Commit 1cd11c9
Harden CI against script injection in GitHub Actions
Bind untrusted github.* and inputs.* context values to env variables and
reference them as shell variables in run: blocks, instead of interpolating
them directly into the script text. Prevents the script-injection class
flagged by AppSec (Talos). Follows GitHub's security-hardening guidance and
the approach of awslabs#787.1 parent 79043ce commit 1cd11c9
2 files changed
Lines changed: 15 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
53 | 53 | | |
54 | 54 | | |
55 | 55 | | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
56 | 59 | | |
57 | | - | |
| 60 | + | |
58 | 61 | | |
59 | 62 | | |
60 | 63 | | |
| |||
198 | 201 | | |
199 | 202 | | |
200 | 203 | | |
| 204 | + | |
201 | 205 | | |
202 | 206 | | |
203 | 207 | | |
204 | 208 | | |
205 | | - | |
| 209 | + | |
206 | 210 | | |
207 | | - | |
| 211 | + | |
208 | 212 | | |
209 | | - | |
| 213 | + | |
210 | 214 | | |
211 | 215 | | |
212 | 216 | | |
| |||
216 | 220 | | |
217 | 221 | | |
218 | 222 | | |
| 223 | + | |
| 224 | + | |
219 | 225 | | |
220 | | - | |
| 226 | + | |
221 | 227 | | |
222 | 228 | | |
223 | 229 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
62 | 62 | | |
63 | 63 | | |
64 | 64 | | |
| 65 | + | |
65 | 66 | | |
66 | 67 | | |
67 | 68 | | |
68 | | - | |
| 69 | + | |
69 | 70 | | |
70 | 71 | | |
71 | 72 | | |
| |||
91 | 92 | | |
92 | 93 | | |
93 | 94 | | |
| 95 | + | |
94 | 96 | | |
95 | 97 | | |
96 | 98 | | |
97 | | - | |
| 99 | + | |
98 | 100 | | |
0 commit comments