Skip to content

Commit

Permalink
fix: github workflow vulnerable to script injection (#3232)
Browse files Browse the repository at this point in the history
* fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

* inline repo's full_name as env var

---------

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Co-authored-by: Diego Marquez <[email protected]>
  • Loading branch information
diogoteles08 and diegomarquezp authored Aug 22, 2024
1 parent 4219cf8 commit 599255c
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions .github/workflows/hermetic_library_generation.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,14 @@ name: Hermetic library generation upon generation config change through pull req
on:
pull_request:

env:
HEAD_REF: ${{ github.head_ref }}
REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}

jobs:
library_generation:
# skip pull requests coming from a forked repository
if: github.event.pull_request.head.repo.full_name == github.repository
if: github.env.REPO_FULL_NAME == github.repository
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Expand All @@ -30,11 +34,11 @@ jobs:
- name: Generate changed libraries
shell: bash
run: |
set -x
set -ex
[ -z "$(git config user.email)" ] && git config --global user.email "[email protected]"
[ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
bash .github/scripts/hermetic_library_generation.sh \
--target_branch ${{ github.base_ref }} \
--current_branch ${{ github.head_ref }}
--current_branch $HEAD_REF
env:
GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}

0 comments on commit 599255c

Please sign in to comment.