From 96df29d72cf5582549f1ebd02301bda6377bbbd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Danny=20M=C3=B6sch?=
Date: Sat, 30 Aug 2025 13:36:30 +0200
Subject: [PATCH] Remedy risk of template code injection

---
.github/actions/bazel-linux-build/action.yml | 4 +++-
.github/actions/run-make/action.yml | 4 +++-
.github/workflows/actor-credentials.yml | 4 +++-
.github/workflows/docker.yml | 5 +++--
.github/workflows/post-release.yml | 8 +++++---
5 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/.github/actions/bazel-linux-build/action.yml b/.github/actions/bazel-linux-build/action.yml
index d56396141..6bedaa787 100644
--- a/.github/actions/bazel-linux-build/action.yml
+++ b/.github/actions/bazel-linux-build/action.yml
@@ -24,4 +24,6 @@ runs:
 echo "CC=clang" >> $GITHUB_ENV
 - name: Build SwiftLint with Bazel
 shell: bash
- run: bazel build --config release ${{ inputs.target }}
+ run: bazel build --config release ${INPUTS_TARGET}
+ env:
+ INPUTS_TARGET: ${{ inputs.target }}
diff --git a/.github/actions/run-make/action.yml b/.github/actions/run-make/action.yml
index 0ff574904..fc5c9cdba 100644
--- a/.github/actions/run-make/action.yml
+++ b/.github/actions/run-make/action.yml
@@ -10,10 +10,12 @@ runs:
 steps:
 - run: |
 awk '
- $0 ~ "${{ inputs.rule }}:" { in_rule = 1; next }
+ $0 ~ "${INPUTS_RULE}:" { in_rule = 1; next }
 in_rule && /^\t/ { print $0 }
 in_rule && !/^\t/ { in_rule = 0 }
 ' Makefile | while IFS= read -r command; do
 eval "$command"
 done
 shell: bash
+ env:
+ INPUTS_RULE: ${{ inputs.rule }}
diff --git a/.github/workflows/actor-credentials.yml b/.github/workflows/actor-credentials.yml
index 886bc0dbf..891d8dd8a 100644
--- a/.github/workflows/actor-credentials.yml
+++ b/.github/workflows/actor-credentials.yml
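Review bot: `${INPUTS_TARGET}` in the new `run:` line of bazel-linux-build/action.yml is expanded unquoted, so a target value containing whitespace or glob characters is word-split and globbed by bash before bazel sees it, while the sibling hunks in actor-credentials.yml and post-release.yml quote their expansions. If the action takes exactly one target, `run: bazel build --config release "${INPUTS_TARGET}"` makes that explicit and consistent with the rest of the patch; if a space-separated list of targets is intended, the `target` input declaration (presumably above this hunk) should say so in a comment. Moving the value into `env:` already closes the template-injection path, because the input is no longer interpolated into the script text.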
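Review bot: The new `$0 ~ "${INPUTS_RULE}:"` line in run-make/action.yml sits inside the single-quoted awk program that runs from `awk '` to `' Makefile`, so bash never expands `${INPUTS_RULE}` and awk receives the literal regex `${INPUTS_RULE}:`, which matches no rule header (or is rejected as an invalid regex); the old `${{ inputs.rule }}` worked only because the template engine substituted it before the shell saw the script. Read the value inside awk instead, e.g. `$0 ~ ENVIRON["INPUTS_RULE"] ":" { in_rule = 1; next }`, which keeps the program single-quoted and the input out of the script text. Since the value is still used as a regex, a rule name containing metacharacters could select lines other than the intended rule, whose commands are then passed to `eval`; if Makefile rule headers always start at column 0, a literal prefix test such as `index($0, ENVIRON["INPUTS_RULE"] ":") == 1 { in_rule = 1; next }` avoids both problems.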
@@ -31,8 +31,10 @@ jobs:
 - name: Retrieve author in uppercase
 id: retrieve_author
 run: |
- AUTHOR=$(echo ${{ inputs.actor }} | tr '[:lower:]' '[:upper:]')
+ AUTHOR=$(echo "${INPUTS_ACTOR}" | tr '[:lower:]' '[:upper:]')
 echo "name=${AUTHOR}" >> "$GITHUB_OUTPUT"
+ env:
+ INPUTS_ACTOR: ${{ inputs.actor }}
 - name: Configure Git author
 id: configure_git_author
 uses: Homebrew/actions/git-user-config@master
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3c039c469..60293e9f9 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -40,13 +40,14 @@ jobs:
 } >> "$GITHUB_OUTPUT"
 else
 {
- echo "checkout-ref=${{ inputs.tag }}"
- echo "docker-tag=${{ inputs.tag }}"
+ echo "checkout-ref=${INPUTS_TAG}"
+ echo "docker-tag=${INPUTS_TAG}"
 } >> "$GITHUB_OUTPUT"
 fi
 echo "repository-lc=${REPOSITORY,,}" >> "$GITHUB_OUTPUT"
 env:
 REPOSITORY: ${{ github.repository }}
+ INPUTS_TAG: ${{ inputs.tag }}
 build-amd64:
 name: Build AMD64 Image
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index 66c56083b..d43293de8 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -31,10 +31,12 @@ jobs:
 token: ${{ secrets[format('PERSONAL_GITHUB_TOKEN_{0}', needs.setup-credentials.outputs.author_uppercase)] }}
 - name: Merge release branch
 run: |
- git fetch origin release/${{ github.event.release.tag_name }}
- git merge --ff-only origin/release/${{ github.event.release.tag_name }}
+ git fetch origin "release/${TAG_NAME}"
+ git merge --ff-only "origin/release/${TAG_NAME}"
 git push origin main
- git push origin --delete release/${{ github.event.release.tag_name }}
+ git push origin --delete "release/${TAG_NAME}"
+ env:
+ TAG_NAME: ${{ github.event.release.tag_name }}
 publish-pod:
 name: Publish Pod
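Review bot: `AUTHOR=$(echo "${INPUTS_ACTOR}" | tr '[:lower:]' '[:upper:]')` in actor-credentials.yml pipes the value through `echo`, which treats a leading `-n`/`-e` as an option in bash, and spawns a subshell and pipe for a single conversion; docker.yml in this same patch uses bash case modification (`${REPOSITORY,,}`), so `AUTHOR="${INPUTS_ACTOR^^}"` would do the uppercase step the same way here. This assumes the step runs under bash, which the hunk does not show (no `shell:` key is visible), though it holds for the default `run` shell on Linux and macOS runners. Since this output later selects which `PERSONAL_GITHUB_TOKEN_*` secret post-release.yml reads, whichever form is kept should be the one whose uppercasing matches the secret names exactly.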
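Review bot: The new `echo "checkout-ref=${INPUTS_TAG}"` and `echo "docker-tag=${INPUTS_TAG}"` lines in docker.yml still write the value to `$GITHUB_OUTPUT` in single-line `key=value` form, so a tag value containing a newline would end the record early and the remainder would be read as a further output key; whether `inputs.tag` can carry a newline depends on how it is declared, which is outside this hunk. If it is an operator-supplied dispatch input, either validate it against the expected tag pattern before it is used (simplest, and it also protects the later `checkout-ref` consumer), or write it with the delimiter form (`checkout-ref<<DELIM` … `DELIM`, with a unique delimiter) that GitHub provides for multi-line outputs. The `if` branch of this block starts above the hunk.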