From 7d5d7c0c495da29e6baa73dd6cca57513cfe79f5 Mon Sep 17 00:00:00 2001
From: Chris Byrohl <9221545+cbyrohl@users.noreply.github.com>
Date: Wed, 13 May 2026 03:50:04 +0200
Subject: [PATCH 1/2] Add regression test data workflow
---
.github/workflows/regression-tests.yml | 105 +++++++++++++++++++++++++
1 file changed, 105 insertions(+)
create mode 100644 .github/workflows/regression-tests.yml
diff --git a/.github/workflows/regression-tests.yml b/.github/workflows/regression-tests.yml
new file mode 100644
index 0000000..a58becc
--- /dev/null
+++ b/.github/workflows/regression-tests.yml
@@ -0,0 +1,105 @@
+name: Regression tests
+
+on:
+ schedule:
+ # Run once a week on the self-hosted runner that has regression data mounted.
+ - cron: "23 3 * * 0"
+ workflow_dispatch:
+ inputs:
+ python_version:
+ description: "Python version to use"
+ required: false
+ default: "3.11"
+ testdata_path:
+ description: "Path to mounted regression test data"
+ required: false
+ default: "/mnt/testdata-scida"
+ pytest_args:
+ description: "Arguments passed through to pytest via nox"
+ required: false
+ default: "tests/external -m external -rs"
+
+permissions:
+ contents: read
+
+concurrency:
+ group: regression-tests-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ regression-tests:
+ name: Regression data tests
+ runs-on: [self-hosted, regressiondata]
+ timeout-minutes: 240
+ env:
+ FORCE_COLOR: "1"
+ PRE_COMMIT_COLOR: "always"
+ PYTHON_VERSION: ${{ github.event.inputs.python_version || '3.11' }}
+ SCIDA_TESTDATA_PATH: ${{ github.event.inputs.testdata_path || '/mnt/testdata-scida' }}
+ SCIDA_TESTDATA_SILENT_UNAVAILABLE: "FALSE"
+ PYTEST_ARGS: ${{ github.event.inputs.pytest_args || 'tests/external -m external -rs' }}
+
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v4
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@v4
+ with:
+ enable-cache: true
+ cache-dependency-glob: "uv.lock"
+
+ - name: Set up Python
+ run: uv python install "$PYTHON_VERSION"
+
+ - name: Install nox
+ run: uv tool install nox --with nox-uv
+
+ - name: Check mounted regression data
+ run: |
+ test -d "$SCIDA_TESTDATA_PATH"
+ echo "SCIDA_TESTDATA_PATH=$SCIDA_TESTDATA_PATH"
+ find "$SCIDA_TESTDATA_PATH" -maxdepth 2 -mindepth 1 | sort | head -100
+
+ uv run python - <<'PY'
+ import os
+ from pathlib import Path
+
+ import yaml
+
+ root = Path(os.environ["SCIDA_TESTDATA_PATH"]).expanduser()
+ with Path("tests/testdata.yaml").open() as handle:
+ entries = yaml.safe_load(handle)["testdata"]
+
+ missing = []
+ for name, config in entries.items():
+ path = root /
config.get("fn", name)
+ if not path.exists():
+ missing.append(str(path))
+
+ if missing:
+ print("Missing regression test data entries:")
+ print("\n".join(missing))
+ raise SystemExit(1)
+ PY
+
+ - name: Run regression tests
+ run: |
+ echo "python version: $PYTHON_VERSION"
+ echo "pytest args: $PYTEST_ARGS"
+ nox --session tests --python "$PYTHON_VERSION" -- $PYTEST_ARGS
+
+ - name: Upload test report
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: regression-junit-report
+ path: report.xml
+
+ - name: Upload coverage data
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: regression-coverage-data
+ include-hidden-files: true
+ path: ".coverage*"
From 579f818aa239257c3d694e2ebc5b4285f6c588fd Mon Sep 17 00:00:00 2001
From: Chris Byrohl <9221545+cbyrohl@users.noreply.github.com>
Date: Wed, 13 May 2026 04:20:58 +0200
Subject: [PATCH 2/2] Avoid shell injection in regression-tests workflow
Tokenize the workflow_dispatch pytest_args input into a bash array and pass it through quoted "${ARGS[@]}" so injection via the unquoted expansion is not possible. Address Copilot review feedback on #235.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/regression-tests.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/regression-tests.yml b/.github/workflows/regression-tests.yml
index a58becc..f3294e1 100644
--- a/.github/workflows/regression-tests.yml
+++ b/.github/workflows/regression-tests.yml
@@ -87,7 +87,9 @@ jobs:
 run: |
 echo "python version: $PYTHON_VERSION"
 echo "pytest args: $PYTEST_ARGS"
- nox --session tests --python "$PYTHON_VERSION" -- $PYTEST_ARGS
+ # Tokenize the workflow_dispatch input into an array to avoid shell injection.
+ read -ra ARGS <<< "$PYTEST_ARGS"
+ nox --session tests --python "$PYTHON_VERSION" -- "${ARGS[@]}"

 - name: Upload test report
 if: always()
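Review bot: The `uses:` lines in the new workflow (`actions/checkout@v4`, `astral-sh/setup-uv@v4`, and `actions/upload-artifact@v4` twice) reference mutable tags, and the job runs on a self-hosted runner with the regression data mounted, so a retagged action would execute on a persistent host rather than a throwaway VM. Pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: astral-sh/setup-uv@<FULL_COMMIT_SHA>  # v4` (placeholder; take the SHA from the action's release). The `uv tool install nox --with nox-uv` step is unpinned in the same way and would benefit from explicit versions. The checkout step should also carry `with:` / `persist-credentials: false`, since no later step appears to need the token and a self-hosted workspace may outlive the run.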
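Review bot: `read -ra ARGS <<< "$PYTEST_ARGS"` splits on whitespace only and does not interpret quoting, so a dispatch value such as `-k "foo and bar"` reaches pytest as four separate words with the quote characters left in. The added comment should state that limit, e.g. `# Splits on whitespace only; quoted arguments containing spaces are not supported.`, and the `pytest_args` input description would ideally say the same. `read` also consumes only the first line of the value, so anything after a newline is dropped silently. The array form does stop glob expansion of the input, but every token is still handed to pytest as an option, so the input stays as trusted as whoever can dispatch the workflow. The step's `- name:` line sits just above the hunk.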