fix(github): address PR review feedback

- Update X-GitHub-Api-Version to 2026-03-10 for /credentials/revoke endpoint (the endpoint is only documented under this API version). - Clarify sha256_b32 filter description: note that the optional `len` parameter may produce output that is not valid RFC 4648 Base32. - Move base32 to [workspace.dependencies] and reference it via .workspace = true from both the root crate and kingfisher-rules to avoid version skew.
2026-04-20 08:44:41 -07:00 · 2026-04-20 08:44:41 -07:00 · f22b7768e9
commit f22b7768e9
parent 6048462041
4 changed files with 15 additions and 13 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -36,6 +36,7 @@ include_dir = "0.7"
 sha1 = "0.10"
 sha2 = "0.10"
 hmac = "0.12"
+base32 = "0.5.1"
 base64 = "0.22"
 percent-encoding = "2.3"
 time = "0.3"
@ -150,7 +151,7 @@ liquid = "0.26.11"
 liquid-core = "0.26.11"
 flate2 = "1.1"
 thousands = "0.2.0"
-base32 = "0.5.1"
+base32.workspace = true
 crossbeam-skiplist = "0.1.3"
 tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"] }
 mongodb = { version = "3.4", default-features = false, features = ["rustls-tls", "aws-auth", "compat-3-0-0", "dns-resolver"] }
--- a/crates/kingfisher-rules/Cargo.toml
+++ b/crates/kingfisher-rules/Cargo.toml
@ -36,7 +36,7 @@ liquid = "0.26"
 liquid-core = "0.26"

 # Crypto for liquid filters
-base32 = "0.5"
+base32.workspace = true
 base64.workspace = true
 crc32fast = "1.5"
 hmac.workspace = true
--- a/crates/kingfisher-rules/data/rules/github.yml
+++ b/crates/kingfisher-rules/data/rules/github.yml
@ -47,7 +47,7 @@ rules:
          url: https://api.github.com/credentials/revoke
          headers:
            Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
          response_matcher:
@ -103,7 +103,7 @@ rules:
          url: https://api.github.com/credentials/revoke
          headers:
            Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
          response_matcher:
@ -156,7 +156,7 @@ rules:
          url: https://api.github.com/credentials/revoke
          headers:
            Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
          response_matcher:
@ -208,7 +208,7 @@ rules:
          url: https://api.github.com/credentials/revoke
          headers:
            Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
          response_matcher:
@ -300,7 +300,7 @@ rules:
          url: https://api.github.com/credentials/revoke
          headers:
            Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
            Content-Type: application/json
          body: '{"credentials":["{{ TOKEN }}"]}'
          response_matcher:
--- a/crates/kingfisher-rules/src/liquid_filters.rs
+++ b/crates/kingfisher-rules/src/liquid_filters.rs
@ -543,14 +543,17 @@ static_filter!(
 // {{ value | sha256_b32 }} -- base32-encoded SHA-256 digest, optional length
 #[derive(Debug, FilterParameters)]
 struct Sha256B32Args {
-    #[parameter(description = "Exact output length: truncates if longer, pads with '=' if shorter", arg_type = "integer")]
+    #[parameter(
+        description = "Exact output length: truncates the Base32 text if longer, pads with '=' if shorter (output may not be valid RFC 4648 Base32)",
+        arg_type = "integer"
+    )]
    len: Option<Expression>,
 }

 #[derive(Clone, ParseFilter, FilterReflection, Default)]
 #[filter(
    name = "sha256_b32",
-    description = "SHA-256 digest encoded as Base32 (RFC 4648), optionally truncating or padding with '=' to an exact length.",
+    description = "SHA-256 digest encoded as RFC 4648 Base32 by default; with `len`, returns a Base32-alphabet checksum substring of the requested length (truncated or '='-padded), which may not be valid RFC 4648 Base32.",
    parameters(Sha256B32Args),
    parsed(Sha256B32)
 )]
@ -568,10 +571,8 @@ impl Filter for Sha256B32 {
        let args = self.args.evaluate(runtime)?;
        let mut h = Sha256::new();
        h.update(input.to_kstr().as_bytes());
-        let mut encoded = base32::encode(
-            base32::Alphabet::Rfc4648 { padding: true },
-            &h.finalize()[..],
-        );
+        let mut encoded =
+            base32::encode(base32::Alphabet::Rfc4648 { padding: true }, &h.finalize()[..]);
        if let Some(len) = args.len.and_then(|value| {
            let scalar = Value::scalar(value);
            value_to_usize(&scalar)