
Commit 959e45a

authored
chore: fix potential script injection in GitHub Actions [security]
Signed-off-by: GitHub <[email protected]>
1 parent 16e20f3 commit 959e45a


1 file changed

+13
-7
lines changed


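--- a/.github/workflows/__package.yml
+++ b/.github/workflows/__package.yml
@@ -108,6 +108,8 @@ jobs:
 tags: ${{ env.tags }}
 platforms: ${{ env.platforms }}
 caches: ${{ env.caches }}
+env:
+REQUESTED_ARCHITECTURES: ${{ inputs.architectures }}
 
 # EOF is needed for multiline environment variables in a GitHub Actions context
 steps:
@@ -118,8 +120,10 @@ jobs:
 - name: Parse commit hash ⚙️
 if: ${{ inputs.commit != '' }}
 id: sha
+env:
+COMMIT: ${{ inputs.commit }}
 run: |
-PARSEABLE_SHA='${{ inputs.commit }}'
+PARSEABLE_SHA='${{ env.COMMIT }}'
 echo "sha=${PARSEABLE_SHA::7}" >> $GITHUB_OUTPUT
 
 ## How tags are assigned:
@@ -129,18 +133,20 @@ jobs:
 #
 ## Before setting as output, we remove the blank lines
 - name: Generate tags 🏷️
+env:
+TAG_NAME: ${{ inputs.tag_name }}
 run: |
 TG='${{ inputs.commit == '' && !inputs.is_prerelease && format('{0}:{1}', env.REGISTRY_IMAGE, 'latest') || '' }}\n'
 TG+='${{ inputs.commit == '' && !inputs.is_prerelease && format('{0}:{1}', env.REGISTRY_IMAGE, env.RELEASE_TAG) || '' }}\n'
-TG+='${{ inputs.commit == '' && !inputs.is_prerelease && inputs.tag_name && format('{0}:{1}.{2}', env.REGISTRY_IMAGE, env.RELEASE_TAG, inputs.tag_name) || '' }}\n'
+TG+='${{ inputs.commit == '' && !inputs.is_prerelease && inputs.tag_name && format('{0}:{1}.{2}', env.REGISTRY_IMAGE, env.RELEASE_TAG, env.TAG_NAME) || '' }}\n'
 TG+='${{ inputs.commit == '' && !inputs.is_prerelease && format('ghcr.io/{0}:{1}', env.REGISTRY_IMAGE, 'latest') || '' }}\n'
 TG+='${{ inputs.commit == '' && !inputs.is_prerelease && format('ghcr.io/{0}:{1}', env.REGISTRY_IMAGE, env.RELEASE_TAG) || '' }}\n'
-TG+='${{ inputs.commit == '' && !inputs.is_prerelease && inputs.tag_name && format('ghcr.io/{0}:{1}.{2}', env.REGISTRY_IMAGE, env.RELEASE_TAG, inputs.tag_name) || '' }}\n'
+TG+='${{ inputs.commit == '' && !inputs.is_prerelease && inputs.tag_name && format('ghcr.io/{0}:{1}.{2}', env.REGISTRY_IMAGE, env.RELEASE_TAG, env.TAG_NAME) || '' }}\n'
 
 TG+='${{ inputs.commit == '' && inputs.is_prerelease && format('{0}:{1}', env.REGISTRY_IMAGE, env.PRERELEASE_TAG) || '' }}\n'
-TG+='${{ inputs.commit == '' && inputs.is_prerelease && inputs.tag_name && format('{0}:{1}.{2}', env.REGISTRY_IMAGE, env.PRERELEASE_TAG, inputs.tag_name) || '' }}\n'
+TG+='${{ inputs.commit == '' && inputs.is_prerelease && inputs.tag_name && format('{0}:{1}.{2}', env.REGISTRY_IMAGE, env.PRERELEASE_TAG, env.TAG_NAME) || '' }}\n'
 TG+='${{ inputs.commit == '' && inputs.is_prerelease && format('ghcr.io/{0}:{1}', env.REGISTRY_IMAGE, env.PRERELEASE_TAG) || '' }}\n'
-TG+='${{ inputs.commit == '' && inputs.is_prerelease && inputs.tag_name && format('ghcr.io/{0}:{1}.{2}', env.REGISTRY_IMAGE, env.PRERELEASE_TAG, inputs.tag_name) || '' }}\n'
+TG+='${{ inputs.commit == '' && inputs.is_prerelease && inputs.tag_name && format('ghcr.io/{0}:{1}.{2}', env.REGISTRY_IMAGE, env.PRERELEASE_TAG, env.TAG_NAME) || '' }}\n'
 
 TG+='${{ inputs.commit != '' && format('{0}:{1}', env.REGISTRY_IMAGE, env.COMMIT_TAG) || '' }}\n'
 TG+='${{ inputs.commit != '' && format('{0}:{1}.{2}.{3}', env.REGISTRY_IMAGE, env.COMMIT_TAG, steps.date.outputs.date, steps.sha.outputs.sha) || '' }}\n'
@@ -152,14 +158,14 @@ jobs:
 
 - name: Generate platform array 🖥️📝
 run: |
-PARSED_ARRAY=$(echo '${{ inputs.architectures }}' | jq '. | map("linux/" + .) | .[]' | tr -d '"')
+PARSED_ARRAY=$(echo '${{ env.REQUESTED_ARCHITECTURES }}' | jq '. | map("linux/" + .) | .[]' | tr -d '"')
 echo "platforms<<EOF" >> $GITHUB_ENV
 echo "$PARSED_ARRAY" >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV
 
 - name: Generate cache array 💾📝
 run: |
-PARSED_ARRAY=$(echo '${{ inputs.architectures }}' | jq '. | map("type=local,mode=min,src=/tmp/${{ env.REGISTRY_IMAGE }}/cache/buildx-" + .) | .[]' | tr -d '"')
+PARSED_ARRAY=$(echo '${{ env.REQUESTED_ARCHITECTURES }}' | jq '. | map("type=local,mode=min,src=/tmp/${{ env.REGISTRY_IMAGE }}/cache/buildx-" + .) | .[]' | tr -d '"')
 echo "caches<<EOF" >> $GITHUB_ENV
 echo "$PARSED_ARRAY" >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV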
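Review bot: The added `env:` blocks do not close the injection the commit title describes, because `${{ env.COMMIT }}` on new line 126, `${{ env.TAG_NAME }}` on new lines 141/144/147/149 and `${{ env.REQUESTED_ARCHITECTURES }}` on new lines 161/168 are still workflow expressions that the runner substitutes into the script text before bash parses it, so an input containing a single quote breaks out of the `'…'` literal exactly as `${{ inputs.* }}` did. Since those `env:` entries are exported to the step's shell, the script should read them as shell variables instead: `PARSEABLE_SHA="$COMMIT"` in the sha step and `PARSED_ARRAY=$(printf '%s' "$REQUESTED_ARCHITECTURES" | jq '. | map("linux/" + .) | .[]' | tr -d '"')` (same shape for the cache step), which also relies on the job-level `env:` from the first hunk being visible in those steps. The tag step is harder because `env.TAG_NAME` sits inside `format()`; the safe shape is to keep the expression for the `image:tag.` prefix only and append `"${TAG_NAME}"` as a shell variable, guarded by a shell test on the same conditions, rather than interpolating it through the expression. Quoting the existing `"$GITHUB_ENV"` and `"$GITHUB_OUTPUT"` redirect targets would be a cheap addition while these lines are being touched.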
