@@ -37,21 +37,20 @@ jobs:
3737 steps :
3838 - name : Check OSV scan results
3939 shell : bash
40+ env :
41+ # Passed through the environment rather than interpolated into the
42+ # script body. The runner injects these out-of-band, so the scanner
43+ # JSON can never break out of the surrounding shell context no matter
44+ # what it contains or how large it is.
45+ NEW_RESULTS : ${{ needs.osv-scanner-pr.outputs.new-results }}
46+ OLD_RESULTS : ${{ needs.osv-scanner-pr.outputs.old-results }}
4047 run : |
4148 set -euo pipefail
4249 IFS=$'\n\t'
43- # The scan results JSON can be very large (potentially exceeding the
44- # command-line / ARG_MAX length limit if passed as an argument or as
45- # an env var expanded on the command line), so the workflow-level
46- # expansion is written straight to a file via a quoted heredoc.
47- # The quoted delimiter prevents any runtime shell expansion of
48- # the JSON contents.
49- cat > "${RUNNER_TEMP}/new_results.json" <<'__OSV_NEW_RESULTS_EOF__'
50- ${{ needs.osv-scanner-pr.outputs.new-results }}
51- __OSV_NEW_RESULTS_EOF__
52- cat > "${RUNNER_TEMP}/old_results.json" <<'__OSV_OLD_RESULTS_EOF__'
53- ${{ needs.osv-scanner-pr.outputs.old-results }}
54- __OSV_OLD_RESULTS_EOF__
50+ # printf is a bash builtin, so the (potentially very large) values are
51+ # written to disk without hitting the ARG_MAX command-line limit.
52+ printf '%s' "${NEW_RESULTS}" > "${RUNNER_TEMP}/new_results.json"
53+ printf '%s' "${OLD_RESULTS}" > "${RUNNER_TEMP}/old_results.json"
5554 # Fail if any vulnerability present in the new results is absent from
5655 # the old results, i.e. the PR introduces it. Read via process
5756 # substitution rather than a pipe so the rc assignment is not lost in
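Review bot: The comment on new lines 50–51 claims the env route avoids the ARG_MAX limit, but the values still have to reach bash through the step's process environment, and on Linux each environment string passed to execve is bounded by the kernel's per-string limit (MAX_ARG_STRLEN, 128 KiB) independently of ARG_MAX, so an output approaching the platform's job-output size cap would, as far as I can tell, fail when the runner launches the shell rather than at `printf`. The "no matter what it contains or how large it is" wording in the `env:` comment (new lines 41–44) is therefore overstated on the size half — the injection point (the JSON can never be interpreted as shell syntax) is correct. I would soften both comments, e.g. `# The printf builtin sidesteps ARG_MAX for this step, but the env value itself remains subject to the runner's and kernel's environment-size limits (MAX_ARG_STRLEN on Linux).`, and if outputs of that size are realistic, have the `osv-scanner-pr` job hand the JSON over as a file (artifact) instead of a job output. The `run:` script body continues beyond the end of the hunk.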