From f22b7768e9a8433d08093aa9811f24e415814be7 Mon Sep 17 00:00:00 2001
From: Mick Grove <mick.grove@mongodb.com>
Date: Mon, 20 Apr 2026 08:44:41 -0700
Subject: [PATCH] fix(github): address PR review feedback

- Update X-GitHub-Api-Version to 2026-03-10 for /credentials/revoke
  endpoint (the endpoint is only documented under this API version).
- Clarify sha256_b32 filter description: note that the optional `len`
  parameter may produce output that is not valid RFC 4648 Base32.
- Move base32 to [workspace.dependencies] and reference it via
  .workspace = true from both the root crate and kingfisher-rules
  to avoid version skew.
---
 Cargo.toml                                    |  3 ++-
 crates/kingfisher-rules/Cargo.toml            |  2 +-
 crates/kingfisher-rules/data/rules/github.yml | 10 +++++-----
 crates/kingfisher-rules/src/liquid_filters.rs | 13 +++++++------
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index a9cbb83..d453de6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -36,6 +36,7 @@ include_dir = "0.7"
 sha1 = "0.10"
 sha2 = "0.10"
 hmac = "0.12"
+base32 = "0.5.1"
 base64 = "0.22"
 percent-encoding = "2.3"
 time = "0.3"
@@ -150,7 +151,7 @@ liquid = "0.26.11"
 liquid-core = "0.26.11"
 flate2 = "1.1"
 thousands = "0.2.0"
-base32 = "0.5.1"
+base32.workspace = true
 crossbeam-skiplist = "0.1.3"
 tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"] }
 mongodb = { version = "3.4", default-features = false, features = ["rustls-tls", "aws-auth", "compat-3-0-0", "dns-resolver"] }
diff --git a/crates/kingfisher-rules/Cargo.toml b/crates/kingfisher-rules/Cargo.toml
index 4e4772a..6330988 100644
--- a/crates/kingfisher-rules/Cargo.toml
+++ b/crates/kingfisher-rules/Cargo.toml
@@ -36,7 +36,7 @@ liquid = "0.26"
 liquid-core = "0.26"
 
 # Crypto for liquid filters
-base32 = "0.5"
+base32.workspace = true
 base64.workspace = true
 crc32fast = "1.5"
 hmac.workspace = true
diff --git a/crates/kingfisher-rules/data/rules/github.yml b/crates/kingfisher-rules/data/rules/github.yml
index fa2e3cd..9d48d6b 100644
--- a/crates/kingfisher-rules/data/rules/github.yml
+++ b/crates/kingfisher-rules/data/rules/github.yml
@@ -47,7 +47,7 @@ rules:
           url: https://api.github.com/credentials/revoke
           headers:
             Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
             Content-Type: application/json
           body: '{"credentials":["{{ TOKEN }}"]}'
           response_matcher:
@@ -103,7 +103,7 @@ rules:
           url: https://api.github.com/credentials/revoke
           headers:
             Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
             Content-Type: application/json
           body: '{"credentials":["{{ TOKEN }}"]}'
           response_matcher:
@@ -156,7 +156,7 @@ rules:
           url: https://api.github.com/credentials/revoke
           headers:
             Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
             Content-Type: application/json
           body: '{"credentials":["{{ TOKEN }}"]}'
           response_matcher:
@@ -208,7 +208,7 @@ rules:
           url: https://api.github.com/credentials/revoke
           headers:
             Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
             Content-Type: application/json
           body: '{"credentials":["{{ TOKEN }}"]}'
           response_matcher:
@@ -300,7 +300,7 @@ rules:
           url: https://api.github.com/credentials/revoke
           headers:
             Accept: application/vnd.github+json
-            X-GitHub-Api-Version: 2022-11-28
+            X-GitHub-Api-Version: 2026-03-10
             Content-Type: application/json
           body: '{"credentials":["{{ TOKEN }}"]}'
           response_matcher:
diff --git a/crates/kingfisher-rules/src/liquid_filters.rs b/crates/kingfisher-rules/src/liquid_filters.rs
index 19322cd..5594435 100644
--- a/crates/kingfisher-rules/src/liquid_filters.rs
+++ b/crates/kingfisher-rules/src/liquid_filters.rs
@@ -543,14 +543,17 @@ static_filter!(
 // {{ value | sha256_b32 }} -- base32-encoded SHA-256 digest, optional length
 #[derive(Debug, FilterParameters)]
 struct Sha256B32Args {
-    #[parameter(description = "Exact output length: truncates if longer, pads with '=' if shorter", arg_type = "integer")]
+    #[parameter(
+        description = "Exact output length: truncates the Base32 text if longer, pads with '=' if shorter (output may not be valid RFC 4648 Base32)",
+        arg_type = "integer"
+    )]
     len: Option<Expression>,
 }
 
 #[derive(Clone, ParseFilter, FilterReflection, Default)]
 #[filter(
     name = "sha256_b32",
-    description = "SHA-256 digest encoded as Base32 (RFC 4648), optionally truncating or padding with '=' to an exact length.",
+    description = "SHA-256 digest encoded as RFC 4648 Base32 by default; with `len`, returns a Base32-alphabet checksum substring of the requested length (truncated or '='-padded), which may not be valid RFC 4648 Base32.",
     parameters(Sha256B32Args),
     parsed(Sha256B32)
 )]
@@ -568,10 +571,8 @@ impl Filter for Sha256B32 {
         let args = self.args.evaluate(runtime)?;
         let mut h = Sha256::new();
         h.update(input.to_kstr().as_bytes());
-        let mut encoded = base32::encode(
-            base32::Alphabet::Rfc4648 { padding: true },
-            &h.finalize()[..],
-        );
+        let mut encoded =
+            base32::encode(base32::Alphabet::Rfc4648 { padding: true }, &h.finalize()[..]);
         if let Some(len) = args.len.and_then(|value| {
             let scalar = Value::scalar(value);
             value_to_usize(&scalar)