
Commit 3ee3de5

rostalancursoragent
andcommitted
fix(smoketest): avoid direct input interpolation in run step
Pass workflow inputs through step environment variables before use in shell to satisfy script-injection hardening checks. Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 268e23e commit 3ee3de5

1 file changed

Lines changed: 5 additions & 2 deletions


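--- a/.github/workflows/run-workspace-smoke-tests.yaml
+++ b/.github/workflows/run-workspace-smoke-tests.yaml
@@ -53,6 +53,9 @@ jobs:
 
 - name: Start RHDH with test plugins config
 id: start-rhdh
+env:
+INPUT_RHDH_TAG: ${{ inputs.rhdh-tag }}
+INPUT_TARGET_BRANCH: ${{ inputs.target-branch }}
 run: |
 set -euo pipefail
 ls -la ./artifacts/ || true
@@ -82,7 +85,7 @@ jobs:
 DOCKER_CMD="$DOCKER_CMD -e REGISTRY_AUTH_FILE=/root/.docker/config.json"
 
 # Resolve image from explicit /smoketest <tag> override or target branch default
-RHDH_TAG="${{ inputs.rhdh-tag }}"
+RHDH_TAG="${INPUT_RHDH_TAG:-}"
 if [[ -n "$RHDH_TAG" ]]; then
 if [[ ! "$RHDH_TAG" =~ ^(pr-[0-9]+(-[0-9a-f]{7,40})?|next(-[0-9]+\.[0-9]+-[0-9a-f]{7,40}|-[0-9a-f]{7,40})?)$ ]]; then
 echo "Invalid rhdh-tag input: $RHDH_TAG."
@@ -92,7 +95,7 @@ jobs:
 IMAGE_REF="quay.io/rhdh-community/rhdh:${RHDH_TAG}"
 echo "Using explicit RHDH image override from smoketest tag: $IMAGE_REF"
 else
-TARGET_BRANCH="${{ inputs.target-branch }}"
+TARGET_BRANCH="${INPUT_TARGET_BRANCH:-main}"
 if [[ "$TARGET_BRANCH" =~ ^release-([0-9]+\.[0-9]+)$ ]]; then
 IMAGE_TAG="next-${BASH_REMATCH[1]}"
 else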
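Review bot: The new fallback in `TARGET_BRANCH="${INPUT_TARGET_BRANCH:-main}"` changes behaviour beyond the hardening the commit message describes: the removed line assigned the raw input, so an empty `target-branch` stayed empty, whereas it now becomes `main` before the `release-X.Y` match. Because the added `env:` block always sets `INPUT_TARGET_BRANCH`, the `:-` default fires exactly when the input is empty. The `else` branch continues past the end of this hunk, so whether the resolved image differs cannot be confirmed from here. If the default is intended, state it with a comment such as `# empty target-branch falls back to main`; otherwise use `"${INPUT_TARGET_BRANCH:-}"`, as the `RHDH_TAG` line does, to keep this a pure refactor.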
