
Commit e1b513d

fix: harden workflow scripts against injection and null bodies
- Move event fields (head_branch, head_sha) to env mappings to prevent script injection via crafted branch names
- Guard against null comment bodies with optional chaining
- Use a hidden HTML marker for reliable bot comment upsert

Made-with: Cursor
1 parent 719305c commit e1b513d

2 files changed

Lines changed: 12 additions & 12 deletions


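--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -25,9 +25,9 @@ jobs:
 id: pr
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+REPO: ${{ github.repository }}
 run: |
-HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
-
 if [[ ! "$HEAD_BRANCH" =~ ^dependabot/ ]]; then
 echo "Not a Dependabot branch, skipping"
 exit 0
@@ -36,7 +36,7 @@ jobs:
 PR_NUMBER=$(gh pr list \
 --head "$HEAD_BRANCH" \
 --json number,author --jq '.[] | select(.author.login == "dependabot[bot]") | .number' \
---repo "${{ github.repository }}" | head -1)
+--repo "$REPO" | head -1)
 
 if [ -z "$PR_NUMBER" ]; then
 echo "No Dependabot PR found for branch $HEAD_BRANCH"
@@ -49,12 +49,12 @@ jobs:
 if: steps.pr.outputs.number
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+REPO: ${{ github.repository }}
 run: |
-HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
-
 # The combined status API merges both check runs (GitHub Actions)
 # and commit statuses (Prow) into a single verdict.
-COMBINED=$(gh api "repos/${{ github.repository }}/commits/${HEAD_SHA}/status" \
+COMBINED=$(gh api "repos/${REPO}/commits/${HEAD_SHA}/status" \
 --jq '.state')
 
 echo "Combined commit status: $COMBINED"
@@ -81,9 +81,8 @@ jobs:
 if: steps.checks.outputs.ready == 'true' && steps.metadata.outputs.update-type == 'version-update:semver-patch'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+PR_NUMBER: ${{ steps.pr.outputs.number }}
+REPO: ${{ github.repository }}
 run: |
-PR_NUMBER="${{ steps.pr.outputs.number }}"
-REPO="${{ github.repository }}"
-
 gh pr edit "$PR_NUMBER" --repo "$REPO" \
 --add-label "lgtm,approved"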
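Review bot: The commit whose status is checked and the PR that gets labelled are never tied to each other: the `pr` step locates the PR by branch name alone (`gh pr list --head "$HEAD_BRANCH"`), while `HEAD_SHA` in the `checks` step is whatever commit fired the `workflow_run` event, so if the upstream workflow also runs for fork pull requests, a fork branch named `dependabot/...` could have its own commit's green combined status applied to the in-repo Dependabot PR of the same name, which then receives the `lgtm,approved` labels. The cheapest guard goes on the `pr` step, `if: github.event.workflow_run.head_repository.full_name == github.repository`, and the `checks` step can additionally confirm that `gh pr view "$PR_NUMBER" --repo "$REPO" --json headRefOid --jq .headRefOid` equals `$HEAD_SHA` before reporting ready (that step would need `PR_NUMBER: ${{ steps.pr.outputs.number }}` added to its env). Whether fork runs reach this workflow at all depends on the trigger definition, which is outside these hunks. `head -1` also silently picks the first of several matches; failing when more than one number comes back would make that choice explicit.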

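--- a/.github/workflows/dependency-validation.yml
+++ b/.github/workflows/dependency-validation.yml
@@ -235,12 +235,13 @@ jobs:
 }
 }
 
+const marker = '<!-- dependency-validation -->';
 if (changes.length === 0) {
-fs.writeFileSync('dep-summary.md', 'No dependency version changes detected.\n');
+fs.writeFileSync('dep-summary.md', marker + '\nNo dependency version changes detected.\n');
 } else {
 const header = '## Dependency Changes\n\n| Package | Before | After | Status |\n|---------|--------|-------|--------|\n';
 const limited = changes.slice(0, 50);
-let body = header + limited.join('\n') + '\n';
+let body = marker + '\n' + header + limited.join('\n') + '\n';
 if (changes.length > 50) {
 body += '\n*...and ' + (changes.length - 50) + ' more changes.*\n';
 }
@@ -260,7 +261,7 @@ jobs:
 issue_number: context.issue.number,
 });
 const botComment = comments.find(c =>
-c.user.type === 'Bot' && c.body.includes('## Dependency Changes')
+c.user.type === 'Bot' && c.body?.includes('<!-- dependency-validation -->')
 );
 if (botComment) {
 await github.rest.issues.updateComment({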
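Review bot: `c.user.type === 'Bot'` in the new `find` predicate still matches a comment from any installed GitHub App, not only this workflow, so a foreign bot comment that happens to contain the marker would be overwritten by the `updateComment` call that follows; assuming the comment is posted with `GITHUB_TOKEN`, pinning the author is tighter: `c.user.login === 'github-actions[bot]' && c.body?.includes('<!-- dependency-validation -->')`. The marker is now spelled as a literal in two places (the `const marker` at line 238 and the predicate at line 264), so the two can drift and the upsert would silently start posting duplicate comments; if both lines live in the same `script:` block, reuse `marker` in the predicate, otherwise hoist the string into a step `env:` entry and read it via `process.env` in both places. The enclosing script begins before the first hunk and the `updateComment` call continues past the second, so I cannot tell from here whether `marker` is in scope at the predicate.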
