Skip to content

Commit 3d01f42

Browse files
committed
ci: mitigate template injection risk in workflow
Signed-off-by: Arpit Tripathi <arpittripathiayo@gmail.com>
1 parent 42d862b commit 3d01f42

1 file changed

Lines changed: 6 additions & 3 deletions

File tree

.github/workflows/build-push.yaml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -54,13 +54,16 @@ jobs:
5454
5555
- name: Read quay image expiry
5656
id: quay-expiry
57+
env:
58+
REF_NAME: ${{ github.ref_name }}
59+
REF_TYPE: ${{ github.ref_type }}
5760
run: |
58-
if [[ "${{ github.ref_name }}" == "main" || "${{ github.ref_type }}" == "tag" && "${{ github.ref_name }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.*)?$ ]]; then
61+
if [[ "$REF_NAME" == "main" || ( "$REF_TYPE" == "tag" && "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.*)?$ ) ]]; then
5962
echo "expiry=never" >> $GITHUB_OUTPUT
60-
echo "Setting expiry to 'never' for ref ${{ github.ref_name }}"
63+
echo "Setting expiry to 'never' for ref $REF_NAME"
6164
else
6265
echo "expiry=3w" >> $GITHUB_OUTPUT
63-
echo "Setting expiry to '3w' for ref ${{ github.ref_name }}"
66+
echo "Setting expiry to '3w' for ref $REF_NAME"
6467
fi
6568
6669
- name: Build and Push Image

0 commit comments

Comments
 (0)