Skip to content

[SITE-5793] Fix script injection in build-tag-release workflow#373

Open
AnaisPantheor wants to merge 1 commit into
mainfrom
fix/script-injection
Open

[SITE-5793] Fix script injection in build-tag-release workflow#373
AnaisPantheor wants to merge 1 commit into
mainfrom
fix/script-injection

Conversation

@AnaisPantheor

Copy link
Copy Markdown
Contributor

Summary

  • Move ${{ steps.get-changed-files.outputs.all }} from run: block to env: block in build-tag-release.yml

Why

Using ${{ }} expressions directly inside run: blocks is a script injection vulnerability. The step output contains filenames that are interpolated directly into the shell, including inside a for loop. Filenames containing shell metacharacters could be interpreted as commands.

The secure pattern is to pass values through env: blocks, where they become shell variables instead of being interpolated into the script before shell parsing.

Test plan

  • Verify build-tag-release workflow still detects changed files and triggers releases correctly on push to release branch

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@AnaisPantheor AnaisPantheor marked this pull request as ready for review June 29, 2026 19:08
@AnaisPantheor AnaisPantheor requested a review from a team as a code owner June 29, 2026 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants