Commit 8836370
authored
fix(ci): resolve new zizmor findings (#217)
zizmor v1.25.0 (bumped by Dependabot) now flags `${{ inputs.* }}`
expressions used directly in `run:` blocks of composite actions as
template-injection risks (attacker-controllable code expansion).
**Fix**: Move all `${{ inputs.* }}` references in `action.yml` to `env:`
blocks and reference them as shell variables (`${VAR}`) in the `run:`
scripts. This is the standard mitigation — environment variables are not
subject to expression-context injection.
Affected lines: 46, 52, 55-59, 61-64, 73-74, 80 (17 findings total, all
resolved).1 file changed
Lines changed: 26 additions & 14 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
43 | 43 | | |
44 | 44 | | |
45 | 45 | | |
46 | | - | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
47 | 49 | | |
48 | 50 | | |
49 | 51 | | |
50 | 52 | | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
51 | 59 | | |
52 | | - | |
| 60 | + | |
53 | 61 | | |
54 | 62 | | |
55 | | - | |
56 | | - | |
57 | | - | |
58 | | - | |
59 | | - | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
60 | 68 | | |
61 | | - | |
62 | | - | |
63 | | - | |
64 | | - | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
65 | 73 | | |
66 | 74 | | |
67 | 75 | | |
68 | 76 | | |
69 | 77 | | |
70 | 78 | | |
71 | 79 | | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
72 | 84 | | |
73 | | - | |
74 | | - | |
| 85 | + | |
| 86 | + | |
75 | 87 | | |
76 | 88 | | |
77 | 89 | | |
78 | 90 | | |
79 | 91 | | |
80 | | - | |
| 92 | + | |
81 | 93 | | |
82 | 94 | | |
83 | 95 | | |
| |||
0 commit comments