@RinZ27 RinZ27 commented Jan 2, 2026

Eliminates potential command injection risks and system dependency issues in the Evergreen spec resync script.

Modifications:

  1. Refactored apply_patches: Switched from shell=True to list-based subprocess.run. Implemented Python's glob for file expansion instead of relying on the shell's wildcard expansion.
  2. Ported write_summary logic: Replaced the fragile git diff | awk | sort | uniq shell pipeline with native Python string manipulation and sets. This removes the implicit dependency on awk and improves cross-platform reliability.

The script now executes git commands directly without spawning intermediate shells.

This commit replaces dangerous shell=True calls in resync-all-specs.py with safer list-based subprocess executions. It also replaces complex shell pipes with native Python logic to improve security and cross-platform reliability.
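The two refactors the description lists (argv-list subprocess calls with glob expansion instead of shell wildcards, and the diff summary in pure Python instead of awk | sort | uniq), as an added illustration that is not the PR's own code. The `git apply` form, the `*.patch` layout, the `run` hook and the `+++ b/` parsing are assumptions about what the script does; the file name and diff text are constructed.

```python
import glob
import subprocess
from pathlib import Path

# Constructed file name with a space; ';', '|' or '$()' would be re-parsed the same way.
ODD_NAME = "spec fix.patch"

def unsafe_apply_command(patch: str) -> str:
    """'Before' shape: one string that /bin/sh re-parses when shell=True is used."""
    return f"git apply {patch}"

def shell_would_split(command: str) -> list[str]:
    """Approximate the shell's word splitting to show where argument boundaries land."""
    return command.split()

def safe_apply_argv(patch: str) -> list[str]:
    """'After' shape: an argv list; each element reaches git as exactly one argument."""
    return ["git", "apply", "--", patch]

def expand_patches(patch_dir: str, pattern: str = "*.patch") -> list[str]:
    """Wildcard expansion done by Python's glob, so no shell is needed for '*'."""
    return sorted(glob.glob(str(Path(patch_dir) / pattern)))

def apply_patches(patches: list[str], run=None) -> dict[str, int]:
    """Apply each patch without a shell; `run` (argv -> exit status) is injectable for tests."""
    if run is None:
        run = lambda argv: subprocess.run(argv, check=False).returncode
    return {patch: run(safe_apply_argv(patch)) for patch in patches}

def changed_paths(diff_text: str) -> list[str]:
    """Assumed replacement for `git diff | awk | sort | uniq`: gather the paths in
    '+++ b/<path>' headers into a set (uniq), sorted; '+++ /dev/null' (deleted) is skipped."""
    paths = set()
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            paths.add(line[len("+++ b/"):])
    return sorted(paths)

# Constructed unified-diff fragment standing in for real `git diff` output.
SAMPLE_DIFF = """\
diff --git a/specs/b.json b/specs/b.json
--- a/specs/b.json
+++ b/specs/b.json
diff --git a/specs/gone.yml b/specs/gone.yml
--- a/specs/gone.yml
+++ /dev/null
diff --git a/specs/a.json b/specs/a.json
--- /dev/null
+++ b/specs/a.json
"""
```

With the string form the shell turns "spec fix.patch" into two arguments before git ever sees them; with the argv list the same name stays one argument, which is the boundary guarantee the PR relies on.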
@RinZ27 RinZ27 requested a review from a team as a code owner January 2, 2026 07:19
@RinZ27 RinZ27 requested a review from sleepyStick January 2, 2026 07:19
@codeowners-service-app

Assigned caseyclements for team dbx-python because sleepyStick is out of office.

RinZ27 added 2 commits January 2, 2026 14:36
Applied black formatting and fixed ruff issues (noqa placements, type hints, and pathlib migration) to pass CI/CD.
Adjusted noqa placements to satisfy Ruff 0.1.3 and applied consistent formatting.