comments (1)
📝 WalkthroughWalkthroughThe reusable test workflow in ChangesTest Workflow Configuration
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
…short names (#11661) `os.tmpdir()` on GitHub's Windows runners returns the 8.3 short-name form of the user-profile directory (e.g. `C:\Users\RUNNER~1\AppData\Local\Temp`) because `runneradmin` is longer than 8 characters. The `~` then trips the `quoteShellArg` allowlist regex and every test that calls `sendLineScript` or `generateSendStdinScript` throws "Unsupported character in shell argument". The tilde is safe to allow: - cmd.exe performs no tilde expansion at all. - POSIX shells only expand `~` when it is unquoted at the start of a word; inside the double-quoted `"${arg}"` wrapper produced here it is literal. The matching CodeQL shell-injection sanitization argument is unchanged — the allowlist is still anchored and still rejects every metacharacter. The bug was masked until #11659 because the Windows test legs had been silently no-op'ing since #11608. --- Written by an agent (Claude Code, claude-opus-4-7).
…pm#11659) Without an explicit shell, the step ran under PowerShell on windows-latest, where `$TEST_SCRIPT` is not a variable (PowerShell exposes env vars as `$env:TEST_SCRIPT`). `pn run ""` then exited 0 and just listed available scripts — the Windows test legs have been silently no-op'ing since the env-var move in pnpm#11608. The sibling `Verify Node version` and `Determine test scope` steps already pin `shell: bash`; this brings `Run tests` in line. --- Written by an agent (Claude Code, claude-opus-4-7).
…short names (pnpm#11661) `os.tmpdir()` on GitHub's Windows runners returns the 8.3 short-name form of the user-profile directory (e.g. `C:\Users\RUNNER~1\AppData\Local\Temp`) because `runneradmin` is longer than 8 characters. The `~` then trips the `quoteShellArg` allowlist regex and every test that calls `sendLineScript` or `generateSendStdinScript` throws "Unsupported character in shell argument". The tilde is safe to allow: - cmd.exe performs no tilde expansion at all. - POSIX shells only expand `~` when it is unquoted at the start of a word; inside the double-quoted `"${arg}"` wrapper produced here it is literal. The matching CodeQL shell-injection sanitization argument is unchanged — the allowlist is still anchored and still rejects every metacharacter. The bug was masked until pnpm#11659 because the Windows test legs had been silently no-op'ing since pnpm#11608. --- Written by an agent (Claude Code, claude-opus-4-7).
Summary
Run testsstep in.github/workflows/test.ymlhad no explicitshell:, so on Windows it ran under PowerShell — where\$TEST_SCRIPTis not a variable (PowerShell exposes env vars as\$env:TEST_SCRIPT).pn run ""exited 0 and just printed the available scripts. The Windows test legs have been silently no-op'ing since ci: address zizmor findings across workflows #11608 (May 12), when the script name was moved from a\${{ ... }}interpolation into theTEST_SCRIPTenv var to satisfy zizmor's template-injection rule.shell: bash, matching the siblingVerify Node versionandDetermine test scopesteps.\$TEST_SCRIPTnow expands correctly on every platform.Test plan
Run pn run "ci:test-branch"actually invoking jest/etc., not justLifecycle scripts:followed by a script listing).Written by an agent (Claude Code, claude-opus-4-7).
Summary by CodeRabbit