
Commit e0b3c80

committed
Do not add binary to PATH
Fix `PATH` environment variable built from user-controlled sources. Fix https://github.com/typisttech/php-matrix-action/security/code-scanning/2
1 parent 362cc33 commit e0b3c80

1 file changed

Lines changed: 15 additions & 14 deletions

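--- a/action.yml
+++ b/action.yml
@@ -49,11 +49,18 @@ outputs:
 runs:
 using: "composite"
 steps:
+- name: Setup Environment
+run: |
+mkdir -p "${RUNNER_TEMP}/php-matrix"
+echo PHP_MATRIX_DIR="${RUNNER_TEMP}/php-matrix" >> "$GITHUB_ENV"
+echo PHP_MATRIX="${RUNNER_TEMP}/php-matrix/bin/php-matrix" >> "$GITHUB_ENV"
+shell: bash
+
 - name: Download PHP Matrix (Linux arm64)
 if: ${{ runner.os == 'Linux' && runner.arch == 'ARM64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ env.PHP_MATRIX_DIR }}
 env:
 PATTERN: php-matrix_Linux_arm64.tar.gz
 TAG: ${{ inputs.version }}
@@ -63,7 +70,7 @@ runs:
 if: ${{ runner.os == 'Linux' && runner.arch == 'x64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ env.PHP_MATRIX_DIR }}
 env:
 PATTERN: php-matrix_Linux_x86_64.tar.gz
 TAG: ${{ inputs.version }}
@@ -73,7 +80,7 @@ runs:
 if: ${{ runner.os == 'macOS' && runner.arch == 'ARM64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ env.PHP_MATRIX_DIR }}
 env:
 PATTERN: php-matrix_Darwin_arm64.tar.gz
 TAG: ${{ inputs.version }}
@@ -83,7 +90,7 @@ runs:
 if: ${{ runner.os == 'macOS' && runner.arch == 'x64' }}
 run: gh release download --repo typisttech/php-matrix --output php-matrix.tar.gz --pattern "${PATTERN}" "${TAG}"
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ env.PHP_MATRIX_DIR }}
 env:
 PATTERN: php-matrix_Darwin_x86_64.tar.gz
 TAG: ${{ inputs.version }}
@@ -93,7 +100,7 @@ runs:
 if: ${{ inputs.verify-attestation == 'true' }}
 run: gh attestation verify --repo typisttech/php-matrix php-matrix.tar.gz
 shell: bash
-working-directory: ${{ github.action_path }}
+working-directory: ${{ env.PHP_MATRIX_DIR }}
 env:
 GH_TOKEN: ${{ inputs.github-token }}
 
@@ -102,18 +109,12 @@ runs:
 mkdir bin
 tar -xvf php-matrix.tar.gz -C ./bin php-matrix
 shell: bash
-working-directory: ${{ github.action_path }}
-
-- name: Add the binary into PATH
-run: echo "${ACTION_PATH}/bin" >> "$GITHUB_PATH"
-shell: bash
-env:
-ACTION_PATH: ${{ github.action_path }}
+working-directory: ${{ env.PHP_MATRIX_DIR }}
 
 - name: Generate Matrix
 id: generate-matrix
 run: |
-php-matrix composer --mode="${INPUT_MODE}" --source="${INPUT_SOURCE}" "${INPUT_COMPOSER_JSON}" > matrix 2>&1
+"${PHP_MATRIX}" composer --mode="${INPUT_MODE}" --source="${INPUT_SOURCE}" "${INPUT_COMPOSER_JSON}" > matrix 2>&1
 retVal=$?
 
 if [ $retVal -ne 0 ]; then
@@ -138,7 +139,7 @@ runs:
 echo "==> Setup PHP Matrix"
 echo -e "\033[32;m✓\033[0m \033[34;mphp-matrix\033[0m https://github.com/typisttech/php-matrix"
 echo "::group::$ php-matrix --version"
-php-matrix --version
+"${PHP_MATRIX}" --version
 echo "::endgroup::"
 
 echo ""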
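Review bot: The new "Setup Environment" step in the first hunk (action.yml lines 52–58) publishes PHP_MATRIX_DIR and PHP_MATRIX through `$GITHUB_ENV`, which is job-wide state: both variables stay visible to every later step of the calling workflow, and the later `"${PHP_MATRIX}"` invocations in the -102 and -138 hunks resolve against whatever value that shared environment holds at run time rather than a value fixed in this action. Since the only thing the variables carry is a runner-owned path, the same absolute-path invocation that closes the PATH alert can be expressed without mutating the job environment: `working-directory: ${{ runner.temp }}/php-matrix` on each step that now uses `${{ env.PHP_MATRIX_DIR }}`, and a step-level `env:` with `PHP_MATRIX: ${{ runner.temp }}/php-matrix/bin/php-matrix` on the Generate Matrix and version-print steps, leaving the setup step as `run: mkdir -p "${RUNNER_TEMP}/php-matrix"`. If the job-wide export is intentional so that callers can reuse the binary afterwards, a one-line comment above the setup step saying so would keep the next reader from treating it as an accident. The `run: |` blocks touched by the last two hunks begin or continue outside those hunks.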
