add new step for installing new packages. Validate package list.

lucas-zimerman · lucas-zimerman · commit 48e9c0a73f60 · 2025-10-10T12:34:34.000+01:00
diff --git a/danger/action.yml b/danger/action.yml
@@ -11,6 +11,10 @@ inputs:
     description: 'Path to additional dangerfile to run after the main checks'
     type: string
     required: false
+  extra-install-packages:
+    description: 'Additional apt packages to install in the DangerJS container (space-separated package names)'
+    type: string
+    required: false
 
 outputs:
   outcome:
@@ -32,20 +36,50 @@ runs:
       shell: pwsh
       run: Get-Content '${{ github.action_path }}/danger.properties' | Tee-Object $env:GITHUB_OUTPUT -Append
 
+    # Validate extra-install-packages to prevent code injection
+    - name: Validate package names
+      if: ${{ inputs.extra-install-packages }}
+      shell: bash
+      run: |
+        packages="${{ inputs.extra-install-packages }}"
+        # Only allow alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces
+        if ! echo "$packages" | grep -E '^[a-zA-Z0-9._+-]+( [a-zA-Z0-9._+-]+)*$' > /dev/null; then
+          echo "::error::Invalid package names in extra-install-packages. Only alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces are allowed."
+          exit 1
+        fi
+
     # Using a pre-built docker image in GitHub container registry instead of NPM to reduce possible attack vectors.
-    - name: Run DangerJS
-      id: danger
+    - name: Setup container
       shell: bash
       run: |
-        docker run \
+        # Start a detached container with all necessary volumes and environment variables
+        docker run -td --name danger \
           --volume ${{ github.workspace }}:/github/workspace \
           --volume ${{ github.action_path }}:${{ github.action_path }} \
           --volume ${{ github.event_path }}:${{ github.event_path }} \
           --workdir /github/workspace \
-          --user root \
+          --user $(id -u) \
           -e "INPUT_ARGS" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true \
           -e GITHUB_TOKEN="${{ inputs.api-token }}" \
           -e DANGER_DISABLE_TRANSPILATION="true" \
           -e EXTRA_DANGERFILE_INPUT="${{ inputs.extra-dangerfile }}" \
           ghcr.io/danger/danger-js:${{ steps.config.outputs.version }} \
-          --failOnErrors --dangerfile ${{ github.action_path }}/dangerfile.js
+          /bin/bash
+
+    - name: setup additoinal packages
+      if: ${{ inputs.extra-install-packages }}
+      shell: bash
+      run: |
+        echo "Installing additional packages: ${{ inputs.extra-install-packages }}"
+        docker exec --user root danger apt-get update -qq
+        docker exec --user root danger apt-get install -y ${{ inputs.extra-install-packages }}
+
+    - name: Run DangerJS
+      id: danger
+      shell: bash
+      run: |
+        # Ensure container cleanup on exit
+        trap "docker rm -f danger || true" EXIT
+        
+        # Run danger with appropriate user
+        docker exec --user $(id -u) danger danger --failOnErrors --dangerfile ${{ github.action_path }}/dangerfile.js
