Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,5 @@ jobs:
with:
name: ${{ matrix.name }}
path: 'release/chaoxing.zip'
- name: Run main.py
run: python main.py -u 17805840302 -p MJK/200607247712 -l 261789273
Comment on lines +47 to +48

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Remove hardcoded credentials from workflow step immediately.

-u/-p currently embed real credential-like values in versioned YAML and CI logs. This is a direct secret/PII leakage risk. Move them to GitHub Secrets and inject via env.

Suggested fix
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.name }}
           path: 'release/chaoxing.zip'
       - name: Run main.py
-        run: python main.py -u 17805840302 -p MJK/200607247712 -l 261789273 
+        env:
+          CX_USERNAME: ${{ secrets.CX_USERNAME }}
+          CX_PASSWORD: ${{ secrets.CX_PASSWORD }}
+          CX_COURSE_LIST: ${{ secrets.CX_COURSE_LIST }}
+        run: python main.py -u "$env:CX_USERNAME" -p "$env:CX_PASSWORD" -l "$env:CX_COURSE_LIST"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Run main.py
run: python main.py -u 17805840302 -p MJK/200607247712 -l 261789273
- name: Run main.py
env:
CX_USERNAME: ${{ secrets.CX_USERNAME }}
CX_PASSWORD: ${{ secrets.CX_PASSWORD }}
CX_COURSE_LIST: ${{ secrets.CX_COURSE_LIST }}
run: python main.py -u "$CX_USERNAME" -p "$CX_PASSWORD" -l "$CX_COURSE_LIST"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yml around lines 47 - 48, The workflow step "Run
main.py" currently hardcodes credentials as command-line flags (-u and -p);
remove these literal values and instead load them from GitHub Secrets by adding
environment variables (e.g., USERNAME and PASSWORD) to that job/step and passing
them into the python call or letting main.py read from env; update the step that
invokes "python main.py" to use environment injection (e.g., ${{
secrets.YOUR_USER_SECRET }} and ${{ secrets.YOUR_PASS_SECRET }}) rather than
embedding values inline, and ensure main.py uses
os.environ.get('USERNAME')/os.environ.get('PASSWORD') or reads provided flags
populated from those env vars.