
Commit d55d204

committed
Do not add binary to PATH
Fix `PATH` environment variable built from user-controlled sources. Fix https://github.com/typisttech/php-matrix-action/security/code-scanning/2
1 parent 362cc33 commit d55d204

1 file changed

Lines changed: 8 additions & 14 deletions


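--- a/action.yml
+++ b/action.yml
@@ -53,7 +53,7 @@ runs:
 if: ${{ runner.os == 'Linux' && runner.arch == 'ARM64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ runner.temp }}/php-matrix
 env:
 PATTERN: php-matrix_Linux_arm64.tar.gz
 TAG: ${{ inputs.version }}
@@ -63,7 +63,7 @@ runs:
 if: ${{ runner.os == 'Linux' && runner.arch == 'x64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ runner.temp }}/php-matrix
 env:
 PATTERN: php-matrix_Linux_x86_64.tar.gz
 TAG: ${{ inputs.version }}
@@ -73,7 +73,7 @@ runs:
 if: ${{ runner.os == 'macOS' && runner.arch == 'ARM64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ runner.temp }}/php-matrix
 env:
 PATTERN: php-matrix_Darwin_arm64.tar.gz
 TAG: ${{ inputs.version }}
@@ -83,7 +83,7 @@ runs:
 if: ${{ runner.os == 'macOS' && runner.arch == 'x64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ runner.temp }}/php-matrix
 env:
 PATTERN: php-matrix_Darwin_x86_64.tar.gz
 TAG: ${{ inputs.version }}
@@ -93,7 +93,7 @@ runs:
 if: ${{ inputs.verify-attestation == 'true' }}
 run: gh attestation verify --repo typisttech/php-matrix php-matrix.tar.gz
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ runner.temp }}/php-matrix
 env:
 GH_TOKEN: ${{ inputs.github-token }}
 
@@ -102,18 +102,12 @@ runs:
 mkdir bin
 tar -xvf php-matrix.tar.gz -C ./bin php-matrix
 shell: bash
-working-directory: ${{ github.action_path }}
-
-- name: Add the binary into PATH
-run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
-shell: bash
-env:
-ACTION_PATH: ${{ github.action_path }}
+working-directory: ${{ runner.temp }}/php-matrix
 
 - name: Generate Matrix
 id: generate-matrix
 run: |
-php-matrix composer --mode="${INPUT_MODE}" --source="${INPUT_SOURCE}" "${INPUT_COMPOSER_JSON}" > matrix 2>&1
+${RUNNER_TEMP}/php-matrix/bin/php-matrix composer --mode="${INPUT_MODE}" --source="${INPUT_SOURCE}" "${INPUT_COMPOSER_JSON}" > matrix 2>&1
 retVal=$?
 
 if [ $retVal -ne 0 ]; then
@@ -138,7 +132,7 @@ runs:
 echo "==> Setup PHP Matrix"
 echo -e "\033[32;m✓\033[0m \033[34;mphp-matrix\033[0m https://github.com/typisttech/php-matrix"
 echo "::group::$ php-matrix --version"
-php-matrix --version
+${RUNNER_TEMP}/php-matrix/bin/php-matrix --version
 echo "::endgroup::"
 
 echo ""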
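Review bot: The new invocations at new-side lines 110 and 135 expand `${RUNNER_TEMP}` unquoted inside a `bash` step, so a temp path containing whitespace (possible on self-hosted runners) would be word-split before the binary is resolved; quote the executable path, `"${RUNNER_TEMP}/php-matrix/bin/php-matrix" composer --mode="${INPUT_MODE}" --source="${INPUT_SOURCE}" "${INPUT_COMPOSER_JSON}" > matrix 2>&1` and `"${RUNNER_TEMP}/php-matrix/bin/php-matrix" --version`. Every step now declares `working-directory: ${{ runner.temp }}/php-matrix`, which the runner requires to exist before the step starts; no step in these hunks creates that directory, so confirm one above line 53 does (presumably a `mkdir -p` step, not visible here). The label at line 134, `echo "::group::$ php-matrix --version"`, still prints the bare command while line 135 runs the full path; consider making the printed command match what is executed. Both `run: |` blocks continue outside the hunks.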
