
Commit b1d64c2

mnencia and sxd authored
fix(security): harden GitHub Actions workflows against expression injection (#823)
Move ${{ }} expressions from run: blocks into step-level env: blocks, then reference them as properly-quoted shell variables.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
Co-authored-by: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
1 parent 15f4fee commit b1d64c2

3 files changed

Lines changed: 9 additions & 4 deletions


.github/workflows/release-pr.yml

Lines changed: 2 additions & 1 deletion
@@ -22,11 +22,12 @@ jobs:
2222
id: create-pr
2323
env:
2424
GH_TOKEN: ${{ secrets.REPO_GHA_PAT }}
25+
ACTOR: ${{ github.actor }}
2526
run: |
2627
TAG="${GITHUB_REF##*/}"
2728
TITLE="Release ${TAG}"
2829
BODY="Automated PR. Will trigger the ${TAG} release when approved."
2930
LABEL=release
30-
ASSIGNEE=${{ github.actor }}
31+
ASSIGNEE="${ACTOR}"
3132
gh pr create --title "${TITLE}" --body "${BODY}" --label "${LABEL}" --assignee "${ASSIGNEE}" ||
3233
gh pr edit --title "${TITLE}" --body "${BODY}" --add-label "${LABEL}"
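Review bot: the fallback `gh pr edit` command never applies the assignee, so when `gh pr create` fails because the release PR already exists, the `${ACTOR}` value moved into `env:` is computed but unused; consider adding `--add-assignee "${ASSIGNEE}"` to the `gh pr edit` line so both paths behave the same. The move of `github.actor` into `env:` is the right fix: values in `env:` are passed to the process environment rather than spliced into the script text, and the double-quoted `"${ACTOR}"` / `"${ASSIGNEE}"` references prevent word-splitting and globbing. The remaining `${{ secrets.REPO_GHA_PAT }}` in `env:` is fine for the same reason.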

.github/workflows/tests-cluster-chainsaw.yaml

Lines changed: 3 additions & 1 deletion
@@ -70,4 +70,6 @@ jobs:
7070
tenant minio-operator/tenant
7171
7272
- name: Run Kyverno/Chainsaw
73-
run: chainsaw test charts/cluster/test/${{matrix.test}}
73+
env:
74+
MATRIX_TEST: ${{ matrix.test }}
75+
run: chainsaw test "charts/cluster/test/${MATRIX_TEST}"
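Review bot: quoting `"charts/cluster/test/${MATRIX_TEST}"` stops the shell from interpreting the matrix value, but the value is still used as a path component, so a matrix entry containing `../` would still select a directory outside `charts/cluster/test`; that is acceptable only as long as the matrix is built from repository contents rather than from an event payload, which is worth confirming for this workflow. Minor hardening suggestion: `"${MATRIX_TEST:?}"` would make the step fail fast instead of running `chainsaw test charts/cluster/test/` if the variable were ever unset.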

.github/workflows/tests-plugin-barman-cloud.yaml

Lines changed: 4 additions & 2 deletions
@@ -26,7 +26,9 @@ jobs:
2626
strategy:
2727
fail-fast: false
2828
matrix: ${{ fromJson(needs.test-list.outputs.tests) }}
29-
name: ${{matrix.test}}
29+
env:
30+
MATRIX_TEST: ${{ matrix.test }}
31+
name: ${{ env.MATRIX_TEST }}
3032
steps:
3133
- name: Checkout
3234
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
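Review bot: please verify that `${{ env.MATRIX_TEST }}` is accepted in `jobs.<job_id>.name`; the GitHub Actions contexts-availability documentation lists only `github`, `needs`, `strategy`, `matrix`, `vars` and `inputs` for the job `name` key, not `env`, so this line may be rejected by the workflow parser or render an empty job name. Since `name:` is never passed to a shell, the original `name: ${{matrix.test}}` was not an injection sink and can stay as it was; the job-level `env: MATRIX_TEST` is still useful for the `run:` steps below, and it is the `run:` lines that needed the change.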
@@ -73,4 +75,4 @@ jobs:
7375
tenant minio-operator/tenant
7476
7577
- name: Run Kyverno/Chainsaw
76-
run: chainsaw test charts/plugin-barman-cloud/test/${{matrix.test}}
78+
run: chainsaw test "charts/plugin-barman-cloud/test/${MATRIX_TEST}"
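Review bot: this step depends on the job-level `env: MATRIX_TEST` defined earlier in the same file, so if that block is ever removed or renamed the command silently becomes `chainsaw test charts/plugin-barman-cloud/test/`; using `"${MATRIX_TEST:?}"` would turn that into an immediate failure with a clear message. Otherwise the change matches the chainsaw step in `tests-cluster-chainsaw.yaml`: the matrix value is now read from the environment and double-quoted, which is the correct pattern for untrusted or semi-trusted expression values in `run:` blocks.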
