
Commit 93c8523

committed
fix: use env vars instead of template expansion in run blocks (zizmor)
zizmor flags ${{ matrix.* }} in run: blocks as a code injection risk. Pass matrix values through env vars instead, which is the recommended safe pattern for GitHub Actions.
1 parent 99a4931 commit 93c8523


1 file changed

+14
-9
lines changed

1 file changed

+14
-9
lines changed

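--- a/.github/workflows/contracts-upgrade-hygiene.yml
+++ b/.github/workflows/contracts-upgrade-hygiene.yml
@@ -79,19 +79,24 @@ jobs:
 
       - name: Install Forge dependencies
         if: matrix.extra-deps != ''
+        env:
+          PACKAGE: ${{ matrix.package }}
+          EXTRA_DEPS: ${{ matrix.extra-deps }}
         run: |
-          (cd ${{ matrix.package }} && ${{ matrix.extra-deps }})
-          (cd main-branch/${{ matrix.package }} && ${{ matrix.extra-deps }})
+          (cd "$PACKAGE" && $EXTRA_DEPS)
+          (cd "main-branch/$PACKAGE" && $EXTRA_DEPS)
 
-      - name: Align compilation settings
-        run: cp ${{ matrix.package }}/foundry.toml main-branch/${{ matrix.package }}/foundry.toml
-
-      - name: Generate address stubs
+      - name: Setup compilation
+        env:
+          PACKAGE: ${{ matrix.package }}
         run: |
-          for dir in ${{ matrix.package }} main-branch/${{ matrix.package }}; do
+          cp "$PACKAGE/foundry.toml" "main-branch/$PACKAGE/foundry.toml"
+          for dir in "$PACKAGE" "main-branch/$PACKAGE"; do
             mkdir -p "$dir/addresses"
-            cp ci/stubs/${{ matrix.package }}/*.sol "$dir/addresses/"
+            cp ci/stubs/"$PACKAGE"/*.sol "$dir/addresses/"
           done
 
       - name: Run upgrade hygiene check
-        run: ./ci/check-upgrade-hygiene.sh main-branch/${{ matrix.package }} ${{ matrix.package }}
+        env:
+          PACKAGE: ${{ matrix.package }}
+        run: ./ci/check-upgrade-hygiene.sh "main-branch/$PACKAGE" "$PACKAGE"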
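Review bot: `$EXTRA_DEPS` on the new `(cd "$PACKAGE" && $EXTRA_DEPS)` lines is still a whole shell command string executed by the step; moving it into `env:` removes the template-expansion injection zizmor flagged, but the variable is deliberately left unquoted so the shell word-splits it, and nothing in the hunk says so. A later "quote every variable" cleanup (or a ShellCheck SC2086 fix) would silently break the step, so a comment above the `run:` such as `# EXTRA_DEPS is a command from the static matrix; intentionally unquoted so it is word-split` is worth adding, and the matrix definition (outside this hunk) should remain the only source of that value. Separately, `PACKAGE: ${{ matrix.package }}` is now repeated in three steps; a single job-level `env:` entry would express the same thing once, though the job header is outside the hunk.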
