
RDKEMW-15205 : vipa workflow try with pli#94

Open: narenr94 wants to merge 1 commit into main from feature/RDKEMW-15205

Conversation

@narenr94 (Contributor)

Reason for change: bring vipa workflow via pli to avoid viper-player dependency
Test steps: trigger workflow
Signed-off-by: R.Naren naren_ramesh@comcast.com

@narenr94 narenr94 requested a review from a team as a code owner March 10, 2026 06:33
Copilot AI review requested due to automatic review settings March 10, 2026 06:33
Comment on lines +17 to +59
runs-on: comcast-ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup SSH and Vault Login
env:
VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
ATB_SVC_PPQA_PUBLIC_KEY: ${{ secrets.ATB_SVC_PPQA_PUBLIC_KEY }}
ATB_SVC_PPQA_PRIVATE_KEY: ${{ secrets.ATB_SVC_PPQA_PRIVATE_KEY }}
CATS_PRIVATE_KEY: ${{ secrets.CATS_PRIVATE_KEY }}
run: |
bash .github/scripts/setup-ssh.sh

- name: Install VIPA Widget on STB
env:
SSH_OPTS: '-i $HOME/.ssh/aamp-ssh.pem -o ConnectTimeout=10 -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o "ProxyCommand ssh -x -i $HOME/.ssh/id_ed25519-atb-svc -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CertificateFile=$HOME/.ssh/id_ed25519-atb-svc-cert.pub svcAutobahn@jump.autobahn.comcast.com -W %h:%p"'
run: |
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
/mnt/cats_assets/cats-recorder/cats-api/env/bin/python vipa_handler.py --stbmac ${{ inputs.stb_mac }} --widget_location ${{ inputs.widget_location }}
EOF

- name: Installation Summary
if: always()
run: |
echo "### VIPA Widget Installation Summary" >> $GITHUB_STEP_SUMMARY
echo "- **STB MAC**: ${{ inputs.stb_mac }}" >> $GITHUB_STEP_SUMMARY
echo "- **Widget Location**: ${{ inputs.widget_location }}" >> $GITHUB_STEP_SUMMARY
echo "- **Status**: Check logs above for detailed status" >> $GITHUB_STEP_SUMMARY No newline at end of file
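Review bot: SSH_OPTS in the `Install VIPA Widget on STB` step disables host key verification on both hops (`-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` appears for the target and again inside the ProxyCommand for jump.autobahn.comcast.com), so a host impersonating either the jump host or 10.140.198.145 would receive the whole heredoc, including every exported secret, without any error on the runner side. The jump hop already authenticates with an SSH certificate (`CertificateFile=$HOME/.ssh/id_ed25519-atb-svc-cert.pub`), so pinning the hosts is feasible: have setup-ssh.sh write a known_hosts file (or a `@cert-authority` line if the host keys are CA-signed) and switch to `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts`. Separately, the `Installation Summary` step always prints `Check logs above for detailed status`, so a failed install looks identical to a successful one; recording the SSH step's result (give it an `id:` and read `steps.<id>.outcome`) would make the summary actually report status.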

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 24 days ago)

In general, the fix is to explicitly declare a permissions block for the workflow or for the affected job so that the GITHUB_TOKEN has only the minimal access required. Since this workflow only needs to check out the repository and write a job summary, it does not require write access to repository contents, issues, or pull requests. The minimal safe default recommended by CodeQL is contents: read, which is enough for actions/checkout to function while preventing writes to the repo. No other scopes appear needed.

The best fix without changing existing functionality is to add a root-level permissions block (so it applies to all jobs in this workflow) immediately after the name declaration and before the on: key. This block should explicitly set contents: read. No changes are required inside steps or to any environment variables. Concretely, in .github/workflows/vipa_workflow.yml, insert:

permissions:
  contents: read

after line 1 (name: VIPA Widget Installation). This keeps the workflow behavior identical while constraining the implicit GITHUB_TOKEN to read-only repository contents.

Suggested changeset 1: .github/workflows/vipa_workflow.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/vipa_workflow.yml b/.github/workflows/vipa_workflow.yml
--- a/.github/workflows/vipa_workflow.yml
+++ b/.github/workflows/vipa_workflow.yml
@@ -1,5 +1,8 @@
 name: VIPA Widget Installation
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
EOF
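Review bot: `contents: read` is the right floor for this hunk: actions/checkout@v4 needs it, and the only other write the workflow performs is to `$GITHUB_STEP_SUMMARY`, which is a file on the runner and does not use the GITHUB_TOKEN at all, so no further scope is required. One caveat the autofix cannot address: the permissions block scopes only the token. The AWS, Postgres, Vault and SSH secrets the job receives are untouched by it, and because the trigger is `workflow_dispatch`, anyone who can dispatch the workflow runs it with those secrets; that dispatch permission, not the token scope, is the real access boundary here.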
Copilot AI left a comment

Pull request overview

This PR adds a new GitHub Actions workflow (vipa_workflow.yml) for installing a VIPA widget on a set-top box (STB) via a workflow_dispatch trigger. The goal is to bring the VIPA workflow into this repository (middleware-player-interface, "pli") to avoid a dependency on a separate viper-player repository.

Changes:

  • Adds a new manually-triggered workflow that accepts an STB MAC address and widget location URL, SSHes into a remote host through a jump server, and runs a Python script (vipa_handler.py) to install the widget.
  • Includes a summary step that writes installation details to $GITHUB_STEP_SUMMARY.


Comment on lines +38 to +50
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
/mnt/cats_assets/cats-recorder/cats-api/env/bin/python vipa_handler.py --stbmac ${{ inputs.stb_mac }} --widget_location ${{ inputs.widget_location }}
Copilot AI Mar 10, 2026

sudo su - inside a heredoc piped over SSH will change the user context to root, but the subsequent commands in the heredoc may not execute under root depending on the SSH server and shell behavior with heredocs. The sudo su - command starts a new login shell which typically doesn't inherit the rest of the heredoc. Consider using sudo bash -c '...' or sudo -i bash << 'INNEREOF' ... INNEREOF to ensure the commands actually run as root.

Suggested change
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
/mnt/cats_assets/cats-recorder/cats-api/env/bin/python vipa_handler.py --stbmac ${{ inputs.stb_mac }} --widget_location ${{ inputs.widget_location }}
sudo -i bash << 'INNEREOF'
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
/mnt/cats_assets/cats-recorder/cats-api/env/bin/python vipa_handler.py --stbmac ${{ inputs.stb_mac }} --widget_location ${{ inputs.widget_location }}
INNEREOF

ATB_SVC_PPQA_PRIVATE_KEY: ${{ secrets.ATB_SVC_PPQA_PRIVATE_KEY }}
CATS_PRIVATE_KEY: ${{ secrets.CATS_PRIVATE_KEY }}
run: |
bash .github/scripts/setup-ssh.sh
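Review bot: This step hands five secrets (VAULT_ROLE_ID, VAULT_SECRET_ID, ATB_SVC_PPQA_PUBLIC_KEY, ATB_SVC_PPQA_PRIVATE_KEY, CATS_PRIVATE_KEY) to `.github/scripts/setup-ssh.sh`, which is not part of this diff, so a reviewer cannot see how the key material is written to `$HOME/.ssh` (file modes, whether any of it is echoed to the log, whether the Vault credentials are used at all). Please include the script in this PR. Since the job runs on `comcast-ubuntu-latest` rather than a throwaway hosted image, also add a final `if: always()` step that deletes `$HOME/.ssh/aamp-ssh.pem`, `$HOME/.ssh/id_ed25519-atb-svc` and the cert file, so the private keys do not outlive the job on the runner.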
Copilot AI Mar 10, 2026

The script .github/scripts/setup-ssh.sh does not exist in this repository (nor does the .github/scripts/ directory). This step will always fail. Either the script needs to be added as part of this PR, or the path needs to be corrected to reference the actual location of this script.

Suggested change
bash .github/scripts/setup-ssh.sh
set -e
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"
# Write CATS private key used for direct STB access
if [ -n "${CATS_PRIVATE_KEY}" ]; then
echo "${CATS_PRIVATE_KEY}" > "$HOME/.ssh/aamp-ssh.pem"
chmod 600 "$HOME/.ssh/aamp-ssh.pem"
fi
# Write Autobahn service private key for proxy jump host
if [ -n "${ATB_SVC_PPQA_PRIVATE_KEY}" ]; then
echo "${ATB_SVC_PPQA_PRIVATE_KEY}" > "$HOME/.ssh/id_ed25519-atb-svc"
chmod 600 "$HOME/.ssh/id_ed25519-atb-svc"
fi
# Write associated public/certificate key used by SSH CertificateFile option
if [ -n "${ATB_SVC_PPQA_PUBLIC_KEY}" ]; then
echo "${ATB_SVC_PPQA_PUBLIC_KEY}" > "$HOME/.ssh/id_ed25519-atb-svc-cert.pub"
chmod 600 "$HOME/.ssh/id_ed25519-atb-svc-cert.pub"
fi
# Placeholder for potential Vault login using VAULT_ROLE_ID / VAULT_SECRET_ID
# (No-op here; kept for compatibility with existing environment variables.)

Comment on lines +37 to +50
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
/mnt/cats_assets/cats-recorder/cats-api/env/bin/python vipa_handler.py --stbmac ${{ inputs.stb_mac }} --widget_location ${{ inputs.widget_location }}
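Review bot: Neither `${{ inputs.stb_mac }}` nor `${{ inputs.widget_location }}` is validated before it is interpolated into a command that runs as root on the remote host (after `sudo su -`). Even once they are passed through `env:` rather than expanded inline, a shape check on the runner would reject bad values early: a MAC address has a fixed format, so something like `[[ "$STB_MAC" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] || exit 1`, and `widget_location` goes straight to vipa_handler.py as `--widget_location`, so an allowlist on its scheme and host is appropriate. Failing fast here also gives the `Installation Summary` step a concrete reason to report instead of "check logs above".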
Copilot AI Mar 10, 2026

Security: Script injection via unsanitized inputs. The ${{ inputs.stb_mac }} and ${{ inputs.widget_location }} expressions are interpolated directly into the shell command on line 50, and also into $GITHUB_STEP_SUMMARY on lines 57-58. Since these are workflow_dispatch string inputs, a malicious user with write access could provide values containing shell metacharacters (e.g., backticks, $(...), semicolons) which would be executed on the remote host or the runner.

To fix this, pass the inputs as environment variables rather than inline interpolation. For example, declare them under env: (e.g., STB_MAC: ${{ inputs.stb_mac }}) and reference them as $STB_MAC in the shell script. This prevents the GitHub Actions expression engine from injecting untrusted content directly into the shell command.

Comment on lines +36 to +49
run: |
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
Copilot AI Mar 10, 2026

Security: Secrets exposed in shell heredoc sent to remote host. Multiple secrets (AWS_SVC_ACCESS_KEY_ID, AWS_SVC_SECRET_ACCESS_KEY, CATS_AUTH_TOKEN, POSTGRES_PASSWORD, ARISTA_PASSWORD, SAT_CLIENT_SECRET) are interpolated via ${{ secrets.* }} directly into the heredoc that is piped over SSH. This means:

  1. The secrets are expanded by the GitHub Actions expression engine before the shell runs, so they appear in plaintext in the process arguments visible to other processes on the runner.
  2. If the SSH connection fails or the heredoc is logged, secrets could be leaked.

Consider passing secrets as environment variables to the SSH session using ssh -o SendEnv=... or by writing them to a temporary file that is securely transferred, rather than embedding them in the command text.

Suggested change
run: |
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
export AUTH_TOKEN=${{ secrets.CATS_AUTH_TOKEN }}
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=${{ secrets.ARISTA_PASSWORD }}
export SAT_CLIENT_SECRET=${{ secrets.SAT_CLIENT_SECRET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_SVC_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SVC_SECRET_ACCESS_KEY }}
AUTH_TOKEN: ${{ secrets.CATS_AUTH_TOKEN }}
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
ARISTA_PASSWORD: ${{ secrets.ARISTA_PASSWORD }}
SAT_CLIENT_SECRET: ${{ secrets.SAT_CLIENT_SECRET }}
run: |
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
sudo su -
cd /mnt/cats_assets/cats-recorder/cats-api
export ROOT_DIR=/mnt/cats_assets/cats-recorder
export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
export AUTH_TOKEN=$AUTH_TOKEN
export POSTGRES_HOST=player-tools.player.xcal.tv
export POSTGRES_PORT=8101
export POSTGRES_PASSWORD=$POSTGRES_PASSWORD
export POSTGRES_USER=catscorder
export ARISTA_PASSWORD=$ARISTA_PASSWORD
export SAT_CLIENT_SECRET=$SAT_CLIENT_SECRET
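Review bot: In this suggested replacement the heredoc delimiter is still unquoted (`<< EOF`), so `$AWS_ACCESS_KEY_ID`, `$POSTGRES_PASSWORD` and the other variables are expanded by the runner's shell before the text is written to ssh's stdin. The secret values therefore still travel in the command stream of the SSH session and still end up exported in a root login shell on 10.140.198.145, exactly as in the original. What the change does achieve is keeping the values out of the rendered `run:` script, because expansion moves from the Actions expression engine to the local shell. If the goal is to keep them out of the remote command text altogether, quote the delimiter (`<< 'EOF'`) and have the remote side read the credentials from a file or secret store already provisioned on the host, or use `SendEnv`/`AcceptEnv` as suggested above, which additionally requires the remote sshd_config to list those variable names under `AcceptEnv`.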

Comment on lines +55 to +58
run: |
echo "### VIPA Widget Installation Summary" >> $GITHUB_STEP_SUMMARY
echo "- **STB MAC**: ${{ inputs.stb_mac }}" >> $GITHUB_STEP_SUMMARY
echo "- **Widget Location**: ${{ inputs.widget_location }}" >> $GITHUB_STEP_SUMMARY
Copilot AI Mar 10, 2026

Security: Same script injection vulnerability applies to the summary step. The ${{ inputs.stb_mac }} and ${{ inputs.widget_location }} expressions are interpolated directly into the echo commands. A crafted input could inject arbitrary markdown or HTML into the GitHub step summary. Pass these through environment variables instead (e.g., env.STB_MAC) and reference them as $STB_MAC in the shell.

env:
SSH_OPTS: '-i $HOME/.ssh/aamp-ssh.pem -o ConnectTimeout=10 -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o "ProxyCommand ssh -x -i $HOME/.ssh/id_ed25519-atb-svc -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CertificateFile=$HOME/.ssh/id_ed25519-atb-svc-cert.pub svcAutobahn@jump.autobahn.comcast.com -W %h:%p"'
run: |
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
Copilot AI Mar 10, 2026

The IP address 10.140.198.145 is hardcoded here. This makes the workflow fragile and ties it to a specific infrastructure host. Consider extracting this to a repository variable or secret (e.g., ${{ vars.CATS_HOST }} or ${{ secrets.CATS_HOST }}) so it can be updated without modifying the workflow file.

Suggested change
ssh ${{ env.SSH_OPTS }} ec2-user@10.140.198.145 << EOF
ssh ${{ env.SSH_OPTS }} ec2-user@${{ vars.CATS_HOST }} << EOF
