|
91 | 91 | runs-on: ubuntu-24.04 |
92 | 92 | outputs: |
93 | 93 | non_runtime_only: ${{ steps.detect.outputs.non_runtime_only }} |
94 | | - run_core_benchmarks: ${{ steps.benchmark-outputs.outputs.run_core_benchmarks }} |
95 | | - run_pro_benchmarks: ${{ steps.benchmark-outputs.outputs.run_pro_benchmarks }} |
96 | | - run_pro_node_renderer_benchmarks: ${{ steps.benchmark-outputs.outputs.run_pro_node_renderer_benchmarks }} |
97 | 94 | run_benchmark_suites: ${{ steps.benchmark-matrices.outputs.run_benchmark_suites }} |
98 | 95 | benchmark_matrix: ${{ steps.benchmark-matrices.outputs.benchmark_matrix }} |
99 | 96 | steps: |
@@ -437,16 +434,23 @@ jobs: |
437 | 434 |
|
438 | 435 | - name: Execute benchmark suite |
439 | 436 | timeout-minutes: ${{ matrix.benchmark_timeout_minutes }} |
| 437 | + # Route matrix values through env so the shell treats them as data, not code |
| 438 | + # (GitHub Actions injection hardening), even though they come from our own |
| 439 | + # generate_matrix.rb. |
| 440 | + env: |
| 441 | + SUITE_NAME: ${{ matrix.suite_name }} |
| 442 | + PRO_ENV: ${{ matrix.pro_env }} |
| 443 | + BENCHMARK_SCRIPT: ${{ matrix.benchmark_script }} |
440 | 444 | run: | |
441 | 445 | set -e |
442 | | - echo "🏃 Running ${{ matrix.suite_name }} benchmark suite..." |
| 446 | + echo "🏃 Running $SUITE_NAME benchmark suite..." |
443 | 447 |
|
444 | | - if [ "${{ matrix.pro_env }}" = "true" ]; then |
445 | | - if ! PRO=true $BENCH_CMD "${{ matrix.benchmark_script }}"; then |
| 448 | + if [ "$PRO_ENV" = "true" ]; then |
| 449 | + if ! PRO=true $BENCH_CMD "$BENCHMARK_SCRIPT"; then |
446 | 450 | echo "❌ ERROR: Benchmark execution failed" |
447 | 451 | exit 1 |
448 | 452 | fi |
449 | | - elif ! $BENCH_CMD "${{ matrix.benchmark_script }}"; then |
| 453 | + elif ! $BENCH_CMD "$BENCHMARK_SCRIPT"; then |
450 | 454 | echo "❌ ERROR: Benchmark execution failed" |
451 | 455 | exit 1 |
452 | 456 | fi |
@@ -501,12 +505,21 @@ jobs: |
501 | 505 |
|
502 | 506 | - name: Benchmark workflow summary |
503 | 507 | if: always() |
| 508 | + # Route context/matrix values through env so the shell treats them as data, |
| 509 | + # not code (GitHub Actions injection hardening; ref_name can be attacker-set). |
| 510 | + env: |
| 511 | + SUITE_NAME: ${{ matrix.suite_name }} |
| 512 | + SHARD_LABEL: ${{ matrix.shard_label }} |
| 513 | + JOB_STATUS: ${{ job.status }} |
| 514 | + RUN_NUMBER: ${{ github.run_number }} |
| 515 | + ACTOR: ${{ github.actor }} |
| 516 | + REF_NAME: ${{ github.ref_name }} |
504 | 517 | run: | |
505 | 518 | echo "📋 Benchmark Workflow Summary" |
506 | 519 | echo "====================================" |
507 | | - echo "Suite: ${{ matrix.suite_name }}" |
508 | | - echo "Shard: ${{ matrix.shard_label }}" |
509 | | - echo "Status: ${{ job.status }}" |
510 | | - echo "Run number: ${{ github.run_number }}" |
511 | | - echo "Triggered by: ${{ github.actor }}" |
512 | | - echo "Branch: ${{ github.ref_name }}" |
| 520 | + echo "Suite: $SUITE_NAME" |
| 521 | + echo "Shard: $SHARD_LABEL" |
| 522 | + echo "Status: $JOB_STATUS" |
| 523 | + echo "Run number: $RUN_NUMBER" |
| 524 | + echo "Triggered by: $ACTOR" |
| 525 | + echo "Branch: $REF_NAME" |
0 commit comments