diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b67ff38f56..14837501f95 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -70,7 +70,7 @@ jobs: ecr_repo_secret: ECR_REALTIME steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4
@@ -169,7 +169,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Login to GHCR uses: docker/login-action@v3
@@ -264,10 +264,10 @@ jobs: outputs: docs_changed: ${{ steps.filter.outputs.docs }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 2 # Need at least 2 commits to detect changes - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@v4 id: filter with: filters: |
@@ -294,7 +294,7 @@ jobs: contents: write steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0
diff --git a/.github/workflows/docs-embeddings.yml b/.github/workflows/docs-embeddings.yml
index 3a3d89c0713..3e4de08e19f 100644
--- a/.github/workflows/docs-embeddings.yml
+++ b/.github/workflows/docs-embeddings.yml
@@ -15,7 +15,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2
diff --git a/.github/workflows/i18n.yml b/.github/workflows/i18n.yml
index de8c59c9da4..2eab817d009 100644
--- a/.github/workflows/i18n.yml
+++ b/.github/workflows/i18n.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: staging token: ${{ secrets.GH_PAT }}
@@ -115,7 +115,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: staging
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index 8028c433638..853ebc6881a 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -31,7 +31,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4
@@ -117,7 +117,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Login to GHCR uses: docker/login-action@v3
diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml
index 8a3f543c172..db084926861 100644
--- a/.github/workflows/migrations.yml
+++ b/.github/workflows/migrations.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2
diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml
index 0a9bea31400..ceb124c8230 100644
--- a/.github/workflows/publish-cli.yml
+++ b/.github/workflows/publish-cli.yml
@@ -14,7 +14,7 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2
diff --git a/.github/workflows/publish-python-sdk.yml b/.github/workflows/publish-python-sdk.yml
index a44d5a34223..85d110b53dd 100644
--- a/.github/workflows/publish-python-sdk.yml
+++ b/.github/workflows/publish-python-sdk.yml
@@ -14,7 +14,7 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v5
diff --git a/.github/workflows/publish-ts-sdk.yml b/.github/workflows/publish-ts-sdk.yml
index e826d4395fa..1032ce7442a 100644
--- a/.github/workflows/publish-ts-sdk.yml
+++ b/.github/workflows/publish-ts-sdk.yml
@@ -14,7 +14,7 @@ jobs: runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2
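Review bot: The bumped `uses:` lines in the publish-cli.yml, publish-python-sdk.yml and publish-ts-sdk.yml hunks still reference `actions/checkout` by a movable major tag (`@v6`), so the code a release job executes can change without any diff in this repository. Pinning to the full commit SHA and keeping the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, turns every upgrade into an explicit, reviewable change. The same applies to the other checkout bumps in this commit and to `dorny/paths-filter@v4` in ci.yml, which is a third-party action; the i18n.yml checkout additionally receives `secrets.GH_PAT`. Because this is a jump of two major versions, it is worth confirming against the action's release notes that steps relying on the credentials persisted by checkout behave the same on the runners these jobs use.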
diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml
index b8fab8a77c4..eb55aced79d 100644
--- a/.github/workflows/test-build.yml
+++ b/.github/workflows/test-build.yml
@@ -14,7 +14,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2
diff --git a/apps/sim/tools/index.test.ts b/apps/sim/tools/index.test.ts
index e3ecf97fae2..3fa4073ac3b 100644
--- a/apps/sim/tools/index.test.ts
+++ b/apps/sim/tools/index.test.ts
@@ -26,6 +26,8 @@ const { mockListCustomTools, mockGetCustomToolByIdOrTitle, mockGenerateInternalToken, + mockSecureFetchWithPinnedIP, + mockValidateUrlWithDNS, } = vi.hoisted(() => ({ mockIsHosted: { value: false }, mockEnv: { NEXT_PUBLIC_APP_URL: 'http://localhost:3000' } as Record,
@@ -40,6 +42,8 @@ const { mockListCustomTools: vi.fn(), mockGetCustomToolByIdOrTitle: vi.fn(), mockGenerateInternalToken: vi.fn(), + mockSecureFetchWithPinnedIP: vi.fn(), + mockValidateUrlWithDNS: vi.fn(), })) // Mock feature flags
@@ -73,6 +77,11 @@ vi.mock('@/lib/auth/internal', () => ({ vi.mock('@/lib/billing/core/usage-log', () => ({})) +vi.mock('@/lib/core/security/input-validation.server', () => ({ + secureFetchWithPinnedIP: (...args: unknown[]) => mockSecureFetchWithPinnedIP(...args), + validateUrlWithDNS: (...args: unknown[]) => mockValidateUrlWithDNS(...args), +})) + vi.mock('@/lib/core/rate-limiter/hosted-key', () => ({ getHostedKeyRateLimiter: () => mockRateLimiterFns, }))
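Review bot: The `vi.mock('@/lib/core/security/input-validation.server', ...)` factory added in the -73,6 hunk returns only `secureFetchWithPinnedIP` and `validateUrlWithDNS`, so any other export the code under test imports from that module is absent in this suite. Whether such imports exist is not visible here; if they do, build the factory on the real module with `async (importOriginal) => ({ ...(await importOriginal()), ... })` and override just these two functions. Other mocks in the file carry a one-line comment (`// Mock feature flags`), and this one deserves the same, e.g. `// Mock URL validation and pinned-IP fetch (no real DNS or network in tests)`. The two `vi.fn()` instances are created once in `vi.hoisted`, so a return value configured in one `describe` carries into later ones unless an existing reset hook, outside the hunks shown, clears it.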
@@ -476,6 +485,14 @@ describe('Automatic Internal Route Detection', () => { beforeEach(() => { process.env.NEXT_PUBLIC_APP_URL = 'http://localhost:3000' cleanupEnvVars = setupEnvVars({ NEXT_PUBLIC_APP_URL: 'http://localhost:3000' }) + + mockValidateUrlWithDNS.mockResolvedValue({ isValid: true, resolvedIP: '93.184.216.34' }) + mockSecureFetchWithPinnedIP.mockResolvedValue( + new Response(JSON.stringify({}), { + status: 200, + headers: { 'content-type': 'application/json' }, + }) + ) }) afterEach(() => {
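Review bot: As far as this hunk shows, only the accepted-URL path is exercised, because the `beforeEach` makes `mockValidateUrlWithDNS` always resolve to `isValid: true`; the `describe` block continues outside the hunk, so a rejection case may already exist further down. If it does not, add one that uses `mockValidateUrlWithDNS.mockResolvedValueOnce({ isValid: false })` and asserts `expect(mockSecureFetchWithPinnedIP).not.toHaveBeenCalled()`. A positive case should also assert that the fetch mock received the stubbed `resolvedIP` (`'93.184.216.34'`), since passing the validated address through to the request is presumably what the pinned-IP fetch is for. Separately, `mockResolvedValue(new Response(...))` hands the same `Response` object to every call within a test and a body can be read only once; `mockImplementation(async () => new Response(...))` avoids a body-already-read failure if a test triggers two requests.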