Skip to content

ci: prevent script injection in commit lint#535

Merged
zhongkechen merged 1 commit into
mainfrom
codex/fix-actions-script-injection-main
Jul 14, 2026
Merged

ci: prevent script injection in commit lint#535
zhongkechen merged 1 commit into
mainfrom
codex/fix-actions-script-injection-main

Conversation

@zhongkechen

Copy link
Copy Markdown
Contributor

Summary

  • move pull request values out of the generated shell script and into step environment variables
  • use immutable base and head commit SHAs for the lint range
  • quote both environment variables when constructing the range argument

This remediates the reported GitHub Actions script injection finding in .github/workflows/ci.yml.

Validation

  • git diff --check
  • parsed .github/workflows/ci.yml with Ruby YAML
  • confirmed no github.event expression remains directly embedded in a run: command

@zhongkechen zhongkechen merged commit a22c596 into main Jul 14, 2026
13 checks passed
@zhongkechen zhongkechen deleted the codex/fix-actions-script-injection-main branch July 14, 2026 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants