Skip to content

Commit a3795eb

Browse files
Sbozzolohughcars
authored andcommitted
Harden CI against script injection in GitHub Actions
Bind untrusted github.* and inputs.* context values to env variables and reference them as shell variables in run: blocks, instead of interpolating them directly into the script text. Prevents the script-injection class flagged by AppSec (Talos). Follows GitHub's security-hardening guidance and the approach of awslabs#787.
1 parent bfda910 commit a3795eb

2 files changed

Lines changed: 15 additions & 7 deletions

File tree

.github/workflows/docs.yml

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -53,8 +53,11 @@ jobs:
5353
- '.github/workflows/docs.yml'
5454
- name: Decide whether to build
5555
id: decide
56+
env:
57+
GITHUB_REF: ${{ github.ref }}
58+
EVENT_NAME: ${{ github.event_name }}
5659
run: |
57-
if [[ "${{ github.ref }}" == refs/tags/* ]] || [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
60+
if [[ "${GITHUB_REF}" == refs/tags/* ]] || [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
5861
echo "should_build=true" >> "$GITHUB_OUTPUT"
5962
else
6063
echo "should_build=${{ steps.filter.outputs.test }}" >> "$GITHUB_OUTPUT"
@@ -198,15 +201,16 @@ jobs:
198201
- name: Build and deploy
199202
if: needs.filter.outputs.should_build == 'true'
200203
env:
204+
DEPLOY_TAG: ${{ inputs.deploy_tag }}
201205
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
202206
run: |
203207
# For workflow_dispatch with deploy_tag, override the runner's immutable
204208
# GITHUB_* env vars so Documenter.jl sees a tag push.
205-
if [[ -n "${{ inputs.deploy_tag }}" ]]; then
209+
if [[ -n "${DEPLOY_TAG}" ]]; then
206210
export GITHUB_EVENT_NAME=push
207-
export GITHUB_REF=refs/tags/${{ inputs.deploy_tag }}
211+
export GITHUB_REF=refs/tags/"${DEPLOY_TAG}"
208212
export GITHUB_REF_TYPE=tag
209-
export GITHUB_REF_NAME=${{ inputs.deploy_tag }}
213+
export GITHUB_REF_NAME="${DEPLOY_TAG}"
210214
fi
211215
eval $(spack -e . load --sh palace)
212216
julia --project=docs -e 'using Pkg; Pkg.instantiate()'
@@ -216,8 +220,10 @@ jobs:
216220
if: >-
217221
needs.filter.outputs.should_build == 'true' &&
218222
(startsWith(github.ref, 'refs/tags/') || inputs.deploy_tag != '')
223+
env:
224+
TAG_REF: ${{ inputs.deploy_tag || github.ref_name }}
219225
run: |
220-
TAG="${{ inputs.deploy_tag || github.ref_name }}"
226+
TAG="${TAG_REF}"
221227
VERSION="${TAG#v}"
222228
git fetch origin gh-pages --depth=1
223229
STABLE=$(git show origin/gh-pages:stable)

.github/workflows/ghcr-cleanup.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -62,10 +62,11 @@ jobs:
6262
- name: Print buildcache version count before cleanup
6363
continue-on-error: true
6464
env:
65+
REPO_OWNER: ${{ github.repository_owner }}
6566
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6667
shell: bash
6768
run: |
68-
gh api /orgs/${{ github.repository_owner }}/packages/container/palace-develop-testing \
69+
gh api /orgs/"${REPO_OWNER}"/packages/container/palace-develop-testing \
6970
--jq '"palace-develop-testing versions before cleanup: \(.version_count)"'
7071
7172
# Each Spack spec is a tagged version in the container package. We keep
@@ -91,8 +92,9 @@ jobs:
9192
if: always()
9293
continue-on-error: true
9394
env:
95+
REPO_OWNER: ${{ github.repository_owner }}
9496
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
9597
shell: bash
9698
run: |
97-
gh api /orgs/${{ github.repository_owner }}/packages/container/palace-develop-testing \
99+
gh api /orgs/"${REPO_OWNER}"/packages/container/palace-develop-testing \
98100
--jq '"palace-develop-testing versions after cleanup: \(.version_count)"'

0 commit comments

Comments
 (0)