fix(ci): update curl pin to pqc-enabled tag so PQC keys are generated #3579
dmihalcik-virtru wants to merge 2 commits into
The watch-sh-fix tag predates PQC support in init-temp-keys.sh, so kas-xwing-private.pem and related files were never generated. The pqc-enabled tag points to main HEAD which already runs `go run ./service/cmd/keygen` to produce the PQC key pairs needed by start-additional-kas when pqc-enabled is true.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request updates the CI pipeline to use a more recent version of key infrastructure scripts. By switching to the 'pqc-enabled' tag, the build process now correctly generates the necessary PQC key pairs required for testing additional KAS configurations.
📝 Walkthrough
The PR updates a GitHub Actions composite action to fetch three deployment scripts from the
Changes
Deployment Script Tag Update
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks | ✅ 5 passed
Code Review
This pull request updates the GitHub Actions workflow to download setup scripts and docker-compose files using the pqc-enabled tag instead of watch-sh-fix. The review feedback recommends adding the -sSfL flags to the curl commands to ensure the step fails immediately if an HTTP error occurs, preventing downstream failures from corrupted or missing files.
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh | ||
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml | ||
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh |
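Review bot: All three lines write curl's output with a shell `>` redirect, so the destination file is created or truncated before the transfer starts and an empty or partial `init-temp-keys.sh`, `docker-compose.yaml` or `watch.sh` is left in place if the download fails. Have curl write to a temporary path with `-o` and move the file into `otdf-test-platform/` only after curl exits zero, so a later step never runs a half-written script.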
The curl commands do not use the -f / --fail flag. By default, curl does not return a non-zero exit code when encountering HTTP errors (such as 404 Not Found or 500 Internal Server Error). Instead, it will write the error response body to the destination files, which will cause confusing failures in subsequent steps when the runner attempts to execute the invalid shell scripts or parse the invalid YAML.
Using -sSfL ensures that curl fails the step immediately on HTTP errors, runs silently unless there is an error, and correctly follows any redirects.
curl -sSfL https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
curl -sSfL https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
curl -sSfL https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/start-up-with-containers/action.yaml`:
- Around line 129-131: The three curl downloads (the URLs that write to
otdf-test-platform/.github/scripts/init-temp-keys.sh,
otdf-test-platform/docker-compose.yaml, and
otdf-test-platform/.github/scripts/watch.sh) must include integrity checks:
either pin the URLs to an immutable commit SHA instead of the "pqc-enabled" tag,
or (if tag use is required) fetch a trusted checksum/signature for each file and
verify it before saving/executing; implement a post-download verification step
that computes sha256 (or verifies a GPG signature) and fails the workflow if the
checksum/signature does not match, and ensure the verified files are only
executed later at the existing execution points (the script invocations around
lines where these files are run) after successful verification.
- Around line 129-131: The scripts are being fetched from the hardcoded tag
"pqc-enabled" which can mismatch the checked-out platform ref
(inputs.platform-ref); update the curl download URLs in action.yaml so the three
fetched files (init-temp-keys.sh, docker-compose.yaml, watch.sh) use the same
ref as the platform checkout (inputs.platform-ref) instead of the fixed tag,
ensuring downloads are parameterized to reference inputs.platform-ref so scripts
and platform code remain in sync.
📒 Files selected for processing (1)
test/start-up-with-containers/action.yaml
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh | ||
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml | ||
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh |
Security: Downloaded scripts lack integrity verification.
The three scripts are fetched via curl from a remote GitHub URL without any checksum, signature, or hash verification. This creates a supply chain security risk:
- If the pqc-enabled tag is mutable (can be moved to point to different commits), an attacker who compromises the repository could inject malicious code.
- Even with an immutable tag, a compromised GitHub account or man-in-the-middle attack could serve malicious scripts.
- The scripts are executed with shell privileges (lines 183, 295) and can modify the test environment.
The PR description states the tag "points to main HEAD," which is ambiguous—if the tag is intended to track main, this introduces non-deterministic builds and increases the attack surface.
🛡️ Recommended fix to add integrity verification
Option 1: Use commit SHAs instead of tags for immutability
- curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
- curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
- curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
+ # Replace COMMIT_SHA with the actual commit SHA of the pqc-enabled tag
+ COMMIT_SHA="<commit-sha-of-pqc-enabled-tag>"
+ curl https://raw.githubusercontent.com/opentdf/platform/${COMMIT_SHA}/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
+ curl https://raw.githubusercontent.com/opentdf/platform/${COMMIT_SHA}/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
+ curl https://raw.githubusercontent.com/opentdf/platform/${COMMIT_SHA}/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.shOption 2: Add checksum verification after download
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
+ echo "<expected-sha256-checksum> otdf-test-platform/.github/scripts/init-temp-keys.sh" | sha256sum --check
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
+ echo "<expected-sha256-checksum> otdf-test-platform/docker-compose.yaml" | sha256sum --check
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
+ echo "<expected-sha256-checksum> otdf-test-platform/.github/scripts/watch.sh" | sha256sum --check🤖 Prompt for AI Agents
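Review bot: In Option 2 the unchanged curl lines still fetch from `refs/tags/pqc-enabled` while each added `sha256sum --check` line pins one fixed digest, so the step breaks whenever the tag is moved, and the PR description says the tag points to main HEAD. The check also runs after the file has already been written to its final path. Record which commit the three digests were computed from next to them, and download to a temporary path that is moved into place only when the check passes.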
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/start-up-with-containers/action.yaml` around lines 129 - 131, The three
curl downloads (the URLs that write to
otdf-test-platform/.github/scripts/init-temp-keys.sh,
otdf-test-platform/docker-compose.yaml, and
otdf-test-platform/.github/scripts/watch.sh) must include integrity checks:
either pin the URLs to an immutable commit SHA instead of the "pqc-enabled" tag,
or (if tag use is required) fetch a trusted checksum/signature for each file and
verify it before saving/executing; implement a post-download verification step
that computes sha256 (or verifies a GPG signature) and fails the workflow if the
checksum/signature does not match, and ensure the verified files are only
executed later at the existing execution points (the script invocations around
lines where these files are run) after successful verification.
Version mismatch risk between downloaded scripts and platform code.
The scripts are downloaded from the fixed pqc-enabled tag, while the platform repository is checked out at inputs.platform-ref (line 124, default: main). This creates a version skew where the scripts and platform code may be from different commits, potentially causing compatibility issues.
When inputs.platform-ref points to a commit that has diverged from the pqc-enabled tag, there is a risk that:
- init-temp-keys.sh may not match the key generation logic expected by the checked-out platform version
- docker-compose.yaml may reference images, volumes, or services incompatible with the platform version
- watch.sh may use flags or behaviors not supported by the built binary
Consider using the same ref for both the platform checkout and the script downloads to ensure version consistency.
🔧 Proposed fix to align script downloads with platform checkout
- curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
- curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
- curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
+ PLATFORM_REF="${{ inputs.platform-ref }}"
+ curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
+ curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
+ curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.shThis ensures the scripts are from the same ref as the platform code being tested.
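Review bot: The added line `PLATFORM_REF="${{ inputs.platform-ref }}"` expands the input into the script text before the shell runs, so a ref value containing a quote or `$(...)` becomes shell code in this step. Pass the input through the step's `env:` block and read it as `"$PLATFORM_REF"`, quote the URLs that use it, and note that with the default `main` these downloads track a moving branch rather than a fixed revision.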
📝 Committable suggestion
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh | |
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml | |
| curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh | |
| PLATFORM_REF="${{ inputs.platform-ref }}" | |
| curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh | |
| curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/docker-compose.yaml > otdf-test-platform/docker-compose.yaml | |
| curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/start-up-with-containers/action.yaml` around lines 129 - 131, The
scripts are being fetched from the hardcoded tag "pqc-enabled" which can
mismatch the checked-out platform ref (inputs.platform-ref); update the curl
download URLs in action.yaml so the three fetched files (init-temp-keys.sh,
docker-compose.yaml, watch.sh) use the same ref as the platform checkout
(inputs.platform-ref) instead of the fixed tag, ensuring downloads are
parameterized to reference inputs.platform-ref so scripts and platform code
remain in sync.
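The integrity check requested in the review above (pin to a commit SHA, verify SHA-256 before the file reaches its final path), as an added example that is not part of this PR or of the opentdf project. The function names `verify_and_install` and `fetch_pinned` and the `<...>` placeholders are assumptions; the maintainer supplies the real commit SHA and digests.

```shell
#!/usr/bin/env bash
# Added example: download to a temp file, verify SHA-256, then install.
# REPO_RAW matches the URLs in the PR; everything else here is hypothetical.
REPO_RAW="https://raw.githubusercontent.com/opentdf/platform"

# verify_and_install FILE EXPECTED_SHA256 DEST
# Moves FILE to DEST only if its digest matches; otherwise deletes FILE and fails.
verify_and_install() {
  local file=$1 expected=$2 dest=$3 actual
  actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
  if [ "$actual" != "$expected" ]; then
    echo "sha256 mismatch for $dest: got $actual, want $expected" >&2
    rm -f "$file"
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  mv "$file" "$dest"
}

# fetch_pinned COMMIT_SHA REPO_PATH EXPECTED_SHA256 DEST
fetch_pinned() {
  local sha=$1 path=$2 expected=$3 dest=$4 tmp
  # Accept only a full 40-hex commit id: tags and branches can be moved.
  case "$sha" in
    *[!0-9a-f]*) echo "ref is not a commit SHA: $sha" >&2; return 2 ;;
  esac
  [ "${#sha}" -eq 40 ] || { echo "ref is not a full commit SHA: $sha" >&2; return 2; }
  tmp=$(mktemp) || return 1
  # -f: non-zero exit on HTTP errors; -o to a temp path: DEST is never
  # truncated or half-written when the transfer fails.
  if ! curl -sSfL --proto '=https' -o "$tmp" "$REPO_RAW/$sha/$path"; then
    rm -f "$tmp"
    return 1
  fi
  verify_and_install "$tmp" "$expected" "$dest"
}

# Usage in the workflow step (placeholders, not values from the PR):
# fetch_pinned "<commit-sha>" .github/scripts/init-temp-keys.sh \
#   "<expected-sha256>" otdf-test-platform/.github/scripts/init-temp-keys.sh
```
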
yq does not support if/elif/else expressions; use the idiomatic with(select(...); ...) pattern instead to conditionally append PQC keyring and cryptoProvider entries when pqc-enabled is true.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
Summary
- `curl` pin in `test/start-up-with-containers/action.yaml` from `watch-sh-fix` to `pqc-enabled` tag
- `watch-sh-fix` tag predates PQC support in `init-temp-keys.sh`, so `kas-xwing-private.pem` and related files were never generated
- `pqc-enabled` tag points to main HEAD which runs `go run ./service/cmd/keygen` to produce the PQC key pairs needed by `start-additional-kas` when `pqc-enabled` is true

Test plan
- `start-additional-kas` works when `pqc-enabled: true`

🤖 Generated with Claude Code