Skip to content

ci: prevent script injection in commit lint#536

Merged
zhongkechen merged 1 commit into
v1.5from
codex/fix-actions-script-injection-v1.5
Jul 14, 2026
Merged

ci: prevent script injection in commit lint#536
zhongkechen merged 1 commit into
v1.5from
codex/fix-actions-script-injection-v1.5

Conversation

@zhongkechen

Copy link
Copy Markdown
Contributor

Summary

  • move pull request values out of the generated shell script and into step environment variables
  • use immutable base and head commit SHAs for the lint range
  • quote both environment variables when constructing the range argument

This backports the GitHub Actions script injection remediation to the v1.5 maintenance branch.

Validation

  • git diff --check
  • parsed .github/workflows/ci.yml with Ruby YAML
  • confirmed no github.event expression remains directly embedded in a run: command

@zhongkechen zhongkechen merged commit 5fc3707 into v1.5 Jul 14, 2026
6 checks passed
@zhongkechen zhongkechen deleted the codex/fix-actions-script-injection-v1.5 branch July 14, 2026 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants