fix: extract 12 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Signed-off-by: Chris Nyhuis <cnyhuis@vigilantnow.com>
dagecko
2026-05-21 09:32:43 -04:00
committed by GitHub
parent 7a76787e3e
commit 0e54bf11e4
4 changed files with 33 additions and 13 deletions
+5 -2
@@ -24,10 +24,13 @@ jobs:
- name: Initialize AWS client
run: |
aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }}
aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
aws configure set region ${{ inputs.region }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- id: delete
shell: bash
run: ./aurora_delete.sh
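Review bot: The extraction is incomplete in this step: `aws configure set region ${{ inputs.region }}` at L22 still interpolates an expression straight into the shell script, which is the same pattern the commit removes two lines above it, and an action input is only as trusted as whatever the calling workflow passes in. Add `REGION: ${{ inputs.region }}` to the step's `env:` and change the line to `aws configure set region "${REGION}"`. The same partial extraction recurs in the CI workflow at L76 (`github.run_id`, `github.run_attempt`), L87-L89 (`steps.aurora-init.outputs.*`, `github.repository`) and in the version-compatibility hunk at L120-L121 (`github.event_name`, `github.base_ref`); those contexts are lower risk since they are set by GitHub or derived in-job, but keeping one pattern per script makes the rule reviewable. The enclosing job starts outside this hunk.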
+20 -7
@@ -65,29 +65,36 @@ jobs:
id: auroradb-tests
run: |
RUN_AURORADB_TESTS=false
if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ]]; then
if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${AWS_SECRET_ACCESS_KEY}" ]]; then
RUN_AURORADB_TESTS=true
fi
echo "run-aurora-tests=$RUN_AURORADB_TESTS" >> $GITHUB_OUTPUT
env:
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Azure conditional check
id: azure-tests
run: |
RUN_AZURE_TESTS=false
if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${AZURE_CREDENTIALS}" ]]; then
RUN_AZURE_TESTS=true
fi
echo "run-azure-tests=$RUN_AZURE_TESTS" >> $GITHUB_OUTPUT
env:
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- name: Additional DBs conditional check
id: additional-dbs-tests
run: |
RUN_ADDITIONAL_DBS_TESTS=false
if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${{ secrets.PRIVATE_DBS_QUAY_USERNAME }}" && -n "${{ secrets.PRIVATE_DBS_QUAY_TOKEN }}" ]]; then
if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${PRIVATE_DBS_QUAY_USERNAME}" && -n "${PRIVATE_DBS_QUAY_TOKEN}" ]]; then
RUN_ADDITIONAL_DBS_TESTS=true
fi
echo "run-additional-dbs-tests=$RUN_ADDITIONAL_DBS_TESTS" >> $GITHUB_OUTPUT
env:
PRIVATE_DBS_QUAY_USERNAME: ${{ secrets.PRIVATE_DBS_QUAY_USERNAME }}
PRIVATE_DBS_QUAY_TOKEN: ${{ secrets.PRIVATE_DBS_QUAY_TOKEN }}
testsuite-deprecation-check:
name: Testsuite Deprecation Check
runs-on: ubuntu-latest
@@ -481,8 +488,8 @@ jobs:
AWS_REGION=us-east-1
echo "AWS Region: ${AWS_REGION}"
aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }}
aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
aws configure set region ${AWS_REGION}
AURORA_CLUSTER_NAME="gh-action-$(git rev-parse --short HEAD)-${{ github.run_id }}-${{ github.run_attempt }}"
@@ -497,6 +504,9 @@ jobs:
JDBC_PARAMS='?ssl=true&sslmode=verify-ca&sslrootcert=/opt/keycloak/aws.pem'
echo "jdbc_params=${JDBC_PARAMS}" >> $GITHUB_OUTPUT
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- id: aurora-create
name: Create Aurora DB
uses: ./.github/actions/aurora-create-database
@@ -653,9 +663,10 @@ jobs:
-f name=${{ steps.aurora-init.outputs.aurora-cluster-name }} \
-f region=${{ steps.aurora-init.outputs.region }} \
--repo ${{ github.repository }} \
--ref ${{ github.ref_name }}
--ref "${REF_NAME}"
env:
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}
azure-integration-tests:
name: AzureDB IT
@@ -694,7 +705,7 @@ jobs:
id: parse-creds
shell: bash
run: |
SUBSCRIPTION=$(echo '${{ secrets.AZURE_CREDENTIALS }}' | jq -r '.subscriptionId')
SUBSCRIPTION=$(echo "${AZURE_CREDENTIALS}" | jq -r '.subscriptionId')
if [[ -z "$SUBSCRIPTION" || "$SUBSCRIPTION" == "null" ]]; then
echo "ERROR: Failed to parse subscriptionId from AZURE_CREDENTIALS"
exit 1
@@ -703,6 +714,8 @@ jobs:
echo "::add-mask::$SUBSCRIPTION"
echo "subscription=$SUBSCRIPTION" >> $GITHUB_OUTPUT
env:
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- name: Login to Azure
uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
with:
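Review bot: Moving the secrets into `env:` at L81-L82 scopes the variables to this step, but the `aws configure set aws_access_key_id`/`aws_secret_access_key` calls at L73-L74 (and L20-L21 in the delete action) still write both values into the runner's AWS credentials file, where they remain readable by every later step in the job, including third-party actions such as `./.github/actions/aurora-create-database` at L85. If that persistence is intentional, say so in the script, e.g. `# aws configure set stores these credentials in ~/.aws so later steps (presumably aurora-create-database) can use them; the env: block only scopes the variables to this step`. The longer-term fix is to drop the static keys in favour of `aws-actions/configure-aws-credentials` with OIDC so nothing long-lived is written to disk. The enclosing step begins outside this hunk.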
@@ -27,11 +27,12 @@ jobs:
id: version-compatibility
env:
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
BRANCH="${{ github.base_ref }}"
else
BRANCH="${{ github.ref_name }}"
BRANCH="${REF_NAME}"
fi
MATRIX_JSON=$(./.github/scripts/version-compatibility.sh "${BRANCH}")
echo "${MATRIX_JSON}"
+6 -3
@@ -33,7 +33,10 @@ jobs:
steps:
# language=bash
- run: |
if [ '${{ secrets.WEBLATE_TOKEN }}' != '' ]; then
curl --fail-with-body -d operation=pull -H "Authorization: Token ${{ secrets.WEBLATE_TOKEN }}" https://hosted.weblate.org/api/projects/keycloak/repository/
curl --fail-with-body -d operation=push -H "Authorization: Token ${{ secrets.WEBLATE_TOKEN }}" https://hosted.weblate.org/api/projects/keycloak/repository/
if [ "${WEBLATE_TOKEN}" != "" ]; then
curl --fail-with-body -d operation=pull -H "Authorization: Token ${WEBLATE_TOKEN}" https://hosted.weblate.org/api/projects/keycloak/repository/
curl --fail-with-body -d operation=push -H "Authorization: Token ${WEBLATE_TOKEN}" https://hosted.weblate.org/api/projects/keycloak/repository/
fi
env:
WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}
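Review bot: The empty-secret guard at L137 is written as `[ "${WEBLATE_TOKEN}" != "" ]`, while the equivalent checks this commit touches in the CI workflow (L36, L47, L58) use `[[ -n "${VAR}" ]]`; using `if [[ -n "${WEBLATE_TOKEN}" ]]; then` here keeps one idiom for "secret is present" across the repository's workflows. The step also has no `name:`, so the job log shows only the raw script; a line such as `- name: Pull and push Weblate translations` above the `run:` would make the log and any future audit of secret use easier to read. The enclosing job starts outside this hunk.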