
Commit a13522f

committed
CI: fix template injection in workflow run: blocks
Move ${{ inputs.* }} and ${{ steps.*.outputs.* }} expressions from run: shell blocks into env: blocks on the same step, then reference them as plain shell/$env:PSVar variables. This eliminates the template-injection vector that zizmor flags: expressions in env: are expanded safely before the shell sees them, while expressions inlined directly in run: are expanded as literal text into the script and can be dangerous if the value contains shell metacharacters.
1 parent 64036c6 commit a13522f

6 files changed

Lines changed: 363 additions & 172 deletions


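--- a/.github/actions/setup-jextract/action.yml
+++ b/.github/actions/setup-jextract/action.yml
@@ -162,13 +162,18 @@ runs:
 - name: Set environment variables
 id: setup-jextract
 shell: bash
+env:
+SETUP_JEXTRACT_WINDOWS_JEXTRACT_HOME: ${{ steps.setup-jextract-windows.outputs.jextract-home }}
+SETUP_JEXTRACT_WINDOWS_JEXTRACT_VERSION: ${{ steps.setup-jextract-windows.outputs.jextract-version }}
+SETUP_JEXTRACT_UNIX_JEXTRACT_HOME: ${{ steps.setup-jextract-unix.outputs.jextract-home }}
+SETUP_JEXTRACT_UNIX_JEXTRACT_VERSION: ${{ steps.setup-jextract-unix.outputs.jextract-version }}
 run: |
 if [[ "$RUNNER_OS" == "Windows" ]]; then
-JEXTRACT_HOME="${{ steps.setup-jextract-windows.outputs.jextract-home }}"
-JEXTRACT_VERSION="${{ steps.setup-jextract-windows.outputs.jextract-version }}"
+JEXTRACT_HOME="$SETUP_JEXTRACT_WINDOWS_JEXTRACT_HOME"
+JEXTRACT_VERSION="$SETUP_JEXTRACT_WINDOWS_JEXTRACT_VERSION"
 else
-JEXTRACT_HOME="${{ steps.setup-jextract-unix.outputs.jextract-home }}"
-JEXTRACT_VERSION="${{ steps.setup-jextract-unix.outputs.jextract-version }}"
+JEXTRACT_HOME="$SETUP_JEXTRACT_UNIX_JEXTRACT_HOME"
+JEXTRACT_VERSION="$SETUP_JEXTRACT_UNIX_JEXTRACT_VERSION"
 fi
 
 echo "JEXTRACT_HOME=$JEXTRACT_HOME" >> $GITHUB_ENV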
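Review bot: The new `env:` block carries no comment saying why the step-output expressions were moved out of `run:`, so a later edit can silently put a `${{ }}` expression back into the script; I would add above `env:` a comment such as `# Pass expression values through env so the shell never sees expanded ${{ }} text (template injection, flagged by zizmor)`. The same comment belongs on the env blocks added in symlink-ctest-scripts/action.yml and abi-report.yml. All four variables are defined on every OS; on the non-matching OS the two from the step that did not run presumably expand to empty strings, which the `RUNNER_OS` branch makes harmless, but that is worth one line in the comment too. The step list continues past the hunk.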

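--- a/.github/actions/symlink-ctest-scripts/action.yml
+++ b/.github/actions/symlink-ctest-scripts/action.yml
@@ -11,15 +11,19 @@ runs:
 - name: Create symlinks (Unix)
 if: runner.os != 'Windows'
 shell: bash
+env:
+SOURCE_BASE: ${{ inputs.source-base }}
 run: |
 mkdir -p ${{ runner.workspace }}/hdf5
-ln -sf ${{ github.workspace }}/${{ inputs.source-base }}/config/cmake/scripts/CTestScript.cmake ${{ runner.workspace }}/hdf5/CTestScript.cmake
-ln -sf ${{ github.workspace }}/${{ inputs.source-base }}/config/cmake/scripts/HDF5config.cmake ${{ runner.workspace }}/hdf5/HDF5config.cmake
+ln -sf ${{ github.workspace }}/$SOURCE_BASE/config/cmake/scripts/CTestScript.cmake ${{ runner.workspace }}/hdf5/CTestScript.cmake
+ln -sf ${{ github.workspace }}/$SOURCE_BASE/config/cmake/scripts/HDF5config.cmake ${{ runner.workspace }}/hdf5/HDF5config.cmake
 
 - name: Create symlinks (Windows)
 if: runner.os == 'Windows'
 shell: pwsh
+env:
+SOURCE_BASE: ${{ inputs.source-base }}
 run: |
 New-Item -ItemType Directory -Path ${{ runner.workspace }}/hdf5 -Force | Out-Null
-New-Item -ItemType SymbolicLink -Path ${{ runner.workspace }}/hdf5/CTestScript.cmake -Target ${{ github.workspace }}/${{ inputs.source-base }}/config/cmake/scripts/CTestScript.cmake -Force
-New-Item -ItemType SymbolicLink -Path ${{ runner.workspace }}/hdf5/HDF5config.cmake -Target ${{ github.workspace }}/${{ inputs.source-base }}/config/cmake/scripts/HDF5config.cmake -Force
+New-Item -ItemType SymbolicLink -Path ${{ runner.workspace }}/hdf5/CTestScript.cmake -Target ${{ github.workspace }}/$env:SOURCE_BASE/config/cmake/scripts/CTestScript.cmake -Force
+New-Item -ItemType SymbolicLink -Path ${{ runner.workspace }}/hdf5/HDF5config.cmake -Target ${{ github.workspace }}/$env:SOURCE_BASE/config/cmake/scripts/HDF5config.cmake -Force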
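Review bot: `$SOURCE_BASE` is expanded unquoted in both `ln -sf` lines and `$env:SOURCE_BASE` unquoted in both `-Target` arguments, so the move to `env:` stops the value from being parsed as script but a value containing whitespace or glob characters can still split into extra arguments or expand; quote the whole path, e.g. `ln -sf "${{ github.workspace }}/$SOURCE_BASE/config/cmake/scripts/CTestScript.cmake" "${{ runner.workspace }}/hdf5/CTestScript.cmake"` and `-Target "${{ github.workspace }}/$env:SOURCE_BASE/config/cmake/scripts/CTestScript.cmake"`. The same unquoted expansions appear throughout abi-report.yml (`$FILE_BASE`, `$FILE_REF` and the `*_ROOT` variables). Leaving `${{ github.workspace }}` and `${{ runner.workspace }}` inline is fine, since those are runner-provided rather than event-controlled. Quoting does not stop a value with `..` segments from resolving outside the checkout; whether that matters depends on who can set `source-base`, which is defined outside this hunk.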

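--- a/.github/workflows/abi-report.yml
+++ b/.github/workflows/abi-report.yml
@@ -40,10 +40,12 @@ jobs:
 
 - name: Convert hdf5 reference name (Linux)
 id: convert-hdf5lib-refname
+env:
+FILE_REF: ${{ inputs.file_ref }}
 run: |
-FILE_DOTS=$(echo "${{ inputs.file_ref }}" | sed -r "s/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+).*/\1\.\2\.\3-\4/")
+FILE_DOTS=$(echo "$FILE_REF" | sed -r "s/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+).*/\1\.\2\.\3-\4/")
 echo "HDF5R_DOTS=$FILE_DOTS" >> $GITHUB_OUTPUT
-FILE_DOTSMAIN=$(echo "${{ inputs.file_ref }}" | sed -r "s/([0-9]+)\.([0-9]+)\.([0-9]+).*/\1\.\2\.\3/")
+FILE_DOTSMAIN=$(echo "$FILE_REF" | sed -r "s/([0-9]+)\.([0-9]+)\.([0-9]+).*/\1\.\2\.\3/")
 echo "HDF5R_DOTSMAIN=$FILE_DOTSMAIN" >> $GITHUB_OUTPUT
 
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -59,7 +61,9 @@ jobs:
 ls -l ${{ github.workspace }}
 
 - name: Uncompress gh binary (Linux)
-run: tar -zxvf ${{ github.workspace }}/${{ inputs.file_base }}-ubuntu-2404_gcc.tar.gz
+env:
+FILE_BASE: ${{ inputs.file_base }}
+run: tar -zxvf ${{ github.workspace }}/$FILE_BASE-ubuntu-2404_gcc.tar.gz
 
 - name: Uncompress hdf5 binary (Linux)
 run: |
@@ -81,20 +85,25 @@ jobs:
 echo "HDF5_VERS=$FILE_VERS" >> $GITHUB_OUTPUT
 
 - name: Download reference version
+env:
+FILE_REF: ${{ inputs.file_ref }}
+CONVERT_HDF5LIB_REFNAME_HDF5R_DOTS: ${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTS }}
 run: |
 mkdir "${{ github.workspace }}/hdf5R"
 cd "${{ github.workspace }}/hdf5R"
-wget -q https://github.com/HDFGroup/hdf5/releases/download/${{ inputs.file_ref }}/hdf5-${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTS }}-ubuntu-2404_gcc.tar.gz
-tar zxf hdf5-${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTS }}-ubuntu-2404_gcc.tar.gz
+wget -q https://github.com/HDFGroup/hdf5/releases/download/$FILE_REF/hdf5-$CONVERT_HDF5LIB_REFNAME_HDF5R_DOTS-ubuntu-2404_gcc.tar.gz
+tar zxf hdf5-$CONVERT_HDF5LIB_REFNAME_HDF5R_DOTS-ubuntu-2404_gcc.tar.gz
 
 - name: List files for the space (Linux)
 run: |
 ls -l ${{ github.workspace }}/hdf5R
 
 - name: Uncompress hdf5 reference binary (Linux)
+env:
+FILE_REF: ${{ inputs.file_ref }}
 run: |
 cd "${{ github.workspace }}/hdf5R"
-tar -zxvf ${{ github.workspace }}/hdf5R/hdf5/HDF5-${{ inputs.file_ref }}-Linux.tar.gz --strip-components 1
+tar -zxvf ${{ github.workspace }}/hdf5R/hdf5/HDF5-$FILE_REF-Linux.tar.gz --strip-components 1
 
 - name: List files for the HDFR space (Linux)
 run: |
@@ -110,54 +119,82 @@ jobs:
 echo "HDF5R_VERS=$FILE_NAME_HDF5R" >> $GITHUB_OUTPUT
 
 - name: List files for the lib spaces (Linux)
+env:
+SET_HDF5LIB_NAME_HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
+SET_HDF5LIB_REFNAME_HDF5R_ROOT: ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}
 run: |
-ls -l ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/lib
-ls -l ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/lib
+ls -l $SET_HDF5LIB_NAME_HDF5_ROOT/lib
+ls -l $SET_HDF5LIB_REFNAME_HDF5R_ROOT/lib
 
 - name: Run Java API report
+env:
+SET_HDF5LIB_REFNAME_HDF5R_ROOT: ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}
+CONVERT_HDF5LIB_REFNAME_HDF5R_DOTSMAIN: ${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTSMAIN }}
+SET_HDF5LIB_NAME_HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
+SET_HDF5LIB_NAME_HDF5_VERS: ${{ steps.set-hdf5lib-name.outputs.HDF5_VERS }}
 run: |
-japi-compliance-checker ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/lib/jarhdf5-${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTSMAIN }}.jar ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/lib/jarhdf5-${{ steps.set-hdf5lib-name.outputs.HDF5_VERS }}.jar
+japi-compliance-checker $SET_HDF5LIB_REFNAME_HDF5R_ROOT/lib/jarhdf5-$CONVERT_HDF5LIB_REFNAME_HDF5R_DOTSMAIN.jar $SET_HDF5LIB_NAME_HDF5_ROOT/lib/jarhdf5-$SET_HDF5LIB_NAME_HDF5_VERS.jar
 continue-on-error: true
 
 - name: Run ABI report
-run: |
-abi-dumper ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/lib/libhdf5.so -o ABI-0.dump -public-headers ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/include
-abi-dumper ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/lib/libhdf5.so -o ABI-1.dump -public-headers ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/include
-abi-compliance-checker -l ${{ inputs.file_base }} -old ABI-0.dump -new ABI-1.dump
+env:
+SET_HDF5LIB_REFNAME_HDF5R_ROOT: ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}
+SET_HDF5LIB_NAME_HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
+FILE_BASE: ${{ inputs.file_base }}
+run: |
+abi-dumper $SET_HDF5LIB_REFNAME_HDF5R_ROOT/lib/libhdf5.so -o ABI-0.dump -public-headers $SET_HDF5LIB_REFNAME_HDF5R_ROOT/include
+abi-dumper $SET_HDF5LIB_NAME_HDF5_ROOT/lib/libhdf5.so -o ABI-1.dump -public-headers $SET_HDF5LIB_NAME_HDF5_ROOT/include
+abi-compliance-checker -l $FILE_BASE -old ABI-0.dump -new ABI-1.dump
 continue-on-error: true
 
 - name: Run hl ABI report
-run: |
-abi-dumper ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/lib/libhdf5_hl.so -o ABI-2.dump -public-headers ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/include
-abi-dumper ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/lib/libhdf5_hl.so -o ABI-3.dump -public-headers ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/include
-abi-compliance-checker -l ${{ inputs.file_base }}_hl -old ABI-2.dump -new ABI-3.dump
+env:
+SET_HDF5LIB_REFNAME_HDF5R_ROOT: ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}
+SET_HDF5LIB_NAME_HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
+FILE_BASE: ${{ inputs.file_base }}
+run: |
+abi-dumper $SET_HDF5LIB_REFNAME_HDF5R_ROOT/lib/libhdf5_hl.so -o ABI-2.dump -public-headers $SET_HDF5LIB_REFNAME_HDF5R_ROOT/include
+abi-dumper $SET_HDF5LIB_NAME_HDF5_ROOT/lib/libhdf5_hl.so -o ABI-3.dump -public-headers $SET_HDF5LIB_NAME_HDF5_ROOT/include
+abi-compliance-checker -l ${FILE_BASE}_hl -old ABI-2.dump -new ABI-3.dump
 continue-on-error: true
 
 - name: Run cpp ABI report
-run: |
-abi-dumper ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/lib/libhdf5_cpp.so -o ABI-4.dump -public-headers ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/include
-abi-dumper ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/lib/libhdf5_cpp.so -o ABI-5.dump -public-headers ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/include
-abi-compliance-checker -l ${{ inputs.file_base }}_cpp -old ABI-4.dump -new ABI-5.dump
+env:
+SET_HDF5LIB_REFNAME_HDF5R_ROOT: ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}
+SET_HDF5LIB_NAME_HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
+FILE_BASE: ${{ inputs.file_base }}
+run: |
+abi-dumper $SET_HDF5LIB_REFNAME_HDF5R_ROOT/lib/libhdf5_cpp.so -o ABI-4.dump -public-headers $SET_HDF5LIB_REFNAME_HDF5R_ROOT/include
+abi-dumper $SET_HDF5LIB_NAME_HDF5_ROOT/lib/libhdf5_cpp.so -o ABI-5.dump -public-headers $SET_HDF5LIB_NAME_HDF5_ROOT/include
+abi-compliance-checker -l ${FILE_BASE}_cpp -old ABI-4.dump -new ABI-5.dump
 continue-on-error: true
 
 - name: Run hl_cpp ABI report
-run: |
-abi-dumper ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/lib/libhdf5_hl_cpp.so -o ABI-6.dump -public-headers ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}/include
-abi-dumper ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/lib/libhdf5_hl_cpp.so -o ABI-7.dump -public-headers ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}/include
-abi-compliance-checker -l ${{ inputs.file_base }}_hl_cpp -old ABI-6.dump -new ABI-7.dump
+env:
+SET_HDF5LIB_REFNAME_HDF5R_ROOT: ${{ steps.set-hdf5lib-refname.outputs.HDF5R_ROOT }}
+SET_HDF5LIB_NAME_HDF5_ROOT: ${{ steps.set-hdf5lib-name.outputs.HDF5_ROOT }}
+FILE_BASE: ${{ inputs.file_base }}
+run: |
+abi-dumper $SET_HDF5LIB_REFNAME_HDF5R_ROOT/lib/libhdf5_hl_cpp.so -o ABI-6.dump -public-headers $SET_HDF5LIB_REFNAME_HDF5R_ROOT/include
+abi-dumper $SET_HDF5LIB_NAME_HDF5_ROOT/lib/libhdf5_hl_cpp.so -o ABI-7.dump -public-headers $SET_HDF5LIB_NAME_HDF5_ROOT/include
+abi-compliance-checker -l ${FILE_BASE}_hl_cpp -old ABI-6.dump -new ABI-7.dump
 continue-on-error: true
 
 - name: Copy ABI reports
-run: |
-cp compat_reports/jarhdf5-/${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTSMAIN }}_to_${{ steps.set-hdf5lib-name.outputs.HDF5_VERS }}/compat_report.html ${{ inputs.file_base }}-java_compat_report.html
-ls -l compat_reports/${{ inputs.file_base }}/X_to_Y
-cp compat_reports/${{ inputs.file_base }}/X_to_Y/compat_report.html ${{ inputs.file_base }}-hdf5_compat_report.html
-ls -l compat_reports/${{ inputs.file_base }}_hl/X_to_Y
-cp compat_reports/${{ inputs.file_base }}_hl/X_to_Y/compat_report.html ${{ inputs.file_base }}-hdf5_hl_compat_report.html
-ls -l compat_reports/${{ inputs.file_base }}_cpp/X_to_Y
-cp compat_reports/${{ inputs.file_base }}_cpp/X_to_Y/compat_report.html ${{ inputs.file_base }}-hdf5_cpp_compat_report.html
-ls -l compat_reports/${{ inputs.file_base }}_hl_cpp/X_to_Y
-cp compat_reports/${{ inputs.file_base }}_hl_cpp/X_to_Y/compat_report.html ${{ inputs.file_base }}-hdf5_hl_cpp_compat_report.html
+env:
+CONVERT_HDF5LIB_REFNAME_HDF5R_DOTSMAIN: ${{ steps.convert-hdf5lib-refname.outputs.HDF5R_DOTSMAIN }}
+SET_HDF5LIB_NAME_HDF5_VERS: ${{ steps.set-hdf5lib-name.outputs.HDF5_VERS }}
+FILE_BASE: ${{ inputs.file_base }}
+run: |
+cp compat_reports/jarhdf5-/${CONVERT_HDF5LIB_REFNAME_HDF5R_DOTSMAIN}_to_${SET_HDF5LIB_NAME_HDF5_VERS}/compat_report.html $FILE_BASE-java_compat_report.html
+ls -l compat_reports/$FILE_BASE/X_to_Y
+cp compat_reports/$FILE_BASE/X_to_Y/compat_report.html $FILE_BASE-hdf5_compat_report.html
+ls -l compat_reports/${FILE_BASE}_hl/X_to_Y
+cp compat_reports/${FILE_BASE}_hl/X_to_Y/compat_report.html $FILE_BASE-hdf5_hl_compat_report.html
+ls -l compat_reports/${FILE_BASE}_cpp/X_to_Y
+cp compat_reports/${FILE_BASE}_cpp/X_to_Y/compat_report.html $FILE_BASE-hdf5_cpp_compat_report.html
+ls -l compat_reports/${FILE_BASE}_hl_cpp/X_to_Y
+cp compat_reports/${FILE_BASE}_hl_cpp/X_to_Y/compat_report.html $FILE_BASE-hdf5_hl_cpp_compat_report.html
 continue-on-error: true
 
 - name: List files for the report spaces (Linux)
@@ -167,15 +204,17 @@ jobs:
 
 - name: Publish ABI reports
 id: publish-abi-reports
+env:
+FILE_BASE: ${{ inputs.file_base }}
 run: |
 mkdir "${{ runner.workspace }}/buildabi"
 mkdir "${{ runner.workspace }}/buildabi/hdf5"
-cp ${{ inputs.file_base }}-hdf5_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
-cp ${{ inputs.file_base }}-hdf5_hl_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
-cp ${{ inputs.file_base }}-hdf5_cpp_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
-cp ${{ inputs.file_base }}-java_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
+cp $FILE_BASE-hdf5_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
+cp $FILE_BASE-hdf5_hl_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
+cp $FILE_BASE-hdf5_cpp_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
+cp $FILE_BASE-java_compat_report.html ${{ runner.workspace }}/buildabi/hdf5
 cd "${{ runner.workspace }}/buildabi"
-tar -zcvf ${{ inputs.file_base }}.html.abi.reports.tar.gz hdf5
+tar -zcvf $FILE_BASE.html.abi.reports.tar.gz hdf5
 shell: bash
 
 - name: Save output as artifact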
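Review bot: `FILE_REF` is still used without validation in the first hunk (step `Convert hdf5 reference name`): the new `FILE_DOTS=$(echo "$FILE_REF" | sed ...)` line passes a value that does not match the pattern through unchanged, the unchanged `echo "HDF5R_DOTS=$FILE_DOTS" >> $GITHUB_OUTPUT` line right after it then writes that value to the step outputs, where an embedded newline would define additional outputs, and the third hunk interpolates the same value into the `wget -q .../download/$FILE_REF/...` URL and into the archive name passed to `tar`. Since the sed expression already assumes a dotted numeric version, I would fail fast at the top of that `run:` with `[[ "$FILE_REF" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "unexpected file_ref: $FILE_REF" >&2; exit 1; }`; the `inputs.file_ref` declaration is outside the hunk, so I cannot tell whether it is already constrained there. `printf '%s\n' "$FILE_REF"` in place of `echo` also avoids echo treating a leading `-n` or `-e` as an option.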
